Re: clarifications needed re safe form editor cert matching algorithm

I notice you didn't comment on the liability implications at the end of my
reply ;-) I don't see a huge upside to breaking standards, I do see a huge
potential downside. I would be willing to consider it if it helped in the
common case - which I think it might for the example of https://example.comand
https://www.example.com - i.e. maybe we special case www. But beyond that, I
don't know if it's common enough to provide any real upside, and I am fairly
certain that there's a huge risk in breaking a spec like SSL...

-Ian

On 10/12/07, Thomas Roessler <tlr@w3.org> wrote:
>
> On 2007-10-12 09:29:56 -0700, Ian Fette wrote:
>
> >> Of the number of sites that yield warnings for this (where the
> >> certificate was granted for the domain, but the subdomain
> >> doesn't match), how many are malicious?  How many times is it
> >> benign when this warning appears?
>
> > The point isn't how many of these such sites are currently
> > malicious.
>
> Well, if you want to consider the habituation effect that occurs, a
> warning that mostly cries wolf is significantly worse than one
> that's mostly right.
>
> In particular, if a warning mostly occurs under legitimate
> circumstances, the attack vector might not even be new.
>
> The question is really whether the survey that Johnathan was citing
> (i.e., current warnings have an effect in something like 40% of all
> cases) is right, or whether the assumption is right that the current
> warnings are largely ignored.
>
> --
> Thomas Roessler, W3C  <tlr@w3.org>
>

Received on Friday, 12 October 2007 16:57:37 UTC