- From: Serge Egelman <egelman@cs.cmu.edu>
- Date: Fri, 12 Oct 2007 13:26:04 -0400
- To: Ian Fette <ifette@google.com>
- CC: yngve@opera.com, Johnathan Nightingale <johnath@mozilla.com>, W3C WSC Public <public-wsc-wg@w3.org>
Are you trying to use the Nuremberg defense now? Though I'm not convinced that this would be breaking the standard. The standard specifies errors, but not how to display them. In this instance we choose not to display anything.

serge

Ian Fette wrote:
> I notice you didn't comment on the liability implications at the end of
> my reply ;-) I don't see a huge upside to breaking standards, I do see a
> huge potential downside. I would be willing to consider it if it helped
> in the common case - which I think it might for the example of
> https://example.com and https://www.example.com - i.e. maybe we special
> case www. But beyond that, I don't know if it's common enough to provide
> any real upside, and I am fairly certain that there's a huge risk in
> breaking a spec like SSL...
>
> -Ian
>
> On 10/12/07, *Thomas Roessler* <tlr@w3.org> wrote:
>
> > On 2007-10-12 09:29:56 -0700, Ian Fette wrote:
> >
> > > > Of the number of sites that yield warnings for this (where the
> > > > certificate was granted for the domain, but the subdomain
> > > > doesn't match), how many are malicious? How many times is it
> > > > benign when this warning appears?
> >
> > > The point isn't how many of these such sites are currently
> > > malicious.
> >
> > Well, if you want to consider the habituation effect that occurs, a
> > warning that mostly cries wolf is significantly worse than one
> > that's mostly right.
> >
> > In particular, if a warning mostly occurs under legitimate
> > circumstances, the attack vector might not even be new.
> >
> > The question is really whether the survey that Johnathan was citing
> > (i.e., current warnings have an effect in something like 40% of all
> > cases) is right, or whether the assumption is right that the current
> > warnings are largely ignored.
> >
> > --
> > Thomas Roessler, W3C <tlr@w3.org>

--
/*
Serge Egelman
PhD Candidate
Vice President for External Affairs, Graduate Student Assembly
Carnegie Mellon University

Legislative Concerns Chair
National Association of Graduate-Professional Students
*/

Received on Friday, 12 October 2007 17:27:31 UTC