- From: Ian Fette <ifette@google.com>
- Date: Fri, 12 Oct 2007 10:30:50 -0700
- To: "Serge Egelman" <egelman@cs.cmu.edu>
- Cc: yngve@opera.com, "Johnathan Nightingale" <johnath@mozilla.com>, "W3C WSC Public" <public-wsc-wg@w3.org>
- Message-ID: <bbeaa26f0710121030m117bde86ybbdbb687ab250ed4@mail.gmail.com>
LOL... all I'm saying is this. For the case of www vs bare hostname, I can see this being common enough to warrant investigation. For the other cases, I see a lot of risk in terms of opening up new attack vectors, changing defaults, breaking standards etc., but I'm not sure I really see the benefit.

On 10/12/07, Serge Egelman <egelman@cs.cmu.edu> wrote:
>
> Are you trying to use the Nuremberg defense now?
>
> Though I'm not convinced that this would be breaking the standard. The
> standard specifies errors, but not how to display them. In this
> instance we choose not to display anything.
>
> serge
>
> Ian Fette wrote:
> > I notice you didn't comment on the liability implications at the end of
> > my reply ;-) I don't see a huge upside to breaking standards, I do see a
> > huge potential downside. I would be willing to consider it if it helped
> > in the common case - which I think it might for the example of
> > https://example.com and https://www.example.com - i.e. maybe we special
> > case www. But beyond that, I don't know if it's common enough to provide
> > any real upside, and I am fairly certain that there's a huge risk in
> > breaking a spec like SSL...
> >
> > -Ian
> >
> > On 10/12/07, Thomas Roessler <tlr@w3.org> wrote:
> >
> > On 2007-10-12 09:29:56 -0700, Ian Fette wrote:
> >
> > >> Of the number of sites that yield warnings for this (where the
> > >> certificate was granted for the domain, but the subdomain
> > >> doesn't match), how many are malicious? How many times is it
> > >> benign when this warning appears?
> >
> > > The point isn't how many of these such sites are currently
> > > malicious.
> >
> > Well, if you want to consider the habituation effect that occurs, a
> > warning that mostly cries wolf is significantly worse than one
> > that's mostly right.
> >
> > In particular, if a warning mostly occurs under legitimate
> > circumstances, the attack vector might not even be new.
> >
> > The question is really whether the survey that Johnathan was citing
> > (i.e., current warnings have an effect in something like 40% of all
> > cases) is right, or whether the assumption is right that the current
> > warnings are largely ignored.
> >
> > --
> > Thomas Roessler, W3C <tlr@w3.org>
> >
> >
>
> --
> /*
> Serge Egelman
>
> PhD Candidate
> Vice President for External Affairs, Graduate Student Assembly
> Carnegie Mellon University
>
> Legislative Concerns Chair
> National Association of Graduate-Professional Students
> */
>
Received on Friday, 12 October 2007 17:31:10 UTC
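The "www vs bare hostname" case the thread argues about, as an added example that is not part of the original messages: standard certificate hostname matching (exact name or a single leftmost wildcard label), plus the proposed www-only relaxation as an explicit, separately flagged policy so that any other subdomain mismatch still produces the warning. Function names and the tri-state result strings are this example's own assumptions.

```python
# Added example (not from the thread): strict cert hostname matching versus
# the narrow "special case www" relaxation Ian floats above.

def hostname_matches(cert_name: str, host: str) -> bool:
    """Strict match: exact name, or a wildcard in the leftmost label only,
    which covers exactly one label (so *.example.com never matches the bare
    example.com or a.b.example.com). Case-insensitive, trailing dot ignored."""
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if cert_name == host:
        return True
    if cert_name.startswith("*.") and "*" not in cert_name[1:]:
        suffix = cert_name[1:]                      # ".example.com"
        if host.endswith(suffix):
            leftmost = host[: -len(suffix)]         # label the "*" would cover
            return bool(leftmost) and "." not in leftmost
    return False


def _strip_www(name: str) -> str:
    """Remove one leading 'www.' label, nothing else."""
    name = name.lower().rstrip(".")
    return name[4:] if name.startswith("www.") else name


def check_certificate(cert_names, host: str, allow_www_special_case: bool = False) -> str:
    """Return 'ok' for a standard match, 'ok-www-relaxed' when only the
    www-equivalence policy made it match, and 'mismatch' otherwise (the case
    in which the browser would show the hostname-mismatch warning)."""
    if any(hostname_matches(n, host) for n in cert_names):
        return "ok"
    if allow_www_special_case:
        # Only www.example.com <-> example.com is treated as equivalent; an
        # arbitrary subdomain such as evil.example.com still mismatches.
        if any(_strip_www(n) == _strip_www(host) for n in cert_names):
            return "ok-www-relaxed"
    return "mismatch"


if __name__ == "__main__":
    # Constructed sample: a certificate issued only for the bare domain.
    cert = ["example.com"]
    for h in ("example.com", "www.example.com", "evil.example.com"):
        print(h, "strict:", check_certificate(cert, h),
              "relaxed:", check_certificate(cert, h, allow_www_special_case=True))
```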