- From: Serge Egelman <egelman@cs.cmu.edu>
- Date: Fri, 12 Oct 2007 13:52:50 -0400
- To: Ian Fette <ifette@google.com>
- CC: yngve@opera.com, Johnathan Nightingale <johnath@mozilla.com>, W3C WSC Public <public-wsc-wg@w3.org>
But if you concede that existing warnings are failing, this isn't a new attack vector. At worst it maintains the status quo, and at best it makes more serious SSL warnings more effective. serge Ian Fette wrote: > LOL... all I'm saying is this. For the case of www vs bare hostname, I > can see this being common enough to warrant investigation. For the other > cases, I see a lot of risk in terms of opening up new attack vectors, > changing defaults, breaking standards etc, but I'm not sure I really see > the benefit. > > On 10/12/07, *Serge Egelman* <egelman@cs.cmu.edu > <mailto:egelman@cs.cmu.edu>> wrote: > > Are you trying to use the Nuremberg defense now? > > Though I'm not convinced that this would be breaking the standard. The > standard specifies errors, but not how to display them. In this > instance we choose not to display anything. > > serge > > Ian Fette wrote: > > I notice you didn't comment on the liability implications at the > end of > > my reply ;-) I don't see a huge upside to breaking standards, I do > see a > > huge potential downside. I would be willing to consider it if it > helped > > in the common case - which I think it might for the example of > > https://example.com and https://www.example.com - i.e. maybe we > special > > case www. But beyond that, I don't know if it's common enough to > provide > > any real upside, and I am fairly certain that there's a huge risk in > > breaking a spec like SSL... > > > > -Ian > > > > On 10/12/07, *Thomas Roessler* <tlr@w3.org <mailto:tlr@w3.org> > <mailto:tlr@w3.org <mailto:tlr@w3.org>>> wrote: > > > > On 2007-10-12 09:29:56 -0700, Ian Fette wrote: > > > > >> Of the number of sites that yield warnings for this (where the > > >> certificate was granted for the domain, but the subdomain > > >> doesn't match), how many are malicious? How many times is it > > >> benign when this warning appears? > > > > > The point isn't how many of these such sites are currently > > > malicious. > > > > Well, if you want to consider the habituation effect that > occurs, a > > warning that mostly cries wolf is significantly worse than one > > that's mostly right. > > > > In particular, if a warning mostly occurs under legitimate > > circumstances, the attack vector might not even be new. > > > > The question is really whether the survey that Johnathan was > citing > > (i.e., current warnings have an effect in something like 40% > of all > > cases) is right, or whether the assumption is right that the > current > > warnings are largely ignored. > > > > -- > > Thomas Roessler, W3C < tlr@w3.org <mailto:tlr@w3.org> > <mailto:tlr@w3.org <mailto:tlr@w3.org>>> > > > > > > -- > /* > Serge Egelman > > PhD Candidate > Vice President for External Affairs, Graduate Student Assembly > Carnegie Mellon University > > Legislative Concerns Chair > National Association of Graduate-Professional Students > */ > > -- /* Serge Egelman PhD Candidate Vice President for External Affairs, Graduate Student Assembly Carnegie Mellon University Legislative Concerns Chair National Association of Graduate-Professional Students */
Received on Friday, 12 October 2007 17:53:52 UTC