Re: clarifications needed re safe form editor cert matching algorithm

But if you concede that existing warnings are failing, this isn't a new
attack vector.  At worst it maintains the status quo, and at best it
makes more serious SSL warnings more effective.

serge

Ian Fette wrote:
> LOL... all I'm saying is this. For the case of www vs bare hostname, I
> can see this being common enough to warrant investigation. For the other
> cases, I see a lot of risk in terms of opening up new attack vectors,
> changing defaults, breaking standards etc, but I'm not sure I really see
> the benefit.
> 
> On 10/12/07, *Serge Egelman* <egelman@cs.cmu.edu
> <mailto:egelman@cs.cmu.edu>> wrote:
> 
>     Are you trying to use the Nuremberg defense now?
> 
>     Though I'm not convinced that this would be breaking the standard.  The
>     standard specifies errors, but not how to display them.  In this
>     instance we choose not to display anything.
> 
>     serge
> 
>     Ian Fette wrote:
>     > I notice you didn't comment on the liability implications at the
>     end of
>     > my reply ;-) I don't see a huge upside to breaking standards, I do
>     see a
>     > huge potential downside. I would be willing to consider it if it
>     helped
>     > in the common case - which I think it might for the example of
>     > https://example.com and https://www.example.com - i.e. maybe we
>     special
>     > case www. But beyond that, I don't know if it's common enough to
>     provide
>     > any real upside, and I am fairly certain that there's a huge risk in
>     > breaking a spec like SSL...
>     >
>     > -Ian
>     >
>     > On 10/12/07, *Thomas Roessler* <tlr@w3.org <mailto:tlr@w3.org>
>     <mailto:tlr@w3.org <mailto:tlr@w3.org>>> wrote:
>     >
>     >     On 2007-10-12 09:29:56 -0700, Ian Fette wrote:
>     >
>     >     >> Of the number of sites that yield warnings for this (where the
>     >     >> certificate was granted for the domain, but the subdomain
>     >     >> doesn't match), how many are malicious?  How many times is it
>     >     >> benign when this warning appears?
>     >
>     >     > The point isn't how many of these such sites are currently
>     >     > malicious.
>     >
>     >     Well, if you want to consider the habituation effect that
>     occurs, a
>     >     warning that mostly cries wolf is significantly worse than one
>     >     that's mostly right.
>     >
>     >     In particular, if a warning mostly occurs under legitimate
>     >     circumstances, the attack vector might not even be new.
>     >
>     >     The question is really whether the survey that Johnathan was
>     citing
>     >     (i.e., current warnings have an effect in something like 40%
>     of all
>     >     cases) is right, or whether the assumption is right that the
>     current
>     >     warnings are largely ignored.
>     >
>     >     --
>     >     Thomas Roessler, W3C  < tlr@w3.org <mailto:tlr@w3.org>
>     <mailto:tlr@w3.org <mailto:tlr@w3.org>>>
>     >
>     >
> 
>     --
>     /*
>     Serge Egelman
> 
>     PhD Candidate
>     Vice President for External Affairs, Graduate Student Assembly
>     Carnegie Mellon University
> 
>     Legislative Concerns Chair
>     National Association of Graduate-Professional Students
>     */
> 
> 

-- 
/*
Serge Egelman

PhD Candidate
Vice President for External Affairs, Graduate Student Assembly
Carnegie Mellon University

Legislative Concerns Chair
National Association of Graduate-Professional Students
*/

Received on Friday, 12 October 2007 17:53:52 UTC