- From: Ian Fette <ifette@google.com>
- Date: Fri, 12 Oct 2007 10:59:39 -0700
- To: "Serge Egelman" <egelman@cs.cmu.edu>
- Cc: yngve@opera.com, "Johnathan Nightingale" <johnath@mozilla.com>, "W3C WSC Public" <public-wsc-wg@w3.org>
- Message-ID: <bbeaa26f0710121059q4a93d8d6kc42f48c672adc628@mail.gmail.com>
I think that where we disagree is on this point: You seem to be of the opinion that if a warning is deficient (where we can define deficient later, perhaps majority of people ignore it / whatever), then it should be pulled out. What I am saying is that a warning, even if deficient, can still help a large number of users who do pay attention to warnings (even if they are a minority of users), and that you are probably going to face a tough sell to vendors in that you are asking them to potentially take on liability for little benefit. I think this point has come up in other threads of conversation as well.

On 10/12/07, Serge Egelman <egelman@cs.cmu.edu> wrote:
>
> But if you concede that existing warnings are failing, this isn't a new
> attack vector. At worst it maintains the status quo, and at best it
> makes more serious SSL warnings more effective.
>
> serge
>
> Ian Fette wrote:
> > LOL... all I'm saying is this. For the case of www vs bare hostname, I
> > can see this being common enough to warrant investigation. For the other
> > cases, I see a lot of risk in terms of opening up new attack vectors,
> > changing defaults, breaking standards etc, but I'm not sure I really see
> > the benefit.
> >
> > On 10/12/07, *Serge Egelman* <egelman@cs.cmu.edu> wrote:
> >
> >     Are you trying to use the Nuremberg defense now?
> >
> >     Though I'm not convinced that this would be breaking the standard. The
> >     standard specifies errors, but not how to display them. In this
> >     instance we choose not to display anything.
> >
> >     serge
> >
> >     Ian Fette wrote:
> >     > I notice you didn't comment on the liability implications at the end of
> >     > my reply ;-) I don't see a huge upside to breaking standards, I do see a
> >     > huge potential downside. I would be willing to consider it if it helped
> >     > in the common case - which I think it might for the example of
> >     > https://example.com and https://www.example.com - i.e. maybe we special
> >     > case www. But beyond that, I don't know if it's common enough to provide
> >     > any real upside, and I am fairly certain that there's a huge risk in
> >     > breaking a spec like SSL...
> >     >
> >     > -Ian
> >     >
> >     > On 10/12/07, *Thomas Roessler* <tlr@w3.org> wrote:
> >     >
> >     >     On 2007-10-12 09:29:56 -0700, Ian Fette wrote:
> >     >
> >     >     >> Of the number of sites that yield warnings for this (where the
> >     >     >> certificate was granted for the domain, but the subdomain
> >     >     >> doesn't match), how many are malicious? How many times is it
> >     >     >> benign when this warning appears?
> >     >
> >     >     > The point isn't how many of these such sites are currently
> >     >     > malicious.
> >     >
> >     >     Well, if you want to consider the habituation effect that occurs, a
> >     >     warning that mostly cries wolf is significantly worse than one
> >     >     that's mostly right.
> >     >
> >     >     In particular, if a warning mostly occurs under legitimate
> >     >     circumstances, the attack vector might not even be new.
> >     >
> >     >     The question is really whether the survey that Johnathan was citing
> >     >     (i.e., current warnings have an effect in something like 40% of all
> >     >     cases) is right, or whether the assumption is right that the current
> >     >     warnings are largely ignored.
> >     >
> >     >     --
> >     >     Thomas Roessler, W3C <tlr@w3.org>
> >     >
> >     >
> >
> > --
> > /*
> > Serge Egelman
> >
> > PhD Candidate
> > Vice President for External Affairs, Graduate Student Assembly
> > Carnegie Mellon University
> >
> > Legislative Concerns Chair
> > National Association of Graduate-Professional Students
> > */
> >
> >
> --
> /*
> Serge Egelman
>
> PhD Candidate
> Vice President for External Affairs, Graduate Student Assembly
> Carnegie Mellon University
>
> Legislative Concerns Chair
> National Association of Graduate-Professional Students
> */
>
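The "www vs bare hostname" mismatch the thread keeps returning to, shown as an added example that is not code from the WSC discussion, from Google, Mozilla or Opera, or from any shipping browser: a Python matcher for certificate DNS names in the RFC 6125 style (exact labels, wildcard only as the whole leftmost label), plus a hypothetical `www_tolerant` flag that sketches the "maybe we special case www" idea Ian floats. The flag, the function names and the certificate names are assumptions made here for illustration; the sample certificate is constructed test data.

```python
import re

# One DNS label: letters, digits, hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"[a-z0-9]([a-z0-9-]*[a-z0-9])?")


def dns_name_matches(presented, reference):
    """Compare one DNS name from a certificate (a SAN dNSName, or the CN when
    the cert carries no SAN) against the hostname the user typed, the way
    RFC 6125-style checking does: case-insensitive, a wildcard only as the
    entire leftmost label, and a wildcard never spans a dot or stands in for
    a bare domain.  Hence 'example.com' does NOT cover 'www.example.com' and
    '*.example.com' does NOT cover 'example.com'."""
    p_labels = presented.lower().rstrip(".").split(".")
    r_labels = reference.lower().rstrip(".").split(".")
    if not all(_LABEL.fullmatch(lbl) for lbl in r_labels):
        return False                      # malformed reference hostname
    if len(p_labels) != len(r_labels):
        return False                      # a wildcard cannot absorb extra labels
    for i, (pl, rl) in enumerate(zip(p_labels, r_labels)):
        if i == 0 and pl == "*":
            # Reject '*.com'-style wildcards: require two fixed labels after it.
            if len(p_labels) < 3:
                return False
            continue
        if pl != rl:
            return False
    return True


def www_variants(hostname):
    """Hypothetical policy from the thread (an assumption for illustration,
    not behaviour any vendor is documented to ship): treat 'www.example.com'
    and 'example.com' as the same site.  Returns the typed name first, then
    the single www-added or www-stripped alternative and nothing else, so a
    name such as 'evil.example.com' gains no extra match."""
    h = hostname.lower().rstrip(".")
    labels = h.split(".")
    if labels[0] == "www" and len(labels) >= 3:
        return [h, ".".join(labels[1:])]
    if len(labels) >= 2:
        return [h, "www." + h]
    return [h]


def cert_matches_host(cert_names, hostname, www_tolerant=False):
    """Return the certificate name that matched the hostname, or None, which
    is the situation that today yields a name-mismatch warning."""
    candidates = www_variants(hostname) if www_tolerant else [hostname]
    for name in cert_names:
        for cand in candidates:
            if dns_name_matches(name, cand):
                return name
    return None


if __name__ == "__main__":
    # Constructed certificate: a single SAN for the bare domain, the exact
    # pattern the thread is arguing about.
    cert = ["example.com"]
    for host in ["example.com", "www.example.com", "evil.example.com"]:
        strict = cert_matches_host(cert, host)
        lenient = cert_matches_host(cert, host, www_tolerant=True)
        print(f"{host:20} strict={strict!s:12} www_tolerant={lenient}")
```

Run stand-alone it prints the three rows: the bare name matches under both policies, `www.example.com` matches only with the special case switched on, and `evil.example.com` matches under neither, which is the property any such special case would have to keep.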
Received on Friday, 12 October 2007 17:59:53 UTC