Re: clarifications needed re safe form editor cert matching algorithm

I think that where we disagree is on this point: You seem to be of the
opinion that if a warning is deficient (where we can define deficient later,
perhaps a majority of people ignore it / whatever), then it should be pulled
out. What I am saying is that a warning, even if deficient, can still help a
large number of users who do pay attention to warnings (even if they are a
minority of users), and that you are probably going to face a tough sell to
vendors in that you are asking them to potentially take on liability for
little benefit. I think this point has come up in other threads of
conversation as well.

On 10/12/07, Serge Egelman <egelman@cs.cmu.edu> wrote:
>
> But if you concede that existing warnings are failing, this isn't a new
> attack vector.  At worst it maintains the status quo, and at best it
> makes more serious SSL warnings more effective.
>
> serge
>
> Ian Fette wrote:
> > LOL... all I'm saying is this. For the case of www vs bare hostname, I
> > can see this being common enough to warrant investigation. For the other
> > cases, I see a lot of risk in terms of opening up new attack vectors,
> > changing defaults, breaking standards etc, but I'm not sure I really see
> > the benefit.
> >
> > On 10/12/07, *Serge Egelman* <egelman@cs.cmu.edu> wrote:
> >
> >     Are you trying to use the Nuremberg defense now?
> >
> >     Though I'm not convinced that this would be breaking the standard.  The
> >     standard specifies errors, but not how to display them.  In this
> >     instance we choose not to display anything.
> >
> >     serge
> >
> >     Ian Fette wrote:
> >     > I notice you didn't comment on the liability implications at the end of
> >     > my reply ;-) I don't see a huge upside to breaking standards; I do see a
> >     > huge potential downside. I would be willing to consider it if it helped
> >     > in the common case - which I think it might for the example of
> >     > https://example.com and https://www.example.com - i.e. maybe we special
> >     > case www. But beyond that, I don't know if it's common enough to provide
> >     > any real upside, and I am fairly certain that there's a huge risk in
> >     > breaking a spec like SSL...
> >     >
> >     > -Ian
> >     >
> >     > On 10/12/07, *Thomas Roessler* <tlr@w3.org> wrote:
> >     >
> >     >     On 2007-10-12 09:29:56 -0700, Ian Fette wrote:
> >     >
> >     >     >> Of the number of sites that yield warnings for this (where the
> >     >     >> certificate was granted for the domain, but the subdomain
> >     >     >> doesn't match), how many are malicious?  How many times is it
> >     >     >> benign when this warning appears?
> >     >
> >     >     > The point isn't how many of these such sites are currently
> >     >     > malicious.
> >     >
> >     >     Well, if you want to consider the habituation effect that occurs, a
> >     >     warning that mostly cries wolf is significantly worse than one
> >     >     that's mostly right.
> >     >
> >     >     In particular, if a warning mostly occurs under legitimate
> >     >     circumstances, the attack vector might not even be new.
> >     >
> >     >     The question is really whether the survey that Johnathan was citing
> >     >     (i.e., current warnings have an effect in something like 40% of all
> >     >     cases) is right, or whether the assumption is right that the current
> >     >     warnings are largely ignored.
> >     >
> >     >     --
> >     >     Thomas Roessler, W3C  <tlr@w3.org>
> >     >
> >     >
> >
> >     --
> >     /*
> >     Serge Egelman
> >
> >     PhD Candidate
> >     Vice President for External Affairs, Graduate Student Assembly
> >     Carnegie Mellon University
> >
> >     Legislative Concerns Chair
> >     National Association of Graduate-Professional Students
> >     */
> >
> >
>
> --
> /*
> Serge Egelman
>
> PhD Candidate
> Vice President for External Affairs, Graduate Student Assembly
> Carnegie Mellon University
>
> Legislative Concerns Chair
> National Association of Graduate-Professional Students
> */
>
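
The "www vs bare hostname" special case debated in the thread, as an added example (not code from the thread or from any browser): a strict hostname match in the RFC 6125 style, plus a classifier that separates the www-only mismatch from all other mismatches, so its frequency can be measured before deciding whether to suppress the warning. The function names and the `relax_www` policy flag are assumptions of this example.

```python
# Added example, not from the thread: classify a certificate/hostname mismatch
# so the www-vs-bare-hostname case can be measured separately from the rest.
# Names and the hypothetical `relax_www` policy flag are assumptions here.
from typing import Iterable


def _matches(pattern: str, host: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, wildcard only as the
    whole left-most label, and the wildcard matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] == "*" and len(p_labels) == len(h_labels) and len(p_labels) > 2:
        return p_labels[1:] == h_labels[1:]
    return False


def strict_match(cert_names: Iterable[str], host: str) -> bool:
    """True if any subjectAltName dNSName (or CN) in the cert covers host."""
    return any(_matches(n, host) for n in cert_names)


def www_variant(host: str) -> str:
    """The one alternative the thread proposes tolerating: drop or add 'www.'."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else "www." + host


def classify(cert_names: Iterable[str], host: str) -> str:
    """'match' (strict), 'www-variant' (only the www special case would
    rescue it) or 'mismatch' (other subdomains, look-alike suffixes, ...)."""
    names = list(cert_names)
    if strict_match(names, host):
        return "match"
    if strict_match(names, www_variant(host)):
        return "www-variant"
    return "mismatch"


def should_warn(cert_names: Iterable[str], host: str, relax_www: bool = False) -> bool:
    """Warning decision under the two policies debated above. Caveat: with
    relax_www, a wildcard *.example.com cert also silently covers bare
    example.com, which is wider than the thread's example.com/www example."""
    kind = classify(cert_names, host)
    return kind == "mismatch" or (kind == "www-variant" and not relax_www)
```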

Received on Friday, 12 October 2007 17:59:53 UTC