- From: Eric J. Bowman <eric@bisonsystems.net>
- Date: Mon, 19 Jan 2015 16:26:53 -0700
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: Paul Libbrecht <paul@hoplahup.net>, "Henry S. Thompson" <ht@inf.ed.ac.uk>, Mark Nottingham <mnot@mnot.net>, Henri Sivonen <hsivonen@hsivonen.fi>, Chris Palmer <palmer@google.com>, Noah Mendelsohn <nrm@arcanedomain.com>, "Michael[tm] Smith" <mike@w3.org>, Tim Berners-Lee <timbl@w3.org>, Public TAG List <www-tag@w3.org>

Anne van Kesteren wrote:
>
> How do you distinguish that happening from a man-in-the-middle attack
>

I don't know how to distinguish that, regardless. Just yesterday I tried to pay for a subscription priced in euros, from America. I wanted to pay via Google Wallet, but hit the wrong button for the other payment system. I backed out and tried the Google Wallet link, then started getting certificate errors for non-matching domains, i.e. the domain of the other payment system, which I'd never heard of (and 99% of users wouldn't even click through to investigate from the cert error) and has a .se domain.

What I did, was re-start my browser and try again, no problems (have I mentioned the back button is broken now). The foreign payment system appears legit, googled nothing sketchy. This was a mis-configuration by the third-party payment provider offering the two payment options, but looked no different from a MitM to me.

What would most users have done? Other Americans would mostly go somewhere that charges dollars, but the rest? Probably click "accept" on the certificate problem and complete the transaction, not restart the browser like I did. Because they're conditioned to click "accept" when they see certificate errors, since most are benign. Or move on. Certainly not suspect a server misconfiguration and restart the browser.

Security and privacy are all fine and good, the problem (IMO) remains devising a solution vs. using the anointing oil on one which does nothing but confuse end-users to the detriment of any business depending on browsers for sales, vs. those depending on how browsers work for other reasons.

>
> How do you distinguish that happening from a man-in-the-middle attack
>

More important than how anyone on this list distinguishes, is how do our parents/grandparents, especially if we can't? If what I encountered yesterday had been a real MitM, CA/TLS/HTTPS aside, I can't help but think most folks would've opted right into it.

The current state of affairs may indemnify browser vendors (hey, we provided a warning and a cancel button), but it doesn't do squat for others. Which is just another problem of deferring to browser vendors on all technology decisions. Their risk-management equations differ greatly from those of other stakeholders, where those other stakeholders have nowhere near the ability to assume the risks deferred to them by WHATWG decisions, as WHATWG's own members.

-Eric

Received on Monday, 19 January 2015 23:27:47 UTC