[olug] Web Site Certificates - OT

Dan Anderson dan-anderson at cox.net
Fri Aug 8 22:02:47 UTC 2008


I think the slashdot comments covered this topic pretty well, but...

-If you are encrypting communication with an unknown end point then
you are not really "secure".  I need to be who I say I am - you need
to be who you say you are and no one else should be able to listen in
- absent these 3 things being established - we're probably better off
not imagining that our communication is secure.
-The number of people who fall for phishing attacks is big enough - we
need more warnings and more explicit warnings, not less
-The "audience" for these warnings is diverse and on security matters
we should err on the side of caution
-The Mozilla method is pretty sound - i.e. you have to take several
steps to do something that might harm you
-The cost factor is not a high barrier to entry (GoDaddy starts at $14.99/year)
-I don't buy his neutrality argument - everyone who wants to do SSL
with a CA signed cert pays a fee for the CA to sign their cert
-Verification is not low value "busy work" - it is the basis for the trust
-The guy's proposed "solution" doesn't solve anything - at best it
delays the "real" warning until the cert changes (upon expiration or
until it is spoofed - how are you to know why the cert changed? For
that matter, how do you know the first cert you get is valid?) giving
users a false sense of security and again training them to ignore
these warnings

Dan

On Mon, Aug 4, 2008 at 8:15 PM, Will Langford <unfies at gmail.com> wrote:
> I still need to get a proper reply to Dan's emails, but this seemed amusing
> as mentioned on /.:
>
> http://www.cs.uml.edu/~ntuck/mozilla/
> _______________________________________________
> OLUG mailing list
> OLUG at olug.org
> https://lists.olug.org/mailman/listinfo/olug
>

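The distinction drawn in the message above (a client that only pins the first certificate it sees cannot tell a routine renewal from a spoofed certificate, and has no basis for trusting the first one either, whereas a client that checks the signature chain can answer both questions) can be demonstrated with the openssl command line. The script below is an added example and is not part of the original post or of the proposal it discusses; the root CA name "Toy Root CA", the host name example.test and the file names are made up for the demonstration, and a real TLS client would additionally check the host name and validity dates, which this script leaves out to isolate the trust-anchor question.

```shell
#!/bin/sh
# Added example (not from the original thread): compare what a trust-on-first-use
# (TOFU) client and a CA-verifying client can each conclude when a server's
# certificate changes. Requires the openssl command line tool.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

gen_pki() {
  # Toy root CA (assumed name; any name would do).
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -days 365 -subj "/CN=Toy Root CA" 2>/dev/null
  # One server key, two CA-signed certs: the original and a later renewal.
  openssl genrsa -out server.key 2048 2>/dev/null
  openssl req -new -key server.key -out server.csr -subj "/CN=example.test" 2>/dev/null
  openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -out server1.pem -days 30 2>/dev/null
  openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -out server2.pem -days 30 2>/dev/null
  # An impostor's self-signed cert carrying the same name (constructed attacker input).
  openssl req -x509 -newkey rsa:2048 -nodes -keyout mitm.key -out mitm.pem \
    -days 30 -subj "/CN=example.test" 2>/dev/null
}

# SHA-256 fingerprint of a certificate: the only thing a TOFU client remembers.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# TOFU decision: $1 = pinned fingerprint, $2 = certificate presented now.
# Prints "ok" when unchanged, "changed" otherwise; it cannot say why it changed.
tofu_check() {
  if [ "$(fingerprint "$2")" = "$1" ]; then echo ok; else echo changed; fi
}

# CA decision: $1 = certificate presented now. Prints "ok" when it chains to
# the toy root, "untrusted" otherwise; this does not depend on any earlier visit.
ca_check() {
  if openssl verify -CAfile ca.pem "$1" >/dev/null 2>&1; then echo ok; else echo untrusted; fi
}

main() {
  gen_pki
  pinned=$(fingerprint server1.pem)
  echo "pinned first cert:     $pinned"
  echo "renewed cert, TOFU:    $(tofu_check "$pinned" server2.pem)"   # changed
  echo "impostor cert, TOFU:   $(tofu_check "$pinned" mitm.pem)"      # changed (same signal)
  echo "renewed cert, CA:      $(ca_check server2.pem)"               # ok
  echo "impostor cert, CA:     $(ca_check mitm.pem)"                  # untrusted
  # If the impostor was the first certificate seen, TOFU pins it and never warns again.
  echo "impostor first, TOFU:  $(tofu_check "$(fingerprint mitm.pem)" mitm.pem)"  # ok
}
main
```

The two "changed" lines are the point: the fingerprint comparison gives exactly the same answer for a legitimate renewal and for an impostor, so the warning it eventually raises carries no information about which one occurred, while the chain check separates the two cases and also rejects the impostor on a first visit.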