ietf-asrg

Re: [Asrg] Re: 3b. SMTP Verification - Reputation Systems and their Problems (Modified by Anne P. Mitchell, Esq.)

2004-03-05 19:28:21
On Fri, Mar 05, 2004 at 06:00:22PM -0800, Hallam-Baker, Phillip wrote:
> The security controls in this case are a set of Web crawlers that
> continuously scan the net for violations of the use policy. There
> are a couple of other features built in that help detect abuse.

If I take the "image seal" I steal from the Thawte homepage myself and
put it up on www.eaxmple.com, how will a web crawler detect the abuse?
And even if there is the "accept dialog" people will see the image
and happily believe they are on www.example.com and click the dialog
away as "just another crazy popup I don't know what it means".

> Sure it is a system that is based on enforcement rather than
> cryptography. But even so systems of that kind can work. Until
> cryptography came along they were all we had.

Agreed. But we HAVE cryptography and each browser has the "security"
button I can click on and see the certificate. IMHO the correct way
would be to have a big "watch out" sign on each https homepage and
encourage the user to check the cert for validity. Instead the user
is discouraged from inspecting the "real thing" and encouraged to believe
in an eye-catcher as a sign of trust.

Security people always tell us and have the experience that the biggest
issue in security is to have responsible users. But now IMHO the security
industry tries to train the user to believe in an image more than looking
at the cert, and this is IMHO highly contradictory (and wrong).

        \Maex

-- 
SpaceNet AG            | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development |       D-80807 Muenchen    | Fax: +49 (89) 32356-299
"The security, stability and reliability of a computer system is reciprocally
 proportional to the amount of vacuity between the ears of the admin"

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
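The message above argues that the certificate, not a copied seal image, is what tells a user which site they are on. As an added illustration (not part of the original post or of any product mentioned in it), the following Python code shows the hostname check a browser performs against a server certificate: subjectAltName entries take precedence, the CN is only a legacy fallback, and a wildcard may only stand for one leftmost label. The certificate dictionary is constructed here in the shape `ssl.SSLSocket.getpeercert()` returns; it is not a real certificate. Run against the lookalike `www.eaxmple.com` from the message, a certificate issued to `www.example.com` does not match, which is exactly the distinction a seal image cannot make.

```python
import ssl
import socket

# Constructed sample in the shape that ssl.SSLSocket.getpeercert() returns for a
# server certificate issued to www.example.com (NOT a real certificate).
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example CA (constructed)"),),),
    "subjectAltName": (
        ("DNS", "www.example.com"),
        ("DNS", "example.com"),
        ("DNS", "*.shop.example.com"),
    ),
    "notAfter": "Dec 31 23:59:59 2030 GMT",
}


def _dns_label_match(pattern: str, hostname: str) -> bool:
    """RFC 6125 style matching: case-insensitive; a single '*' is allowed only as
    the whole leftmost label and never matches more than one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject "*" and "*.com": a wildcard must leave at least two fixed labels.
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:] and h_labels[0] != ""


def cert_names(cert: dict) -> list:
    """DNS names a certificate claims. SAN entries win; the CN is consulted only
    for legacy certificates that carry no subjectAltName extension."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [
        value
        for rdn in cert.get("subject", ())
        for key, value in rdn
        if key == "commonName"
    ]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if the certificate is valid for the given hostname."""
    return any(_dns_label_match(name, hostname) for name in cert_names(cert))


def fetch_peercert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live variant: the default context verifies the chain and the hostname,
    so a lookalike domain presenting another site's certificate is refused
    before any page (or seal image) is ever rendered. Needs network access."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for candidate in (
        "www.example.com",
        "example.com",
        "www.eaxmple.com",
        "a.shop.example.com",
        "a.b.shop.example.com",
    ):
        print(f"{candidate:24} -> {hostname_matches(SAMPLE_PEERCERT, candidate)}")
```

The offline part runs as-is and prints True for the names the constructed certificate covers and False for `www.eaxmple.com` and for the two-level wildcard case; `fetch_peercert` is included only to show where the same check happens in a real connection.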


