ietf
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Usability RE: Write an RFC Was: experiments in the ietf week

2008-03-25 05:45:27
from [Hallam-Baker, Phillip] [Permanent Link] 
What I am trying to get at here is the problem of usability. Security is no use 
to me to stop Internet crime if everyone either turns it off or is unable to 
use it. The layered model is a big problem here because the lower layers 
abstract away the user. There is no user interface, there are no user oriented 
use cases and as a result the protocols fail to deliver the necessary 
information to the upper layers to allow the user to make sure that they are 
safe.


"3. Do Not Verify Server Cert and we won't verify yours :)"

OK, it is a good idea to turn on confidentiality and integrity. But this is not 
something that is really going to help solve the evil twin WiFi attack out in 
the general population. Its a pretty insidious attack as the effects are 
localized and we can't measure the frequency. 

If we are going to do experiments then we should be providing feedback to the 
relevant parties. Pointing out to the IEEE that WiFi security fails basic 
principles of security usability - the user does not have sufficient 
information to distinguish the intended connection from the twin - would be a 
useful purpose.


Of course, going round pointing out this sort of thing to others would make it 
incumbent on us to fix the same problems in our protocols.



-----Original Message-----
From: Patrik Fältström [mailto:patrik(_at_)frobbit(_dot_)se]
Sent: Mon 24/03/2008 10:30 PM
To: Hallam-Baker, Phillip
Cc: Russ Housley; IETF Discussion
Subject: Re: Write an RFC Was: experiments in the ietf week
 

On 25 mar 2008, at 02.18, Hallam-Baker, Phillip wrote:


I am willing to have a go at it next time round but only if I have  
some idea what I am expected to have on my machine and what  
authentication indicata I am to expect.

As it stands there is no way for me to evaluate an authentic or  
inauthentic experience. I don't know what authentic looks like. I  
have no trust anchor.


This email message sent to me was enough of a trust anchor to use  
802.1x. Specifically as "the instructions" are the same as IETF-70 and  
previous meetings.

http://www.ietf.org/mail-archive/web/71attendees/current/msg00154.html

Sure, the mail was not signed, but I also asked a friend at the  
meeting "what he used". And as we both had the same instructions, we  
trusted that. If we wanted to, we could have asked someone actually  
running the network, but we did not feel we had to.

    Patrik



_______________________________________________
IETF mailing list
IETF(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: IETF Last Call on Walled Garden Standard for the Internet, Yoshihiro Ohba
Next by Date:  Re: Write an RFC Was: experiments in the ietf week, Andrew G. Malis
Previous by Thread:  Re: Write an RFC Was: experiments in the ietf week, Patrik Fältström
Next by Thread:  Re: Write an RFC Was: experiments in the ietf week, Andrew G. Malis
Indexes:  [Date] [Thread] [Top] [All Lists]