nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Does your Certifying Authority have a clue who you are? Do they care?

From: Bob Beck <beck () bofh cns ualberta ca>
Date: Fri, 05 Dec 2003 09:55:56 -0700



There is an expectation that URLs which do not produce "this 
certificate is not trusted" messages are safe for people to use to 
disclose sensitive information like credit card numbers. The average 
consumer has been educated to this effect at great length by 
commerce-oriented websites and browser vendors.


        Sorry, this is the night soil of a large and very well fed
male ox. Anyone who believes that more than 20% of the users have been
educated to do this hasn't gone around spoofing their own https sites
on their wireless lans and measuring how many passwords they get. and
I'm being *generous* with the 20% - I typically get a valid password 9
out of 10 connections to a spoof site.
             
         What lusers have been educated to do is "Oh look, an annoying
box has popped up. click the button to make it go away so I can keep
going." I seriously doubt they differentiate it too much from popup
ads for porn sites or herbal viagra.

           -Bob
Previous By Date Next
Previous By Thread Next

Current thread: