[tahoe-dev] SSL samurai attack migration ninjas, film at 11

Shawn Willden shawn at willden.org
Fri Oct 28 19:47:49 UTC 2011

Yes, yes, but that doesn't explain why browsers treat encrypted but
unauthenticated connections as *less* secure that connections that are
unencrypted *and* unauthenticated.

If you were asked to rank the security of the following:

Encrypted and authenticated
Encrypted and unauthenticated
Unencrypted and unauthenticated

How would you order them?  How do browsers order them?

On Fri, Oct 28, 2011 at 1:19 PM, Randall Mason <clashthebunny at gmail.com>wrote:

> So the key to this discussion is that https provides two things.  First is
> encryption.  That my data is only seen by me and the server I'm talking to.
> This is the part that you two are talking about.  The second thing that it
> does is provide identity.  That I not only know that only the person I'm
> talking to is the server, but also who owns and controls the server.  This
> is the part that browsers are warning you about.  I don't care as much about
> encrypting my credit card as who can decrypt that information.  With self
> signed certs, you need some sort of web of trust.
> On Oct 28, 2011 9:40 PM, "Shawn Willden" <shawn at willden.org> wrote:
>> On Fri, Oct 28, 2011 at 12:21 PM, Kevin Reid <kpreid at switchb.org> wrote:
>>> I don't know what the browser vendors are thinking, but I can make some
>>> stuff up.
>> That's always my approach when I don't know the answer :-)
>>> Argument #1:
>>>  Premise 1: "https:" means it's secure, to the user.
>>>  Premise 2: HTTPS security rests on the CAs providing certificates
>>>             for DNS names.
>>>  Conclusion: If a certificate is not signed-by-a-CA-etc. then the user
>>>              thinks they are secure but aren't; therefore warn them.
>>> Not showing indicators of security to the user solves this problem, but
>>> if you hide "https:" then you're not accurately displaying the URL...
>> I don't think "accurately displaying the URL" is important.  In the last
>> few years browsers have started altering displayed URLs in all sorts of
>> ways, including dropping the protocol prefix entirely in many cases.  I just
>> checked and neither Firefox nor Google Chrome display http://.  Further,
>> while Chrome does display https:// on SSL-enabled sites (and highlight it
>> in green), FF doesn't display https:// either.
>> Displaying the URL accurately isn't relevant to 95% (99%?) of users of the
>> web.  The remainder can always figure out what they need to.
>>> Argument #2:
>>>  If the author of a *link* wrote "https:" then they expect that link
>>>  to securely designate the intended target; if there is a certificate
>>>  problem then the link is not succeeding at that job and proceeding
>>>  despite that would be a vulnerability.
>> Among all the ways a misconfigured web server could cause problems, I
>> think this is pretty low on the list.
>> --
>> Shawn
>> _______________________________________________
>> tahoe-dev mailing list
>> tahoe-dev at tahoe-lafs.org
>> http://tahoe-lafs.org/cgi-bin/mailman/listinfo/tahoe-dev
> _______________________________________________
> tahoe-dev mailing list
> tahoe-dev at tahoe-lafs.org
> http://tahoe-lafs.org/cgi-bin/mailman/listinfo/tahoe-dev

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://tahoe-lafs.org/pipermail/tahoe-dev/attachments/20111028/8a994294/attachment.html>

More information about the tahoe-dev mailing list