beltzner | 1 Feb 07:13 2007

Re: Study questions EV certs effectiveness?

On 1/30/07, Ka-Ping Yee <mozilla <at> zesty.ca> wrote:
> That's interesting.  Where is the design discussion about the UI taking
> place?

There's been no real design discussion about how to surface EV
certificates in Firefox yet, really. But I'm pretty well established
on record as saying that the red/yellow/green treatment proposed by
IE, while an incremental improvement over what we have now, also
represents an oversimplification of a bunch of concepts into a set of
disingenuous "danger!", "caution!" and "safe!"  metaphors.

Here's a set of equations I like to repeat whenever I notice anyone's
listening - trust me, it's awkward at bus stops - and which are also
pretty tied to my disdain of the "green bar" UI:

   EV != safe
   EV = validated identity

   SSL/TLS != safe
   SSL/TLS = encrypted conduit

Being able to talk about validated identity is indeed quite
interesting, but advertising "get the green bar"[1], "go green"[2] or
telling users that they are safe when they see a green URL bar all
cause concern in my mind.

As for the future, I'm not sure that dev.security is the right place
for discussions of the UI. It's the right place for discussions of the
EV specification, for discussion of our plans to be able to detect,
parse and make EV metadata available, but the front end design of how

beltzner | 1 Feb 07:20 2007

Flowchart covering SSL checks, error states, dialogs

Is there a document anywhere that describes how a certificate is
parsed, analysed, which checks and confirmations are done in which
order, and when it's kicked out with errors, which of those errors are
user facing, etc?

Basically something like:
http://www.w3.org/2006/WSC/wiki/NoteKDECertificateValidationErrors

thanks,
mike

-- 
/ mike beltzner / phenomenologist / mozilla corporation /

jerome.kaluza | 1 Feb 09:59 2007

lock proxy configuration

Hello all,
I am looking for a way to forbid users to change the proxy server
in Firefox config options, but I don't know exactly how to do this: by
extensions, or should I have to modify the source code of Firefox
(1.5)?

Or is there a file to set protection on in the filesystem?

thank you

Gervase Markham | 1 Feb 12:09 2007

Re: Flowchart covering SSL checks, error states, dialogs

beltzner wrote:
> Is there a document anywhere that describes how a certificate is
> parsed, analysed, which checks and confirmations are done in which
> order, and when it's kicked out with errors, which of those errors are
> user facing, etc?

Not to my knowledge. Such a thing would be fantastic!

Gerv

Gervase Markham | 1 Feb 12:09 2007

Re: lock proxy configuration

jerome.kaluza <at> gmail.com wrote:
> Hello all,
> I am looking for a way to forbid users to change the proxy server
> in Firefox config options, but I don't know exactly how to do this: by
> extensions, or should I have to modify the source code of Firefox
> (1.5)?

You can do it using pref locking, assuming the users don't have 
permissions to change the prefs file. We can't substitute for lack of 
operating system security.

Pref locking is, I seem to remember, fairly undocumented. I've never 
used it. Google may well be your friend.

Gerv

Eddy Nigg (StartCom Ltd.) | 1 Feb 12:53 2007

Re: Study questions EV certs effectiveness?

Hi Mike,

beltzner wrote:
> Being able to talk about validated identity is indeed quite
> interesting, but advertising "get the green bar"[1], "go green"[2] or
> telling users that they are safe when they see a green URL bar all
> cause concern in my mind.

I'm glad to hear that! In a previous thread I made the suggestion and a 
proposal, instead of colored address bars, to provide the user with 
much-needed information in an easier way than today, mainly:

- Mouse over the padlock should display basic information found in the 
subject line.
- Click on the padlock should open the "Certificate Viewer".

Today the situation is, that in order to get a clue about important 
details of the issued certificate one has to:

Right Click on the page -> View Page Info -> Select Security Tab -> 
Click View....in order to receive this information. This is not 
efficient and most casual users can't / don't know how to get there and 
what to expect! As mentioned in the earlier thread I suggest to improve 
the UI in such a way to give the user an easy way to make a judgment 
about the site. Obviously most CA's bother to include valuable 
information in the subject line concerning the level and type of the 
verification of the identity.

BTW, when clicking in Thunderbird on the lock/signature I receive the 
Certificate Viewer....why in Firefox this isn't the same behavior, is 
mysterious ;-)

Jan Steffen | 1 Feb 13:31 2007

Re: lock proxy configuration

Gervase Markham schrieb:
> jerome.kaluza <at> gmail.com wrote:
>> Hello all,
>> I am looking for a way to forbid users to change the proxy server
>> in Firefox config options, but I don't know exactly how to do this: by
>> extensions, or should I have to modify the source code of Firefox
>> (1.5)?
> 
> You can do it using pref locking, assuming the users don't have
> permissions to change the prefs file. We can't substitute for lack of
> operating system security.
> 
> Pref locking is, I seem to remember, fairly undocumented. I've never
> used it. Google may well be your friend.
> 

These pages might help:
http://ilias.ca/blog/2005/03/locking-mozilla-firefox-settings/
http://www.alain.knaff.lu/howto/MozillaCustomization/

Cheers, Jan
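A check for the condition Gervase states (locking only holds if users cannot change the file), added here as an example and not taken from any post in this thread or from the linked pages. It assumes the lock file is a plain-text mozilla.cfg (general.config.obscure_value set to 0) on a POSIX filesystem; the proxy host and port and the parse_prefs(), audit() and demo() helpers are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Constructed lock file; the loader skips line 1. Host/port are placeholders.
SAMPLE_CFG = '''// first line is ignored
lockPref("network.proxy.type", 1);
lockPref("network.proxy.http", "proxy.example.internal");
lockPref("network.proxy.http_port", 3128);
pref("network.proxy.no_proxies_on", "localhost");
'''
REQUIRED = ("network.proxy.type", "network.proxy.http",
            "network.proxy.http_port", "network.proxy.no_proxies_on")
CALL = re.compile(
    r'^\s*(lockPref|defaultPref|pref)\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;', re.M)

def parse_prefs(text):
    """Map each pref name to (setter function, raw value)."""
    return {m.group(2): (m.group(1), m.group(3)) for m in CALL.finditer(text)}

def audit(path, required=REQUIRED):
    """Return findings that would let a user change the proxy settings."""
    findings = []
    with open(path, encoding="utf-8") as fh:
        prefs = parse_prefs(fh.read())
    for name in required:
        if name not in prefs:
            findings.append(f"{name}: not set in lock file")
        elif prefs[name][0] != "lockPref":
            findings.append(f"{name}: set with {prefs[name][0]}(), not locked")
    # A writable file, or a writable directory (file can be replaced),
    # defeats the lock regardless of its contents.
    for target in (path, os.path.dirname(os.path.abspath(path))):
        mode = stat.S_IMODE(os.stat(target).st_mode)
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{target}: group/other writable (mode {mode:o})")
    return findings

def demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "mozilla.cfg")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_CFG)
        os.chmod(path, 0o666)   # loose: any local user can edit the lock file
        loose = audit(path)
        os.chmod(path, 0o644)   # tight: only the owner can write
        return loose, audit(path)
```

The sample deliberately leaves network.proxy.no_proxies_on set with pref() rather than lockPref(), so the audit reports it even when the file permissions are tight.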
Boris Zbarsky | 1 Feb 16:59 2007

Re: Study questions EV certs effectiveness?

Eddy Nigg (StartCom Ltd.) wrote:
> - Mouse over the padlock should display basic information found in the 
> subject line.

Mousing over the padlock currently shows a tooltip that says "Authenticated by 
XXXX" where XXXX is the O field of the certificate issuer.  I agree that we 
could show better stuff here.  The question is what to show.

> - Click on the padlock should open the "Certificate Viewer".

In Seamonkey, clicking on the padlock opens the "security" tab in page info.  In 
Firefox, double-clicking on the padlock does the same.

> Today the situation is, that in order to get a clue about important 
> details of the issued certificate one has to:
> 
> Right Click on the page -> View Page Info -> Select Security Tab -> 
> Click View....

Actually, in Firefox, "Double-click on the lock, click View".  But yes, clearly 
not so discoverable (e.g. you didn't find it).

> most casual users can't / don't know how to get there and 
> what to expect!

They wouldn't know to click on the lock icon either, frankly...

-Boris

Eddy Nigg (StartCom Ltd.) | 1 Feb 17:29 2007

Re: Study questions EV certs effectiveness?

Hi Boris,

Boris Zbarsky wrote:
> Mousing over the padlock currently shows a tooltip that says 
> "Authenticated by XXXX" where XXXX is the O field of the certificate 
> issuer.  I agree that we could show better stuff here.  The question 
> is what to show.

Right! I think the "Authenticated by" is not the most important perhaps 
(And I'm saying it and run a CA ;-)). I like the approach Opera took for 
example, with showing to whom the certificate is issued in the address 
bar and a click on it brings a window with all important details about 
the holder and the issuer of the certificate. Certainly worth looking 
into a similar option for FF.

> In Seamonkey, clicking on the padlock opens the "security" tab in page 
> info.  In Firefox, double-clicking on the padlock does the same.

Yes, actually you are right! Perhaps I'm just used to previous FF 
versions? Don't know...

> Actually, in Firefox, "Double-click on the lock, click View".  But 
> yes, clearly not so discoverable (e.g. you didn't find it).

Also yes...I guess, that opening the Certificate Viewer instead would be 
a minor investment with the greatest effect. If the UI people can agree 
on this we could open a bug perhaps...

> They wouldn't know to click on the lock icon either, frankly... 

Maybe :-) So a prominent section in the address bar dedicated to the 
lock and additional information if the page is secured, would attract 
more attention than currently. I think the combination of both steps 
would bring an improvement to FF.

Ben Bucksch | 1 Feb 20:34 2007

EV guidelines

Followup-To m.d.security

Basics: SSL certificates are supposed to ensure the identity of the one 
you talk to. One reason is to make the crypto meaningful (a MITM attack 
is still possible with SSL, if the middleman uses his own cert and the 
client accepts it as real). The other reason is to connect online 
business to real world business - if you buy at a store, and give your 
credit card data, you want to know it's not going to Russia, but to a 
real company, and that you can sue them, if they don't deliver.
Note that SSL certificates say nothing about the trustworthiness or 
similar, just verify identity.

Problem: GeoTrust and a few other companies started selling cheap 
certificates which are issued automatically (no human involved) and only 
check whether the applicant has control over the domain (or email 
address) that the certificate is to be issued for. These are called 
"domain control verification" or DV certs. The "holder's name" field in 
the certificate does not get verified *at all* and is thus useless with 
these certs - it either equals the domain name or can be simply lying, 
despite being signed by the CA. Given that, these new cert types pose a 
significant problem to business on the web, and make phishers' lives easy 
(if phishers even bother with SSL or certs).

EV solution by the "CA/Browser Forum": A bunch of CAs came up with a 
proposal of a new cert standard. Mainly, it mandates the checks that the 
CA has to do to verify the certificate holder. They are intended to be 
sold to high-profile sites like eBay.com, and cost $1000/year upwards. 
So, one obvious reason for EV is that CAs want to charge more money from 
the customers that make a lot of money on the web. It does increase the 
level of vetting substantially, and it's definitely a huge improvement 