[1196] in WWW Security List Archive
Re: Netscape's little key icon
daemon@ATHENA.MIT.EDU (Brian W. Spolarich)
Sun Nov 26 21:43:21 1995
Date: Sun, 26 Nov 1995 18:38:57 -0500 (EST)
From: "Brian W. Spolarich" <briansp@umich.edu>
To: "Seth I. Rich" <seth@hygnet.com>
cc: www-security@ns2.rutgers.edu
In-Reply-To: <199511262046.PAA15622@arkady.hygnet.com>
Errors-To: owner-www-security@ns2.rutgers.edu

On Sun, 26 Nov 1995, Seth I. Rich wrote:
> Hm. So judging from what I've been sent and what I've skimmed, the
> iconic representation of `You are talking to somewhere you can trust' is
> determined not by the site to which a potentially insecure transaction
> will be sent, but by the URL from which the form was sent.
>
> ... Hm. Is it a logical deduction that if I've received a page from site
> X, that the next server I'll access will also be X? Isn't that the
> implication of this icon?

Not at all. For example, forms received from "http://www.yahoo.com/"
are submitted to "http://search.yahoo.com/". And MANY WWW documents are
listings of information at other sites. If I use a secure transaction
mechanism to submit a search to Yahoo, I would assume that most of the
links returned were not Yahoo.

Status icons such as Netscape's security icon can only tell you about
the current document. As for embedded forms, you could show an icon
saying that "the ACTION of the current form is of type 'https'" but I
don't know how useful that would be, and might be considered misleading
if, for example, the session key negotiation were to fail when you
submitted the form (due to impersonation on the other end???).

I can see why one might infer what you're getting at, but I think that
there are too many problems trying to determine what you want to be
determined. Embedded links can go anywhere, and the browser can't make
very many assumptions about what's on the other side of a URL until it
actually attempts to resolve and open it.

-brian
=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=-=+=
Brian W. Spolarich briansp@umich.edu
Gale Research (800) 877-GALE x1021
Internet Publishing Specialist http://galenet.gale.com/
=-==+=-=+=-Lying and Deception are the best forms of encryption.-=+=-=+=-=-
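
Added example, not part of the original message: a small audit that resolves each form's ACTION against the page URL and reports when the scheme or host of the submission target differs from the document the status icon describes. The function names, the sample page and the example.com hosts are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class FormActionCollector(HTMLParser):
    """Collect the resolved ACTION target of every <form> on a page."""

    def __init__(self, page_url):
        super().__init__()
        self.base_url = page_url   # relative ACTIONs resolve against this
        self.base_seen = False     # only the first <base href> counts
        self.actions = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href") and not self.base_seen:
            self.base_url = urljoin(self.base_url, attrs["href"])
            self.base_seen = True
        elif tag == "form":
            # A missing or empty ACTION resolves to the base URL unchanged.
            self.actions.append(urljoin(self.base_url, attrs.get("action") or ""))

def audit_forms(page_url, html):
    """Compare the document's scheme/host with where each form submits."""
    page = urlsplit(page_url)
    collector = FormActionCollector(page_url)
    collector.feed(html)
    findings = []
    for target in collector.actions:
        dest = urlsplit(target)
        findings.append({
            "target": target,
            "same_host": dest.hostname == page.hostname,
            # Document is https, but the submission leaves in cleartext.
            "downgrade": page.scheme == "https" and dest.scheme != "https",
            # Document is plain http although the submission itself is https.
            "upgrade": page.scheme != "https" and dest.scheme == "https",
        })
    return findings

# Constructed sample page; hosts are placeholders.
SAMPLE_URL = "https://www.example.com/search.html"
SAMPLE_HTML = """
<form action="http://search.example.com/find"><input name="q"></form>
<form action="/local"><input name="q"></form>
<form><input name="q"></form>
"""

if __name__ == "__main__":
    for finding in audit_forms(SAMPLE_URL, SAMPLE_HTML):
        print(finding)
```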