[65703] in North American Network Operators' Group
Re: Does your Certifying Authority have a clue who you are? Do they care?
daemon@ATHENA.MIT.EDU (Bob Beck)
Fri Dec 5 11:56:41 2003
To: Joe Abley <jabley@isc.org>
Cc: Valdis.Kletnieks@vt.edu, Adi Linden <adil@adis.on.ca>,
nanog@nanog.org
In-reply-to: Your message of "Fri, 05 Dec 2003 11:26:22 EST."
<C397F131-273F-11D8-A817-00039312C852@isc.org>
Date: Fri, 05 Dec 2003 09:55:56 -0700
From: Bob Beck <beck@bofh.cns.ualberta.ca>
Errors-To: owner-nanog-outgoing@merit.edu
>There is an expectation that URLs which do not produce "this
>certificate is not trusted" messages are safe for people to use to
>disclose sensitive information like credit card numbers. The average
>consumer has been educated to this effect at great length by
>commerce-oriented websites and browser vendors.
Sorry, this is the night soil of a large and very well-fed
male ox. Anyone who believes that more than 20% of the users have been
educated to do this hasn't gone around spoofing their own HTTPS sites
on their wireless LANs and measuring how many passwords they get. And
I'm being *generous* with the 20% - I typically get a valid password on 9
out of 10 connections to a spoof site.
What lusers have been educated to do is "Oh look, an annoying
box has popped up. Click the button to make it go away so I can keep
going." I seriously doubt they differentiate it too much from pop-up
ads for porn sites or herbal Viagra.
-Bob
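The spoof-and-measure experiment Bob describes, as an added example that is not part of the original thread or anyone's posted code: a stand-in "look-alike" HTTPS login page served under a self-signed certificate (the situation that produces the "this certificate is not trusted" box), visited by two clients. The first verifies the server certificate against its trust store, which is what the browser does before it shows the warning, and never sends the credentials; the second skips verification, which is what clicking the box away amounts to, and delivers them to the spoof. The server, the form fields `user`/`pass`, and the function names `SpoofServer` and `Login` are constructed for this illustration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// SpoofServer stands in for the attacker's look-alike https login page on the
// wireless LAN. It serves under httptest's built-in self-signed certificate,
// which no client trust store contains, so a verifying client hits exactly the
// "certificate is not trusted" condition the thread is about.
// (Constructed for this example; not real infrastructure.)
func SpoofServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			io.WriteString(w, "<form method=post>login</form>")
			return
		}
		_ = r.ParseForm()
		// The spoof harvests whatever the victim posts; here it echoes the
		// credential back so the caller can see that it arrived.
		fmt.Fprintf(w, "harvested password %q for %s", r.FormValue("pass"), r.FormValue("user"))
	}))
}

// LoginResult records how a login attempt against the spoof ended.
type LoginResult struct {
	Delivered bool   // credentials reached the spoof server
	UnknownCA bool   // the client saw the untrusted-issuer error (the "annoying box")
	Body      string // what the spoof answered, if anything
}

// Login posts user/pass to target. With clickThrough=false the client verifies
// the server certificate against its trust store: the TLS handshake fails and
// nothing is sent. With clickThrough=true the client skips verification, which
// is what "click the button to make it go away" amounts to: the credentials
// go straight to the spoof.
func Login(target, user, pass string, clickThrough bool) LoginResult {
	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: clickThrough},
	}}
	resp, err := client.PostForm(target, url.Values{"user": {user}, "pass": {pass}})
	if err != nil {
		var unknown x509.UnknownAuthorityError
		// Go's own verifier reports x509.UnknownAuthorityError; the string
		// check covers platform verifiers that wrap the failure differently.
		return LoginResult{UnknownCA: errors.As(err, &unknown) ||
			strings.Contains(err.Error(), "unknown authority")}
	}
	defer resp.Body.Close()
	b, _ := io.ReadAll(resp.Body)
	return LoginResult{Delivered: true, Body: string(b)}
}

func main() {
	ts := SpoofServer()
	defer ts.Close()
	fmt.Printf("verifying client:     %+v\n", Login(ts.URL, "alice", "hunter2", false))
	fmt.Printf("click-through client: %+v\n", Login(ts.URL, "alice", "hunter2", true))
}
```

The point the two calls make is that the certificate check is the only thing standing between the user and the spoof: once the warning is dismissed there is no further signal, because the TLS session itself is perfectly valid, just with the wrong party on the other end.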