[65713] in North American Network Operators' Group
Re: Does your Certifying Authority have a clue who you are? Do they care?
daemon@ATHENA.MIT.EDU (Joe Abley)
Fri Dec 5 13:07:06 2003
In-Reply-To: <200312051655.hB5GtvWe002299@bofh.cns.ualberta.ca>
Cc: Valdis.Kletnieks@vt.edu, Adi Linden <adil@adis.on.ca>,
nanog@nanog.org
From: Joe Abley <jabley@isc.org>
Date: Fri, 5 Dec 2003 13:03:40 -0500
To: Bob Beck <beck@bofh.cns.ualberta.ca>
Errors-To: owner-nanog-outgoing@merit.edu

On 5 Dec 2003, at 11:55, Bob Beck wrote:
>
>> There is an expectation that URLs which do not produce "this
>> certificate is not trusted" messages are safe for people to use to
>> disclose sensitive information like credit card numbers. The average
>> consumer has been educated to this effect at great length by
>> commerce-oriented websites and browser vendors.
>
> Sorry, this is the night soil of a large and very well fed
> male ox. Anyone who believes that more than 20% of the users have been
> educated to do this hasn't gone around spoofing their own https sites
> on their wireless LANs and measuring how many passwords they get.

20% of users is more than enough to create a helpdesk nightmare for a
web hosting company, and represents sufficient potential lost revenue
to make any merchant give money to a CA.