I've written a spec for Firefox's anti-phishing features, in the form of a document which explains to the user how they can stay safe from phishing using Firefox.
Staying Safe From Phishing With Firefox.
The idea is that the statement represents the minimum work we need to educate users to do to stay safe, and that Firefox's anti-phishing features should be designed in such a way as to always make that statement true. There's a discussion page which talks about this in more depth.
I'd be very interested in feedback of the following forms:
I posted some thoughts on SSL certificates on my site.
Posted by: Henri Sivonen at February 20, 2005 12:30 PM
Your advice does not protect the user in the following situation: the window is not maximized.
Also, I disagree with your stance that https sites are the only ones worth protecting, and that browsers should only protect users from spoofed https sites.
Posted by: Jesse Ruderman at February 20, 2005 11:39 PM
Jesse: you are going to need to elaborate a bit. Are you just talking about the ambiguity of "the bottom right corner"? It refers to the bottom right corner of the web page, but I can see how it might be confusing. Or is there something else?
How are we supposed to protect the user from spoofed sites when we can't be certain what site a user is actually on? DNS spoofing isn't that hard - at least, according to dveditz. Phishers aren't doing it now, but only because there are currently easier ways to catch people.
Posted by: Gerv at February 20, 2005 11:47 PM
Just wondering if it would add any benefit to include not only the site name next to the padlock, but also the organisation that the certificate is registered to?
Posted by: Ricky Moorhouse at February 21, 2005 12:39 PM
Henri: it's not directly relevant to IDN, but mozilla.org is currently developing a CA Certificate Policy which determines what root certs can and cannot go into Mozilla. Have a look and see if the Finnish Population Register Centre's cert might qualify. Even if it doesn't, you don't have to pay an American company for a cert - I'm sure many companies whose certs we include are not American.
Posted by: Gerv at February 21, 2005 11:08 PM
"you are going to need to elaborate a bit. Are you just talking about the ambiguity of 'the bottom right corner'? It refers to the bottom right corner of the web page, but I can see how it might be confusing. Or is there something else?"
Your advice doesn't protect users when the window is not maximized because the entire window could be bogus/spoofed using a larger browser window's content area.
"How are we supposed to protect the user from spoofed sites when we can't be certain what site a user is actually on? DNS spoofing isn't that hard - at least, according to dveditz. Phishers aren't doing it now, but only because there are currently easier ways to catch people."
I find it hard to believe that it's that easy to compromise DNS. If it were, the Internet would be plagued by problems worse than phishing.
Posted by: Jesse Ruderman at February 22, 2005 1:03 AM
"Your advice doesn't protect users when the window is not maximized because the entire window could be bogus/spoofed using a larger browser window's content area."
That requires a user to visit a malicious site, and for that site to know what other sites the user is currently visiting. (Assuming that if you get a "login to Paypal" popup while randomly surfing, you aren't silly enough to fill it in. I'm not sure we can do much to help people who are that silly.)
"I find it hard to believe that it's that easy to compromise DNS."
In some cases, it's pretty easy - Dan Veditz pointed me at airpwn.
Posted by: Gerv at February 22, 2005 1:58 PM
"Even if it doesn't, you don't have to pay an American company for a cert - I'm sure many companies whose certs we include are not American."
Being American in particular is not the key issue but, rather, that a government site (or any site for that matter) would have to buy a cert from a foreign private company in order to avoid suspicion. Also, the choice of CA gets rather limited if you take the intersection of the default CA sets of Mozilla Foundation, Apple, Microsoft, Opera Software and Sun (JDK!).
In general, it is questionable that the same company can provide the problem (unvetted IDNs) and charge for the solution (certs).
"In some cases, it's pretty easy - Dan Veditz pointed me at airpwn."
IMO, wireless networks should be secured on the link layer or on the IP layer instead of requiring each app to deal with the issue.
Posted by: Henri Sivonen at February 22, 2005 7:13 PM