Bob Beck wrote:
Sit you your faviorite wireless network and MITM your faviorite ssl
web sites off it. If your user population is very intelligent, maybe
only 9 out of 10 will click the "Windows is annoying me with a box and
an OK button - I will click OK to keep going" popup and ignore the
certificate mismatch utterly. Otherwise the only hard part will be
finding a user that doesn't ignore the mismatch - it's so easy to
get passwords this way it isn't even sporting. It's like whacking baby
seals with a stick.
SSL/TLS applications are just the latest most fertile ground where
software designers have put in a crutches for lazy stupid people thereby
rendering something kinda ok into something mostly useless.
Well said. I don't see anyone complaining that MSIE allows you to
click-through the warning that the presented cert doesn't match the
hostname and carry on and get compromised. Same with signing executables.
Users don't know what it means - and they "just want it to work!".
Frankly, there is only so much technology can do. At some stage people
have to start taking responsibility for their choices (shall we measure
the IQ of people who open GIF-file based password protected zip files
and run the contents!?!?!? Sheesh)
Actually I'm glad you can click-through and ignore cert mismatches.
Without it I couldn't read many self-signed Web sites where they use
certs just to protect their data in transit. It would smack of monopoly
practices if only Verisign-signed sites/whatever worked within browsers.
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
