[HTTPS-Everywhere] what does HTTPS-Everywhere consider a "valid" X.509 certificate? [was: Re: Custom rules]

Daniel Kahn Gillmor dkg at fifthhorseman.net
Sat Oct 16 13:25:23 PDT 2010


On 10/16/2010 03:59 PM, Chris Palmer wrote:
> Unauthenticated encryption is worthless because it's too hard to explain to
> the people who need it.

Amen.  This is doubly true because the authentication is only the first
step of what's often a multi-stage process that is otherwise opaque to
the user.  In order to decide whether to take the next step of the
multi-stage process without having given the user the full guarantee, we
need to interrupt the user to go forward and ask them questions that
they also probably don't understand.

For example, faced with an unauthenticated certificate in an https
session, you can't just show a busted-lock icon in the browser, and then
go ahead and load the web page anyway on the theory that the user now
knows it's unauthenticated encryption and makes the decision from there
(even if we think the user understands the idea of unauthenticated
encryption).

If you did that, you'd also have to decide while making the http request
which cookies to send to the web server (possibly compromising the
user's session if this was in fact an impostor); which POST or GET data
is acceptable to send (all of which will influence what page is emitted
by the web server); and while rendering the page, you'd need to decide
whether to apply any of the other various same-origin policy decisions
in the browser relative to the other content and scripts in the page.
And so forth.

So not only are you asking the user to understand a concept that they
don't quite get -- you'd often need to ask them to make active, nuanced
decisions based on that concept in what are often intrusive or confusing
situations.

Resolving the authentication first avoids these problems entirely.

	--dkg
