Re: [TLS] Eleven out of every ten SSL certs aren't valid

aerowolf@gmail.com Wed, 30 June 2010 21:14 UTC

DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=from:to:cc:date:message-id:subject:mime-version:content-type; b=DC1iWfMxipONAFl/EYZBQjMVQPsCb9aAODM+GTEtLaOgAVWZx2ILR67/8w0yTQHIw4 X0wSxTXWhKC4cmjUcISGzT9tB8XRZI4olvh88hiQk5jWnnU/P6zrEhGrLO0iezGxwue3 fjwpdG/mhg7mnbvkZ6a6qeLK1lJIOg+Q74/nY=
From: aerowolf@gmail.com
To: Marsh Ray <marsh@extendedsubset.com>
Date: Wed, 30 Jun 2010 14:14:10 -0700
Message-ID: <gb2nzhrxuhxkbh92unJYNxe982v3j_gmsm@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="gmsm0.4.7eqgb2nzpf0n5957kyztf2"
Cc: tls@ietf.org
Subject: Re: [TLS] Eleven out of every ten SSL certs aren't valid
Precedence: list

On Tue, Jun 29, 2010 at 12:13 PM, Marsh Ray <marsh@extendedsubset.com> wrote:
> First of all, count me as one who thinks Ivan's work is really cool.
>
> On 06/29/2010 01:29 PM, Ivan Ristic wrote:
>>
>> The problem with that view is that, while the users are experiencing
>> all those sites with invalid certificates they are getting used to the
>> idea that nothing bad comes from browser warnings.
>
> But we don't know that, do we?

Yes, actually we do.  There are several specific cases that exist in Mozilla's bug database, including one from a woman who was continuously MITM'd for every site she went to from a particular publicly-accessible wireless access point.  She clicked through all the warnings, thinking that they were problems with Firefox, when Firefox was indeed providing her with valid and appropriate warnings.

-Kyle H

Attachment: smime.p7s

Re: [TLS] Eleven out of every ten SSL certs aren'… aerowolf
[TLS] Eleven out of every ten SSL certs aren't va… Peter Gutmann
Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
Re: [TLS] Eleven out of every ten SSL certs aren'… Martin Rex
Re: [TLS] Eleven out of every ten SSL certs aren'… Adam Langley
Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
Re: [TLS] Eleven out of every ten SSL certs aren'… Tim Dierks
Re: [TLS] Eleven out of every ten SSL certs aren'… Martin Rex
Re: [TLS] Eleven out of every ten SSL certs aren'… Blumenthal, Uri - 0668 - MITLL
Re: [TLS] Eleven out of every ten SSL certs aren'… Rob P Williams
Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
Re: [TLS] Eleven out of every ten SSL certs aren'… Joshua Davies
Re: [TLS] Eleven out of every ten SSL certs aren'… Yoav Nir
Re: [TLS] Eleven out of every ten SSL certs aren'… aerowolf
Re: [TLS] Eleven out of every ten SSL certs aren'… Rob P Williams
Re: [TLS] Eleven out of every ten SSL certs aren'… Nikos Mavrogiannopoulos
Re: [TLS] Eleven out of every ten SSL certs aren'… Bill Daskaluk
Re: [TLS] Eleven out of every ten SSL certs aren'… Tim Dierks
Re: [TLS] Eleven out of every ten SSL certs aren'… Nicolas Williams
Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
Re: [TLS] Eleven out of every ten SSL certs aren'… Marsh Ray
Re: [TLS] Eleven out of every ten SSL certs aren'… Nicolas Williams
Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
Re: [TLS] Eleven out of every ten SSL certs aren'… Nicolas Williams
Re: [TLS] Eleven out of every ten SSL certs aren'… Nicolas Williams
Re: [TLS] Eleven out of every ten SSL certs aren'… Tim Dierks
Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
Re: [TLS] Eleven out of every ten SSL certs aren'… Tim Dierks
Re: [TLS] Eleven out of every ten SSL certs aren'… Nicolas Williams
Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
Re: [TLS] Eleven out of every ten SSL certs aren'… Marsh Ray
Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
Re: [TLS] Eleven out of every ten SSL certs aren'… Marsh Ray
Re: [TLS] Eleven out of every ten SSL certs aren'… aerowolf
Re: [TLS] Eleven out of every ten SSL certs aren'… Jeffrey A. Williams
Re: [TLS] Eleven out of every ten SSL certs aren'… Bruno Harbulot
Re: [TLS] Eleven out of every ten SSL certs aren'… Bill Frantz
Re: [TLS] Eleven out of every ten SSL certs aren'… Nicolas Williams
Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
Re: [TLS] Eleven out of every ten SSL certs aren'… Bruno Harbulot
Re: [TLS] Eleven out of every ten SSL certs aren'… Peter Gutmann
Re: [TLS] Eleven out of every ten SSL certs aren'… Peter Gutmann
Re: [TLS] Eleven out of every ten SSL certs aren'… Marsh Ray
Re: [TLS] Eleven out of every ten SSL certs aren'… Ivan Ristic
Re: [TLS] Eleven out of every ten SSL certs aren'… Florian Weimer
Re: [TLS] Eleven out of every ten SSL certs aren'… Peter Gutmann
Re: [TLS] Eleven out of every ten SSL certs aren'… Bruno Harbulot
Re: [TLS] Eleven out of every ten SSL certs aren'… Blumenthal, Uri - 0668 - MITLL
Re: [TLS] Eleven out of every ten SSL certs aren'… Martin Rex
Re: [TLS] Eleven out of every ten SSL certs aren'… Steffen Schulz
Re: [TLS] Eleven out of every ten SSL certs aren'… Nicolas Williams
Re: [TLS] Eleven out of every ten SSL certs aren'… Martin Rex
Re: [TLS] Eleven out of every ten SSL certs aren'… aerowolf
Re: [TLS] Eleven out of every ten SSL certs aren'… aerowolf
Re: [TLS] Eleven out of every ten SSL certs aren'… Marsh Ray
Re: [TLS] Eleven out of every ten SSL certs aren'… Nicolas Williams
Re: [TLS] Eleven out of every ten SSL certs aren'… Seth David Schoen
Re: [TLS] Eleven out of every ten SSL certs aren'… Nicolas Williams
Re: [TLS] Eleven out of every ten SSL certs aren'… Martin Rex
Re: [TLS] Eleven out of every ten SSL certs aren'… Martin Rex
Re: [TLS] Eleven out of every ten SSL certs aren'… =JeffH
Re: [TLS] Eleven out of every ten SSL certs aren'… Peter Gutmann
Re: [TLS] Eleven out of every ten SSL certs aren'… Peter Gutmann
Re: [TLS] Eleven out of every ten SSL certs aren'… Peter Gutmann
Re: [TLS] Eleven out of every ten SSL certs aren'… Steingruebl, Andy
Re: [TLS] Eleven out of every ten SSL certs aren'… Peter Gutmann
Re: [TLS] Eleven out of every ten SSL certs aren'… Steingruebl, Andy
[TLS] TLS, PKI, and web security. Was: Eleven out… Marsh Ray
Re: [TLS] Eleven out of every ten SSL certs aren'… Peter Gutmann
Re: [TLS] TLS, PKI, and web security. Was: Eleven… Peter Gutmann
Re: [TLS] TLS, PKI, and web security. Was: Eleven… Marsh Ray
Re: [TLS] TLS, PKI, and web security. Was: Eleven… Robert Relyea
Re: [TLS] TLS, PKI, and web security. Was: Eleven… Bruno Harbulot
Re: [TLS] TLS, PKI, Martin Rex
Re: [TLS] TLS, PKI, Robert Relyea
Re: [TLS] TLS, PKI, Marsh Ray
Re: [TLS] TLS, PKI, Martin Rex
Re: [TLS] TLS, PKI, Peter Gutmann
Re: [TLS] TLS, PKI, Peter Gutmann
Re: [TLS] TLS, PKI, Marsh Ray
Re: [TLS] TLS, PKI, Bruno Harbulot
Re: [TLS] TLS, PKI, Peter Gutmann
Re: [TLS] TLS, PKI, Yoav Nir
Re: [TLS] TLS, PKI, Yoav Nir
Re: [TLS] TLS, PKI, Peter Gutmann
Re: [TLS] TLS, PKI, Peter Gutmann
Re: [TLS] TLS, PKI, Bruno Harbulot
Re: [TLS] TLS, PKI, Robert Relyea
Re: [TLS] TLS, PKI, Marsh Ray
Re: [TLS] TLS, PKI, Martin Rex
Re: [TLS] TLS, PKI, Steingruebl, Andy
Re: [TLS] TLS, PKI, Kyle Hamilton
Re: [TLS] TLS, PKI, Marsh Ray
Re: [TLS] TLS, PKI, Peter Gutmann
Re: [TLS] TLS, PKI, Bruno Harbulot
Re: [TLS] TLS, PKI, and web security. Was: Eleven… Peter Gutmann
Re: [TLS] TLS, PKI, and web security. Was: Eleven… Marsh Ray
Re: [TLS] TLS, PKI, and web security. Was: Eleven… Peter Gutmann
Re: [TLS] TLS, PKI, and web security. Was: Eleven… Ralph Holz
Re: [TLS] TLS, PKI, and web security. Was: Eleven… Yoav Nir
Re: [TLS] TLS, PKI, and web security. Was: Eleven… Nasko Oskov
Re: [TLS] TLS, PKI, Martin Rex
Re: [TLS] TLS, PKI, Martin Rex
Re: [TLS] TLS, PKI, Peter Gutmann
Re: [TLS] TLS, PKI, and web security. Was: Eleven… Kyle Hamilton

Re: [TLS] Eleven out of every ten SSL certs aren't valid

Attachment: smime.p7s