On Tue, Aug 13, 2024 at 01:25:29PM -0400, Nick Lockheart wrote:
>
> Users should be educated that these levels indicate the eavesdropping
> protection of the connection, with an easy-for-normal-people-to-understand
> analogy, of a guy in a coffee shop.
>
> i.e. "This security level protects you from eavesdropping by another
> customer in the coffee shop, but does not stop the coffee shop owner
> from eavesdropping using the coffee shop's WiFi router".
>
> A new type of authentication should be added to replace any certificate
> use besides "Domain Verification". For example, determining that a
> business exists and is legitimate.

Unfortunately, when it comes to security issues, there has been a lot of
painful experience which has caused many people to conclude that anything
which depends on user education is doomed to fail.

And if some major browser decided to drop all of the current certificate
protections, and allowed arbitrary CAs to join, and claimed that the
solution is that users should be able to click on the lock icon, and make
their own determination whether that CA should be trustworthy, or peer at
some domain name like m0rganstanl3y.cm to decide whether it is a good place
to be typing their social security number and banking passwords, or pay $$$
to some third party like McAfee, I suspect that web browser's reputation
would be savaged in the press and a lot of security experts would be
telling users to avoid that web browser at all costs...

- Ted