On Wed, Aug 14, 2024 at 1:08 PM Theodore Ts'o <tytso@xxxxxxx> wrote:
> On Tue, Aug 13, 2024 at 01:25:29PM -0400, Nick Lockheart wrote:
> >
> > Users should be educated that these levels indicate the eavesdropping
> > protection of the connection, with an easy-for-normal-people-to-
> > understand analogy, of a guy in a coffee shop.
> >
> > ie. "This security level protects you from eavesdropping by another
> > customer in the coffee shop, but does not stop the coffee shop owner
> > from eavesdropping using the coffee shop's WiFi router".
> >
> > A new type of authentication should be added to replace any certificate
> > use besides "Domain Verification". For example, determining that a
> > business exists and is legitimate.
> Unfortunately, when it comes to security issues, there has been a lot
> of painful experience which has caused many people to conclude that
> anything which depends on user education is doomed to fail.
Somewhat agree. The big problem I have with 'User Education' is that it tends to end up blaming the user for bad outcomes they had no real way to avoid because they don't have the information they need to make the right choice.
Most mail clients hide the email address these days. In principle, it is fairly easy to ensure that emails purporting to come from the company domain originated from a company server. (just use another account for mailing lists) But that straightforward security measure doesn't stop an impersonation attack because that information is hidden from the user lest it confuse them.
So we end up with a situation in which the reason user education fails is because the product is incompetently designed and denies them the information they need to secure themselves. So the poor user gets slammed both ways and each time the real fault is with the engineers.
> And if some major browser decided to drop all of the current
> certificate protections, and allowed arbitrary CA's to join, and
> claimed that the solution is that users should be able to click on the
> lock icon, and make their own determination whether that CA should be
> trustworthy, or peer at some domain name like m0rganstanl3y.cm is a
> good place to be typing their social security number and banking
> passwords, or pay $$$ to some third party like McAfee, I suspect that
> web browser's reputation would be savaged in the press and a lot of
> security experts would be telling users to avoid that web browser at
> all costs....
I am not seeing a user revolt when something very close to what you describe is happening in social media. The pushback is coming from politicians who are furious about the resulting riots. And they should be.
We are not going to get much chance to fix things.
Rather than writing off user education, I think we need a process, similar to requirements engineering, that looks at threats in the same way we consider use cases and demands that the user be given instructions that allow them to avoid that threat.
Of course, long instructions that are difficult to read need to be considered in the same light as complex specifications that are impossible to implement correctly.
The reason I called the meeting that led to the creation of EV certs was that the confusion of DV/OV certs had left users in a situation where they had no means of vetting a potential online merchant before handing over their credit card info. EV was designed to address a specific threat. Where we are now is that the user has no way to tell; we just blame them for the consequences when they guess wrong.
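The message above claims two things about mail: that checking whether a message purporting to come from a company domain was actually sent by a company server is straightforward, and that the impersonation problem survives anyway because clients show the display name and hide the address. The following is an added example, not code from any participant in this thread, showing both halves: it reads the receiving MTA's Authentication-Results header (RFC 8601) to decide whether the From domain was authenticated by DKIM or SPF, and then compares what the user would see (display name) with what was verified (address domain). The domains, the company name, the authserv-id `mx.example.com`, and the three sample messages are all constructed for illustration; the relaxed-alignment check is an approximation (real DMARC compares organizational domains using the public suffix list).

```python
"""Vet a message's visible sender against what the receiving MTA authenticated.

Added example; domains, names and messages below are constructed, not real traffic.
"""
import email
from email import policy
from email.utils import parseaddr

# Assumptions for this example (hypothetical values, not from the thread):
COMPANY_DOMAIN = "example.com"       # the domain whose mail we want to vet
COMPANY_NAME = "example corp"        # name a spoofer would put in the display name
TRUSTED_AUTHSERV = "mx.example.com"  # our own MTA; only its Authentication-Results count


def parse_auth_results(value):
    """Parse an RFC 8601 Authentication-Results value.

    Returns (authserv_id, {method: {"result": ..., "<prop>": ...}}).
    Example value: "mx.example.com; dkim=pass header.d=example.com; spf=pass smtp.mailfrom=example.com"
    """
    parts = [p.strip() for p in value.split(";") if p.strip()]
    authserv = parts[0].split()[0].lower() if parts else ""
    methods = {}
    for part in parts[1:]:
        tokens = part.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        info = {"result": result.lower()}
        for tok in tokens[1:]:
            if "=" in tok:
                key, val = tok.split("=", 1)
                info[key.lower()] = val.lower()
        methods[method.lower()] = info
    return authserv, methods


def aligned(a, b):
    """Approximate DMARC relaxed alignment: same domain, or one is a subdomain
    of the other. Real DMARC uses organizational domains from the public suffix
    list; that detail is deliberately omitted here."""
    a, b = a.lower(), b.lower()
    return bool(a) and bool(b) and (a == b or a.endswith("." + b) or b.endswith("." + a))


def vet_message(raw):
    """Return a verdict dict: was the From domain authenticated, and does the
    message look like company mail to a user who only sees the display name?"""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    from_dom = addr.rpartition("@")[2].lower()
    authenticated = False

    for value in msg.get_all("Authentication-Results", []):
        authserv, methods = parse_auth_results(str(value))
        if authserv != TRUSTED_AUTHSERV:
            continue  # an upstream party could have injected this header; ignore it
        dkim = methods.get("dkim", {})
        spf = methods.get("spf", {})
        if dkim.get("result") == "pass" and aligned(dkim.get("header.d", ""), from_dom):
            authenticated = True
        if spf.get("result") == "pass" and aligned(spf.get("smtp.mailfrom", ""), from_dom):
            authenticated = True

    from_company = authenticated and aligned(from_dom, COMPANY_DOMAIN)
    # What the user sees: a display name (or domain) that claims to be the company.
    claims_company = COMPANY_NAME in display.lower() or aligned(from_dom, COMPANY_DOMAIN)
    return {
        "address": addr,
        "display": display,
        "authenticated": authenticated,   # From domain verified by our MTA
        "from_company": from_company,     # verified AND it is the company's domain
        "suspicious": claims_company and not from_company,
    }


# Constructed sample messages (not real mail). Each carries the header our MTA added.
GENUINE = """\
From: "Example Corp Support" <support@example.com>
To: user@example.org
Subject: Your statement
Authentication-Results: mx.example.com; dkim=pass header.d=example.com; spf=pass smtp.mailfrom=example.com

Hello.
"""

# Lookalike: DKIM genuinely passes for example.net, but the display name says Example Corp.
LOOKALIKE = """\
From: "Example Corp Support" <support@example.net>
To: user@example.org
Subject: Your statement
Authentication-Results: mx.example.com; dkim=pass header.d=example.net; spf=pass smtp.mailfrom=example.net

Hello.
"""

# Forged: sender injected a fake Authentication-Results header; ours says SPF failed.
FORGED = """\
From: "Example Corp Support" <support@example.com>
To: user@example.org
Subject: Your statement
Authentication-Results: attacker.invalid; dkim=pass header.d=example.com
Authentication-Results: mx.example.com; dkim=none; spf=fail smtp.mailfrom=example.com

Hello.
"""

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("lookalike", LOOKALIKE), ("forged", FORGED)):
        print(name, vet_message(raw))
```

The lookalike case is the one the message is about: every authentication check passes, because the attacker's own domain really did send the mail, and the only signal left is the address domain that the client hides behind the display name. The forged case shows why the authserv-id check matters: a sender can attach its own Authentication-Results header, so only the header written by your own MTA should be believed.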