In the light of yet another in an apparently neverending string of CA failures, how long are browser vendors going to keep perpetuating this PKI farce? [0]. Not only is there no recorded instance, anytime, anywhere, of a browser certificate warning actually protecting users from harm [1], but the blind faith that browsers place in certificates is actively harming users when things fail, as they have again and again and again. Users, or at least technical ones with enough knowledge to understand the issues, have completely lost faith in browser PKI. If you look at discussion threads on technical forums [2], browser PKI is seen purely as something to roll your eyes at, to make jokes about. No-one (and as before that's with an implied "who understands the details") has any faith in it any more. The total inability and/or unwillingness of the browser vendors to respond to this and provide real security measures that don't involve simply changing the silly-walk they do with certificates and continuing as before is not only not helping users in any way, it's actively harming them, and users are aware of this. Browsers may as well turn off all their PKI-related code and just use anon-DH for everything, which would be safer than the current false-sense-of-security silly-walk they're doing, not to mention saving tens (hundreds?) of millions of dollars paid to commercial CAs by sites wanting to disable the browser warnings. Browser PKI costs a fortune to run, it doesn't protect users from anything the attackers are doing, and at worst it actively endangers them. If it was a commercial good, RAPEX would have it withdrawn [3]. Peter. [0] I mean "farce" in its theatrical sense here, "unlikely, extravagant, and improbable situations [...] highly incomprehensible plot-wise (due to the large number of plot twists and random events that often occur) [...] Farce is also characterized by [...] the use of deliberate absurdity or nonsense, and broadly stylized performances" (from Wikipedia, which has a more detailed definition than e.g. the OED). [1] See "So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users", Cormac Herley. [2] And I realise the likes of Slashdot aren't the best of them, but it's the most accessible and has the most participants, so it's a quick way to gauge public opinion. [3] "RAPEX is the EU rapid alert system that facilitates the rapid exchange of information between Member States and the Commission on measures taken to prevent or restrict the marketing or use of products posing a serious risk to the health and safety of consumers". _______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE