On Thursday 02 June 2005 11:33, Birger Tödtmann wrote:

Am Mittwoch, den 01.06.2005, 15:23 +0100 schrieb Ian G: [...]

...

For an example of the latter, look at Netcraft. This is quite serious - they are putting out a tool that totally bypasses PKI/SSL in securing browsing. Is it insecure? Yes of course, and "it leaks my data like a seive" as one PKI guy said.

[...]

What I currently fail see is the link to SSL. Or, to its PKI model.

That's the point. There is no link to SSL or PKI. The only thing in common is the objective - to protect the user when browsing. Secure browsing is now being offered by centralised database sans crypto.

Netcraft bypasses it, but I won't use Netcraft exclusively because I'm happy to use the crypto in SSL. Netcraft and Trustbar are really nice add-ons to improve my security *with SSL*. So where is the point?

Sure, I think it is a piece of junk, myself. But I am not important, I'm not an "average user." The only thing that is important is what the user thinks and does. When Netcraft announced their plugin had been ported from IE to Firefox last week, they also revealed that they had "60,000 downloads in hours." That tells us a few things. Firstly, users want protection from phishing. Secondly, Netcraft have succeeded enough in the IE world in creating a user base for their solution that it easily jumped across to the Firefox userbase and scored impressive numbers straight away. Which tells us that it actually delivers something useful (which may or may not be security). So we cannot discount that the centralised database concept works "well enough" by some measure or other. So now we wait to see which model wins in protecting the user from spoofing. iang -- Advances in Financial Cryptography: https://www.financialcryptography.com/mt/archives/000458.html --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com