Subject: Re: [security-services] Draft-sstc-sec-consider-03.doc
Well, the question seems to boil down to whether users are "dumb" or "smart". Given the last years' virus craze, I tend to believe they are "dumb".

Anyway, if we take the SAML SSO scenarios, I at least envision *a lot* of use-cases where the user is strongly authenticated to his/her source (preferably using client-side PKI), but simply redirected to the target.

*Long-term*, particularly for B2B scenarios like OBI, PunchOut, RoundTrip, etc., this security hole should be addressed, in a way that does not require the *users* to take decisions that they do not understand the consequences of. In B2B the relation [incl. trust] is between the target and the source, as the user is just a "tool" for carrying out a business process, so it is perfectly logical to (in some way) offload the verification of the target to the source instead of to the user.

That this is technically possible with relatively moderate measures is something I have tried to show in http://www.x-obi.com/OBI400/andersr-mitm-attac-and-cure.ppt

Yes! There are other ways to do this; this is just *one* (maybe miserable) example to get the ball rolling...

But Microsoft's security department thinks that the solution is "user education". If a security problem is technically awkward to solve (gives negative side-effects), I agree, but in this case I stay confident that this can be fixed or at least be vastly improved.

Anders

----- Original Message -----
From: "Polar Humenn" <polar@syr.edu>
To: "Hal Lockhart" <hal.lockhart@entegrity.com>
Cc: "'Anders Rundgren'" <anders.rundgren@telia.com>; <cmclaren@netegrity.com>; "'oasis sstc'" <security-services@lists.oasis-open.org>
Sent: Friday, January 11, 2002 01:41
Subject: RE: [security-services] Draft-sstc-sec-consider-03.doc

On Thu, 10 Jan 2002, Hal Lockhart wrote:

> > The "client" is unfortunately a *human* that just gets a hint that something
> > is not correct but he/she may click "Continue" to ignore. And maybe even
> > select to trust the next time. This is the problem with ad-hoc PKI as Dug
> > correctly points out. This is also probably the weakest spot in SAML,
> > assuming that servers are not too easy to hack into.
>
> This is nonsense. Users get very upset when they get a popup warning about a
> security error.

Really? I remember Ed Felton of Princeton giving a talk a number of years ago at a Dimacs workshop on Trust Management. In this talk he explained an experiment where he pointed a user at a particular website and had them click on a button. That action raised a security violation which popped up on IE4.0 and the user just clicked it away. Subsequently, the browser shut off the user's machine. You're right, people did get very upset. When asked about the popup, most people said "What popup?". Ed likened the popup window to "merely an incidental fly on the screen that was in the way, which the user swatted away".

> We even found it impossible for them to accept a self-signed
> certificate from us by secure means. If it doesn't validate with one of the
> built-in roots, they won't touch it. This has been discussed repeatedly in
> the PKIX list and in the opinion of some, e.g. Peter Gutmann, it is a major
> reason people buy server certificates from public CAs.

I guess this situation depends on how many "built-in roots" your browser has; mine came with some 100 of them. Do you find your users actually delete root certificates they don't know enough to like?

-Polar

> Hal