Re: Mozilla Thunderbird SMTP down-negotiation weakness
From: Jason Haar (Jason.Haar_at_trimble.co.nz)
Date: Thu, 27 Oct 2005 10:32:53 +1300 To: Bob Beck <firstname.lastname@example.org>
Bob Beck wrote:
> Sit you your faviorite wireless network and MITM your faviorite ssl
>web sites off it. If your user population is very intelligent, maybe
>only 9 out of 10 will click the "Windows is annoying me with a box and
>an OK button - I will click OK to keep going" popup and ignore the
>certificate mismatch utterly. Otherwise the only hard part will be
>finding a user that doesn't ignore the mismatch - it's so easy to
>get passwords this way it isn't even sporting. It's like whacking baby
>seals with a stick.
> SSL/TLS applications are just the latest most fertile ground where
>software designers have put in a crutches for lazy stupid people thereby
>rendering something kinda ok into something mostly useless.
Well said. I don't see anyone complaining that MSIE allows you to
click-through the warning that the presented cert doesn't match the
hostname and carry on and get compromised. Same with signing executables.
Users don't know what it means - and they "just want it to work!".
Frankly, there is only so much technology can do. At some stage people
have to start taking responsibility for their choices (shall we measure
the IQ of people who open GIF-file based password protected zip files
and run the contents!?!?!? Sheesh)
Actually I'm glad you can click-through and ignore cert mismatches.
Without it I couldn't read many self-signed Web sites where they use
certs just to protect their data in transit. It would smack of monopoly
practices if only Verisign-signed sites/whatever worked within browsers.
-- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1