[cryptography] Let's go back to the beginning on this

Kevin W. Wall kevin.w.wall at gmail.com
Tue Sep 13 23:33:11 EDT 2011


On Tue, Sep 13, 2011 at 2:22 PM, Andy Steingruebl <andy at steingruebl.com> wrote:
> On Tue, Sep 13, 2011 at 10:48 AM, Steven Bellovin <smb at cs.columbia.edu> wrote:
>
>> Furthermore,
>> they're probably right; most of the certificate errors I've
>> seen over the years were from ordinary carelessness or errors,
>> rather than an attack; clicking "OK" is *precisely* the right
>> thing to do.
>
> Is anyone aware of any up-to-date data on this btw?  I've had
> discussions with the browser makers and they have some data, but I
> wonder whether anyone else has any data at scale of how often users
> really do run into cert warnings these days. They used to be quite
> common, but other than 1 or 2 sites I visit regularly that I know ave
> self-signed certs, I *never* run into cert warnings anymore.   BTW,
> I'm excluding "mixed content" warnings from this for the moment
> because they are a different but related issue.

Here's a data point...not sure how relevant it is though.

Such warnings are still quite common on our company intranet, because the IT
folks who deploy request and deploy certs, for the most part don't know what
they are doing. E.g., they request a server cert whose CN is the server's I
address which of course results in a warning when the user tries a URL that
uses the host name. We have instructions, but apparently, no on takes the time
to read them. Instead, there mentality is to just tell their user
community to click
through all the warnings.

We very rarely have this problem for certificates on Internet facing web
sites because those people have been trained and in general know what
they are doing.

-kevin
-- 
Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents."        -- Nathaniel Borenstein



More information about the cryptography mailing list