[cryptography] SSL is not "broken by design"

Nico Williams nico at cryptonector.com
Mon Sep 19 23:01:15 EDT 2011


On Mon, Sep 19, 2011 at 9:20 PM, Ben Laurie <ben at links.org> wrote:
> On Tue, Sep 20, 2011 at 12:42 AM, James A. Donald <jamesd at echeque.com>
> wrote:
>> The user expects a login screen.  Login screens are *not* traditionally
>> full screen, even on cell phones.  Therefore, if we take login out of the
>> web page, if the user ceases to expect or perceive login as happening out
>> there on the web, but instead perceives it as happening locally, the user
>> will not expect a full screen login page.
>
> That is not the issue. The issue is that if an app can be full screen it can
> fake whatever a login window looks like.

Well, not if it doesn't know what screen to fake (that was James' point).


