[cryptography] Security Pop-Up of the Day
Joe St Sauver
joe at oregon.uoregon.edu
Wed Sep 21 10:56:52 EDT 2011
#In viewing an e-mail this morning I received the following pop-up:
#"Revocation information for the security certificate for this site is not
#Do you want to proceed?"
#Not just once but for every URL embedded in the e-mail.
#Anybody want to put forward a conjecture about the response to this pop-up
#across the population of e-mail users?
Naturally, users (or their support staff) will disable OCSP/CRL checking to
make the pop-ups stop happening.
Since that's not something that can be done on a granular basis,
they'll disable it globally. After all, <sarcasm>that's something that
doesn't really matter, right?</sarcasm> What a "terrific" way to get
users to undermine their own security :-(
In many ways this reminds me of the misreaction you sometimes see to
S/MIME signed emails. Since many users don't use client certs, smime
signature file attachments are often unrecognized and thus their
purpose is not understood.
At least at some sites, the reaction to an unknown potential threat may
be reptilian: Smash/kill it! Operationally speaking, this may mean things
like mod'ing MIMEDefang (or whatever folks are using to deal with genuinely
dangerous attachments or genuinely dangerous HTML constructs) to now also
eliminate the "threat" of those dastardly smime.p7s files. (just for the
record, I'm not aware of ANY exploit that leverages smime.p7s files, is
When smime.p7s files start getting stripped, there goes yet another
potentially critical piece of security technology.