[cryptography] Security Pop-Up of the Day

Joe St Sauver joe at oregon.uoregon.edu
Wed Sep 21 10:56:52 EDT 2011


#In viewing an e-mail this morning I received the following pop-up:
#
#"Revocation information for the security certificate for this site is not 
#available.
#Do you want to proceed?"
#
#Not just once but for every URL embedded in the e-mail.
#
#Anybody want to put forward a conjecture about the response to this pop-up 
#across the population of e-mail users?

Naturally, users (or their support staff) will disable OCSP/CRL checking to 
make the pop-ups stop happening. 

Since that's not something that can be done on a granular basis,
they'll disable it globally. After all, <sarcasm>that's something that
doesn't really matter, right?</sarcasm> What a "terrific" way to get 
users to undermine their own security :-(

In many ways this reminds me of the misreaction you sometimes see to 
S/MIME signed emails. Since many users don't use client certs, smime 
signature file attachments are often unrecognized and thus their 
purpose is not understood.

At least at some sites, the reaction to an unknown potential threat may 
be reptilian: Smash/kill it! Operationally speaking, this may mean things 
like mod'ing MIMEDefang (or whatever folks are using to deal with genuinely 
dangerous attachments or genuinely dangerous HTML constructs) to now also 
eliminate the "threat" of those dastardly smime.p7s files. (just for the 
record, I'm not aware of ANY exploit that leverages smime.p7s files, is 
anyone else?) 

When smime.p7s files start getting stripped, there goes yet another 
potentially critical piece of security technology. 

Sigh.

Joe
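As an added illustration of the smime.p7s point above (example code written for this page, not from the original post and not an actual MIMEDefang filter), the block below parses a constructed multipart/signed message with the Python standard library and shows two filter policies side by side: a naive extension blocklist that has had ".p7s" added to it and therefore strips the detached signature, and a structure-aware filter that recognises the signature part by its position and type under RFC 1847 and leaves it intact while still stripping the executable. Message contents, filenames and the base64 payloads are constructed placeholders.

```python
"""Attachment filtering that does not mistake a detached S/MIME signature
(smime.p7s) for a dangerous attachment.  Added example; uses only stdlib."""
import email
import os
from email import policy

# Constructed sample: multipart/signed (RFC 1847) wrapping a multipart/mixed
# body (text + an .exe attachment), followed by the detached signature part.
# Both base64 bodies are placeholder data, not real binaries or PKCS#7.
SAMPLE_MSG = b"""From: alice@example.org
To: bob@example.org
Subject: signed note
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="sig"

--sig
Content-Type: multipart/mixed; boundary="inner"

--inner
Content-Type: text/plain

hello
--inner
Content-Type: application/octet-stream; name="tool.exe"
Content-Disposition: attachment; filename="tool.exe"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
--inner--
--sig
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Disposition: attachment; filename="smime.p7s"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
--sig--
"""

SIGNATURE_TYPES = {"application/pkcs7-signature", "application/x-pkcs7-signature"}
DANGEROUS_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat"}
# The over-broad list an operator ends up with after adding ".p7s" to the
# blocklist out of unfamiliarity (the misreaction the post describes).
NAIVE_BLOCKLIST = DANGEROUS_EXTENSIONS | {".p7s"}


def is_detached_signature(part, parent, index):
    """RFC 1847: in multipart/signed the second body part is the signature and
    its content type must equal the parent's 'protocol' parameter."""
    if parent is None or parent.get_content_type() != "multipart/signed":
        return False
    protocol = (parent.get_param("protocol") or "").lower()
    return index == 1 and protocol in SIGNATURE_TYPES and part.get_content_type() == protocol


def classify_attachments(raw):
    """Structure-aware policy: keep signature parts, strip dangerous files."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    decisions = []

    def walk(part, parent, index):
        if part.is_multipart():
            for i, child in enumerate(part.iter_parts()):
                walk(child, part, i)
            return
        filename = part.get_filename()
        if filename is None:
            return  # inline body text, not an attachment
        if is_detached_signature(part, parent, index):
            decisions.append((filename, "keep-signature"))
        elif os.path.splitext(filename)[1].lower() in DANGEROUS_EXTENSIONS:
            decisions.append((filename, "strip"))
        else:
            decisions.append((filename, "keep"))

    walk(msg, None, 0)
    return decisions


def naive_extension_filter(raw):
    """Extension-only policy: strips smime.p7s along with the executable."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    decisions = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename is None:
            continue
        blocked = os.path.splitext(filename)[1].lower() in NAIVE_BLOCKLIST
        decisions.append((filename, "strip" if blocked else "keep"))
    return decisions


if __name__ == "__main__":
    print("naive  :", naive_extension_filter(SAMPLE_MSG))
    print("aware  :", classify_attachments(SAMPLE_MSG))
```

The structure-aware filter keys on where the part sits (second child of a multipart/signed) and on the parent's declared protocol rather than on the filename, so a renamed executable posing as "smime.p7s" in a plain multipart/mixed message would still be judged by its real extension and type, while a genuine signature survives the filter and the recipient's client can still verify it.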
