
An alleged SSL/TLS protocol vulnerability

Posted Sep 21, 2011 16:46 UTC (Wed) by rickmoen (subscriber, #6943)
In reply to: An alleged SSL/TLS protocol vulnerability by JoeBuck
Parent article: An alleged SSL/TLS protocol vulnerability

Joe --

Personally, I have the great and good fortune that the unending travails, hapless fate, and proverbial helplessness of 'most users' is simply not my problem. In my experience, concentrating on assisting people willing to take at least a very minimal amount of initiative increases the quality of my life, and enhances my satisfaction and ability to get things done, immensely. That is one of the advantages of Linux itself, for example.

I do wish you the very best of luck in your effort to make the Internet safe for 'most users'.

Rick Moen
rick@linuxmafia.com


An alleged SSL/TLS protocol vulnerability

Posted Sep 22, 2011 12:16 UTC (Thu) by mpr22 (subscriber, #60784) (4 responses)

Someone who has installed a non-default browser has probably already taken "at least a very minimal amount of initiative". However, even highly self-starting people are not immune to warning fatigue, and the more intrusive the false positives get, the less likely even highly competent people are to leave the warnings enabled.

And remember: J. Random Luser's incapability, ineptitude, and inability to self-motivate is, in fact, your problem. It's not directly your problem, but it is your problem.

An alleged SSL/TLS protocol vulnerability

Posted Sep 22, 2011 17:48 UTC (Thu) by rickmoen (subscriber, #6943) (3 responses)

mpr22 wrote:

...even highly self-starting people are not immune to warning fatigue, and the more intrusive the false positives get, the less likely even highly competent people are to leave the warnings enabled.

Let me tell you how the world of https looks, as I encounter it: The number of https sites I use that are meaningfully security-sensitive is about 20 or 30. (I don't reuse passwords among sites. I run the HTTPS Everywhere extension, NoScript, AdBlock Plus.) Number of https sites, from among those 20 or 30, that generate warnings about mixed http/https content: literally zero, as it happens.

If I did encounter warnings on, say, some banking or similar sites among the 20 or 30 prior to a few days ago, I would 'stop ignoring' them by finding out why they were occurring and fixing them if possible. There would have been no 'warning fatigue'. As it happens, a few days ago I decided to add RequestPolicy as a general XSS/CSRF preventative, and it makes the entire problem discussed here go away completely.

Now, certainly I would appreciate seeing a general cleanup where Same Site policies are enforced without needing RequestPolicy, NoScript, etc. as bandaids. It strikes me that making browsers back off to http any time there's mixed content might be a logical next step, but the exact general implementation is, thankfully, not my problem either. Your assertion that someone in a situation like mine inevitably will make some ghastly error on account of 'warning fatigue' is simply factually incorrect. Which brings me to your other contention:

J. Random Luser's incapability, ineptitude, and inability to self-motivate is, in fact, your problem. It's not directly your problem, but it is your problem.

I prefer to think of it as a 'consulting opportunity'. Anyway, is this some sort of fatuous ideological advocacy? It sounds very much like the corporate-exhortation genre, such as when one-time Blyth Software CEO and self-promoting dullard Michael Minor told all of us 1980s technical employees that we were 'all salesmen'. (The same logic suggested that we were also all janitors, all accounting clerks, and all receptionists.)

Rick Moen
rick@linuxmafia.com
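The mixed http/https content warnings discussed in the post above can be checked offline rather than waiting for a browser to flag them. The following is an added example, not code from the post or from any of the browser extensions it mentions: it parses the HTML of an https page and lists every subresource that would be fetched over plain http, separating active content (scripts, frames, stylesheets, plugins, which an on-path attacker could use to take over the page) from passive content (images and media, which can only be observed or swapped). Protocol-relative references like //host/x.js inherit https and are correctly not reported. The page URL, hostnames and sample HTML are constructed for illustration and belong to no real site.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> (attribute holding the subresource URL, severity if fetched over plain http).
# "active" content can execute or restyle the page; "passive" content can only be
# observed or replaced by an attacker on the network.
SUBRESOURCE_ATTRS = {
    "script": ("src", "active"),
    "iframe": ("src", "active"),
    "object": ("data", "active"),
    "embed": ("src", "active"),
    "img": ("src", "passive"),
    "audio": ("src", "passive"),
    "video": ("src", "passive"),
    "source": ("src", "passive"),
}


class MixedContentScanner(HTMLParser):
    """Collect subresources of an https page that would be loaded over plain http."""

    def __init__(self, page_url):
        super().__init__()
        if urlsplit(page_url).scheme != "https":
            raise ValueError("mixed content is only meaningful for an https page")
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lowercases tag and attribute names for us
        if tag == "link":
            # Only stylesheets are active; icons, prefetch hints and the like are passive.
            rel = (attrs.get("rel") or "").lower().split()
            attr, severity = "href", ("active" if "stylesheet" in rel else "passive")
        elif tag in SUBRESOURCE_ATTRS:
            attr, severity = SUBRESOURCE_ATTRS[tag]
        else:
            return  # <a href>, <form action> etc. are navigations, not subresources
        ref = attrs.get(attr)
        if not ref:
            return
        # Resolve relative and protocol-relative ("//host/x.js") references against the
        # page URL: those inherit https and are not mixed content; only an explicit
        # http: scheme is. urlsplit() lowercases the scheme, so "HTTP://" is caught too.
        absolute = urljoin(self.page_url, ref.strip())
        if urlsplit(absolute).scheme == "http":
            self.findings.append({"tag": tag, "url": absolute, "severity": severity})


def scan_mixed_content(page_url, html):
    """Return a list of {'tag', 'url', 'severity'} dicts for insecure subresources."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def worst_severity(findings):
    """'active' if any script/frame/stylesheet is insecure, 'passive' if only media is, else None."""
    severities = {f["severity"] for f in findings}
    if "active" in severities:
        return "active"
    if "passive" in severities:
        return "passive"
    return None


# Constructed sample page (hypothetical hostnames, not taken from any real site).
PAGE_URL = "https://bank.example.org/account"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://cdn.example.net/site.css">
<link rel="icon" href="http://cdn.example.net/favicon.ico">
<script src="//cdn.example.net/app.js"></script>
<script src="/js/local.js"></script>
</head><body>
<img src="http://images.example.net/logo.png">
<iframe src="http://ads.example.net/frame"></iframe>
<a href="http://example.com/other">plain link, not a subresource</a>
</body></html>
"""

if __name__ == "__main__":
    findings = scan_mixed_content(PAGE_URL, SAMPLE_HTML)
    for f in findings:
        print(f"{f['severity']:7} {f['tag']:6} {f['url']}")
    print("worst:", worst_severity(findings))
```

Run against the sample page it reports two active findings (the stylesheet and the ad iframe) and two passive ones (favicon and logo); the two scripts resolve to https and are not reported. The active/passive split is the one browsers apply when deciding whether to block outright or merely warn, so it is the first thing to look at when a site you care about does trigger one of these warnings.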

An alleged SSL/TLS protocol vulnerability

Posted Sep 22, 2011 17:55 UTC (Thu) by rickmoen (subscriber, #6943)

By 'Same Site policies', I meant Same Origin policy, but just could not remember the correct name off the top of my head.

Rick Moen
rick@linuxmafia.com

An alleged SSL/TLS protocol vulnerability

Posted Sep 23, 2011 9:44 UTC (Fri) by mpr22 (subscriber, #60784) (1 responses)

J. Random Luser's ineptitude is your problem because his computer is a botnet zombie generating negative utility for everyone who has systems facing or nearly-facing the public Internet.

An alleged SSL/TLS protocol vulnerability

Posted Sep 24, 2011 2:22 UTC (Sat) by rickmoen (subscriber, #6943)

Ah, so it's 'my problem' to roughly the same extent that rabies in the critter population above my town is 'my problem'. And this news flash merited your injecting a public service announcement into an LWN thread about technology. Well, as they say in the American South, 'Bless your heart.'

Rick Moen
rick@linuxmafia.com


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds