[Dnssec-deployment] Root Zone DNSSEC Deployment Technical Status Update
Florian Weimer
fweimer at bfk.de
Mon Jul 19 09:28:37 EDT 2010
* Otmar Lendl:
> As I see it, the web security user-interface right now has a serious
> shortcoming:
>
> Right now it's either
>
> * http:, meaning no security at all
> * https: meaning encryption and MITM protection via server certs
> * https + EV Certs, big green "all is fine" GUI
EV certs are just about the color. At the technical level, they are
equivalent because browsers have no concept of an EV-only session,
and EV and non-EV HTTPS are considered of the same origin.
> The real issue is how to present this to the user: What he gets is better
> than plain http, but not as strong as PKI-backed https.
IMHO, the answer is to transparently upgrade to HTTPS within HTTP, and
continue to show the http:// protocol scheme at the UI level. Thus,
passive eavesdropping becomes impossible, but the user experience
stays the same (which is important because support calls because of
unexpected URL bar colors cost money).
--
Florian Weimer <fweimer at bfk.de>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99
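The same-origin point above can be made concrete. The following is an added example, not code from the mailing-list post: it computes the web origin tuple (scheme, host, port) as RFC 6454 defines it and compares two URLs. The sample page list and its `cert` field are constructed; the field exists only to show that certificate validation level (EV or DV) is not an input to the origin check, so an EV page and a DV page on the same host share cookies, storage and DOM access, while `http://` and `https://` on the same host do not.

```javascript
// Added example: origin tuple per RFC 6454 (scheme, host, port).
// Default ports are filled in so "https://host" and "https://host:443"
// compare equal, as they do in browsers.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

function originTuple(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,                 // e.g. "https:"
    host: u.hostname.toLowerCase(),     // hostnames are case-insensitive
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

// True when both URLs map to the same (scheme, host, port) triple.
// Nothing about the certificate that served either page is consulted.
function sameOrigin(a, b) {
  const ta = originTuple(a);
  const tb = originTuple(b);
  return ta.scheme === tb.scheme && ta.host === tb.host && ta.port === tb.port;
}

// Constructed sample pages; the "cert" label is hypothetical metadata that a
// browser's origin model never looks at.
const SAMPLE_PAGES = [
  { url: "https://www.example.com/login", cert: "EV" },
  { url: "https://www.example.com:443/account", cert: "DV" },
  { url: "http://www.example.com/", cert: null },
];

// Returns a list of {a, b, same} records for every pair of sample pages.
function compareAll(pages = SAMPLE_PAGES) {
  const out = [];
  for (let i = 0; i < pages.length; i++) {
    for (let j = i + 1; j < pages.length; j++) {
      out.push({
        a: `${pages[i].url} (${pages[i].cert || "plain http"})`,
        b: `${pages[j].url} (${pages[j].cert || "plain http"})`,
        same: sameOrigin(pages[i].url, pages[j].url),
      });
    }
  }
  return out;
}

for (const r of compareAll()) {
  console.log(`${r.same ? "SAME   " : "DIFFERENT"} origin: ${r.a}  vs  ${r.b}`);
}
```

Run it with `node origin.js`: the EV and DV entries report the same origin (the explicit `:443` is normalised away), while the `http://` entry differs from both. This is why an EV indicator cannot be a security boundary: anything the DV-served page can do to the session, the EV-served page is exposed to.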