There are only two user agent vendors that matter (Google and Mozilla; Microsoft is a laggard, Apple doesn't have that much market share). Seriously, what is stopping the two of them from agreeing on and deploying something much better than the current CA tragedy? Is Mozilla doing anything? Is Google doing anything other than mitigations?
Douglas Perkins, Evan Prodromou, Christopher Allan Webber likes this.
Douglas Perkins, Christopher Allan Webber shared this.
Show all 5 replies
I'd put Mozilla (and/or Google) becoming a CA in the tragedy perpetuation category.
Mike Linksvayer at 2014-09-29T19:20:48Z
Evan Prodromou, Christopher Allan Webber, joeyh likes this.
I assume you're not really asking for yet another cert authority. There are already far too many included by default in major browsers.
Also, current model conflates "CA says site A is really site A" with "Site A is trustworthy; enter your credit card details" which is not always the same. Confuses users and makes them even more vulnerable. (Phishers have used Cloudflare in the past to get browser-valid SSL certs.)
Large organizations ("enterprise users") are still using Internet Explorer on Win7. There may even be some still using IE on WinXP. Since the majority of web browsing occurs at work, nothing will change without Microsoft's concurrence.
Also, current model conflates "CA says site A is really site A" with "Site A is trustworthy; enter your credit card details" which is not always the same. Confuses users and makes them even more vulnerable. (Phishers have used Cloudflare in the past to get browser-valid SSL certs.)
Large organizations ("enterprise users") are still using Internet Explorer on Win7. There may even be some still using IE on WinXP. Since the majority of web browsing occurs at work, nothing will change without Microsoft's concurrence.
lnxwalt@microca.st at 2014-09-29T19:58:19Z
Christopher Allan Webber likes this.
> majority of web browsing occurs at work
Really? I did some naive searching and couldn't find stat on browsing context. I'm really doubtful about above claim given ~40% of people don't have formal employment http://data.worldbank.org/indicator/SL.TLF.CACT.ZS and do the 60% that do really do vast majority of their browsing in employer-internet/browser-supplied context?
Anyway it seems to me lots of new features are deployed on both user agent and server sides without much regard for IE legacy users, and if anything ought be deployed without regard for them, it is replacing the CA tragedy system.
Really? I did some naive searching and couldn't find stat on browsing context. I'm really doubtful about above claim given ~40% of people don't have formal employment http://data.worldbank.org/indicator/SL.TLF.CACT.ZS and do the 60% that do really do vast majority of their browsing in employer-internet/browser-supplied context?
Anyway it seems to me lots of new features are deployed on both user agent and server sides without much regard for IE legacy users, and if anything ought be deployed without regard for them, it is replacing the CA tragedy system.
Mike Linksvayer at 2014-09-29T21:06:53Z
Douglas Perkins likes this.
Even though much of web browsing occurs at work, that does not mean people at work have to use IE for all of their browsing needs. How many of us have multiple browsers installed on our work machines? I do, and so do my close colleagues.