Slashdot Mirror


The Problem With Using End-to-End Web Crypto as a Cure-All

fsterman writes: Since the Snowden revelations, end-to-end web encryption has become trendy. There are browser add-ons that bolt a PGP client onto webmail and both Yahoo and Google are planning to support PGP directly. They attempt to prevent UI spoofing with icons similar to the site-authentication banks use to combat phishing.

The problem is that a decade of research shows that users habituate to these icons and come to ignore them. An attacker can pull off UI spoofing with a 90%+ success rate.

2 of 89 comments

  1. Re:nope by theshowmecanuck · Score: 4, Funny
    --
    I ignore anonymous replies to my comments and postings.
  2. Re:Provided your MUA supports S/MIME by iluvcapra · Score: 4, Funny

    And StartCom has been handing out S/MIME certificates without charge.

    I probably wouldn't be interested in a CA that gave me my cert, I'd rather have one that signed one I generated :)

    --
    Don't blame me, I voted for Baltar.