Example Sins

Unfortunately, you don't find many examples of usability problems in security bulletins. This is primarily because people like to transfer responsibility for such problems to the end user, instead of putting the blame on the software. It's easier for vendors to just pass the buck to the user than it is to fess up to putting users at risk.

Nonetheless, here are a couple of our favorite examples of the problem.

SSL/TLS Certificate Authentication

We talked about this one in Sin 10. The basic problem is that, when the user connects to a web site and the web browser gets a certificate that is invalid, or doesn't seem to have any relationship to the site the user tried to find, the browser will typically throw up a confusing dialog box, such as the one shown in Figure 19-1.


Figure 19-1: Internet Explorer dialog box when browsing a site with a self-signed certificate

Most users are going to look at this and think, "What the heck does this mean?" They won't care, and will just want to get to the web site. They're going to click the Yes button without making any real effort to understand the problem. Rare users, whose curiosity gets the best of them, will choose to click the View Certificate button, and then probably won't know what they should be looking for.

We'll look at more usable approaches to solving this particular problem in the Redemption Steps section.

Internet Explorer 4.0 Root Certificate Installation

Prior to Internet Explorer 5.0, if you needed to install a new root Certification Authority (CA) certificate because you had to access a web site using SSL/TLS, and the site used its own CA (usually created with OpenSSL or Microsoft Certificate Server), then you'd see the sinful dialog box shown in Figure 19-2. (Now don't get us started on the security risks of installing a root CA certificate from a web site you cannot authenticate. That's another story.)


Figure 19-2: Internet Explorer 4.0 Root Certificate Installation Prompt

This dialog is bad because it's totally useless for nongeeks and admins alike. To the noncrypto person (most of the planet), this dialog means nothing whatsoever. And to the admin, the two hash values are worthless unless you're willing to phone the person or company that created the certificate and ask them to recite the SHA-1 and MD5 hashes to you for confirmation.

Thankfully, this has been fixed in Internet Explorer 5.0 and later with a much more appropriate dialog box.
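The only thing an admin can actually do with the hashes in that dialog is compare them against a fingerprint obtained over a channel they already trust (a phone call to the issuer, a printed value in a signed policy document). The following is an added example, not code from the book or from any browser vendor, showing what that check looks like when done properly: the fingerprint is computed over the certificate's DER bytes, formatted the way dialogs display it, and compared in constant time against the out-of-band value, with a plain-language verdict instead of a bare hash. The `SAMPLE_PEM` block is constructed (its body is just base64 of "abc", not a real certificate) so the digests are easy to check by hand; the 2003-era dialog showed SHA-1 and MD5, but a defender today should compare SHA-256, since MD5 and SHA-1 collisions are practical.

```python
import base64
import hashlib
import hmac
import re

# Constructed PEM block for illustration only: its body is base64("abc"),
# not a real certificate, so the digests it produces are easy to verify by hand.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""


def der_from_pem(pem_text: str) -> bytes:
    """Return the raw DER bytes inside the first CERTIFICATE block of a PEM file.

    Fingerprints are computed over these DER bytes, never over the PEM text,
    so whitespace or line-wrapping differences do not change them.
    """
    match = re.search(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S
    )
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Format a certificate digest the way certificate dialogs display it:
    upper-case hex pairs separated by colons (e.g. 'DA:39:A3:...')."""
    if algo not in hashlib.algorithms_available:
        raise ValueError(f"unsupported digest: {algo}")
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i : i + 2] for i in range(0, len(digest), 2))


def matches_expected(der: bytes, expected: str, algo: str = "sha256") -> bool:
    """Compare the certificate's digest with a fingerprint obtained out of band.

    The expected value is normalised (colons, spaces and case are ignored) so a
    human-transcribed fingerprint can be checked directly, and the comparison
    is constant-time so the check itself leaks nothing about the expected value.
    """
    normalized = re.sub(r"[^0-9a-f]", "", expected.lower())
    actual = hashlib.new(algo, der).hexdigest()
    return hmac.compare_digest(actual, normalized)


def verdict(der: bytes, expected: str, algo: str = "sha256") -> str:
    """Plain-language outcome a person can act on, instead of a bare hash."""
    if matches_expected(der, expected, algo):
        return "MATCH: this is the certificate the issuer published; installing it is consistent with policy."
    return "MISMATCH: do not install this root certificate; confirm the fingerprint with the issuer out of band."


if __name__ == "__main__":
    der = der_from_pem(SAMPLE_PEM)
    for algo in ("sha1", "sha256"):
        print(f"{algo.upper()} fingerprint: {fingerprint(der, algo)}")
    # Stand-in for a value obtained from the issuer over a trusted channel.
    published = fingerprint(der, "sha256")
    print(verdict(der, published))
    print(verdict(der, "00:" * 31 + "00"))
```

Note that the comparison is what makes the hash meaningful: a dialog that shows a fingerprint without asking the user to compare it against something they already trust is asking them to verify a value against nothing.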



19 Deadly Sins of Software Security. Programming Flaws and How to Fix Them
Writing Secure Code
ISBN: 71626751
Year: 2003
Pages: 239
