[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)



On 09/07/2011 04:48 PM, Julian Yon wrote:

There's no need to be patronising. I have plenty of security
experience.

Sorry, wasn't trying to be patronizing. Just trying to give my opinion
plainly.

This is where, IMHO, computer security people can maybe take a step
back. Sure we should all remind each other that it's easy to get
engrossed in the computer screen that we forget what's going on around
us and who may be watching.

But everyone in the world has experience managing their own personal
space and physical security. Computing devices are ordinary physical objects now. Computer security people may not be any better qualified to advise on personal physical security (and maybe we come across as a little patronizing too).

Shared environments are not a thing of the past, certainly not in
the UK, and a physically present adversary is a real threat for many
people.

Right. I'm just not particularly qualified to advise about that kind of
threat.

Not everyone can be told to look away (unless you like time in
hospital), and if you can use a drop-down with your screen covered
then I applaud you. And online-banking isn't aimed at experts, it's
used by "normal" people. It's so easy to mitigate this specific
threat in software that it is negligent not to do so.

Realistically today the bank may have thousands of customers with
malicious keyloggers for every one who is protected by an obscured
display. This was not the case just a few years ago, the threat has
changed. The keylogger threat might be somewhat mitigated with the UI
changes, but the UI is largely incapable of restoring a user's physical
security.

- Marsh
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk