[messaging] Are we pursuing real solutions for security?
jbonneau at gmail.com
Tue Mar 11 10:35:18 PDT 2014
> There were discussions in the last day on this list about avoiding the
> "click-ok-to-get-on-with-it" pattern that people are accustomed to,
> including some novel approaches (coming close to "gamification", where
> the user is actively involved in the process and not just presented with
> the simple "either/or" response). These are mechanisms to consider for
> manual verification of key fingerprints. I've never seen any of these
> proposals implemented or considered before.
Here's one I've never seen done in this context (sorry if it's already been
mentioned): insert a number of false negatives so that users who aren't
checking can be warned by the system and/or inconvenienced just enough to
nudge them. For example, choose randomly with p=0.5 to twiddle a few (or
half or most) of the bits shown on screen. If the user says it matches
anyway, this is certainly wrong so you can tell them to check again and if
it were a real attack, they'd have been MITMed. Perhaps you make them wait
60 seconds to try again, so that this doesn't become their default.
Supposedly the TSA inserts an image of a knife or gun on the carry-on
baggage x-ray scanner every hour or so to prevent people falling asleep.
Perhaps this is far too inconvenient, but worth having in the list of
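An added illustration of the decoy-fingerprint idea above (this is not code from the post or from the messaging list; the fingerprint value, the 0.5 decoy probability, the 60-second lockout and the "force the real fingerprint after a correctly rejected decoy" rule are assumptions made here for the example):

```python
"""
Decoy-fingerprint check for manual key verification (added example).

With probability p the verifier shows the user a deliberately corrupted
fingerprint. A user who clicks "matches" on a decoy was not really comparing,
so the verifier records that and refuses to show anything for LOCKOUT_SECONDS.
"""
import random
from dataclasses import dataclass
from typing import Optional

# Assumption: a 128-bit fingerprint rendered as 32 lowercase hex digits.
# This value is constructed for the example and is not a real key's hash.
REAL_FINGERPRINT = "3f7a9c1e5b2d8e0f4a6c7b9d1e2f3a4b"

LOCKOUT_SECONDS = 60.0      # the wait suggested in the post (assumption)
DECOY_PROBABILITY = 0.5     # p=0.5 from the post


def corrupt_fingerprint(fp_hex: str, rng: random.Random, fraction: float = 0.5) -> str:
    """Return fp_hex with `fraction` of its hex digits changed.

    Every chosen digit is replaced by a *different* digit, so the decoy can
    never collide with the real fingerprint by accident.
    """
    digits = list(fp_hex)
    n = max(1, int(len(digits) * fraction))
    for i in rng.sample(range(len(digits)), n):
        digits[i] = rng.choice([c for c in "0123456789abcdef" if c != digits[i]])
    return "".join(digits)


@dataclass
class Verifier:
    real_fp: str
    rng: random.Random
    decoy_probability: float = DECOY_PROBABILITY
    locked_until: float = 0.0          # wall-clock time until which the UI is blocked
    shown: Optional[str] = None        # what is currently on screen
    shown_is_decoy: bool = False
    force_real: bool = False           # show the real value right after a caught decoy

    def present(self, now: float) -> Optional[str]:
        """Choose what to display. Returns None while the user is locked out."""
        if now < self.locked_until:
            return None
        self.shown_is_decoy = (not self.force_real) and self.rng.random() < self.decoy_probability
        self.force_real = False
        self.shown = corrupt_fingerprint(self.real_fp, self.rng) if self.shown_is_decoy else self.real_fp
        return self.shown

    def respond(self, user_says_match: bool, now: float) -> str:
        """Interpret the user's answer to the currently displayed string.

        inattentive: accepted a decoy -> warn and start the lockout
        attentive:   rejected a decoy -> show the real fingerprint next
        verified:    accepted the real fingerprint
        mismatch:    rejected the real fingerprint -> the peer key really differs
        """
        if self.shown is None:
            raise RuntimeError("nothing is being displayed")
        if self.shown_is_decoy:
            if user_says_match:
                self.locked_until = now + LOCKOUT_SECONDS
                outcome = "inattentive"
            else:
                self.force_real = True
                outcome = "attentive"
        else:
            outcome = "verified" if user_says_match else "mismatch"
        self.shown = None
        return outcome


def make_verifier(seed: int) -> Verifier:
    """Deterministic verifier for tests and the simulation below."""
    return Verifier(REAL_FINGERPRINT, random.Random(seed))


def simulate(careful: bool, seed: int, rounds: int = 20) -> dict:
    """Drive the verifier with a simulated user who retries every 10 seconds.

    A careful user compares the screen with the out-of-band fingerprint;
    a careless one always clicks "matches". Returns outcome counts, including
    how many attempts were refused because of the lockout.
    """
    v = make_verifier(seed)
    counts = {"verified": 0, "mismatch": 0, "attentive": 0, "inattentive": 0, "locked": 0}
    now = 0.0
    for _ in range(rounds):
        shown = v.present(now)
        if shown is None:
            counts["locked"] += 1
        else:
            answer = (shown == REAL_FINGERPRINT) if careful else True
            counts[v.respond(answer, now)] += 1
        now += 10.0
    return counts


if __name__ == "__main__":
    print("careful user :", simulate(careful=True, seed=1))
    print("careless user:", simulate(careful=False, seed=1))
```

Running the simulation shows the intended asymmetry: a user who actually compares never sees a warning or a lockout, while a user who always clicks "matches" is caught on the first decoy and then loses five retry opportunities to the 60-second wait.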