[tor-talk] Dutch CA issues fake *.torproject.org cert (among many others)

Marsh Ray marsh at extendedsubset.com
Wed Sep 7 22:19:28 UTC 2011


On 09/07/2011 04:48 PM, Julian Yon wrote:
>
> There's no need to be patronising. I have plenty of security
> experience.

Sorry, wasn't trying to be patronizing. Just trying to give my opinion
plainly.

This is where, IMHO, computer security people can maybe take a step
back. Sure we should all remind each other that it's easy to get so
engrossed in the computer screen that we forget what's going on around
us and who may be watching.

But everyone in the world has experience managing their own personal
space and physical security. Computing devices are ordinary physical
objects now. Computer security people may not be any better qualified to
advise on personal physical security (and maybe we come across as a
little patronizing too).

> Shared environments are not a thing of the past, certainly not in
> the UK, and a physically present adversary is a real threat for many
> people.

Right. I'm just not particularly qualified to advise about that kind of
threat.

> Not everyone can be told to look away (unless you like time in
> hospital), and if you can use a drop-down with your screen covered
> then I applaud you. And online-banking isn't aimed at experts, it's
> used by "normal" people. It's so easy to mitigate this specific
> threat in software that it is negligent not to do so.

Realistically, today the bank may have thousands of customers with
malicious keyloggers for every one who is protected by an obscured
display. This was not the case just a few years ago; the threat has
changed. The keylogger threat might be somewhat mitigated with the UI
changes, but the UI is largely incapable of restoring a user's physical
security.

- Marsh

