

Bright people fooling themselves? - adamo
https://financialcryptography.com/mt/archives/001223.html

======
petewarden
The most interesting part for me was the MS security paper he linked to:

http://research.microsoft.com/en-us/um/people/cormac/papers/2009/SoLongAndNoThanks.pdf

It's a great explanation of why users are rational to ignore all our security
advice; the expected benefits are so low compared to the effort required, and
a lot of the costs are borne by other people anyway.

------
adamo
Although I agree with the arguments, I cannot (yet?) agree with the final
outcome.

------
dabent
Firefox says: financialcryptography.com uses an invalid security certificate.

The certificate is not trusted because the issuer certificate is unknown.

~~~
swolchok
It's better than plain HTTP if your browser will complain next time if the
cert _changes_, because at least you're assured that if you weren't under
attack on first visit, you're not under attack now. Displaying a huge error
when the site has made _some_ effort is ironic.

(The point of the error is that a normal, valid certificate means that some CA
has vouched for the identity of the website. When it's some random website you
don't care about, this isn't important. When it's your bank or a business, it
is.)
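
The trust-on-first-use behaviour described in the comment above, as an added example that is not part of the thread: a small known_hosts-style pin store in Python. The client records a SHA-256 fingerprint of the certificate on first contact, refuses a different one later, and only accepts a change when told to out of band. The `PinStore` class, the hostnames and the certificate byte strings are assumptions constructed for the example; they are not real certificates and no network connection is made.

```python
# Added example (not from the thread): trust-on-first-use certificate pinning,
# the "SSH model" the comment above describes.  The client records a fingerprint
# of the certificate the first time it talks to a host and refuses to proceed if
# a later visit presents a different one.  No CA is consulted; the only
# assumption is that the first visit was not under attack.
import hashlib
import hmac
from enum import Enum


class Verdict(Enum):
    FIRST_SEEN = "first_seen"  # no pin yet: record it (the leap of faith)
    MATCH = "match"            # same certificate as on first visit
    CHANGED = "changed"        # different certificate: treat as possible MITM


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the DER-encoded certificate as hex, like ssh-keygen -l."""
    return hashlib.sha256(cert_der).hexdigest()


class PinStore:
    """A known_hosts-style pin database: one fingerprint per hostname."""

    def __init__(self) -> None:
        self._pins: dict[str, str] = {}

    def check(self, host: str, cert_der: bytes) -> Verdict:
        fp = fingerprint(cert_der)
        known = self._pins.get(host)
        if known is None:
            self._pins[host] = fp
            return Verdict.FIRST_SEEN
        # Constant-time compare; a CHANGED verdict never overwrites the pin.
        if hmac.compare_digest(known, fp):
            return Verdict.MATCH
        return Verdict.CHANGED

    def accept_new(self, host: str, cert_der: bytes) -> None:
        """Out-of-band acceptance of a changed cert (like editing known_hosts)."""
        self._pins[host] = fingerprint(cert_der)

    def dump(self) -> str:
        """Serialize as 'host sha256:<hex>' lines, one per host."""
        return "".join(f"{h} sha256:{fp}\n" for h, fp in sorted(self._pins.items()))

    @classmethod
    def load(cls, text: str) -> "PinStore":
        store = cls()
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            host, fp = line.split()
            if not fp.startswith("sha256:"):
                raise ValueError(f"unsupported fingerprint format: {fp}")
            store._pins[host] = fp[len("sha256:"):]
        return store


# Constructed stand-ins for DER certificate bytes (not real certificates).
SITE_CERT = b"constructed DER: CN=financialcryptography.com, self-signed, serial 1"
MITM_CERT = b"constructed DER: CN=financialcryptography.com, issued by attacker"
RENEWED_CERT = b"constructed DER: CN=financialcryptography.com, self-signed, serial 2"


def simulate_visits() -> list[Verdict]:
    """Walk through the scenario from the comment and return each verdict."""
    host = "financialcryptography.com"
    store = PinStore()
    verdicts = [
        store.check(host, SITE_CERT),  # first visit: nothing to compare, pin it
        store.check(host, SITE_CERT),  # repeat visit: same cert, no complaint
        store.check(host, MITM_CERT),  # interception: cert changed, alarm
    ]
    # Pins survive a round trip through the known_hosts-style text format.
    reloaded = PinStore.load(store.dump())
    verdicts.append(reloaded.check(host, SITE_CERT))
    # The weak spot of the model: a legitimate renewal is indistinguishable
    # from an attack until someone accepts the new cert out of band.
    verdicts.append(reloaded.check(host, RENEWED_CERT))
    reloaded.accept_new(host, RENEWED_CERT)
    verdicts.append(reloaded.check(host, RENEWED_CERT))
    return verdicts


if __name__ == "__main__":
    for v in simulate_visits():
        print(v.value)
```

The renewal step is the practical caveat: with no CA in the loop, the client cannot tell a planned certificate change from an attacker's, so every rotation needs some out-of-band signal (a fingerprint published elsewhere, or the old key signing the new one) before `accept_new` is called.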

~~~
fexl
Exactly so. This is the SSH model, and I love it. How does a CA's signature
protect against phishing anyway? It doesn't. Equifax signs both the real site
and the fake site.

