w3c / webappsec-secure-contexts

WebAppSec Secure Contexts
https://w3c.github.io/webappsec-secure-contexts/

Threat Model missing a treatment of user phishing #14

Closed noloader closed 8 years ago

noloader commented 8 years ago

The latest editor's draft (11 December 2015) of Secure Contexts states the following:

Granting permissions to unauthenticated origins is, in the presence of a network attacker, equivalent to granting the permissions to any origin. The state of the Internet is such that we must indeed assume that a network attacker is present. Generally, network attackers fall into 2 classes: passive and active... (Threat Models, § 4.1, ¶ 1)

We _know_ the number one threat to users is phishing, but the model appears to be missing a treatment on the subject.

In this case, the particular threat is that the user is asked or tricked into installing a CA certificate and the certificate is later used to intercept traffic. The user could comply in a number of scenarios. The scenarios include:

In the first case, an unwitting user at an airport, wifi hotspot or hotel may install it. In the second case, an organization or IT administrator may install it.

jonathanKingston commented 8 years ago

@noloader Secure Contexts scope can't cover phishing in the way you have described in the same way that a compromised machine would also have the ability to cause the same level of damage.

mikewest commented 8 years ago

The request here seems like a duplicate of #13, just stated in a different fashion. Again, if the user agent decides to trust a given certificate, then it considers the connection secure. That's the bar that this specification sets. You're correct that threats exist that involve compromise of the local machine. I don't believe this spec can or should attempt to address them.

Let's continue the conversation on #13. :)