Hi,

> > If I understand things correctly, you want to have the browser maintain a
> > sort of whitelist of domains the user trusts. Whenever the browser
> > encounters a new SSL domain, the user is asked, if she wants to include
> > it in the list of trusted domains. Have I gotten the idea right?
>
> Nope. I don't think anyone with knowledge of browser UI and/or user
> behaviour and acceptance would propose such a thing.

All right, but what's this about then:
http://multizilla.mozdev.org/screenshots/features/spoofing/new-ssl-site-bim.jpg
Could you enlighten me?

> What's proposed is a list of trusted (or untrusted) TLDs, set by us.

Trusted not to allow homographed domain names, right? Nice concept, but this still assumes the user will consciously look at the address bar to check the domain although there is no UI indication that tells him to do so. I know every browser does it this way, but I am not sure it is right to expect that much from the average user. (I guess it would already be an achievement if users would really understand the padlock icon...)

> I saw this proposed on Bugtraq; I think the participants there explained
> quite well why it wouldn't work.

I know it's a tradeoff between usability and teaching the user to do the right thing. I just think the current balance puts a bit too much weight on the convenience side.

> But thank you for your input :-)

I know I may be getting on people's nerves with this. ;) I just think it's an important decision.

Michael

--
recursive see: recursive -RfC 1983
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security