HJ wrote:
Gervase Markham wrote:

Michael Roitzsch wrote:

If I understand things correctly, you want to have the browser maintain a sort of whitelist of domains the user trusts. Whenever the browser encounters a new SSL domain, the user is asked if she wants to include it in the list of trusted domains. Have I gotten the idea right?

Nope. I don't think anyone with knowledge of browser UI and/or user behaviour and acceptance would propose such a thing.

What? That's almost exactly what your first and second proposals were about, only you called it SSL History.

No, my SSL history proposal was entirely different from this. The browser maintains a list of _all_ SSL domains the user has _visited_ and tells the user when they visit a new one. No asking the user, no whitelist.


What's proposed is a list of trusted (or untrusted) TLDs, set by us.

Again, this is new, and this was certainly not part of your first and second proposals.

He is talking about solutions specific to the IDN homograph attacks. This is the current proposed solution for that problem. When I finally catch up on all my email, I hope to circulate those proposals more widely.


Gerv
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security
