Frank Hecker wrote:
That pretty much completes my night-time excursion into the wonderful world of Firefox security UI discussions. Feel free to flame away.

A few days ago, I reached pretty similar ideas as a conclusion of the recent debating, reinforced by remembering how valid the old SSL usability rant of Matthew Thomas was (http://mpt.phrasewise.com/2003/11/11), but had no time to describe it in a coherent and convincing way like you just did.


Just a few things:
- There are too many cases. Only experts are actually interested in why the site is not secure, just tell the general public that it's not, and you have to open the details windows to learn why.
So below I will discuss several ways of restricting the options to a minimum.


- I see two parts in this plan. One is introducing the "high-assurance"/"low-assurance" distinction, the other is removing all warning dialogs nobody reads, let alone understands, and reflecting the insurance in the GUI.

There's quite a lot that can be debated about the "high-assurance"/"low-assurance" distinction.
It might be good to implement first the second, and allow more time to think about what we want for the first.


- "high-assurance" is something new, I'd see a new icon.
I think the solution is an icon representing a vault, and not a lock for "high-assurance". I think it's a symbol everyone understands the meaning of without explanation, and it means you don't need to tell some CA you removed them from the 'lock' list, just that they don't meet the criterion for the new 'vault' list. We just need a good vault icon that doesn't look like something else for anybody.
That way, we can keep the lock for the normal SSL case, and not change its meaning with today.


- If we take apart the "high-assurance"/"low-assurance" distinction, I'd go even further than you.
I think the binary option is tempting.
It's secure, fully, or it's nothing, and the GUI doesn't show anything.


In any case, we need to limit the cases as much as possible, so alternatively what I'd see is: nothing/a discreet check mark/lock.

The discreet check mark would be something usually people would not notice, it should fail "look for the lock" (http://www.gerv.net/security/stay-safe/), but it would keep people happy who would find it unfair that any error in the checking means there is nothing in the GUI showing the communication is any different from ordinary http. Clicking the "check mark" would show the detail windows.

This said, I'd see a closed eye icon, rather than a check mark for this.

- About the non-matching cert name, many people misconfigure servers, it's not definitively showing an attack attempt. That's why, and also in order to limit the number of possible cases, I'd just remove the warning (warnings are bad, the blocked popups warning is less bad but is still bad), and display the normal GUI as if there's no encryption in that case.
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security
