Frank Hecker wrote:
> 2. Acknowledge the typical user's expectation that the display of a padlock is something associated primarily with e-commerce or financial sites, and basically means "it's safe for you to enter sensitive financial or other personal information on this page".

I'd concur that this is what users who notice the padlock at all expect it to mean.


> 5. Discourage typical users from modifying the default list of "trusted" CAs and certificates, in particular by adding new site or CA certs as warning dialogs pop up.

I'm not sure I understand this sentence.

> Without further ado, here's the proposal:
>
> * Retain the current Firefox UI when SSL/TLS is not used:
>
>   - no padlock or other SSL/TLS-related indicator in status bar
>   - location bar background is white
>   - site domain name is *not* displayed in the status bar

Er... a slight snag here is that dveditz and I just agreed that we would start displaying domain names on non-secure sites. But that's not set in stone. I've invited him over here to participate.


Having read your proposal, I think I'm going to do some "thinking out loud".

We want to clearly indicate the following information, all of which is useful:

1) Can I be certain I'm connected to the domain in the URL bar? Yes/No
2) Is the connection encrypted? Yes/No
3) Can I put my CC number into this web page? Yes/No

1) could be fulfilled by a high-assurance cert, low-assurance cert, self-signed cert or Secure DNS.

2) could be fulfilled by any sort of cert, and is a subset of 1).

3) is a subset of 2), and is fulfilled when there is a high-assurance cert.

If this is true, then it's just a matter of determining the UI. Here's one suggestion:

We have a tick for "domain name verified" (case 1)
We have the yellow background for "encrypted" (case 2)
We have the lock (instead of the tick) for "CC-safe" (case 3)

My only concern with this plan is that then the UI difference between cases 2 and 3 is not as visible as it could be. But it's only a plan - the real question is, is my 1/2/3 division correct?

Gerv
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security