Frank Hecker wrote:<snip>
5. Discourage typical users from modifying the default list of "trusted" CAs and certificates, in particular by adding new site or CA certs as warning dialogs pop up.
I'm not sure I understand this sentence.
I meant the following: Right now when you connect to a site that presents a self-signed SSL cert, or an SSL cert issued by a CA not currently in the Firefox/NSS default list (or in the list, but with SSL "trust bit" set to "no"), the user is presented with a warning dialog that (among other things) offers them the option to "trust" the site cert and/or the CA cert on a permanent basis. This in turn causes at least some end users to modify the default cert list simply in order to get past the warning dialog and get on with viewing the page.
(The user could also cancel the connection or accept the cert only for the current session, of course, but I suspect a significant percentage of people actually accept the site or CA cert permanently.)
I believe that we should discourage such behavior, by removing the warning dialog entirely. Instead Firefox should simply display the web page in question without popping up a dialog, with some UI indicator to indicate that the page was not retrieved via a "normal" SSL connection. (For example, I suggested displaying a question mark instead of a padlock, and not changing the address bar background at all.) If the user then wants to actually "trust" the site or CA cert they could do so in some other way, e.g., through a menu item on an informational message dropdown, or through FF preferences, or whatever. But making such a decision would be optional, not forced through use of a modal dialog.
Note that this issue is entirely separate from the issue of using different UI for "low asurance" vs. "high assurance" certs, and IMO should be considered no matter what people decide om the latter issue.
Frank
-- Frank Hecker [EMAIL PROTECTED] _______________________________________________ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
