On Tue, Nov 3, 2009 at 12:54 AM, Mike Hearn <[email protected]> wrote:
> Yeah, I understood :) I haven't seen much discussion of these issues
> so figured I'd try and start some - perhaps a lurker would be
> motivated to work on it. Or maybe the Chrome team in a later release.

We had a lot of discussion on this topic before we released the first beta because we wanted to get security right out of the box. I'd certainly be happy to revisit this topic when we have new information. It's tempting to re-arrange the deck chairs, so to speak, but we'd like to have solid data showing that we're going in the right direction first.

> The force-ssl stuff seems like good progress. Still, Chrome takes a
> less aggressive stance than Firefox on things like click-through
> warnings and that doesn't seem like needing academic study to resolve.

You say what, but we have numbers on how often users click through the certificate errors, and they're commensurate with the data in this study:

http://www.usenix.org/events/sec09/tech/full_papers/sunshine.pdf

I'm not sure the extra clicks are buying Firefox users much, if any, security. That particular study is really interesting because the authors find that users learned how to get past their even-more-elaborate error dialogs during the course of the study. Now imagine if they were to use the browser for more than an afternoon...

I'd encourage you to think about this issue, come up with great ideas, and get the data to convince us. If there's one thing I've learned working on this project, it's that data trumps opinion every time.

Adam

Chromium Developers mailing list: [email protected]
View archives, change email options, or unsubscribe: http://groups.google.com/group/chromium-dev
