At 4:16 PM +0100 9/8/08, Darren J Moffat wrote:
> Hopefully this is interesting enough to get forwarded on...
Ditto. :-)
> Warnings aren't enough in this context [ they already exist ]; the only thing that will work is stopping the page being seen - replacing it with a clearly worded explanation with *no* way to pass through and render the page (okay, maybe with a debug build of the browser, but not in the shipped product).
It depends on how we think change can be achieved. Until now, people designing pages using bad security practices balanced their laziness with the fact that their content would be displayed anyway so whatever. You are proposing moving to the other extreme. Given how easy your solution would be for browser vendors to implement, we have to assume that they have considered it and rejected it.
A less extreme solution would be to make the warning the user sees on a mixed-content page more insulting to the bank. "This page contains both encrypted and non-encrypted content and is inherently insecure. The owner of this web site has clearly made a very poor security decision in showing this page to you. It is likely that other pages on this site also have similarly poor security. Knowing this, do you wish to continue anyway?"
--Paul Hoffman, Director
--VPN Consortium

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
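The thread above argues about what a browser should do once it has found mixed content; the site owner's side of that problem is finding it before the browser does. The following is an added example, not code from the thread or from either poster: a small Node.js scanner that takes the HTML of a page served over HTTPS and reports every subresource the markup would fetch over plain HTTP, split into "active" mixed content (scripts, frames, stylesheets, plugins, which can alter the page) and "passive" mixed content (images and media). The tag/attribute table is a deliberate subset, the regex scan is not a full HTML parser, and the `example.test` hostnames in the sample page are constructed for illustration.

```javascript
// Added example (not part of the mailing-list thread): scan the HTML of an
// https page for subresources that would be fetched over plain http.

// Element/attribute pairs to inspect, and whether a plain-HTTP fetch there is
// "active" (can run code or restyle the page) or "passive" (display only).
// Coverage is a deliberate subset chosen for illustration.
const RESOURCE_ATTRS = [
  { tag: "script", attr: "src", kind: "active" },
  { tag: "iframe", attr: "src", kind: "active" },
  { tag: "link", attr: "href", kind: "active" },   // stylesheets, imports
  { tag: "object", attr: "data", kind: "active" },
  { tag: "img", attr: "src", kind: "passive" },
  { tag: "audio", attr: "src", kind: "passive" },
  { tag: "video", attr: "src", kind: "passive" },
];

// Resolve an attribute value against the page URL and return the resulting
// scheme. Relative ("/x") and protocol-relative ("//host/x") references
// inherit the page's scheme, so on an https page they are not mixed content.
function resolvedScheme(value, pageUrl) {
  try {
    return new URL(value, pageUrl).protocol; // e.g. "https:" or "http:"
  } catch {
    return null; // unparseable reference; ignore it
  }
}

// Return every {tag, kind, url} whose resolved scheme is plain http.
function findMixedContent(pageUrl, html) {
  const findings = [];
  if (new URL(pageUrl).protocol !== "https:") {
    return findings; // only an https page can have mixed content
  }
  for (const { tag, attr, kind } of RESOURCE_ATTRS) {
    // Match <tag ... attr="value"> or <tag ... attr='value'>, case-insensitively.
    const re = new RegExp(`<${tag}\\b[^>]*?\\s${attr}\\s*=\\s*["']([^"']+)["']`, "gi");
    let m;
    while ((m = re.exec(html)) !== null) {
      const url = m[1].trim();
      if (resolvedScheme(url, pageUrl) === "http:") {
        findings.push({ tag, kind, url });
      }
    }
  }
  return findings;
}

// Summarise as a verdict a site owner can act on. Any active mixed content is
// the case the thread argues browsers should refuse to render at all.
function classifyPage(pageUrl, html) {
  const findings = findMixedContent(pageUrl, html);
  const active = findings.filter((f) => f.kind === "active");
  const passive = findings.filter((f) => f.kind === "passive");
  let verdict = "clean";
  if (active.length > 0) verdict = "active-mixed-content";
  else if (passive.length > 0) verdict = "passive-mixed-content";
  return { verdict, active, passive };
}

// Constructed sample page for illustration (not a real site): one http
// stylesheet (active), one http image (passive), and three references that
// resolve to https and must not be flagged.
const SAMPLE_HTML = `
<html><head>
  <link rel="stylesheet" href="http://cdn.example.test/site.css">
  <script src="/js/app.js"></script>
  <script src="//cdn.example.test/lib.js"></script>
</head><body>
  <img src="http://images.example.test/logo.png">
  <img src="https://images.example.test/hero.png">
</body></html>`;

console.log(JSON.stringify(
  classifyPage("https://bank.example.test/login", SAMPLE_HTML), null, 2));
```

Run it with `node mixed.js`; the sample page comes back as `active-mixed-content` with the stylesheet in `active` and the logo in `passive`, while the relative and protocol-relative script references are correctly ignored. The active/passive split matters because it is the distinction browsers actually use: the hard-block the thread wants has, in later browsers, been applied to active mixed content, while passive content is downgraded or warned about.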
