At 11:21 PM +0100 9/9/08, Dave Howe wrote:
> Darren J Moffat wrote:
>> Warnings aren't enough in this context [ they already exist ] the
>> only thing that will work is stopping the page being seen - replacing
>> it with a clearly worded explanation with *no* way to pass through
>> and render the page (okay maybe with a debug build of the browser but
>> not in the shipped product).
>
> One thing that concerns me is that in the new release of Firefox, there
> appears to be NO way to get to a site that has a bad certificate (or
> self signed certificate) other than overriding the warning permanently -
> no "ok let me see it, I have seen the warning and want to look just this
> once" that the "remember mismatched domains" plugin for 2.x gave you.

That may concern you, but I consider it a feature. Instead of
teaching users to "always click through the damn dialog boxes", FF3
says "if you fell for it once, you're going to always fall for it so
we won't teach you bad habits". There are arguments for either
strategy.

Given that few or none of us on this list are actually trained
interface experts, I'm sure we could debate this until Perry pulls
the moderator switch again. The salient point is that people who have
more stake in the game (Mozilla Inc.) have spent longer thinking
about this than we give them credit for and come to the design
decisions that they have.
--Paul Hoffman, Director
--VPN Consortium
---------------------------------------------------------------------
The Cryptography Mailing List