Paul Hoffman wrote:
> At 11:21 PM +0100 9/9/08, Dave Howe wrote:
>> Darren J Moffat wrote:
>>> Warnings aren't enough in this context [ they already exist ] the
>>> only thing that will work is stopping the page being seen - replacing
>>> it with a clearly worded explanation with *no* way to pass through
>>> and render the page (okay maybe with a debug build of the browser but
>>> not in the shipped product).
>>
>> One thing that concerns me is that in the new release of firefox, there
>> appears to be NO way to get to a site that has a bad certificate (or
>> self signed certificate) other than overriding the warning permanently -
>> no "ok let me see it, I have seen the warning and want to look just this
>> once" that the "remember mismatched domains" plugin for 2.x gave you.
>
> That may concern you, but I consider it a feature. Instead of teaching
> users to "always click through the damn dialog boxes", FF3 says "if you
> fell for it once, you're going to always fall for it so we won't teach
> you bad habits". There are arguments for either strategy.

True enough, but the "clickthru bandits" will just see a button that reads to them "make this error go away" then next time will forget they did it - and will take the fact that they went straight into the site to mean the problem was "fixed" or simply not remember there ever was a problem. In the meantime, a choice I *used to have* is now taken from me, in the interests of selling more EV certificates.

> Given that few or none of us on this list are actually trained interface
> experts, I'm sure we could debate this until Perry pulls the moderator
> switch again. The salient point is that people who have more stake in
> the game (Mozilla Inc.) have spent longer thinking about this than we
> give them credit for and come to the design decisions that they have.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]