I've thought a lot about this and for my money I don't think a UI indicator is the right solution for a a difficult problem like encouraging and rewarding good security practices. I realize my sphere of influence is limited so I’ll just offer the following perspective for whatever it may be worth: The crux of the problem is how to identify security done right. Two aspects to consider: 1) When coming up with a grading scale for how good a security implementation is, I think the best we do is have 2 categories: "pretty good" and "good enough". Maybe add a "poor" or "not acceptable" category too. Either way, I'm concerned that a "best" category might prove to be out of reach for most sites, assuming we could agree in the first place as to what constitutes "best". 2) Doing a good job on security for a "main page" (i.e. the origin document) is one thing but getting all the ancillary stuff right is a much larger challenge. Think of all the iframes and style sheets and dynamic content and so forth that are loaded on just about any real page you come across: js libraries, branding and marketing artwork, analytics reporting. A lot of the time that stuff is not under the control of the site owner, yet can affect my own security as a visitor to the site. I shouldn't say "everything looks good" if some of the ancillary content is not well protected. So, how can shortcomings on the ancillary side of things be factored in to an overall score in a way that is fair? Taken together, I'm concerned a UI indicator of some sort might turn into something that's not fair nor accurate and therefore not very meaningful. Were that to happen, I don't think we'd end up encouraging anyone to do a better job on website security. I like the idea of encouraging and rewarding those who make the effort to have good security practices but I don't think this is the right path.
On Mon, Sep 22, 2014 at 1:47 PM, <[email protected]> wrote: > To the larger discussion, I have 2 questions: 1) what is the specific message you'd like to convey to the user beyond what the simple lock icon provides. 2) What action do you intend the user to take based on seeing the new indicator? For downgrading EV UI to a lock when not enabling certain other features I would expect the effect to be that developers upgrade their security features. For showing a green lock instead of a normal lock I would expect developers to do likewise. The idea would be to make address bar UI more attractive for those domains that put effort into getting security right. (There's some problems here at the moment, currently the address bar is arguably less cluttered when not deploying TLS. There's a couple of bugs filed on making them more equal.) -- https://annevankesteren.nl/ | ||
_______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
