On Mon, Sep 22, 2014 at 2:47 PM, <[email protected]> wrote:
> To the larger discussion, I have 2 questions: 1) what is the specific message
> you'd like to convey to the user beyond what the simple lock icon provides.

That the site not only uses authenticated https but uses authenticated https *better*. (I think forward secrecy and HSTS can be considered the main ingredients of "better".) The bar for the old lock is pretty low: you get the old lock with SSL3, RSA key transport and RC4 without HSTS. However, just changing the criteria for the old lock would probably have the effect of "crying wolf", since so many currently lock-bearing sites don't meet the better criteria.

> 2) What action do you intend the user to take based on seeing the new
> indicator?

I expect most users not to take any action. I'd expect site admins who see the new indicator on someone else's site to think "Why does the other site have a cooler lock than mine? I want the cooler lock, too." and then learn how to get the cooler lock. I'd also expect a small group of technically informed users, who currently don't bother inspecting the ciphersuite and HSTS state of sites, to nag sites that they use but that don't have the new indicator to fix their act to get the new indicator.

-- 
Henri Sivonen
[email protected]
https://hsivonen.fi/

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
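The message above sketches two tiers of criteria: the "old lock" (any authenticated https, even SSL3 with RSA key transport and RC4, no HSTS) and a "better lock" (forward secrecy plus HSTS, none of the weak legacy ingredients). The following is an added example, not code from the thread or from any browser: a small classifier that takes the negotiated protocol, the IANA cipher-suite name and the raw Strict-Transport-Security header and reports which tier a connection would earn and why it misses the better one. It goes slightly beyond the 2014 discussion by also accepting TLS 1.3, whose suite names omit the key exchange because 1.3 only offers ephemeral (EC)DH. The sample observations in SAMPLES are constructed, and the decision of what counts as "better" is exactly the set of ingredients named in the message, treated here as an assumption rather than any browser's real policy.

```python
"""Classify a TLS observation against the "old lock" vs "better lock"
criteria from the thread. Added example; the criteria encoded here are
an assumption based on the message, not a browser's actual UI policy."""
import re
from dataclasses import dataclass, field

# Cipher suites whose key exchange is ephemeral (forward secret) in TLS <= 1.2.
FORWARD_SECRET_PREFIXES = ("TLS_ECDHE_", "TLS_DHE_")
# Protocols that (with a trusted certificate) earn the plain lock.
OLD_LOCK_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}


@dataclass
class Assessment:
    old_lock: bool
    better_lock: bool
    reasons: list = field(default_factory=list)  # why the better lock was denied


def has_forward_secrecy(protocol: str, suite: str) -> bool:
    # TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) carry no key-exchange name
    # because 1.3 negotiates only (EC)DHE, so they are always forward secret.
    if protocol == "TLSv1.3":
        return True
    return suite.startswith(FORWARD_SECRET_PREFIXES)


def hsts_max_age(header):
    """Return the max-age directive as an int, or None if absent/unparseable."""
    if header is None:
        return None
    m = re.search(r'max-age\s*=\s*"?(\d+)"?', header, re.IGNORECASE)
    return int(m.group(1)) if m else None


def assess(protocol: str, suite: str, hsts_header, cert_trusted: bool = True) -> Assessment:
    reasons = []
    old_lock = cert_trusted and protocol in OLD_LOCK_PROTOCOLS
    if not old_lock:
        return Assessment(False, False, ["no authenticated https at all"])
    if protocol == "SSLv3":
        reasons.append("SSL 3.0")
    if not has_forward_secrecy(protocol, suite):
        reasons.append("no forward secrecy (non-ephemeral key exchange, e.g. RSA key transport)")
    if "_RC4_" in suite:
        reasons.append("RC4")
    age = hsts_max_age(hsts_header)
    if age is None:
        reasons.append("no HSTS header")
    elif age == 0:
        reasons.append("HSTS max-age=0 (policy cleared, not enforced)")
    return Assessment(True, not reasons, reasons)


# Constructed sample observations (protocol, IANA suite name, HSTS header).
# These are illustrative, not measurements of any real site.
SAMPLES = {
    "legacy":   ("SSLv3",   "TLS_RSA_WITH_RC4_128_SHA", None),
    "middling": ("TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", None),
    "better":   ("TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                 "max-age=31536000; includeSubDomains"),
    "tls13":    ("TLSv1.3", "TLS_AES_256_GCM_SHA384", "max-age=63072000"),
}


def assess_samples():
    return {name: assess(*args) for name, args in SAMPLES.items()}


if __name__ == "__main__":
    for name, a in assess_samples().items():
        print(f"{name:9} old_lock={a.old_lock} better_lock={a.better_lock} {a.reasons}")
```

The "legacy" sample earns the old lock and fails the better one on all four counts, which is the gap the message is pointing at; the "middling" sample shows the common 2014 case of a forward-secret site that is one HSTS header away from the better tier.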

