Eddy Nigg (StartCom Ltd.) wrote:
> Heikki Toivonen wrote:
>> Some people have pushed for making SSL errors such that you cannot just
>> click OK and proceed to the site. I'd like to see that happen.
>
> Interesting! Can you be more specific on what you propose here?
It's not my proposal, and it has in fact been discussed by people for years. The basic idea is that if you go to a site and there is an SSL error (expired cert, wrong host error, whatever), instead of a dialog box with an OK button you are treated with an error page. There is no way to click OK. You simply cannot get to the site. This takes the likely uninformed user out of the picture.

>> I fail to find the logic in not letting me know the identity of the
>> website operators I want to do business with.
>>
> And I fail to understand, why you shouldn't know the identity of the web
> site operator?

I am not sure I understand your question. Here's the usage scenario I was thinking about:

I want to buy some new gadget. It is expensive, so I want to do some research to find the cheapest place to buy it. Using various search engines I arrive at a site that has it in a price range I like. Being conscious about security, I check that they support SSL on the shopping page. However, this is a site I have never visited before.

Now, what is there to help me make a decision about the trustworthiness of the site, and the possibility of getting law enforcement involved if I feel wronged? Just to list some things I could do: check how professional the site looks, look at whois information, search for opinions from other shoppers, and so on. For new sites there won't be much available.

Then there's the certificate. But with today's domain-validation-only certificates that is not much help. If they were using an EV certificate, I would be more confident that they are a real company at least, and I could get their real contact information in case of problems.

-- 
Heikki Toivonen

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
