Heikki Toivonen wrote:
>
> On the principle, but perhaps we want different things present by default.
>

Well, obviously, if a green address bar is enough default information for you, then we disagree...

>
> I am not against having optional features that show additional
> information on mouse over. I think "Authenticated by" is optional, and
> means nothing to most users.
>

Exactly, it means nothing!

> It's not my proposal, and has in fact been discussed by people for
> years. The basic idea is that if you go to a site and there is an SSL
> error (expired cert, wrong host error, whatever), instead of a dialog
> box with an OK button you are treated with an error page. There is no
> way to click OK. You can simply not get to the site. This takes the
> likely uninformed user out of the picture.
>

I think this should be considered!

>
> Now, what is there to help me make a decision about the trustworthiness
> of the site, and the possibility of getting law enforcement involved if
> I feel wronged? Just to list some things I could do: check how
> professional the site looks, look at whois information, search for
> opinions from other shoppers, and so on. For new sites there won't be
> much available.
>

Which is not what a casual user would do anyway... none of this!

> Then there's the certificate.

Yes? How should the casual user know ANYTHING about the certificate?

> But with today's domain validation only
> certificates that is not much help.

If you would know that it's domain validated, then you would KNOW much more! Or for that matter, any other type of verification performed - and you'd know about it - would help!

> If they were using EV certificate, I
> would be more confident that they are a real company at least, and I
> could get their real contact information in case of problems.
>
>

Sure, but since you are a casual user (just pretending for a minute) you would know NOTHING, except that the address bar is green... WOW...

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
