On Wed, 8 Nov 2006, Duane wrote:
> What I find amusing is the fact that even after attacks in the wild that
> hide the status bar in MSIE and show an image which fakes the status
> bar and lock, they still want a uniform interface to make it easier for
> fraudsters to fake in future.

I think some degree of uniformity in the user interface is good. For example, users need to be able to distinguish trustworthy UI (chrome) from untrustworthy UI (content), and ideally we should standardize on a task that they only have to learn once. This is not to say the UIs have to look identical -- as Passpet shows, i think personalization can play a big part in trustworthy UI -- but the user shouldn't have to learn lots of different schemes.

At a more general level, though, i agree with you: my intuition is that the chrome problem (a.k.a. "trusted path") is probably more significant than the certificate verification problem, and needs some more attention.

-- ?!ng
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
