Gervase Markham wrote:
On what basis would you mark a level 2 certificate as safe? How can a user make such a decision safely?

Out-of-band information. What follows is sorta fuzzy, and it's 4am here, so be gentle. ;)

Say I receive snail mail from a brick-and-mortar merchant I trust which says "Hey, we have a website now! It's at http://example.com."; I type that URL in my URL bar, and mark it trusted after it loads.

Or I'm worried about dealing with some particular site, and I don't know much about this whole computer security thing. I ask my granddaughter, who does, to set things up so I can do it. My granddaughter checks things out, and either tells me that I really shouldn't deal with them or tells me that it should be good.

That sort of thing.

In any case, the "user marks it" is just a suggestion. There are other sorts of out-of-band information ("lots of praise about this site in the press", "lots of users recommending this site", whatever) that could be used. Pardon me for not making an exhaustive list, but I really should sleep. :(

-Boris
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security