Realistically, the only way to describe this kind of thing to an
end-user is to bring up something -- in a language the user can
understand -- that explains what's going on with the connection.  My
current thinking is that this needs to be brought up for all
connections, not just connections that have something wrong with them
-- get users to understand what a "normal" connection to their bank or
Amazon or other e-commerce sites looks like, and inform them of the
problems (and Mozilla's recommendation that they not enter any
privileged information into the site) when something's amiss.

This requires, once again, changes to the chrome.

Where can the reports on the users' behavior with alternate interfaces
(by Gerv and/or by Johnathan) be found?  (I'm most interested in
looking at the testing methodology, interface design methodology,
interface description/mock-up, sample size, sample constituency, user
actions taken, and how user actions taken were interpreted.)

-Kyle H

On Fri, Jan 30, 2009 at 5:09 AM, Ian G <i...@iang.org> wrote:
> On 30/1/09 13:25, Jean-Marc Desperrier wrote:
>>
>> Ian G wrote:
>>>>
>>>> Ian G wrote, On 2009-01-29 10:01:
>>>>>
>>>>> [...] when firefox trips
>>>>> over a cert, it could show something like that.
>>>>
>>>>> | There is a problem with this cert!
>>>>> |
>>>>> | ==> *The cert was not issued by a known CA*<==
>>>>> | The cert has expired or is not yet valid
>>>>> | [...]
>
> ...
>>>
>>> * if you show a selection of items, then the user tends to read the
>>> actual selection, read some of the others, and then think about what
>>> that means.[...]
>>
>> I'm not convinced still that « not issued by a known CA » would mean
>> anything for Joe Shmoe. And that's the target we should aim for.
>
>
> I don't disagree;  my words above were definitely edited for brevity and
> understanding by this audience, not the end-user.
>
> How we convey that meaning to the end-user who does not understand what it
> means is a big problem, yes.  It's a big challenge for Mozilla.  My view is
> that eventually Mozilla has to do that, whether it does it this year, or in
> 10 years, it will eventually have to convey that info to the user who right
> now doesn't really want to know about it.
>
>
>> Don't take it wrong. I'm strongly in favor in bringing information, but
>> finding what information will be actually useful is *hard*.
>
>
> Oh, yes.  That's why I *strongly and vociferously* support the experiments
> that have been conducted by Johnathan and in the past, Gerv, in order to
> search for the way that works with users.  Only by a mix of careful thought
> and rough & tumble in the userspace will we find the path.
>
>
>> Maybe the best is a link to an on-line help resource that will help Joe
>> Shmoe understand that a CAcert issued cert on a Debian resource site is
>> not a big deal, but that this self-signed cert on a home equity loan
>> site that asks him his bank account info *is*.
>
>
> Certainly, we can outsource the tricky bits to a web page.
>
> (In my mind, I see the real end-users not clicking on that, but clicking
> over to their voice-chat program, and getting their pet techie on the line.
>  "Hey, bro, what's the difference between CA-not-trusted and
> you-can't-rely-on-self-signed?  what's this mumbo jumbo that Firefox is
> telling me?")
>
>
>> The best solution will still be, as much as possible, to not bring out
>> a warning if there's not actually an attack: "Don't cry wolf"!
>
>
> Because of the Bayesian problem, I believe there is no way to avoid the
> "don't cry wolf" dilemma.  So, in essence, the path is to bring out the
> info, and create some sort of shared approach between the user and Firefox,
> working together.
>
> Real security begins at the application and ends at the mind.  Which is to
> say, it is end-to-end, not discrete components.  Which is another way of
> saying, sooner or later, the user has to enter into the security system.
>
>
>
> iang
>
> --
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>
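The "Bayesian problem" Ian refers to above is the base-rate effect: real attacks are rare among connections with certificate trouble, so even a detector that never misses an attack produces mostly false alarms, and the only lever that makes a warning trustworthy is driving the false-positive rate down to the same order as the attack rate. The following is an added worked example, not code from the thread or from Mozilla; every rate in it (1 in 100 benign sites with a broken cert, attack prevalences of 1 in 100 to 1 in 100,000) is a constructed illustrative value, not a measurement.

```python
from fractions import Fraction


def posterior_attack_given_warning(prevalence, sensitivity, false_positive_rate):
    """P(attack | warning) by Bayes' theorem.

    prevalence           P(attack): share of connections that are real attacks
    sensitivity          P(warning | attack): how often an attack triggers a warning
    false_positive_rate  P(warning | no attack): how often a benign but
                         misconfigured site (expired, self-signed, ...) triggers one
    """
    true_alarms = sensitivity * prevalence
    false_alarms = false_positive_rate * (1 - prevalence)
    if true_alarms + false_alarms == 0:
        return Fraction(0)
    return true_alarms / (true_alarms + false_alarms)


def false_alarms_per_real_attack(prevalence, sensitivity, false_positive_rate):
    """How many benign warnings a user sits through for each real attack shown."""
    true_alarms = sensitivity * prevalence
    false_alarms = false_positive_rate * (1 - prevalence)
    return false_alarms / true_alarms


def required_false_positive_rate(prevalence, sensitivity, target_posterior):
    """Largest false-positive rate at which P(attack | warning) still reaches
    target_posterior; the Bayes expression above solved for the false-positive rate."""
    return (sensitivity * prevalence * (1 - target_posterior)
            / (target_posterior * (1 - prevalence)))


def cry_wolf_table(false_positive_rate, sensitivity=Fraction(1)):
    """Posterior for a range of constructed attack prevalences, as (prevalence, posterior)."""
    rows = []
    for denom in (100, 1_000, 10_000, 100_000):
        p = Fraction(1, denom)
        rows.append((p, posterior_attack_given_warning(p, sensitivity, false_positive_rate)))
    return rows


if __name__ == "__main__":
    fpr = Fraction(1, 100)  # constructed: 1 in 100 benign sites has a broken cert
    for p, post in cry_wolf_table(fpr):
        print(f"attack prevalence 1/{p.denominator}: P(attack | warning) = {float(post):.4f}")
    print("false-positive rate needed for a 50% reliable warning at 1/10000 prevalence:",
          required_false_positive_rate(Fraction(1, 10_000), Fraction(1), Fraction(1, 2)))
```

With the constructed 1-in-100 false-positive rate and an attack prevalence of 1 in 10,000, a warning that never misses an attack is still right less than 1% of the time, and the user sees roughly a hundred benign warnings per real one; to make the same warning right half the time, benign sites would have to trip it no more often than 1 in 9,999. That is the quantitative shape of the "don't cry wolf" dilemma, and why the thread treats an explanatory, always-present display as more promising than a binary alarm.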