Xplo Eristotle <[EMAIL PROTECTED]> writes:

> >    You might want to turn off TLS if you encounter a web site that is
> > "TLS intolerant".
> 
> I have some idea what SSL is, but WTF is TLS?

TLS is _almost_ the same thing as SSLv3. But there are subtle
differences that make some sites that do support SSL break with TLS.

> How would I know if a site is "TLS intolerant", anyway?

Yeah, what *is* the failure mode when connecting to a site that has
this problem? Can users differentiate this from a simply unreachable
site?

Could this perhaps be detected by Mozilla itself?

<URL:https://www.delphion.com/> just seems to time out without any
error when TLS is on.

> > Users choose weak passwords.  But unless they get feedback on what's
> > "worse" and what's "better", they're not going to improve the quality of
> > their passwords.
> 
> Finally, something in English. But this is silly; anyone who'd be
> messing with this much security stuff in the first place surely knows
> what kind of passwords to choose.

I disagree. Users may get handed out a strong password for their
online banking, but when they click "Yes" in the relevant dialog box,
this is saved by Mozilla, protected only by the master password, and
your computer's general security.

I like the bad/good password bar. I don't like the symbol counting,
though. It leaks too much information to shoulder-surfers for my
taste. The bar should suffice if there is an "explain why you consider my
password weak" link to a help page nearby.

> > You would want to turn off a cipher if some clever math wiz was able to
> > find a flaw with it. This does happen from time to time. You might also
> > want to turn off the low-grade encryption ciphers to make sure you're
> > only using the high-grade crypto.
> 
> Shouldn't the high-grade crypto stuff be on by default, and transparent
> to the user?

It is. These settings are there so you can turn things OFF which you
don't consider secure.

If the settings are hidden beneath another button (it looks like this,
currently, though the button is disabled), casual users won't see it
anyway.

-- 
Robbe
