Ian G wrote:
> Nelson B wrote:
>> Jan Egil Kristiansen wrote:
>>> My click indicated that I was willing to view the site without
>>> signature and encryption, and the browser should remind me of that
>>> decision.
>>
>> Anyone agree? Disagree?
>
> To reverse myself (again) ... that click overrode
> the security model. In this case Jan accepted
> the cert. There is only a binary offering, accepting
> the cert in *all* its glory and perfidy. Once accepted,
> it has been accepted as being correct.
>
> I'm not sure there is an ordinary use case where
> our average user decides to carry on and override
> the warning, but wants to be reminded that she
> is doing something dangerous. The binary aspects
> of the model are such that it's either good or it's
> bad; the override doesn't give you that fine
> distinction. If she accepts that it is bad, she hits
> cancel and goes somewhere else.
>
> Jan was operating as a more cunning technical
> type and was capable of making that fine judgement;
> an ordinary user wouldn't. I think if the user goes
> on, then she does so at her own peril, totally, as it
> is unfair of her to expect Firefox to know what's
> going on....
>
> Still, I suppose if there are a range of uncertainties,
> an additional symbol beside the padlock like a
> question mark wouldn't go astray.
I agree very much with the last statement, so I submitted bug #276533. See <https://bugzilla.mozilla.org/show_bug.cgi?id=276533>. However, the fact that a bug report now exists does not necessarily mean this will be done. This bug is a "request for enhancement", many of which die.

In the meantime, recognize that a certificate mismatch occurred because <www.londonstockexchange.co.uk> is a new domain name while the existing site certificate (installed on the Web server) was issued for <www.londonstockexchange.com>. This is a common occurrence caused when someone decides to "upgrade" a secure Web site without thoroughly evaluating all aspects and impacts. I have seen this often and immediately report it to the site's Webmaster. If I can't locate the Webmaster, I do a search to determine the CEO of the owner of the site and send the CEO a postal letter.

When you override the mismatch, you effectively say you will accept the site certificate that the server presented as authentic although the domain in the certificate does not match the domain presenting the certificate. That acceptance remains in effect during the current browser session.

-- 
David E. Ross
<http://www.rossde.com/>

I use Mozilla as my Web browser because I want a browser that complies with Web standards. See <http://www.mozilla.org/>.

_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto
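The mismatch David describes (a certificate issued for one name presented by a host with another name) and the session-scoped override that follows a click-through can be modelled in a few dozen lines. The block below is an added example for this thread, not Mozilla or NSS code; the certificate fields, fingerprints and hostnames in it are constructed for illustration, since the real certificate's contents are not on record here. It implements the RFC 6125 style name comparison a client performs (case-insensitive, SAN dNSName entries preferred over the CN, a single `*` only in the left-most label and never standing for the whole public suffix) and then records a click-through exactly as the thread says it is remembered: per host, per certificate, for the current session only.

```python
"""Certificate hostname matching and the per-session override.

Added example; not browser or NSS code.  All certificate contents,
fingerprints and hostnames below are constructed for illustration.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class PresentedCert:
    """Only the identity-bearing parts of a server certificate."""
    subject_cn: str
    fingerprint: str                  # hash of the DER; a constructed string here
    san_dns: tuple[str, ...] = ()     # subjectAltName dNSName entries, if any


def name_matches(pattern: str, hostname: str) -> bool:
    """Compare one certificate name against the requested hostname.

    Rules: case-insensitive; label-by-label; a '*' may only be the whole
    left-most label; '*.tld' is rejected; partial wildcards like 'w*w' are
    rejected (what mainstream browsers do, stricter than RFC 6125 permits).
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or len(p) < 2:
        return False
    if any("*" in lab and lab != "*" for lab in p) or "*" in p[1:]:
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_matches_host(cert: PresentedCert, hostname: str) -> bool:
    """SAN dNSName entries are authoritative; the CN is consulted only
    when the certificate carries no SAN at all."""
    names = cert.san_dns if cert.san_dns else (cert.subject_cn,)
    return any(name_matches(n, hostname) for n in names)


class SessionOverrides:
    """What the browser remembers after the user clicks through a warning:
    the accepted (hostname, certificate fingerprint) pair, this session only."""

    def __init__(self) -> None:
        self._accepted: set[tuple[str, str]] = set()

    def accept(self, hostname: str, cert: PresentedCert) -> None:
        self._accepted.add((hostname.lower(), cert.fingerprint))

    def is_accepted(self, hostname: str, cert: PresentedCert) -> bool:
        return (hostname.lower(), cert.fingerprint) in self._accepted


def decide(hostname: str, cert: PresentedCert, overrides: SessionOverrides) -> str:
    """Return 'ok', 'overridden' or 'mismatch' for one connection attempt."""
    if cert_matches_host(cert, hostname):
        return "ok"
    if overrides.is_accepted(hostname, cert):
        return "overridden"   # accepted earlier this session; UI shows no distinction
    return "mismatch"


# Constructed stand-in for the certificate discussed in the thread.
LSE_CERT = PresentedCert(
    subject_cn="www.londonstockexchange.com",
    fingerprint="sha256:0000constructed0000",
    san_dns=("www.londonstockexchange.com",),
)

if __name__ == "__main__":
    ov = SessionOverrides()
    print(decide("www.londonstockexchange.com", LSE_CERT, ov))     # ok
    print(decide("www.londonstockexchange.co.uk", LSE_CERT, ov))   # mismatch
    ov.accept("www.londonstockexchange.co.uk", LSE_CERT)           # user clicks through
    print(decide("www.londonstockexchange.co.uk", LSE_CERT, ov))   # overridden
```

Two points worth noticing in the output: the override is bound to the certificate's fingerprint, so a different certificate presented by the same host (or the same certificate from a new `SessionOverrides`, i.e. a new browser session) produces `mismatch` again; and, as Ian G observed, once accepted the connection is reported with the same bare `ok`/`overridden` split and nothing between, which is the gap bug #276533 asks to close.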
