On Tuesday 24 May 2005 04:24, Duane wrote:
> Ian you've been preaching for literally years the CAs logo should be on
> the chrome, and everyone has shouted down how ineffective etc this would
> be versus any real world benefit.

Oh? I hadn't noticed ;-)

> Then a thought occurred to me, why not have a pop-up, but not in the
> usual sense, basically it's a mouse over bubble thing that pops up when
> you mouse over the padlock showing any information including the CA
> logo... Then of course it disappears the moment you move your mouse out
> of that area of the screen.

I think actually Firefox does this - at least the Firefox 1.0 on Linux that I can access right now does (but no more, I keep clicking on the padlock and that doesn't work it seems).

Mouse-overs are a start, but not really effective under a phishing attack. We have to think about what happens when we are tricked. If we as a human are tricked, we aren't going to go running around looking at mouse-overs. What we are going to do is our normal mass-image absorption and processing .... and if we check the padlock at all, the glance in the lower corner will be it.

_Once we get suspicious_, as humans, then we'll do the mouse-over, then we'll click on the padlock, or go looking for the cert, or carefully read and compare the URL with the status bar domain.

But we have to get there first. We have to make the user suspicious. Which means we need discordance. We need statements of wrongness, off-key music, harsh colours. Anything that can wake up the subconscious in the brain and put it into an uncomfortable state.

How that is done is an HCI challenge. All I'm suggesting is more info, and accurate information of confidence; as the debate keeps showing, stating the domain name in the status bar is essentially meaningless without the CA as it doesn't indicate who said it, and we don't know who said it, even in this group where people read and know the code.

The eye moves and absorbs at incredible speed. Mouse overs do not. (Not to mention they are totally ineffective in a Linux environment where a mis-move on the mouse causes focus to be switched.)

iang
--
Advances in Financial Cryptography:
https://www.financialcryptography.com/mt/archives/000458.html
