Frank Hecker wrote:
This raises the question that we've previously debated on this group: Is popping up a warning dialog the right thing to do, or does that just encourage users to blindly click "OK"? Is a better alternative to just display the page without the SSL lock icon, with an accompanying information message?

Again, this would be a good use for the "you are connected to the site you think you are connected to" stage (stage 2) of my proposed four-stage model:


1. you are connected to some site or other
2. you are connected to the site you think you are connected to (secDNS, weak SSL)
3. you are connected to the site you think you are connected to and your connection is secure (strong SSL with domain verification)
4. you are connected to the site you think you are connected to and your connection is secure and safe for banking (SSL with better verification)


Gerv
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security
