On Thursday 12 May 2005 13:28, Duane wrote:
> Ian G wrote:
> > The most important thing that the browser UI
> > can do is to promote more SSL. If twice as
> > many people use SSL but it has a slight
> > vulnerability, that's much better than a perfect
> > system that is only used by half as many.
>
> I agree with you on your opinions about opportunistic encryption, any
> encryption is better than none, but at the same time absolutely no
> verification is of no benefit either.

"Absolutely no verification is of no benefit either" is a chimera. Most tasks don't need so much more verification than domains already give us, and for those tasks that need more, there is more.

For those tasks that need less verification, like reading this mailing list, or posting a bug fix to the bugzilla site, or reading a blog, then encryption of an opportunistic kind is fine, a nice win.

Also, bear in mind as you must have discovered by now: it is far easier to improve a half-way situation than it is to start from scratch. Once SSL is in place, improving it to add certain features like strong identity or verification or better crypto is easy.

But putting an entire website under SSL completely with all the proper protections and getting it to some standard of perfection is a bear. It's no wonder that merchants only do it when they are forced to. It is far more economic to start off with some sort of half way house and upgrade as and when your users show you it is needed.

> > So, it would be ok for the lock not to be
> > shown as long as the browser does not
> > scare the user away or waste their time on
> > popups, IMHO. If self-signed certs could be
> > used exactly as HTTP, then we could replace
> > HTTP with self-signed certs and everyone
> > wins.
>
> mmmmmm.... see above...

SSL should be done with drop in certs. Drop in the new cert, get the new feature you want with minutes of sysadmin time spent. How long have you spent on yours so far?

iang
-- 
http://iang.org/
