On 6/1/18, Ryan Sleevi wrote:
> On Fri, Jun 1, 2018 at 9:14 AM, Peter Kurrasch wrote:
>
>> Security can be viewed as a series of ANDs that must be satisfied in
>> order to conclude "you are probably secure". For example, when you browse
>> to an important website, make sure that "https" is used AND that the
>> domain name looks right AND that a "lock icon" appears in the UI AND,
>> if the site uses EV certs, that the name of the organization seems
>> correct. Failing any of those, stop immediately; if all of them hold
>> true, you are probably fine.
>
> Note that research has shown
citation required
> that your first,
>> make sure that "https" is used
trivially easy after one adds the line
user_pref("browser.urlbar.trimURLs", false);
to user.js.
> second,
>> the domain name looks right
easier after one adds the line
user_pref("network.IDN_show_punycode", true);
to user.js and, while not so easy on your first visit, trivially easy thereafter.
> third,
>> a "lock icon" appears
trivially easy
> and fourth options
>> the name of the organization seems correct
a problem on your _first_ visit.
> are all unreasonable requests of humans trying to be productive.
They wouldn't be so unreasonable if Mozilla had picked better defaults.
Lee
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy