Re: Permanently store this exception selected by default
Hi,

> Given users' tendency to click-through security warnings, would it not
> perhaps be better for that box to be UNchecked by default?

No. If it's a legitimate selfsign cert, it's best to store it - then the user won't be bothered but a real attack (changed cert again) would trigger the warning again (not that it would help this user).

If it's an attack cert, the damage (stolen password etc.) often happens with the first click anyway, so there is not much to lose after that. And beside that, the user would click away the warning next time anyway...

Jan

--
Please avoid sending mails, use the group instead. If you really need to send me an e-mail, mention FROM NG in the subject line, otherwise my spam filter will delete your mail. Sorry for the inconvenience, thank the spammers...

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Permanently store this exception selected by default
File a bug.

(If we're going to annoy the users every time they first encounter a security exception, we might as well go whole-hog and do it every time they encounter a security exception.)

-Kyle H, the embittered

On Fri, Jun 4, 2010 at 7:21 PM, TEO Tse Chin teotsec...@gmail.com wrote:

> Hello,
>
> I encountered an expired cert for an IMAP (STARTTLS) server from an ISP.
> While I've followed up with the ISP about the expired cert, there was
> something about Thunderbird's behavior that caught my attention.
>
> In the Add Security Exception dialog box, the checkbox for Permanently
> store this exception was checked by default.
>
> Given users' tendency to click-through security warnings, would it not
> perhaps be better for that box to be UNchecked by default? That way
> they'll get a warning each time, and more likely to go bug their service
> provider to keep their certs up to date.
>
> Tse Chin
Re: Permanently store this exception selected by default
On 2010-06-04 19:21 PDT, TEO Tse Chin wrote:

> I encountered an expired cert for an IMAP (STARTTLS) server from an ISP.
> While I've followed up with the ISP about the expired cert, there was
> something about Thunderbird's behavior that caught my attention.
>
> In the Add Security Exception dialog box, the checkbox for Permanently
> store this exception was checked by default.
>
> Given users' tendency to click-through security warnings, would it not
> perhaps be better for that box to be UNchecked by default?

No. This was deliberate.

Users' tendency to click through without reading the warning/error first is a direct function of the frequency with which the user experiences the error. It's that frequency that is the enemy. The idea is that the way to get users to pay attention to errors is to make them infrequent. Showing the user the SAME error over and over is the worst thing to do in terms of conditioning him to ignore all similar errors. So, we did what we could to minimize the frequency.

> That way they'll get a warning each time, and more likely to go bug their
> service provider to keep their certs up to date.

Actually, they're more likely to ignore it.

> Tse Chin
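The two replies above argue that a stored exception is tied to one certificate, so a changed certificate still raises a warning, and that a default of not storing it only raises the number of identical warnings. The following is an added illustration of that argument, not part of any message in the thread and not Thunderbird's code; the store class, host name and certificate bytes are constructed, and it assumes an unchecked exception lasts only until the application restarts.

```python
import hashlib

# Constructed stand-ins for DER certificate bytes (not real certificates).
EXPIRED_CERT = b"constructed: ISP cert, expired"
CHANGED_CERT = b"constructed: different cert on same host"

class ExceptionStore:
    """Certificate exceptions keyed by (host, port), pinned to one fingerprint."""

    def __init__(self):
        self.permanent = {}   # survives restarts
        self.session = {}     # forgotten when the application restarts

    def restart(self):
        self.session.clear()

    def check(self, host, port, cert):
        fp = hashlib.sha256(cert).hexdigest()
        pinned = self.permanent.get((host, port)) or self.session.get((host, port))
        if pinned is None:
            return "warn-new"          # no exception stored: dialog shown
        return "ok" if pinned == fp else "warn-changed"

    def accept(self, host, port, cert, permanent):
        target = self.permanent if permanent else self.session
        target[(host, port)] = hashlib.sha256(cert).hexdigest()

def simulate(certs_per_restart, permanent):
    """One connection per application run; the user accepts every dialog."""
    store, verdicts = ExceptionStore(), []
    for cert in certs_per_restart:
        store.restart()
        verdict = store.check("imap.example.net", 143, cert)
        if verdict != "ok":
            store.accept("imap.example.net", 143, cert, permanent)
        verdicts.append(verdict)
    return verdicts

# Three runs against the expired cert, then the server presents a different one.
TIMELINE = [EXPIRED_CERT] * 3 + [CHANGED_CERT] * 2

if __name__ == "__main__":
    print("box checked  :", simulate(TIMELINE, permanent=True))
    print("box unchecked:", simulate(TIMELINE, permanent=False))
```

With the box unchecked, the run where the certificate changes produces the same dialog as every other run, so nothing distinguishes it from the routine warning.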
Re: Permanently store this exception selected by default
On 2010-06-06 11:22 PDT, aerow...@gmail.com wrote:

> File a bug.

No, don't. It would be a duplicate. Find the bug already on file. It's probably already resolved WONTFIX.
Re: Permanently store this exception selected by default
Sorry to reply out of order.

> That way they'll get a warning each time, and more likely to go bug their
> service provider to keep their certs up to date.
>
> Tse Chin

Even as a technical user I have a hard time finding out whom to contact at a site and how to convince them to get a properly signed certificate (webmaster@ is usually clueless). If they can't be bothered to google free ssl or keep them up to date, chances are they won't fix a self-signed certificate or an expired certificate anytime soon.

As much as I dislike this interface change I agree with it.

-Kurt
Permanently store this exception selected by default
Hello,

I encountered an expired cert for an IMAP (STARTTLS) server from an ISP. While I've followed up with the ISP about the expired cert, there was something about Thunderbird's behavior that caught my attention.

In the Add Security Exception dialog box, the checkbox for Permanently store this exception was checked by default.

Given users' tendency to click-through security warnings, would it not perhaps be better for that box to be UNchecked by default? That way they'll get a warning each time, and more likely to go bug their service provider to keep their certs up to date.

Tse Chin