> I would politely ask you how many users you think are both interested in, able to understand, and willing to take decisions based on _six_ different security states in a browser?
I think this thread is about deprecating things and moving developers onto more secure platforms. To do that, you'll need to tell me *why* I need to make the effort. The only thing that I am going to care about is to get users closer to that magic green bar and padlock icon.

You may hope that security is black and white, but in practice it isn't. There is always going to be a sliding scale. Do you show me a green bar and padlock if I go to www.google.com, but the certificate is issued by my intranet? Do you show me the same certificate error I'd get as if I was connecting to a clearly malicious certificate? What if I go to www.google.com, but the certificate has been issued incorrectly because Firefox ships with 500 equally trusted root certificates?

So - yeah, you're going to need a rating system for your security: A, B, C, D, Fail. You're going to have to explain what situations get you into what group, and how as a developer I can move to a higher group (e.g. add a certificate hash into DNS, get an EV certificate costing $10,000, implement DNSSEC, use PFS ciphersuites and you get an A rating). I'm sure that there'll be new security vulnerabilities and best practice in future, too.

Then it is up to me as a developer to decide how much effort I can realistically put into this...

...for my website containing pictures of cats...

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform