On 2007-02-06, Gervase Markham <[EMAIL PROTECTED]> wrote:
> Michael Lefevre wrote:
[snip]
>> I don't see how a simple on/off indication is going to work, unless it is
>> "on" for any and all sites that a "normal" user wants to give their
>> personal details to, 
>
> "Personal details"? I give out personal details over plain HTTP all the 
> time. Is that really what you meant?

No - I was trying to generalise. I meant passwords for bank accounts,
credit card details and other stuff that people really want to ensure
go to only the people they are intending to give them to.

> EV's success is certainly not guaranteed. But if 200 Paypal customers 
> have their account details stolen every day, and this becomes 150 
> because the other 50 IE 7 users go "no green bar - I won't enter my 
> password" then that's obviously worth it for Paypal.
>
> It doesn't have to solve the problem completely to be worth doing, 

I guess not, but it would be nice if it could :)

> and it doesn't have to be used by other sites to be valuable for your
> site.

No, but that would also help. If those 50 users recognise the green bar is
missing for Paypal, that's good. If 30 of them do their banking with
Anybank, who don't get EV, and Anybank says "it's ok to use our site
without the green bar", then maybe next time they are at Paypal, they will
forget that it's one of the sites that should have the green bar rather
than one of the sites that doesn't. Multiply that by lots of sites, and
people won't remember which have the green bar and which don't, and then
it's maybe only preventing 2 of those Paypal accounts getting stolen each
day, and at that point I'd wonder whether it is worth doing (in general,
not just for Paypal).

-- 
Michael
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
