Regarding https://blog.startcom.org/?p=86
Assuming Eddy's screenshots are accurate (and they seem to be to me), it is true that there is now very little difference between HTTP and non-EV HTTPS. Is that by design? (Are we trying to move all significant sites to EV?)

To me, in the non-EV case, it isn't obvious where the padlock has gone and what a user should do instead to check where they are. Do we plan to educate users about the new emphasis on identity and the new UI? If so, how?

Lastly, the tooltip on the identity button for non-EV just says (in the case of the site above, as an example) "Verified by Startcom Ltd" - surely, to match the relative importance of the bits of information in the identity dialog, it should say "startcom.org - operator identity unknown" or somesuch?

Gerv
