https://blog.startcom.org/?p=86
Eddy has a point here.

Comment:

At the minimum, such a change is too big and important to make in a RC. It should happen before beta, as it's a drastic change to the UI of web browsers.

I agree that current verification procedures by CAs mean almost nothing and thus "verified" sites should not be very prominent. So, I agree with the general direction of demoting normal SSL certificates. I think it's going a bit too far, though.

More importantly, I agree with Eddy that overloading the favicon is a very bad idea. First, if I hadn't read the *text* that Eddy wrote, I would never have understood that the blue means SSL. Even looking at the direct comparison screenshots, I didn't see it. And that's because the favicon is owned by the site. Second, Eddy shows how subtle the difference between a faked favicon and a real SSL favicon is.

Then, you say you want to make users understand identity. Yet, the padlock is gone, and even in earlier builds, it didn't go to the Security Page Info dialog as it used to do in older browsers and IIRC FF2. A simplified Security Page Info dialog would be what makes users understand SSL identity verification.

Lastly, identity on the Internet is the domain, not the real name. The DNS ensures that there's only one entity in the world with that domain. By demoting the domain in the EV case, I think you blur the notion of identity on the Internet. I fully agree with showing the real name as additional indication, but the domain should stay the primary identification means, EV or not. EV only prevents man-in-the-middle/posing and adds the possibility to sue.

At the minimum, please remove the favicon modifications and keep the padlock both in URLbar and statusbar (the former, because that's where it belongs, and the latter, because that's what old browsers did and many sites ask the user to look out for), for both EV and normal CA-signed SSL sites. Or just go back to what you did in the betas, because it's pretty late for such important UI changes.
Ben

Followup-To: mozilla.dev.apps.firefox
