Thorsten Becker wrote:
> Nelson B Bolyard wrote:
>>> I think the solution that Jean-Marc outlined above would make some
>>> sense: It would make it a bit easier to visit certain sites, but
>>> disturb permanently if someone visits a site that has no trust anchor
>>> in firefox.
>>
>> There's a great deal of evidence, and consensus in the UI and security
>> community, that UI error/warning dialogs that are easily dismissed
>> condition
>> users to dismiss them without thinking. Users who do it often enough
>> actually reach a point where they are no longer consciously aware that
>> they're experiencing the dialog, nor that they're actively dismissing it.
>> When that happens, the error dialog loses all value. It might as well
>> not exist, because it has no effect.
>
> Please compare the warning that you receive when you go to
> http://www.mozilla.com/firefox/its-a-trap.html
> with phishing protection enabled with the warning you get if you go to a
> site with a certificate mozilla does not trust. What I do like about the
> phishing warning is that it stays on screen even if you ignore the
> warning and visit the site.

This is exactly the kind of thing I would like to see for SSL, and there
is no reason why the strategy for bad SSL is different from the strategy
for malware/phishing. I hope the non-existing PSM team ;-) can take that
into consideration. Well, I'll copy this message to mozilla.dev.security
because the people who implemented the new SSL page might be there (as
well as more people who have the power to reconsider this decision).

Now if we go into some more detail, in the phishing/malware protection
feature, the initial screen comes back for every link on the site,
which I think is a bit too much.

Try going to the page below and follow some links at the top to see that
(you cannot test that with its-a-trap.html, because there's no link
inside the page to go to another malware-flagged page):
http://www.km-jsw.gov.cn/new/html/Gov/zcfg/

And also it seems that there is a bug that makes some pages not display
the warning bar after going through the warning. Try this one to see this:
http://www.km-jsw.gov.cn/new

It just happens that in my initial test with the malware protection, I
had met these two behaviors, which made me think that my idea was
different from the malware protection mechanism currently in place.
But after all, it's really almost exactly the same, with the difference
of suppressing the possibility of easily removing the warning bar.

PS: I strongly suspect www.km-jsw.gov.cn has been flagged by error (or
else we need to talk with the Chinese government), which makes it a great
test site. But I don't know for sure, so access it at your own risk. If
you need other malware site addresses for testing,
http://www.malware.com.br/#blocklist has a useful list.
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security