On 03/03/2009 05:51 PM, Boris Zbarsky:
> Jean-Marc Desperrier wrote:
>> But, and as the link Eddy just reported shows, the attack is far from
>> being only for SSL.
>> I think we should reconsider the options available to make the domain
>> name more visible for http connexions.
>> What about a white version of the hostname display for http sites?
>
> Wait. Why does the domain matter at all for non-SSL connections? It's
> not like we have any guarantees against MITM here...

If we train users to watch out for positive SSL indicators and warn
before submitting any information I think this should not be necessary.
However I could imagine a re-vamped UI where the actual domain name is
more prominent and the real URL less important for the average user.
Something like this:
+----+-------------+
|    |             +-------------------------------------+
|SSL | DOMAIN.COM  | URL                                 |
|    |             +-------------------------------------+
+----+-------------+
The URL part might be only optional or hide and reappear on mouse-over.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security