On 03/04/2009 04:28 PM, Johnathan Nightingale:
no website can spoof the EV appearance of the site identity button and, with the ssl_domain_display pref set to non-zero, (and appropriate care given to IDN issues), they can't for regular SSL either.
Right, and I'm extremely glad that we are going this route. I also suggest looking at ways to signal to the user when we really expect a secured site (see Jean-Marc's message).
It's extremely annoying to confirm every form submission when unsecured (it's my current setting) - if we could indicate only on password fields or other suspicious combinations (as phishers would most likely start avoiding the password tag altogether), it would be a useful indicator.
--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [email protected]
Blog: https://blog.startcom.org
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
