Bernie Sumption wrote:
The problem as I see it is that the same warning UI is shown whenever there is a less than perfect certificate. Let us assume that 99.99% of the time, this is either a misconfigured web server or a homebrew site that is using self-signed certs because they only care about encryption, not authentication. 0.01% of the time it is a MITM attack. In the MITM scenario the UI is not harsh enough. In the common case it is too harsh.
The trouble is that there is no way to distinguish between an MITM or an admin who installed a self signed certificate. The difference between the two is the intention of the person who put the certificate there, and this is impossible to measure using a computer.
The problem right now is that this is the message that the end user currently sees:
+--------------------------------------+
| BLAH BLAH BLAH                       |
| Blah blah blah, blah blah, fishpaste |
| blah, call your nephew, he'll fix it |
+--------------------------------------+

Perhaps icons should be better used, as they are easier for an end user to understand.
A great big red STOP sign perhaps, or some indicator that clearly says "no really, do not continue".
In order for this icon to remain undiluted and in turn lose its meaning, the icon should not be used anywhere else in the browser.
Regards,
Graham
_______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto