Jean-Marc Desperrier wrote:
> I have some comments about this request, but I'm not sure inside the bug
> is the best place. Anyway the bug is about implementing some things that
> have been discussed here recently.
This one?
https://bugzilla.mozilla.org/show_bug.cgi?id=286107
> I'm not convinced by the "let's add another warning" side of this bug.
> Especially when I see the reporter suggesting to put it inside a pop-up
> dialog.
> Dialogs have proven until now that they don't work, so why would this one be
> any different?
I reckon the best way to do it is the red bar display
that HJ or Gervase has indicated. It sits just below
the chrome and it isn't invasive.
> It works well for SSH, because you decide what machine you connect to,
> and you keep connecting to the same set of machines, so when that dialog
> pops up, it rings a bell. Also the population of SSH users is *not*
> *exactly* the general population.
> Now the problem about SSL is that in most cases, you don't choose where
> you do an SSL connection; when you want to buy something, it's the
> seller who chooses the secure site, same for entering a password, etc...
For phishing, the user is being phished from a site
that she has a relationship to. It is her bank account,
or her eBay account. In this case, she does precisely
choose where she wants to go! So it's very apropos.
OTOH, there is a modus operandi of phishing where the
user is encouraged to go to a totally new site. I'd
be happy if just the major cases - own bank account -
were addressed as a first step as I think that's where
the majority of the losses are.
> So in that case, when the seller tells you "go to that site for the
> transaction", what use will be the warning? Users will get used to
> seeing that annoying warning regularly, and to clicking through it or
> ignoring it.
Sure, that's why I like the red bar effect. Users
don't need to do any work to ignore it. But it's
right there.
> Sometimes they will click on a link expecting that link to lead to a
> site they trust because they know it well, and there it's important to
> have the message, but how does the browser know *when* that happens?
> Because if it outputs this warning too often, people will stop reacting
> to it.
> And will the average user react appropriately? "Why the hell is
> Firefox telling me it's the first time I go to ebay.com, they really
> have a bug!"
Average users are getting more and more aware of
identity theft and phishing. All you need to say
I suspect is that "this is an anti-phishing check,
please make really sure this is what you wanted!"
iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto