HJ,

Fantastic stuff!  The more graphical presentation
we get, the better!

HJ wrote:

> What about displaying the organization in front of the security padlock, because it is the organization I trust, or not, and not the domain name. I did this for MultiZilla and it looks like this:
>
> http://multizilla.mozdev.org/screenshots/features/spoofing/secure-host.jpg
>
> A fake site won't be able to use the same organization so it might look like this:
>
> http://multizilla.mozdev.org/screenshots/features/spoofing/fake-host.jpg

I'd be careful about assuming the fake site can't
get a cert with the real organisation listed in it.
We have so many CAs that one day someone will
slip up on that.

But other than that, adding the Organisation name
is good.  I'd also like to see the CA name (for reasons
debated in countless other posts!).  In many attacks
we can expect to see the CA name change...

> I also change the background of the location bar to orange, and it looks like this with MultiZilla installed:
>
> http://multizilla.mozdev.org/screenshots/features/spoofing/unicode-host.jpg
>
> but people blame me on MozillaZine for adding a 'stupid color' which I can't agree less with because Mozilla Firefox already changes the background color into a light yellow background color for secure sites, so it can't be that stupid. Btw, with MultiZilla installed it looks like this:
>
> http://multizilla.mozdev.org/screenshots/features/spoofing/plain-host.jpg
>
> Most people are used to traffic lights and a simple color change is dead easy, even for children or newbies, so it won't be hard to get them secure or notified about a possible security problem.

I like that orange!  If you can figure out a way to
show orange - the colour of caution - when the
user is on a "new" site then that would be good
too.  I like the yellow, but would rather see it
reserved for some site that is in some sense
accepted and vetted by the user.

Hey, and it would be *really* nice to have an "odd"
colour for a self-signed cert - maybe purple.  Not
good, not bad, just really odd.

> The color blind will still see some sort of change, but might not see the actual color, but the color change is still good, because they know that something isn't right (I know this because I have a color blind brother and he's OK with my work).
>
> Changing the background color also has another advantage, especially for people that hide the status bar.


Right.  All great experiments.  How to put something
in place that helps a little bit and puts Firefox ahead
of the curve is worth the effort.

iang

--
News and views on what matters in finance+crypto:
       http://financialcryptography.com/

_______________________________________________
Mozilla-security mailing list
http://mail.mozilla.org/listinfo/mozilla-security
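
The indicator ideas discussed in this thread (organisation and CA name beside the padlock, orange for a "new" site, yellow for a site the user has accepted, purple for a self-signed cert), sketched as an added example; it is not MultiZilla or Firefox code. The certificate object shape (`subject`/`issuer` with `O` and `CN`), the per-user store, the `reason` strings and the choice of orange when the CA name changes are assumptions.

```javascript
// Colours from the thread: yellow = accepted by the user, orange = caution,
// purple = self-signed. "none" for a page without a certificate is an assumption.
const COLOURS = { vetted: "yellow", caution: "orange", selfSigned: "purple", plain: "none" };

// Organisation and CA names as they would be displayed.
function names(cert) {
  const org = cert.subject.O || "(no organisation)";
  return { org, ca: cert.issuer.O || cert.issuer.CN || "(unknown CA)" };
}

// Name comparison only; a full check also verifies the signature with the cert's own key.
function isSelfSigned(cert) {
  const keys = new Set([...Object.keys(cert.subject), ...Object.keys(cert.issuer)]);
  return [...keys].every((k) => cert.subject[k] === cert.issuer[k]);
}

// Hypothetical helper: the user accepts a site, recording its organisation and CA.
function acceptSite(store, host, cert) {
  store.set(host, names(cert));
}

// Decide the text shown in front of the padlock and the location bar colour.
function locationBarIndicator(store, host, cert) {
  if (!cert) return { label: "", colour: COLOURS.plain, reason: "no-certificate" };
  const { org, ca } = names(cert);
  const label = `${org} [CA: ${ca}]`;
  if (isSelfSigned(cert)) return { label, colour: COLOURS.selfSigned, reason: "self-signed" };
  const known = store.get(host);
  if (!known) return { label, colour: COLOURS.caution, reason: "new-site" };
  if (known.ca !== ca) return { label, colour: COLOURS.caution, reason: "ca-changed" };
  if (known.org !== org) return { label, colour: COLOURS.caution, reason: "org-changed" };
  return { label, colour: COLOURS.vetted, reason: "accepted" };
}

// Constructed sample certificates (not real).
const BANK = { subject: { O: "Example Bank Ltd", CN: "www.bank.example" },
               issuer: { O: "Example CA", CN: "Example CA Root" } };
const SAME_ORG_OTHER_CA = { subject: BANK.subject,
                            issuer: { O: "Other CA", CN: "Other CA Root" } };
const SELF_SIGNED = { subject: { O: "Home Lab", CN: "nas.example" },
                      issuer: { O: "Home Lab", CN: "nas.example" } };

const demoStore = new Map();
console.log(locationBarIndicator(demoStore, "www.bank.example", BANK));
acceptSite(demoStore, "www.bank.example", BANK);
console.log(locationBarIndicator(demoStore, "www.bank.example", BANK));
console.log(locationBarIndicator(demoStore, "www.bank.example", SAME_ORG_OTHER_CA));
```

The third call is the case raised in the reply: the organisation name matches the accepted site, so only the changed CA name moves the bar back to orange.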
