CarlosRivera wrote:

If folks don't know to look and demand https in sensitive situations, then it is unlikely that the browser can help those folks much in this regard. I know that there are dialog boxes that pop up asking "are you sure you want to submit form data over a non-secure channel" (or something similar). I would imagine that most people choose the "I know what I am doing, don't bother me about this again" button. Perhaps this dialog box keeps bugging folks and the only way to turn it off is via about:config. If they are smart enough to figure out the about:config setting, then hopefully they should be smart enough to know to look for https.


Back in the old days, it was an essential part
of the security model that users were told when
they were using a secure connection.  Then,
the idea went, they could feel safe about
putting their data in.

But, that was in days when there was no threat.
Fast forward to 2003, and phishing started on
a mass basis.  Now we are in 2005, we can
pretty much agree that users are facing a
threat.

However, in the meantime, what happened was
that the security model got swept under the
carpet because users got annoyed at the popups
and developers preferred to use the chrome space
for other things.

So, yes, some of the things that annoy users are
going to be hard to go back to.  The emphasis
these days is on non-popup and non-offensive
security advisories.  Something like the new
Firefox bars that slot down the bottom or top
when a new plugin is required:  they are perfect.

If these new bars slotted in, saying something
like "new SSL site, do you trust this one?" then
the user can keep browsing leaving the bar
untouched, can delete the bar, or can enter
the 'trust' information.  Without having to feel
beset upon by the gremlins of popups.

iang

--
News and views on what matters in finance+crypto:
       http://financialcryptography.com/

_______________________________________________
Mozilla-security mailing list
http://mail.mozilla.org/listinfo/mozilla-security