It's an assumption of Gervase's current anti-phishing proposal that everything starts with SSL. Indeed, sites really should have no business slinging around passwords and credit card numbers in cleartext -- it's pretty irresponsible. Here are a few thoughts on how we might encourage the use of SSL and move towards a world in which users come to expect it.
1. As mentioned in my last message, a transient warning could appear when the user is typing text into a form on an unencrypted site. The warning would appear below the text field while the focus is in the field, and disappear automatically (no extra user effort needed) when the focus moves elsewhere. The warning could say something like "The text you enter here will be visible to the public" if the connection is unencrypted. 2. Currently, typing in password fields shows a bunch of stars to give the impression that what you type is secret. Well, if we are really serious about the necessity of SSL for keeping passwords secret, then why should we give that impression when there's no encryption? Suppose that, if there's no SSL, password fields *don't* blank out the text with stars -- they just behave like normal visible text fields. That would be instant, unmistakable feedback, and i think it would be a pretty intuitive way to show that the password isn't being kept secret. 3. Consider these three cases: (a) Unencrypted connection. (b) SSL connection with a self-signed certificate. (c) SSL connection with a certificate signed by a known CA. Of these three options, (a) is the riskiest context in which to submit an HTML form; (b) and (c) are safer. (If you trust centralized CAs, then you might also believe that (c) is safer than (b). I *don't* trust the CAs, but that is an issue for a separate thread. In any case, i hope we can agree that (b) is still safer than (a).) Compare this ranking of risk to the user experience. (b) is heavily penalized by a pop-up warning, but (a) and (c) are not penalized at all. It may be worth thinking about how to bring these user-experience costs more in line with the actual risks, so that sites are encouraged to use encryption without being required to pay the extortion^H^H^H^H^H^H^H^H^Hfees demanded by centralized CAs. 4. What if the browser chose SSL by default first? As in, when you type "paypal.com" in the location bar, the browser *first* tries https://paypal.com/. If that fails, then it falls back to http://paypal.com/. In a world where self-signed certificates aren't penalized with a big scary warning, this might go a long way toward encouraging more widespread use of SSL. Your thoughts? -- ?!ng [1] http://www.gerv.net/security/stay-safe/discussion.html _______________________________________________ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security