Jean-Marc Desperrier wrote:
> A few days ago, I reached pretty similar ideas as a conclusion of the recent debating, reinforced by remembering how valid the old SSL usability rant of Matthew Thomas was (http://mpt.phrasewise.com/2003/11/11),

Great rant, but as with many rants I notice MPT didn't propose any real alternative approaches (which is why I like Ian's rants better than MPT's :-)


> Just a few things:
> - There are too many cases. Only experts are actually interested in why the site is not secure, just tell the general public that it's not, and you have to open the details windows to learn why.
> So below I will discuss several ways of restricting the options to a minimum.

Actually I think in practice Firefox users (to the extent they're paying attention at all) pay most attention to the yellow background appearing in the location bar. (As a personal anecdote, I've been using Firefox for almost a year now and only noticed last night that -- unlike Mozilla -- Firefox does *not* display an open lock on a page not using SSL/TLS, it just shows nothing.) The yellow bar could remain a binary option, displayed only in the "high-assurance" case, with the status bar icons being secondary indicators that could be multi-state.


> There's quite a lot that can be debated about the "high-assurance"/"low-assurance" distinction.
> It might be good to implement first the second, and allow more time to think about what we want for the first.

Well Ian would say (and I can't blame him) "if you can't define low vs. high, why bother implementing a UI to show the difference?" IMO his question needs to be addressed in some manner.


> - "high-assurance" is something new, I'd see a new icon.

I disagree. I think that in the context of the CA market and the web as it's evolved "low assurance" is the new thing, and that typical users' expectations (to the extent they have expectations at all -- some clearly don't) are that the lock means "good for e-commerce and finance".


> In any case, we need to limit the cases as much as possible, so alternatively what I'd see is: nothing/a discreet check mark/lock.

This is basically what I proposed for the "normal" cases, so I presume you're objecting only to using icons for the "unusual" cases.


> Clicking the "check mark" would show the detail windows.

I presume you mean double-clicking the check mark (i.e., to bring up the "Page Info" window). In Firefox a single click on the padlock does nothing, so the same should hold true for clicking on a checkmark.

> This said, I'd see a closed eye icon, rather than a check mark for this.

Choice of icon is up for debate. I like the check mark because it's tied to the display of the domain name from the cert and whether it does or doesn't match the requested name.


> - About the non-matching cert name, many people misconfigure servers, it's not definitively showing an attack attempt. That's why, and also in order to limit the number of possible cases, I'd just remove the warning (warnings are bad, the blocked popups warning is less bad but is still bad), and display the normal GUI as if there's no encryption in that case.

Removing the warning popup is OK I think, but I think there should be some indication of a problem for non-matching cert names. Otherwise we'd be displaying a domain name in the status bar, one that doesn't happen to match the one in the location bar, with no graphical indicator (like the "X" or whatever) that might serve to draw the user's attention to that fact.


That's all the time I have now. I'll try to comment more this weekend sometime.

Frank

--
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security
