No time to comment, but just note that I had set the follow-up to npm.security in my newsgroup message. Apparently the mail gateway can't handle that.

I think it would be better to continue discussing it in .security and not .crypto.

I unfortunately probably will have to leave the discussion, as from tomorrow I'm on holiday for two weeks with little or no internet access.

Jean-Marc Desperrier wrote:

I have some comments about this request, but I'm not sure inside the bug is the best place. Anyway the bug is about implementing some things that have been discussed here recently.


This one?

https://bugzilla.mozilla.org/show_bug.cgi?id=286107


I'm not convinced by the "let's add another warning" side of this bug.
Especially when I see the reporter suggesting putting it inside a pop-up dialog.


Dialogs have proven until now that they don't work, so why would this one be any different?

I reckon the best way to do it is the red bar display that HJ or Gervase has indicated. It sits just below the chrome and it isn't invasive.


It works well for SSH, because you decide what machine you connect to, and you keep connecting to the same set of machines, so when that dialog pops up, it rings a bell. Also the population of SSH users is *not* *exactly* the general population.

Now the problem with SSL is that in most cases you don't choose where you make an SSL connection: when you want to buy something, it's the seller who chooses the secure site, same for entering a password, etc.

For phishing, the user is being phished from a site that she has a relationship to. It is her bank account, or her eBay account. In this case, she does precisely choose where she wants to go! So it's very apropos.

OTOH, there is a modus operandi of phishing where the user is encouraged to go to a totally new site. I'd be happy if just the major cases - own bank account - were addressed as a first step, as I think that's where the majority of the losses are.

So in that case, when the seller tells you "go to that site for the transaction", what use will the warning be? Users will get used to regularly seeing that annoying warning, and to clicking through it or ignoring it.

Sure, that's why I like the red bar effect. Users don't need to do any work to ignore it. But it's right there.


Sometimes they will click on a link expecting that link to lead to a site they trust because they know it well, and there it's important to have the message, but how does the browser know *when* that happens?
Because if it outputs this warning too often, people will stop reacting to it.
And will the average user react appropriately? "Why the hell is Firefox telling me it's the first time I go to ebay.com? They really have a bug!"

Average users are getting more and more aware of identity theft and phishing. All you need to say I suspect is that "this is an anti-phishing check, please make really sure this is what you wanted!"


iang
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security