1 One vector site-spoof attacks rely on is hiding the true domain name.
True - so users should make sure they are certain of the true domain before interacting with a site. If they can't be sure, they shouldn't interact with it.
Currently, of course, if the connection isn't over SSL, _we_ can't be sure that they are connected to a particular domain. And if the browser can't be sure, the user certainly can't.
How about if the address bar by default shows only the domain-name and the user can change that to be the current behavior. Further the domain name only appears in the status-bar when TLS is in use and the domain name of the site is in the certificate?
While we might do the address bar differently if we were starting browser design again, I think I can fairly safely say that changing the way it works now is a non-starter from a usability point of view. It would be too confusing for users.
Regarding the value of showing the organization name and country. I say
it's hard to know if "subbrand.sometld" is really owned and operated by
"mega-product company." Showing the domain name to the user does not
address this.
That's the first good argument I've heard for this change. :-)
Showing the name of the company may. Showing
"firstbankofsomewhere.sometld" is not as reliable as showing "First
Bank of Somewhere" as the organization name.
I note your example includes a geographical location; not many business names do. How many "First Banks" are there around the world?
This is especially true when certificates are issued to enrollees who demonstrate control of a domain at most.
We need to deal with that particular issue a different way, IMO.
Gerv
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security