Gervase Markham wrote:
> Ram A M wrote:
> > 1. One vector site-spoof attacks rely on is hiding the true domain name.
>
> True - so users should make sure they are certain of the true domain
> before interacting with a site. If they can't be sure, they shouldn't
> interact with it.
>
> Currently, of course, if the connection isn't over SSL, _we_ can't be
> sure that they are connected to a particular domain. And if the browser
> can't be sure, the user certainly can't.

Fair point. Do you think that regular old homoglyph attacks are so easy that it's not worth eliminating this type? I'd rather see users trained to only trust high-risk activities to TLS-bound connections, but incremental progress is still progress. The confusion point you make below may very well outweigh the perhaps slight benefits this change would bring.

> > How about if the address bar by default shows only the domain name and
> > the user can change that to be the current behavior. Further, the domain
> > name only appears in the status bar when TLS is in use and the domain
> > name of the site is in the certificate?
>
> While we might do the address bar differently if we were starting
> browser design again, I think I can fairly safely say that changing the
> way it works now is a non-starter from a usability point of view. It
> would be too confusing for users.

I would love to see data on this. I think the majority of non-expert browser users consider the address bar useful primarily for entering domain names and secondarily useful for checking where they're at. The first is reasonable; the second is riskier under the current model than it needs to be. I know better than to glance at the address bar and draw conclusions (I scroll left and right to be sure it says what it looks like - or if it's TLS-bound I have even better options).

> > Showing the name of the company may. Showing
> > "firstbankofsomewhere.sometld" is not as reliable as showing "First
> > Bank of Somewhere" as the organization name.
>
> I note your example includes a geographical location; not many business
> names do. How many "First Banks" are there around the world?

I think it holds either way; consider "Bank Cial", who controls some but not all of: "bankcial.ch", "cialbank.ch", "bankcial.com", "cialbank.com", "cial.ch".

_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security
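As an added illustration of the two points argued in this thread (a "domain-only" address bar, and the fact that a hostname alone tells you little about who controls it), here is example code that is not part of the mailing list discussion or of any Mozilla code. It uses the standard WHATWG URL API available in browsers and Node.js; the function names, the "Bank Cial" ownership list and the sample URLs are assumptions constructed for the demonstration, with `.example` used as a reserved placeholder TLD.

```javascript
// Added example, not from the thread. Models what a "show only the domain"
// address bar would display for a URL, plus the flags a defender wants
// before treating that display as trustworthy.
function describeOrigin(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);            // WHATWG URL parser (browser / Node.js)
  } catch (e) {
    return { ok: false, reason: 'unparseable URL', warnings: ['unparseable URL'] };
  }

  // hostname is already lowercased and punycode-encoded by the parser,
  // so a non-ASCII label shows up as an "xn--" label here.
  const host = url.hostname;
  const tls = url.protocol === 'https:';
  const idn = host.split('.').some((label) => label.startsWith('xn--'));

  const warnings = [];
  if (!tls) {
    // Mirrors the point made in the thread: without TLS the browser itself
    // cannot be sure which domain it is talking to.
    warnings.push('not TLS: domain cannot be verified');
  }
  if (idn) {
    warnings.push('internationalized label: inspect for homoglyphs');
  }
  if (url.username || url.password) {
    // Userinfo in front of the host is one way the true domain gets hidden
    // in a long URL; a domain-only display ignores it by construction.
    warnings.push('credentials in URL: display host is ' + host);
  }

  return { ok: true, display: host, tls, idn, warnings };
}

// Exact-or-subdomain match against domains an organization is known to own.
// Demonstrates the "Bank Cial" problem: a plausible lookalike such as
// cialbank.com is simply absent from the list, so it must not be trusted.
function isOwnedBy(host, ownedDomains) {
  const h = host.toLowerCase();
  return ownedDomains.some((d) => h === d || h.endsWith('.' + d));
}

// Constructed ownership list for the hypothetical "Bank Cial".
const BANK_CIAL_OWNED = ['bankcial.ch', 'cial.ch'];

// Stand-alone demo over constructed sample URLs.
if (typeof require !== 'undefined' && require.main === module) {
  for (const u of [
    'https://www.bankcial.ch/login',
    'http://bank.example@other.example/',
    'https://xn--bcher-kva.example/',
    'https://cialbank.com/',
  ]) {
    const info = describeOrigin(u);
    const owned = info.ok ? isOwnedBy(info.display, BANK_CIAL_OWNED) : false;
    console.log(u, '->', info.display, 'owned:', owned, info.warnings);
  }
}
```

The `isOwnedBy` check is deliberately an allow-list: anything not explicitly registered by the organization is reported as not owned, which is the only safe default when lookalike registrations are cheap.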