Gerv suggested I post this here for discussion - copied from bug 288693
When visiting 'secure' sites that use outdated encryption, Firefox/Thunderbird should give a big ugly warning about the dangers of submitting information to this site.
For reference: the latest Opera 8 beta does this and displays the message
'This site is using an outdated encryption method currently classified as insecure. It cannot sufficiently protect sensitive data. Do you wish to continue?'
From reading the Opera forum, it appears the issue is with SSL connections for which the server is using a 512-bit RSA key. (Or to be precise, an RSA key with a 512-bit modulus, if I remember my RSA stuff correctly.) One could imagine Opera or other browsers (like Firefox!) producing similar warnings for SSL connections with 40-bit keys, SSL connections using the SSL 2.0 protocol, etc.
In Opera, the message must be OKed/cancelled *before the site is even rendered*
My personal preference would be a dialog with a delayed OK button (like XPInstall) to force people to read it.
This raises the question that we've previously debated on this group: Is popping up a warning dialog the right thing to do, or does that just encourage users to blindly click "OK"? Is a better alternative to just display the page without the SSL lock icon, with an accompanying information message? And so on... I don't make any claim to knowing what the absolute right thing to do is.
Frank
--
Frank Hecker [EMAIL PROTECTED]
_______________________________________________
Mozilla-security mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-security
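The three conditions Frank lists (a 512-bit RSA modulus, a 40-bit cipher, the SSL 2.0 protocol) are exactly the kind of thing a browser has in hand after the handshake, so here is a worked example of the policy check itself. This is an added illustration, not code from the post, from Opera, or from Mozilla; the thresholds (warn below a 1024-bit modulus and below 128 cipher bits) are my own assumptions, and the minimal DER reader for a PKCS#1 RSAPublicKey plus the fixture that builds one are constructed for the example. Modulus bits are taken from the key rather than from a live socket so it runs offline; on a real connection, Python's `ssl.SSLSocket.version()` and `ssl.SSLSocket.cipher()` supply the protocol name and cipher strength.

```python
"""Added example: classify SSL/TLS connection parameters as 'outdated encryption'.

Flags the three weak-crypto cases named in the thread: an RSA key with a
512-bit (or smaller) modulus, a 40-bit export cipher, and SSL 2.0.  Thresholds
below are assumptions chosen to catch those cases, not Opera's or Mozilla's.
"""

# Assumed policy thresholds (not from the post).
MIN_RSA_MODULUS_BITS = 1024     # 512-bit moduli are the case Opera warns about
MIN_CIPHER_BITS = 128           # 40-bit (and 56-bit) export ciphers fall below this
WEAK_PROTOCOLS = {"SSLv2"}      # SSL 2.0; names follow ssl.SSLSocket.version()


def _der_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; returns (tag, value, next_pos).
    Handles short and long (0x81/0x82...) length forms; assumes well-formed DER."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_rsa_modulus_bits(rsa_public_key_der: bytes) -> int:
    """Bit length of n in a PKCS#1 RSAPublicKey: SEQUENCE { INTEGER n, INTEGER e }.
    A leading 0x00 pad byte (DER sign bit) does not change int.bit_length()."""
    tag, seq, _ = _der_tlv(rsa_public_key_der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, n_bytes, _ = _der_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(n_bytes, "big").bit_length()


def build_rsa_public_key_der(n: int, e: int = 65537) -> bytes:
    """Constructed fixture: encode (n, e) as a PKCS#1 RSAPublicKey DER blob."""
    def der_len(length: int) -> bytes:
        if length < 0x80:
            return bytes([length])
        lb = length.to_bytes((length.bit_length() + 7) // 8, "big")
        return bytes([0x80 | len(lb)]) + lb

    def der_int(v: int) -> bytes:
        body = v.to_bytes((v.bit_length() + 7) // 8, "big")
        if body[0] & 0x80:                  # keep the INTEGER positive
            body = b"\x00" + body
        return b"\x02" + der_len(len(body)) + body

    body = der_int(n) + der_int(e)
    return b"\x30" + der_len(len(body)) + body


def weak_crypto_reasons(protocol: str, cipher_bits: int, rsa_modulus_bits: int) -> list:
    """Return the reasons (possibly none) a connection counts as outdated encryption."""
    reasons = []
    if protocol in WEAK_PROTOCOLS:
        reasons.append(f"protocol {protocol} is obsolete")
    if cipher_bits < MIN_CIPHER_BITS:
        reasons.append(f"{cipher_bits}-bit cipher is below {MIN_CIPHER_BITS} bits")
    if rsa_modulus_bits < MIN_RSA_MODULUS_BITS:
        reasons.append(f"{rsa_modulus_bits}-bit RSA modulus is below {MIN_RSA_MODULUS_BITS} bits")
    return reasons


def assess(protocol: str, cipher_bits: int, rsa_public_key_der: bytes) -> dict:
    """Combine the checks into the verdict a UI would act on: 'warn' or 'ok'."""
    bits = der_rsa_modulus_bits(rsa_public_key_der)
    reasons = weak_crypto_reasons(protocol, cipher_bits, bits)
    return {"verdict": "warn" if reasons else "ok", "reasons": reasons}


if __name__ == "__main__":
    # Constructed inputs: a 512-bit modulus over SSLv2 with a 40-bit cipher.
    weak_key = build_rsa_public_key_der((1 << 511) | 1)
    print(assess("SSLv2", 40, weak_key))
    strong_key = build_rsa_public_key_der((1 << 2047) | 1)
    print(assess("TLSv1.2", 128, strong_key))
```

The verdict is deliberately separated from the reasons so the same check can drive either of the UI options in the thread: a blocking dialog before rendering, or rendering the page with the lock icon withheld and the reasons shown in an information message.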
