Tyler Close wrote:
> On 6/13/05, Heikki Toivonen <[EMAIL PROTECTED]> wrote:
>
>>Me and a few others have expressed some doubts about getting petnames
>>into the default Mozilla installation.
>
> In that email, you prefaced your comments with the admission that you
> hadn't actually used the petname tool yet. I was holding off on
> commenting since I've found that actual use clears up many questions.
> I'll make some rebuttals here, but I really think you should just try
> using the tool. Like you've asked, I wrote the code. It's your job to
> run the code now.

Fair enough, and I just did. However, it does not make me change my opinion, and I think my earlier points stand. I could imagine myself using petnames, but then again I am far from the average user.

Some things that felt like bugs, but maybe they can be tweaked from some options:

* it was not automatically enabled by default nor was there any indication that it was installed when I relaunched (I know this was covered in the docs, but it would be nice to tell the user on first launch what they need to do, ideally bringing up the toolbar customization dialog on top)
* it automatically added entries to my personal Bookmarks Toolbar Folder when I edited a petname for a site, not something I would expect or want
* when I hovered over the control it presented a tiny (2x2 or so) empty tooltip
* after playing around for a while I managed to go to a site I had set a petname for but the petname field showed untrusted (I've been unable to reproduce this, though)

Tested on WinXP.

> I think the "lazy user" argument is a seductively easy one to make,
> but is dubious. Remember that we're talking about people's bank

Maybe you haven't seen an average user. Today I was helping someone install something on their computer, and downloaded a file without looking where it went. Since this was not a computer savvy user I assumed it went to the desktop (was using Firefox). Doh, not there. I asked the user where the files they download go to. The answer: "I don't know."

Another example when I showed someone how the Firefox password manager worked. We put some pages requiring login into the bookmarks toolbar as well. That person then went ahead and logged into all of them at the same time. I was surprised and said that one should always log out of the previous service first. And that person goes: "Why?"

These persons use computers daily, and have used them for years, and seem to have no difficulty handling the software they normally use. There are countless examples like this.

I have a hard time trying to figure out how to explain to these people why they should use petnames, when they should use it, what should happen when things are right, and what to do when things don't look right.

> Further compare the cost of entering a petname to the cost of
> establishing an online account. The user typically must choose a
> username and passphrase and complete multiple pages of preferences /
> demographic information. Adding entry of a petname to this task list
> is a negligible increase.

I disagree. (My mom goes to her bank, talks to a real person, they tell her what icon to click on the desktop, what to type in the editable area at the top, what to enter to the two editable fields that appear below. Then click something that says "Pay bills", which will bring up a form that looks just like the paper version she is used to.)

> We can also compare the workload of the petname tool to that of other
> browser navigation tools. Use of the petname tool is very comparable
> to bookmarks. Are you going to argue that bookmarks are too hard to
> use?

I am pretty sure not every browser user knows about bookmarks. Adding a new bookmark, and going to saved bookmarks is easy enough once you know what they are and how to do it, though. I know many people don't know how to use the Bookmarks Toolbar Folder, or change bookmark properties, let alone customize anything else.

> in isolation, but relative to other anti-phishing tools. The petname
> tool is much easier to use than the current "Location tool". To guard
> against phishing, the user must carefully examine each character in
> the domain name shown in the "Location tool", on each page transition.

You assume people do that. I bet most just look that it says the name of their bank somewhere on the page. Then you get layers on top of that: some look for a lock icon somewhere, some look for a lock icon in the lower right hand corner, some also look at the URL, some also look at the URL carefully, ...

> In conclusion, the petname tool is easier to use than the existing
> Firefox anti-phishing tools and provides stronger protection. When
> compared to the protected assets, the cost of using the petname tool
> is trivial.

It provides stronger protection, there I agree. And even cost compared to the potential loss. But I still don't think it is suitable for/usable by the masses.

>>and are willing to pay for the chrome real estate it takes.
>
> I don't understand this complaint. The petname tool is *tiny*. It's
> just a text field.

It's about 20-25% of the browser window width it seems. It's about the height of my bookmarks toolbar folder or menubar or status bar. Not tiny.

There are only two text fields in the default browser chrome. A total of less than 30 things (by my quick count) that you can click, drag or which show information. It would be a significant addition to the things where you need to write something, and not insignificant when compared to the whole either.

And there are only so many places to put it. On the menubar it looks weird, and it is not a menu. There is no room on the toolbar that houses URL and buttons. Maybe the bookmarks toolbar folder, but then that takes away the space I need for my bookmarks and it is not really a bookmark at all. I don't seem to be able to use Firefox toolbar customization to move it to the status bar where it might fit the best.

But there are also hundreds of extensions that want to add their own stuff to the UI. Keeping at least the defaults minimal is a worthwhile goal. If I put petnames in the status bar, I don't know where Foxy Tunes goes then. And I also have a Tindertool there. And "keep windows on top" extension. And so on, all competing for the same real estate.

I don't know how to convince you, except perhaps by telling you to try some usability tests with some people that are inexperienced computer users.

--
  Heikki Toivonen
_______________________________________________
Mozilla-security mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-security
