Tyler Close wrote:
> The current SSL UI requires substantial
> user input on every site visit.

It requires user action, not user input. There is a difference.

> To be safe, the user must verify that
> SSL is enabled and that the displayed domain name exactly matches the
> expected domain name (which implies that the user has also discovered
> and memorized the correct domain name).

I don't think that's particularly unreasonable. What's the domain name
of your bank? PayPal? Ebay?

Any site with which the user has a relationship involving money will
have been visited by them several times, and they will know what the
indicator is supposed to look like.

I'm not arguing the current UI is perfect, but I think you are
dismissing it too readily.

> I think it's also important that we move beyond the "blame the
> customer" phase of this failure.

This is a straw man. We are not "blaming the customer". Having said
that, it's hard to protect a user who is happy to type their CC number
into any form which asks for it.

Gerv
_______________________________________________
Mozilla-security mailing list
http://mail.mozilla.org/listinfo/mozilla-security