There has been an interesting and important debate on this list on the `Mozilla security process`. The discussion focused on improved security indicators, specifically to help protect against spoofed web site attacks (including phishing, pharming, etc.). This is also one of my main research interests. In particular, with Ahmad Gbara and now a few other (great!) students, we develop TrustBar (http://TrustBar.MozDev.org), a browser extension (for FF and Mozilla, soon also for IE).

There are, of course, many different ideas in this space; Ka-Ping listed five of them, including TrustBar (thanks!). I think many of the proposals have a lot in common in their goals and even functionality. In particular, as Ian noted, I believe we learned a lot from Tyler's and other works on petnames, e.g. http://www.skyhunter.com/marcs/petnames/IntroPetNames.html, and of course other proposals such as Gerv's. Indeed, we adopted a lot of this into our new release (in testing / finish process now), and I think it meets very well the requirements Ka-Ping listed (and others). In particular, it gives substantial value even for naive users, without requiring action or understanding (we have some usability data on this).

I am a great believer in cooperation and open process. Our goal should be to try to reach `rough agreement` on what is the right security indicator, and not to get our code used... We should do more open comparisons, criticism, and try to reach agreements on goals and specific solutions. Is there sufficient interest to create an (informal/Mozilla/...) forum/mailinglist to pursue this? Any volunteer to take care of it?

Best, Amir Herzberg
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security
