once more, with feeling.

Paul Hoffman paul.hoffman at vpnc.org
Wed Sep 10 11:22:40 EDT 2008


At 11:21 PM +0100 9/9/08, Dave Howe wrote:
>Darren J Moffat wrote:
>>  Warnings aren't enough in this context [ they already exist ] the
>>  only thing that will work is stopping the page being seen - replacing
>>  it with a clearly worded explanation with *no* way to pass through
>>  and render the page (okay maybe with a debug build of the browser but
>>  not in the shipped product).
>
>One thing that concerns me is that in the new release of Firefox, there
>appears to be NO way to get to a site that has a bad certificate (or
>self signed certificate) other than overriding the warning permanently -
>no "ok let me see it, I have seen the warning and want to look just this
>once" that the "remember mismatched domains" plugin for 2.x gave you.

That may concern you, but I consider it a feature. Instead of 
teaching users to "always click through the damn dialog boxes", FF3 
says "if you fell for it once, you're going to always fall for it so 
we won't teach you bad habits". There are arguments for either 
strategy.

Given that few or none of us on this list are actually trained 
interface experts, I'm sure we could debate this until Perry pulls 
the moderator switch again. The salient point is that people who have 
more stake in the game (Mozilla Inc.) have spent longer thinking 
about this than we give them credit for and come to the design 
decisions that they have.

--Paul Hoffman, Director
--VPN Consortium

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com