once more, with feeling.

Dave Howe DaveHowe at gmx.co.uk
Wed Sep 10 20:27:31 EDT 2008


Paul Hoffman wrote:
> At 11:21 PM +0100 9/9/08, Dave Howe wrote:
>> Darren J Moffat wrote:
>>>  Warnings aren't enough in this context [ they already exist ] the
>>>  only thing that will work is stopping the page being seen - replacing
>>>  it with a clearly worded explanation with *no* way to pass through
>>>  and render the page (okay maybe with a debug build of the browser but
>>>  not in the shipped product).
>>
>> One thing that concerns me is that in the new release of Firefox, there
>> appears to be NO way to get to a site that has a bad certificate (or
>> self signed certificate) other than overriding the warning permanently -
>> no "ok let me see it, I have seen the warning and want to look just this
>> once" that the "remember mismatched domains" plugin for 2.x gave you.
> 
> That may concern you, but I consider it a feature. Instead of teaching
> users to "always click through the damn dialog boxes", FF3 says "if you
> fell for it once, you're going to always fall for it so we won't teach
> you bad habits". There are arguments for either strategy.

True enough, but the "clickthru bandits" will just see a button that
reads to them "make this error go away" then next time will forget they
did it - and will take the fact that they went straight into the site to
mean the problem was "fixed" or simply not remember there ever was a
problem.

In the meantime, a choice I *used to have* is now taken from me, in the
interests of selling more EV certificates.

> Given that few or none of us on this list are actually trained interface
> experts, I'm sure we could debate this until Perry pulls the moderator
> switch again. The salient point is that people who have more stake in
> the game (Mozilla Inc.) have spent longer thinking about this than we
> give them credit for and come to the design decisions that they have.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


