On Fri, Jun 1, 2018 at 9:14 AM, Peter Kurrasch via dev-security-policy < [email protected]> wrote:
> Security can be viewed as a series of ANDs that must be satisfied in
> order to conclude "you are probably secure". For example, when you browse
> to an important website, make sure that "https" is used AND that the domain
> name looks right AND that a "lock icon" appears in the UI AND, if the site
> uses EV certs, that the name of the organization seems correct. Failing any
> of those, stop immediately; if all of them hold true, you are probably fine.

Note that research has shown that your first, second, third, and fourth options are all unreasonable requests of humans trying to be productive. That is, https is unnecessarily confusing, "the domain looks right" is an unreasonable task (might as well say "Make sure the fabardle is boijoing" when presenting domains), and the lock icon's positive indicator is unnecessarily hostile. And that's before we get to EV certs (are you saying I shouldn't do business with KLM?)

So basically, all four steps are unreasonable to determine you're fine :)

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

