Eddy Nigg wrote:
[...]. But if we believe that we should get to the point to prevent users
from clicking through errors (because of the risk involved) then we are
very close already. Implementation proposals may vary, but I think that
by providing better security for the AVERAGE user, overall usability
of the Internet will improve and facilitate more business on the
Internet in every respect (not only financial transactions, but getting
applications from the OS to the Internet and many other conveniences).
[...]
I'm more convinced by your other message, which I understand as follows:
"Yes, users have been trained in the past to ignore warnings and access
the site anyway, so the current solution doesn't work perfectly well for
them, *but* it is very effective at pushing site owners to correct their
sites, so that in the end meeting an invalid site will be very rare,
which will result in users being *untrained* to ignore warnings and will
result in them considering the warning as a real security risk instead
of just an annoyance to work around".
That's the best justification I've seen for the current Fx behavior yet.
But for this to work, false positives (sites that are not an attack but
for which the user gets a warning) need to become extremely rare, and I
think some work is needed to ensure that.
Currently I'm seeing a lot of those false positives.
I have some idea about what could be done, if not to make access to the
site easier, at least to lower the amount of false positives, or to let users
understand more easily why they got that false positive, but I have
already spent too much time on this for today, so I'll present my idea
about it tomorrow.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto