OK, I was too flippant, but I'm serious about wanting an alternative to https, something that means security not good enough for financial transactions, but OK for your private home router/server.
Nelson B Bolyard wrote, On 2008-10-20 15:07:
> Ian G wrote, On 2008-10-20 13:28:
>> (e.g., we do agree that we'd like to write something that says "for
>> high value commerce, use XXXX" ... except we don't know what XXXX is.)
>
> I keep wondering about that. Lots of people seem to agree that they want
> some kind of half-vast SSL, providing some encryption, but no assurance
> that the party to whom they're connected is who they intended it to be.
> No protection against MITM, just a warm fuzzy feeling that "well, at least
> we're using encryption". I think the term "security theater" applies.
>
> How do we give them that in a way that clearly distinguishes between that
> and real authenticated connections? I think there are (at least) two parts
> to the puzzle:
>
> a) some way to convey to the browser that the EXPECTED amount of security
> is low, so the browser won't try to impose all the usual high security
> requirements on the connection (e.g. not impose strong authentication
> requirements) and hence won't show any warnings. I'm thinking we need an
> alternative to https for this.

serious alternatives to https wanted.

> b) some unmistakeable blatantly obvious way to show the user that this
> site is not using security that's good enough for banking but,

Serious chrome ideas wanted.

> With such an alternative to regular https, we could raise the bar on https
> certs (stop allowing overrides) while still offering an alternative for
> those who want it.