https is a perfectly valid protocol, and I don't think that it should
be changed (or any aspect of it should be changed or supplanted). The
ONLY problem that exists is the chrome.
On Mon, Oct 20, 2008 at 6:23 PM, Nelson B Bolyard <[EMAIL PROTECTED]> wrote:
>
>> b) some unmistakeable blatantly obvious way to show the user that this
>> site is not using security that's good enough for banking but,
>
> Serious chrome ideas wanted.
>
Serious chrome idea:
How about a little popup at the bottom right hand corner of the
window, that gives information on:
1) Firefox's opinion of how trusted the certificate is ('high' for EV,
'medium' for certs from vetted CAs, 'low' for self-signed and
private-label CAs, 'not at all' for any CA that hasn't been added to
the PSM by the user)
2) Who it says it belongs to (and whether Firefox considers the
information trustworthy, which it only does for EV certificates)
2a) The SubjectAlternativeName (or Subject) that the site's DNS name
validates against
3) Who says it belongs to that entity (and again, whether Firefox
considers that information trustworthy, with the same caveat -- this
should be the Issuer, not the ultimate root)
3a) The ultimate root that the certificate chains to, and how
trustworthy Firefox considers it ('very' for EV-enabled roots even if
the certificate is not marked EV, 'fairly' for non-EV roots included
in the distributed root list, 'not at all' for private-label or
self-signed CAs)
4) Information on the cipher in use for the session, and how long that
'session' has been active (with a button to clear the session to force
a full renegotiation on next connection)
5) a button to see the entire certificate chain
6) A button to dismiss the pop-up
Show this on initial connection, and on ALL pages that have forms to
submit. If someone tries to submit a form on a ('medium' or?) 'low'
opinion without dismissing the popup, shake the popup to draw
attention to it.
Maybe for EV certs, say "Firefox trusts this site for banking" in nice
green letters at the or next to the dismissal button in the popup, or
"Firefox does NOT trust this site for banking" in red (or at least
not-green) lettering, at the same place.
The user-interface features of this are:
1) Allow private-label CAs, if the client wants to
2) Make sure that the user is ALWAYS presented with the information,
rather than simply telling people to "look for the lock"
3) Increase the amount of information that is easily available to the user
4) Motion to indicate something the user really should pay attention to
5) Use the information that Firefox already has to present information
which is otherwise very close to inaccessible to the user.
I don't like modal dialogs. I don't like my browser interposing
itself into my workflow. If it's going to, I'd like to minimize the
annoyance factor that it carries with it (in this case, 'block the
form submission' is the only workflow alteration, and it's something
I'd be willing to deal with).
-Kyle H
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
