On 2/1/09 09:16, Daniel Veditz wrote:
> Kyle Hamilton wrote:
>> ("legitimate sites will never ask you to add an exception" my ass.)
>
> If we shorten the phrase to
>
> "Legitimate banks and stores will not ask you to do this"
>
> would you not agree that is true enough as far as the average non-expert
> user need be concerned?

Not for me. Lots of very small stores try to do the right thing and set
up self-signed certs with their cousin or friend doing the website.
Then they discover that nobody can use the site, the admin wants more
money, and it's all pointless anyway ... so they back off and use HTTP
instead of HTTPS.

They are still legitimate, just small.

The giveaway clue is the word "legitimate". Whenever that is used in a
conversation, we can be sure that someone is trying to sell us something
without giving us the full picture. As a complete generalism, good
advertising does not use the word "legitimate" because real legitimacy
is self-evident or checkable or branded or somehow subject to real feedback.

> The furor seems to be over the "and other public sites" bit, which I
> believe to be an attempt to cover things like government sites,
> charities and the like -- and as such that's pretty much still a true
> statement as well. Public, as opposed to private sites which might
> legitimately use a self-signed.
>
> Can you suggest better wording that would help our roughly 200 million
> users make the right choice?

How about:

"Please be aware that this website is not fully protected with third
party claims by Certification Authorities. You may not be talking to
who you think you are talking to; be careful to check in other ways. We
support the rights of smaller websites to use cryptography, but this
carries additional risks."
iang
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto