Ian G wrote, On 2009-01-03 06:22:
> Good question!
>
> On 3/1/09 06:43, Kyle Hamilton wrote:
>
>> The only thing that we can do is make sure that the user has as much
>> (relevant) information as possible.
>
> So what is the relevant info?
>
> My list of relevant info:
>
> the name of the CA [1]
> the name that the CA signs
> the previous acceptance status of the cert
> (e.g., number of visits <==> petnames).
> the absence of the above
> (e.g., we are in OFF mode)
>
> My list of irrelevant info:
>
> the cert details
> the warnings
> the clicks
> the status of the connection (e.g., padlock)
>
> All these are too complex for users.
There's a great deal of anecdotal evidence (and some serious studies) suggesting that anything that goes on outside of the "content" area of the browser, and that does not actively engage the user, will be ignored by a huge percentage of users. There are many users who, anecdotal evidence shows, ignore all "chrome" completely and pay no attention to anything except "content".

Because good phishers always reproduce the desired content EXACTLY, users who ignore chrome and only examine content will ALWAYS be victims of phishers UNLESS we interrupt their view of the "content" with something they must deal with when the site's credentials are "phishy".

That's why warnings and clicks are different from all the other stuff you describe above.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
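As an added illustration of the trade-off in this exchange (not code from the thread, from Firefox or from NSS), the following JavaScript keeps a per-host trust-on-first-use record of the items the quoted list calls relevant (the CA name, the name the CA signs, and the previous acceptance status as a visit count plus an optional user-chosen petname) and turns them into a presentation decision: a passive chrome indicator when the credentials match history, a blocking interstitial when they do not, and an explicit "off" result when no credentials are presented. The `PetnameStore` class, its field names, and the sample hosts, CA names and fingerprints are assumptions made for the example.

```javascript
// Added illustration, not code from Firefox, NSS or anyone on the thread.
// A trust-on-first-use "petname" store: per host it records the issuer CA
// name, the name the CA signed, the certificate fingerprint, a visit count
// and an optional petname, and decides how the browser should present the
// connection. Host names, CA names and fingerprints used with it are
// constructed for the example.

class PetnameStore {
  constructor() {
    // host -> { ca, subject, fp, visits, petname }
    this.sites = new Map();
  }

  // Attach a user-chosen label to a host the user has already visited.
  setPetname(host, name) {
    const rec = this.sites.get(host);
    if (!rec) throw new Error(`no history for ${host}`);
    rec.petname = name;
  }

  // Record a connection and decide how the browser should present it.
  // cert is { ca, subject, fp } or null when the connection is not protected.
  observe(host, cert) {
    const prior = this.sites.get(host);
    const result = (ui, reason, visits, petname) => ({ ui, reason, visits, petname });

    if (cert === null) {
      // "OFF mode": nothing to verify, so no history is created or compared.
      return result('off', 'no credentials presented',
                    prior ? prior.visits : 0, prior ? prior.petname : null);
    }
    if (!prior) {
      // First visit: no previous acceptance status exists yet, so record one.
      this.sites.set(host, { ...cert, visits: 1, petname: null });
      return result('first-visit', 'no history for this host', 1, null);
    }
    if (prior.ca !== cert.ca || prior.subject !== cert.subject) {
      // The CA or the signed name differs from what this user accepted before.
      // A padlock or other chrome-only hint is ignored by content-focused
      // users, so the decision is to interrupt the content area. The visit
      // is not counted as an acceptance.
      const changed = ['ca', 'subject'].filter(k => prior[k] !== cert[k]).join(',');
      return result('interstitial', `changed: ${changed}`, prior.visits, prior.petname);
    }
    prior.visits += 1;
    if (prior.fp !== cert.fp) {
      // Same CA and same name but a new certificate: the ordinary renewal
      // case. Track the new fingerprint without interrupting the user.
      prior.fp = cert.fp;
      return result('passive', 'renewed', prior.visits, prior.petname);
    }
    return result('passive', 'matches history', prior.visits, prior.petname);
  }
}
```

The comparison is keyed on the CA name and the signed name because those are the two items the quoted list treats as relevant; a certificate for the same name from the same CA but with a new fingerprint is accepted silently as a renewal. That is also the check's blind spot: a mis-issued certificate from the same CA for the same name passes as a renewal, and only pinning the fingerprint would catch it, at the cost of an interstitial on every legitimate renewal. Which side of that trade-off a browser takes is exactly the question of how often it may interrupt the content area before users stop reading the interruption.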