Ian G wrote, On 2009-01-03 19:19:
> On 3/1/09 23:40, Nelson B Bolyard wrote:

>> There's a great deal of anecdotal evidence (and some serious studies) 
>> that suggest that anything that goes on outside of the "content" area 
>> of the browser, and that does not actively engage the user, will be 
>> ignored by a huge percentage of users.  There are many users who, 
>> anecdotal evidence shows, ignore all "chrome" completely and pay no 
>> attention to anything except "content".  Because of the fact that good 
>> phishers always reproduce the desired content EXACTLY, users who
>> ignore chrome and only examine content will ALWAYS be victims to
>> phishers UNLESS we interrupt their view of the "content" with something
>> that they must deal with when the site's credentials are "phishy".
>> That's why warnings and clicks are different than all the other stuff
>> you describe above.
> 
> OK, so some discussion on how to display the info.  Bringing the two 
> together, the info that is considered relevant might be pasted over the 
> entire page.  Paste info for "good connections" over the entire page as a
> shadow display, with all there in big letters, and allow it to fade away
> after 2-3 seconds.  Pink or mild yellow?

The problem is that ANYTHING that you can put into the content area can
also be put there as content.  If you condition the user to accept large
but vanishing yellow letters saying "good connections", the content can
do that, too, and phishers will be quick to imitate it.  The main point of
"chrome" is that content cannot effectively mimic it.  It's unspoofable.
(It wasn't, always, but browsers have finally gotten wise to that.)

> The point being if the "chrome" is ignored, we go where it isn't ignored?
> (I really liked the addition of the top and bottom bars in light grey,
> within the content part.)

That can all be mimicked.

> If it is important, we can interrupt the user's info.  If it isn't
> important enough for that, then it isn't important.

That's the entire rationale for the current bad cert "error pages",
which replaced the old error dialogs.

They also found that users would dismiss any dialogs to get to that
precious content, so the only solution was to replace the content entirely.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto