Robert Relyea wrote:
[...]
KCM is good for a single pipe between two fixed and seldom changing
computers, [...]. In the many to many or the one to many case, KCM
trains the user to ignore the warning messages. [...]

Mozilla is the same. Users are making lots of connections, often to new
sites that they have never visited before. They trash their profiles.
They reload their machines. [...]

I wanted to make more or less the same point.

KCM in SSH works well with a small number of computers, if you have to establish trust with a new one rarely, and if you keep connecting to the same computers again and again, and their config almost never changes.

This really doesn't scale to the internet and SSL. Even casual users can visit hundreds of sites in one day, and most of them they never come back to visit again later.

Also, there's another important pattern I notice with SSL use on the internet:
- There are few sites on which SSL is both really important and misconfigured.
- There are many sites (most of those 8% of self-signed certs) where SSL is completely misconfigured but it's not so important, because whilst there's some info I want to *read* on the site, I certainly don't intend to send it any sensitive info.

Which means that more often than not, the default checking of the "Permanently store this exception" check-box in Fx is annoying for me. Because I just want to see what's on this site this one time; thank you, Fx, for warning me it doesn't have proper protection, but don't clutter my profile with that, and on the whole I'd prefer to be warned again if I ever come back to the same site.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
