Re: CABForum place in the world

Fri, 09 Jan 2009 11:00:28 -0800 

Johnathan Nightingale wrote:

[...]
- By making the default exception permanent instead of temporary (and
bound to the host, port, cert tuple) we set up a situation where most
"normal" users, who are not using their friend's self-signed webmail
server or their company's web-staging site, are unlikely to see more
than a handful of these in their browsing lifetime. [...]



As I complained here quite noisily a pair of month before, "normal" 
users are completely unable to go beyond the error screen and *they* 
*start* *IE* *instead*. But let's put that flamethrower aside.



- All of this would be better with KCM, which is why I filed this bug to
discuss the possibility.


Hum, I didn't notice earlier this bug was that old.


Your reasonning IIUC is based on the idea users will mostly encounter 
the following two kind of ssl sites :

- professional sites intended for ecommerce
- sites intended to protect sensitive information of a closed community


and that the problem mostly is that the second kind can/won't afford a 
professional SSL cert, so the user needs to add an exception and 
remember it. Or use KCM for them.



I think that you are missing the fact that there's a large number of 
sites around that are *playing* with SSL, and using SSL with no real 
reason to protect actually sensitive information. And it's those sites 
who are the most frequently badly configured.



In my usage, most of the time when I need to add an exception it's for 
one of those sites and I should not remember the exception.



So, I will make the assertion that at least 80% of our users are not
going to benefit from the technical details we include in that error
message, and that while we could do another round of wording
improvements to try to finesse that, the issue goes deeper. 80% of users
don't want to know what a certificate is, or how it is used to secure a
TLS channel, and the wording in the rest of that error page is already
an attempt to make the issue more concrete, without delving into the
specifics.



If we bury them under technical words they don't understand, yes of 
course it's a bad idea.



I am thinking about bringing them useful information in a form they can 
understand. And the kind of information they need would depend of the 
kind of error.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto





























					Reply via email to