[132929] in cryptography@c2.net mail archive
Re: once more, with feeling.
daemon@ATHENA.MIT.EDU (Paul Hoffman)
Wed Sep 10 11:56:44 2008
In-Reply-To: <48C6F700.7000906@gmx.co.uk>
Date: Wed, 10 Sep 2008 08:22:40 -0700
To: Dave Howe <DaveHowe@gmx.co.uk>, cryptography@metzdowd.com
From: Paul Hoffman <paul.hoffman@vpnc.org>
At 11:21 PM +0100 9/9/08, Dave Howe wrote:
>Darren J Moffat wrote:
>> Warnings aren't enough in this context [ whey already exists ] the
>> only thing that will work is stopping the page being seen - replacing
>> it with a clearly worded explanation with *no* way to pass through
>> and render the page (okay maybe with a debug build of the browser but
>> not in the shipped product).
>
>One thing that concerns me is that in the new release of firefox, there
>appears to be NO way to get to a site that has a bad certificate (or
>self signed certificate) other than overriding the warning permanently -
>no "ok let me see it, I have seen the warning and want to look just this
>once" that the "remember mismatched domains" plugin for 2.x gave you.
That may concern you, but I consider it a feature. Instead of
teaching users to "always click through the damn dialog boxes", FF3
says "if you fell for it once, you're going to always fall for it so
we won't teach you bad habits". There are arguments for either
strategy.
Given that few or none of us on this list are actually trained
interface experts, I'm sure we could debate this until Perry pulls
the moderator switch again. The salient point is that people who have
more stake in the game (Mozilla Inc.) have spent longer thinking
about this than we give them credit for and come to the design
decisions that they have.
--Paul Hoffman, Director
--VPN Consortium
The Cryptography Mailing List