Re: About SSL "Trick or Treat" Dialogs



Murray Cumming wrote:
On Tue, 2007-12-04 at 12:12 -0500, Adam Schreiber wrote:
Unfortunately, one of the main UI elements that indicate a secure
connection is the https:// URL in the URL bar. Are you proposing to
disguise that as well?
Maybe just not shade it yellow.  It will still be running over ssl
like Stef said, just not "securely".

People don't pay much attention to those hints anyway. They think that a
site is secure if they clicked on a "Secure Payment" link, if they even
have a concept of secure sites. There's no real answer to this, I'm
afraid, so sorry for the noise.

I know we are considering the average user here, but there are many average users who consider what the box tells them anyway. The box tells them that the connection is still secure, but that whoever is hosting the site hasn't shelled out 600 bucks to Verisign.

I've thought about this quite a bit in my spare cycles, and I think the dialog is just too big, at least in Firefox. It was a positive step when they made the default to "accept" the connection. But the dialog should just be a simple OK/Cancel messagebox with a line saying that the certificate could not be verified, with a button for more details.

The *incorrect* way of doing it is how it is done in IE7, which replaces the content area of the browser with something that looks just like their Error page. There are two links which look similar to the usual useless MS KnowledgeBase links to accept and deny. They really go out of their way to prevent people from using such sites, apparently.

--Pat

