On Tue, 2007-12-04 at 12:38 -0500, Pat Suwalski wrote:
> Murray Cumming wrote:
> > On Tue, 2007-12-04 at 12:12 -0500, Adam Schreiber wrote:
> >>> Unfortunately, one of the main UI elements that indicate a secure
> >>> connection is the https:// URL in the URL bar. Are you proposing to
> >>> disguise that as well?
> >> Maybe just not shade it yellow. It will still be running over ssl
> >> like Stef said, just not "securely".
> >
> > People don't pay much attention to those hints anyway. They think that a
> > site is secure if they clicked on a "Secure Payment" link, if they even
> > have a concept of secure sites. There's no real answer to this, I'm
> > afraid, so sorry for the noise.
>
> I know we are considering the average user here, but there are many
> average users who consider what the box tells them anyway. The box tells
> them that the connection is still secure, but that whoever is hosting
> the site hasn't shelled out 600 bucks to Verisign.

If you are connecting on an insecure network (say coffee shop wireless)
then a https connection to an untrusted certificate is a distinctly
weak form of security. It tells you that you have an encrypted connection
to *somebody*.

- Owen

(And note that Stef's proposal doesn't just greenlight a connection
to https://bugs.freedesktop.org, it greenlights a https connection to
a DNS-spoofed https://mybank.com.)