Re: About SSL "Trick or Treat" Dialogs



Adam Schreiber wrote:
> On Dec 4, 2007 9:29 AM, Stef Walter <stef-list memberwebs com> wrote:
>> I'd like to propose [1] that we do away with these dialogs in GNOME. In
>> my opinion if we cannot verify the certificate, then we should simply
>> not show the UI elements that indicate a secure connection. We should
>> just act as if the connection is like any other normal connection.
>>
>> Removing these dialogs doesn't 'solve' security on the Internet [3], but
>> I think it will make things far less confusing for the user while
>> maintaining the same level of security.
> 
> I agree with Stef on not presenting these dialogs to the user.
> However, it may be useful if we keep track of sites that use certs à la
> ssh so that if a site's cert changes the user could be warned about a
> possible man in the middle or phishing attack.

Yes, that's an additional security measure that it would be great to
have. Phishing detection systems may want this sort of info as an
additional input criterion for their algorithms as well.

Stef
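
The ssh-style certificate tracking suggested in this thread, sketched as an added example that is not part of the original messages or of any GNOME code. The `PinStore` class, the `known_certs.json` file name and the `example.test` host are hypothetical, and the certificate bytes are constructed placeholders standing in for the DER blob a TLS library returns.

```python
import hashlib
import json
import os
import tempfile


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, hex encoded."""
    return hashlib.sha256(der_cert).hexdigest()


class PinStore:
    """Remembers the first certificate seen per host:port (hypothetical helper)."""

    def __init__(self, path: str):
        self.path = path
        self.pins = {}
        if os.path.exists(path):
            with open(path) as fh:
                self.pins = json.load(fh)

    @staticmethod
    def _key(host: str, port: int) -> str:
        # Normalise case and a trailing dot so one site maps to one entry.
        return f"{host.lower().rstrip('.')}:{port}"

    def check(self, host: str, port: int, der_cert: bytes) -> str:
        key, seen = self._key(host, port), fingerprint(der_cert)
        known = self.pins.get(key)
        if known is None:
            self.pins[key] = seen
            tmp = self.path + ".tmp"
            with open(tmp, "w") as fh:
                json.dump(self.pins, fh)
            os.replace(tmp, self.path)  # atomic swap, no half-written store
            return "first-seen"
        # A mismatch never overwrites the stored pin; the caller decides.
        return "unchanged" if known == seen else "changed"


def demo():
    cert_a, cert_b = b"constructed-der-bytes-A", b"constructed-der-bytes-B"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "known_certs.json")
        store = PinStore(path)
        results = [store.check("Example.test", 443, cert_a),
                   store.check("example.test.", 443, cert_a),
                   store.check("example.test", 443, cert_b)]
        # Reloading from disk shows the original pin persisted.
        results.append(PinStore(path).check("example.test", 443, cert_b))
        return results
```

In a real client the bytes passed to `check` would come from something like `ssl.SSLSocket.getpeercert(binary_form=True)`, and a "changed" result is where the warning described above would be raised.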


