
List:       kde-devel
Subject:    Re: ssl auth failure gui: does "continue" do what I think it does?
From:       Thiago Macieira <thiago () kde ! org>
Date:       2009-06-09 17:12:23
Message-ID: 200906091912.29362.thiago () kde ! org

Jeff Mitchell wrote:
>The majority of self-signed certs I've encountered fit nicely into the
>"don't care" category, and this may be the case for many other web
>citizens.  So my point was, the revamped text of the dialog box,
>whatever it is, should be informative, not paranoid.  It should describe
>what the problem is (e.g. "The certificate for this web site has not
>been verified by a trusted third party.  Data you see or submit may not
>come from the site you believe it is coming from.") with sane options
>for the buttons (not just "continue" which has been demonstrated to be
>vague).
>
>It should avoid the supremely annoying four clicks Firefox now requires
>(two is plenty -- what do you want to do, and are you sure?) and it
>should work with keyboard shortcuts.  And it should avoid the temptation
>to be (drama warning) e.g. "zOMG someone is doing something *bad* on
>this web site, you should really leave!!1!"  Because such an
>ultra-paranoid message is likely to be both untrue (they're probably
>just cheap, not doing something bad) and misleading (it might be
>perfectly safe to stay, as long as you understand the risks).

I would prefer the paranoid Firefox way in all web browsers. Then users 
complained to the websites -- or the webmasters noticed the problem -- and 
someone fixed the issue.

But I agree with you that we can do this with two clicks, a nasty error 
message and forcing the user to review the certificate. Like:

"The website you're trying to connect to is using a certificate that 
contains errors:"
   "The certificate has expired"
   "The certificate is not signed by a trusted source"
   "The certificate is self-signed"
   "The certificate is not issued to this server"
   etc.

    "Review certificate and continue"  "Cancel"

Then show the certificate and ask:
   "Ignore errors temporarily"  
   "Always ignore these errors for this certificate"
   "Cancel"

Maybe the first message could be shown in a webpage just like Firefox and 
now Konqueror errors. But the ability to show it in a dialog is necessary 
because of other SSL connections (like IMAP).

-- 
  Thiago Macieira  -  thiago (AT) macieira.info - thiago (AT) kde.org
    PGP/GPG: 0x6EF45358; fingerprint:
    E067 918B B660 DBD1 105C  966C 33F5 F005 6EF4 5358
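
An added example, not part of the original message and not KDE code: one way a client could store the answers to the second dialog proposed above, so that an accepted exception stops applying when the certificate changes or a new error appears. The class and method names, the host + SHA-256 key and the sample certificate bytes are assumptions made for illustration.

```python
import hashlib
from enum import Enum

class CertError(Enum):
    EXPIRED = "The certificate has expired"
    UNTRUSTED = "The certificate is not signed by a trusted source"
    SELF_SIGNED = "The certificate is self-signed"
    HOST_MISMATCH = "The certificate is not issued to this server"

class Choice(Enum):
    IGNORE_TEMPORARILY = "Ignore errors temporarily"
    ALWAYS_IGNORE = "Always ignore these errors for this certificate"
    CANCEL = "Cancel"

# Constructed stand-ins for DER-encoded certificates (not real certificates).
CERT_A = b"constructed-der-bytes-A"
CERT_B = b"constructed-der-bytes-B"

class ExceptionStore:
    """Hypothetical store for the user's answers to the review dialog."""

    def __init__(self):
        self._session = {}    # dropped by end_session()
        self._permanent = {}  # a real client would persist this table

    @staticmethod
    def _key(host, cert_der):
        # Assumption: bind the exception to host + SHA-256 of the certificate,
        # so a different certificate on the same host prompts again.
        return (host.lower(), hashlib.sha256(cert_der).hexdigest())

    def record(self, host, cert_der, errors, choice):
        if choice is Choice.CANCEL:
            return False  # nothing stored; the caller aborts the connection
        table = self._permanent if choice is Choice.ALWAYS_IGNORE else self._session
        key = self._key(host, cert_der)
        table[key] = table.get(key, frozenset()) | frozenset(errors)
        return True

    def needs_prompt(self, host, cert_der, errors):
        key = self._key(host, cert_der)
        accepted = self._session.get(key, frozenset()) | self._permanent.get(key, frozenset())
        # Prompt when any current error is not one the user already reviewed.
        return bool(frozenset(errors) - accepted)

    def end_session(self):
        self._session.clear()
```

Because the key covers the certificate and the stored value is the set of reviewed errors, a certificate accepted as self-signed prompts again once it also expires, and the same rule works for non-browser connections such as IMAP.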
