W3C home > Mailing lists > Public > public-usable-authentication@w3.org > April 2006

Re: Secure Chrome

From: Mike Beltzner <beltzner@mozilla.com>
Date: Fri Apr 21 18:38:58 2006
Message-ID: <2020151671-1145631041-cardhu_blackberry.rim.net-26070-@engine20-cell02>
To: "George Staikos" <staikos@kde.org>
Cc: public-usable-authentication@w3.org
I think your statement is true of any proposal. Users will pay attention to content, not chrome, so no matter what solution we come up with, users will have to be taught/led/influenced to understanding the new model. 

George, what do you think secure chrome should get us, if anything?


-----Original Message-----
From: George Staikos <staikos@kde.org>
Date: Fri, 21 Apr 2006 02:21:22 
To:"Undisclosed.Recipients": ;
Subject: Re: Secure Chrome

On Tuesday 18 April 2006 00:09, Mike Beltzner wrote:

> >   Do you think any website developers will ever accept such a
> > thing? :-)  I
> > think not...
> At the conference we briefly discussed the potential for websites to
> prompt browsers to enter a secure mode for a given page (using some
> sort of meta tag, maybe?). The idea being that secure mode would only
> needed at the point of web authentication or login, after which point
> the app should be free to take advantage of all sorts of bells and
> whistles.

  I think this only works if users are trained to only enter sensitive 
information in a page that has entered secure mode.  Today in Porto Alegre I 
was trying to get onto the wifi network and I found the following:
- one provider was using a certificate that I had no root for in Firefox or 
- one provider was embedding an https frame in an http page
- one provider was not using any https
- at least one provider wrote "your data is secure" in the page

  I am very skeptical that we will see these sites implement secure-mode, and 
I'm also very skeptical that users won't continue to enter their information 
in a phishing site that does one of the techniques above.  This makes me 
wonder how effective the solution will be in the short term.

George Staikos
KDE Developer				http://www.kde.org/

Staikos Computing Services Inc.		http://www.staikos.net/

Received on Friday, 21 April 2006 18:38:58 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 19:53:15 UTC