RE: Browser security warning

If security context relies on users understanding what digital
certificates are then we've failed.  As any usability expert will tell
you, techies keep falling in the trap of assuming average users
understand technology just because we do.  This is reflected in the
obscure error messages we display, such as the one I shared from IE6.

Do we want to make the WWW safe enough for your grandmother to use and
understand?  Or do we want to make it a playground for techno elites
only?

-----Original Message-----
From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
On Behalf Of Stephen Farrell
Sent: Friday, December 22, 2006 7:29 AM
To: Michael(tm) Smith
Cc: public-wsc-wg@w3.org
Subject: Re: Browser security warning

Michael(tm) Smith wrote:
> It's going to be very hard for any browser to provide information 
> about the problem without mentioning the word "certificate".

Maybe hard, but I think worth trying.

> How would you suggest the browser could make an ordinary user
> understand what a certificate is so that the user can take action when
> encountering this case (a site with a self-signed cert for which no
> browser is going to have a root certificate)?
> 
> Or do you think browsers should not even bother trying to warn users 
> about sites with self-signed certs? (That is, just treat them as they 
> would an unsecure site without any cert.)

1st N times perhaps. If the user continues to access that site and the
same server key is used, then at some point the browser might indicate
that fact to the user.

S.
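The "warn the first N times, then tell the user that the same server key keeps turning up" suggestion in Stephen's reply is a trust-on-first-use (TOFU) pin store. The sketch below is an added example, not code from this thread, from any browser, or from the working group; the `TofuStore` class, the `warn_first_n` threshold, the host name `example.test` and the certificate byte strings are all constructed for illustration. It records the SHA-256 fingerprint of the server's certificate on first contact, counts visits, flags a changed key rather than silently re-pinning, and phrases every user-facing message without the word "certificate".

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class PinRecord:
    """What the browser remembers about one host (constructed example)."""
    fingerprint: str   # SHA-256 hex of the DER certificate seen on first use
    visits: int = 0    # how many times this exact key has been presented


@dataclass
class Decision:
    """Outcome of one connection attempt, for the UI layer."""
    level: str         # "warn", "familiar" or "changed"
    visits: int        # visits on record for the pinned key
    message: str       # wording aimed at a non-technical user


class TofuStore:
    """Trust-on-first-use pin store: warn on the first N visits to a
    self-signed site, then acknowledge a key that has stayed the same."""

    def __init__(self, warn_first_n: int = 3) -> None:
        # Hypothetical threshold; the thread only says "1st N times".
        self.warn_first_n = warn_first_n
        self._pins: Dict[str, PinRecord] = {}

    @staticmethod
    def fingerprint(cert_der: bytes) -> str:
        return hashlib.sha256(cert_der).hexdigest()

    def pinned(self, host: str) -> Optional[PinRecord]:
        return self._pins.get(host)

    def observe(self, host: str, cert_der: bytes) -> Decision:
        fp = self.fingerprint(cert_der)
        rec = self._pins.get(host)
        if rec is None:
            rec = PinRecord(fingerprint=fp)
            self._pins[host] = rec
        elif rec.fingerprint != fp:
            # A different key than on every previous visit. The old pin is
            # kept: a silent overwrite would defeat the whole point.
            return Decision(
                "changed", rec.visits,
                f"{host} is not presenting the same identity it did on your "
                f"previous {rec.visits} visit(s). Sites sometimes change their "
                "setup, but this can also mean someone is interfering with "
                "your connection.")
        rec.visits += 1
        if rec.visits <= self.warn_first_n:
            return Decision(
                "warn", rec.visits,
                f"Nobody you trust has vouched for {host}. Do not enter "
                f"passwords or card details unless you know this site. "
                f"(Visit {rec.visits} of {self.warn_first_n} before this "
                "notice stops.)")
        return Decision(
            "familiar", rec.visits,
            f"You have connected to {host} {rec.visits} times and it has "
            "shown the same identity every time.")

    def accept_new_key(self, host: str, cert_der: bytes) -> Decision:
        """Only after an explicit user choice: re-pin and restart the count."""
        self._pins[host] = PinRecord(fingerprint=self.fingerprint(cert_der))
        return self.observe(host, cert_der)


def demo() -> list:
    """Walk through first use, repeat visits and a key change."""
    # Constructed stand-ins for DER-encoded certificates; real ones would
    # come from the TLS handshake.
    key_a = b"CONSTRUCTED-DER-example.test-key-A"
    key_b = b"CONSTRUCTED-DER-example.test-key-B"
    store = TofuStore(warn_first_n=2)
    levels = []
    for cert in (key_a, key_a, key_a, key_b):
        levels.append(store.observe("example.test", cert).level)
    levels.append(store.accept_new_key("example.test", key_b).level)
    return levels


if __name__ == "__main__":
    for level in demo():
        print(level)
```

The interesting design choice is in the `changed` branch: the store refuses to learn the new key on its own, so a man-in-the-middle who presents a fresh self-signed certificate is surfaced to the user instead of quietly replacing the pin; only `accept_new_key`, tied to a deliberate user action, resets the record.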

Received on Thursday, 28 December 2006 06:14:45 UTC