- From: Mike Beltzner <beltzner@mozilla.com>
- Date: Wed, 1 Nov 2006 12:19:51 -0500
- To: "Hallam-Baker, Phillip" <pbaker@verisign.com>
- Cc: "Timothy Hahn" <hahnt@us.ibm.com>, <public-wsc-wg@w3c.org>
On 31-Oct-06, at 10:10 AM, Hahn, Timothy wrote: > I have been somewhat frustrated by the various "artifacts" which > different HTTP clients/browsers use to convey whatever security- > related information has been sent from HTTP servers to which the > browser is connected. The current state-of-the-art seems to be > more annoying to users than informative, and even for security > professionals can be confusing to interpret. As a representative from one of the browser vendors, I'm very interested in working towards creating a reliable and consistent user- centric language with which we can convey signals of safety or non- safety (my preference is for the latter, actually) to people using our web browsers. I'm pretty staunch in my belief that users are willing and able to understand these signals, as long as they're directly related to the end-goal that they are attempting to achieve, and not seen, as you say, as "annoying" or otherwise interruptive. On 31-Oct-06, at 12:28 PM, Hallam-Baker, Phillip wrote: > We need to have a clear distinction between control and data. Users > should be able to trust the browser to display content in the > content window and restrict the chrome area to data that is > trustworthy. As George Staikos is so keen to point out, though, it's pretty easy for websites to spoof that chrome area itself and make themselves look authentic. By and large I agree with you, but am not exactly sure how we can do this in a way that isn't itself spoofable. This is, fwiw, why I prefer signals of non-safety over signals of safety. Any indication of "this is good" invites spoofing. Indicators of "this is not good" can be spoofed just as easily, but there's no benefit to doing so. cheers, mike
Received on Wednesday, 1 November 2006 17:50:51 UTC