Re: Browser security warning

> > The main point is that naively differentiating between a "secure"
> > state (padlock) and an insecure one (no padlock) isn't very effective.
> > I don't believe that changing from that binary approach to an N-ary
> > one, where the N options map to TLS state-machine states will be any
> > more effective. We need a subtler mix...
> 
>    I agree that the padlock isn't effective.  I'm also against an N-ary
> approach.  Having sites with self-signed certs appear with an HTTPS in
> the address bar adds a new category users have to understand.
> 
>    I'm for having only one level of security (not the current two
> states)---you either reach the site in the address bar at the security
> level the site has deemed appropriate, or you don't reach it at all.

Interesting. I keep thinking part of the problem is trying to define all 
of security, instead of the parts that matter (protection from prying 
eyes, figuring out who you're talking to). Those don't strike me as 
categories too subtle for humans, since there are obvious human analogs 
(in a sealed envelope vs with a signature, for example). 

        Mez

Received on Thursday, 4 January 2007 23:47:01 UTC