ssp is currently certified at Master level.

Name: Søren Sandmann
Member since: 2002-04-20 20:12:43
Last Login: 2010-01-07 06:47:10


Homepage: http://www.daimi.au.dk/~sandmann/

Recent blog entries by ssp


6 Aug 2008 (updated 6 Aug 2008 at 08:25 UTC) »

Self-signed certificates

Johnathan Nightingale explains why Firefox makes you jump through a series of annoying hoops before it will show you a self-signed web page. As he points out, the jump-through-hoops design is actually old. It is only the number of hoops that has changed in Firefox 3.

The main problem with this design is well known: People are trained to just do whatever it takes to get the web page to display. When they finally do get a malicious page, they do what they always do, which then results in a completely normal-looking bank page where they type in their password as usual.

Here is a better idea:

Show the page without asking questions, but draw it with a weird red glow and a yellow warning. If the user actually enters any kind of information, then show a speech bubble saying that the information could be intercepted. Like this:

If the user then goes ahead and submits the information, show a final warning, then send it.

The big benefits:

  • Users get to see the page without being grilled

    This means they are not trained to override the certificate because that won't usually be necessary to do what they want.

  • The page looks wrong

    If a familiar bank page is suddenly annotated with yellow warning bars and red speech bubbles, that will get people's attention. Much more so than having to first click OK to a gobbledygook question. Imagine that: Web security that actually has a chance of working ...

  • Technical users are not frustrated

    Because the details window would have an override button for people who have to use a self-signed web page on a regular basis.

17 Jun 2008 (updated 17 Jun 2008 at 22:13 UTC) »

The weird thing about the decadence discussion is all the talk about how we made this "awesome desktop" which is like totally awesome and the only reason nobody uses it is that they are just happy enough with Windows or OS X.

The problem with that is that GNOME is not awesome; it is in fact a pile of junk where basic stuff DOES NOT WORK. It is not even competitive with Windows 95, let alone Windows XP or OS X.

Maybe that has something to do with why nobody cares.

10 Oct 2007 (updated 10 Oct 2007 at 21:36 UTC) »

Power Information

The AC Power has been unplugged. The system is now using battery power. To celebrate, let's frantically seek the hard disk for several seconds.

"o hai i made u a notafication bubble"

9 Sep 2007 »

An extremely interesting blog about algorithms, data structures, parallel programming etc.

10 Dec 2006 »

Sysprof 1.0.8 is out with a fix for an embarrassing bug that caused panics and lockups on preemptive kernels.
