On Mon, 24 Apr 2017 at 11:00, Gervase Markham <
ge...@mozilla.org> wrote:
> On 21/04/17 18:25, Chaddaï Fouché wrote:
> > I'm pretty sure most non-technical people don't even look at the url
> > bar and don't care about the icons that already appear there : info,
> > lock, read mode, zooming state, reload.
>
> So why do you think adding another icon will solve this problem?
>
>
Clearly, _as I wrote in this quote_, I don't think it will help
*non-technical people*, but then deactivating IDN support wouldn't
help either, since most people only see the content of the site and if it
looks like an Apple site, it must be from Apple, right? A minority has now
trained themselves to look at the lock but that won't help much here. The
only protection that would work is SafeBrowsing, which is very good when it
works but obviously can't protect against every phishing website
instantaneously after its creation (and they don't want to make a blanket
block against this potential problem, from what I understand?).

> > Adding just one more probably
> > won't suddenly overload them and it would allow all technically
> > minded people to see instantly if the domain name is in the writing
> > system they expect. Your IDN algorithm already computes this
> > information anyway.
>
> So we are trying to solve the problem only for technically minded people?
>
>
And? How is a solution that won't inconvenience non-technical people but
helps technically minded people bad? Or are you implying that technically
minded people shouldn't be considered in Mozilla's decisions? Because in
case you've forgotten, an important minority of your public is technically
minded, and most of those who aren't installed Firefox because they were
advised to by their technically minded friend... unless you think your
enormous PR prowess and your unlimited ad budget were the main reason for
your success?

The proposed solution is not miraculous but it solves the problem that even
technically minded people can't see that the site is fake even by looking
at the URL bar, even by looking at the information from the certificate
that appears when clicking on the lock... Sure, you can copy and paste the
URL to an ASCII editor but nobody will do that for every website, even
sensible websites. Convenience is important for technically minded people
too, even if they have a higher threshold for convenience vs security.

> > Your reaction amounting to "we give priority to our ideal of handling
> > every language equally over security (of everyone, regardless of
> > their language) because we consider 1) that it's the fault of the
> > registrars (irrelevant from the user point of view, and unlikely to
> > be fixed from that side) and 2) that our users are fragile little
> > flowers that will be scared by any additional UI element (that's
> > insulting by the way even if a cleaner UI is a worthy goal)"
>
> Well, that's basically what you just said above :-)
>
>
So the solution that proposes to add an icon in the URL bar to improve
security is somehow synonymous with:

1) give priority to every other ideal over security
2) it's the fault of the registrars
3) our users are fragile little flowers that will be scared by any
additional UI element

??
Words must not have the same meaning for you and me...

> Everything's a trade-off. Time, money, complexity, risk. Taking one
> particular problem and saying "this risk must be eliminated to the
> uttermost, regardless of how much time, money and added complexity is
> needed" is just not a reasonable position.

Sure, but some of the proposed solutions aren't huge time sinks; mine
(Igor's), for instance, only means adding a UI element in the URL bar,
something that has already been done and can probably be reproduced without
too much innovation. What would take the most time would probably be
finding reasonable abbreviations for the writing systems and testing
afterward. The time spent discussing this issue would have been enough to
implement this several times over.

--
Chaddaï Fouché