tag:blogger.com,1999:blog-13998656.post3498462802857196456..comments2009-10-14T21:27:10.289-05:00Brian Hallnoreply@blogger.comBlogger2125tag:blogger.com,1999:blog-13998656.post-20182785486830260562009-10-14T21:27:10.289-05:002009-10-14T21:27:10.289-05:00Very good point. Indeed there is a great need to educate users on what to watch out for. I think at one point Moxie even mentions injecting a &quot;padlock&quot; favicon.ico to further trick the user into thinking that they&#39;re on a secure connection. Most users I know would probably fall for that.Brianhttp://www.blogger.com/profile/06967275817126310908noreply@blogger.comtag:blogger.com,1999:blog-13998656.post-90822889183552999142009-10-14T19:56:13.894-05:002009-10-14T19:56:13.894-05:00I suppose that&#39;s true, but in the same breath, he&#39;s essentially pointed out why the attack against SSL *doesn&#39;t* work: the user is signalled that the connection is insecure (by various means: a missing padlock icon, a lack of https in the URL, a non-green address bar in IE8). What he&#39;s highlighting is a lack of user-education; users don&#39;t understand https in general.<br /><br />I don&#39;t think this is a fundamental failure of browsers, but it is something that browsers need to do a better job of: alerting users that their connection is insecure. It&#39;s difficult to strike a balance between notifying users on the one hand and annoying users on the other (as witnessed by the annoyance of UAC in Windows Vista). How do you unobtrusively alert users when they&#39;re about to do something dangerous?Anonymousnoreply@blogger.com