[cryptography] Preserve us from poorly described/implemented crypto

Nico Williams nico at cryptonector.com
Tue Jun 7 15:31:43 EDT 2011


On Tue, Jun 7, 2011 at 2:25 PM, Marsh Ray <marsh at extendedsubset.com> wrote:
> I dunno. Seems like more often than not these days it's security taking a
> back seat to the user experience.
>
> For example, Mozilla is removing the status bar and the SSL lock icon along
> with it. A perfect opportunity for a phishing site to paint one of their
> own. Now they're talking about removing the address bar too.

Agreed.

> With every pixel valuable on mobile displays, browsers want to dedicate the
> whole frame to the page itself. Consequently, there is no chrome with which
> to communicate security information out-of-band, i.e., not under the control
> of the web page.

FWIW, the webkit-based browser on my phone (an Evo) does give me a way
to get to the menu via touch buttons at the bottom of the phone, and
thence to the status bar.  Think of that as a secure attention
sequence (SAS).  So, it is possible to have a good UI, even on a
button-deprived smartphone.

Nico
--


