Since HTTPS is the norm with most web sites nowadays, the meaning of the "lock" icon is practically diluted and I think it should just be removed for those web sites that are simply domain validated (DV) like those using LetsEncrypt or StartCom.
Instead, there should still be an icon if a connection is insecure much like Firefox Quantum. In that scenario don't load a favicon since it won't be rendered.
In addition, a warning triangle should be shown for sites that are DVed and not using the standard HTTPS port of 443.
In addition, some sites that actually paid for a higher class of certificate should have their name shown with a lock like it is with Firefox Quantum.
As a bonus, the browser should also detect that it may be sending a credit card number and warn users that a site is only domain validated and cannot be linked to a specific organization.
> I think it should just be removed for those web sites that are simply domain validated (DV) like those using LetsEncrypt or StartCom.
> In addition, some sites that actually paid for a higher class of certificate should have their name shown with a lock like it is with Firefox Quantum.
That's not really a deciding difference. In both cases, one has to trust a CA, and practice shows that they can only be trusted so much. Paid or not paid, it doesn't matter. Therefore, can we please not manipulate site owners into buying paid certificates, thereby doing the CAs' marketing job for them?