WebApp Sec mailing list archives

Re: Growing Bad Practice with Login Forms


From: "David Wall @ Yozons, Inc." <dwall () yozons com>
Date: Tue, 27 Jul 2004 19:04:30 -0700

  * The difference between a non-SSL and a SSL site should
    be more visible to the user. SSL-enabled connections should
    be made to look more important. The small image in the corner
    does not cut it. I would like to see a red border around the
    whole browser window. Or a red border until you explicitly
    choose to trust a site, at which point it changes to green.
    Something like that.

That's a good idea, though color alone wouldn't suffice.

    Also, why not display the contents of a certificate on
    the screen at all times (e.g. organization name & address).

Another good idea.

  * Browsers should remember the public key of a visited server,
    and compare the stored key with the key received upon
    the next visit. Just as SSH does.

This is yet another good idea.  The beauty is that the first time you visit,
you look at the cert details.  If someone takes you to a spoof site that you
visit all the time (PayPal, Citibank, etc.) and the popup arises, at least
you'll look again (even if they just changed their keys).

Both Mozilla and IE browsers fail to display the most interesting tidbits
(domain name and organization name) on the first click, with Mozilla making
the info even less obvious than IE.  Requiring that people click on the
lock, then click another button to examine the cert is simply asking users
to do too much.  It needs to be automatic, perhaps with a special SSL-mode
display as suggested that shows this info all the time.

David

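The SSH-style check proposed in the thread (remember a server's key on first visit, compare on every later visit, and interrupt the user only when it changes) as a worked example. This is added illustration, not code from the original post or from any browser; it assumes the TLS layer hands the client the server's leaf certificate in DER form (as ssl.SSLSocket.getpeercert(binary_form=True) does) and pins its SHA-256 fingerprint per hostname in a known_hosts-style JSON file. The two "certificates" below are constructed byte strings standing in for real DER, and the hostname is made up.

```python
"""Trust-on-first-use (TOFU) certificate pinning, in the style of SSH known_hosts.

Added example, not from the original post.  Assumes the caller already has the
server's leaf certificate as DER bytes; the certificates below are constructed
stand-ins, not real X.509 data.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path
from typing import Optional

NEW = "new"            # first visit: record the pin and show the cert details once
MATCH = "match"        # same certificate as last time: proceed silently
MISMATCH = "mismatch"  # certificate changed: stop and warn, the SSH-style popup

# Constructed stand-ins for DER-encoded certificates (hypothetical, not real certs).
SAMPLE_CERT_A = b"\x30\x82\x01\x00" + b"paypal-cert-2004".ljust(64, b"\x00")
SAMPLE_CERT_B = b"\x30\x82\x01\x00" + b"paypal-cert-rotated".ljust(64, b"\x00")


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER certificate, hex encoded, as browsers display it."""
    return hashlib.sha256(cert_der).hexdigest()


class KnownHosts:
    """Per-host store of pinned fingerprints, persisted as JSON when a path is given."""

    def __init__(self, path: Optional[Path] = None):
        self.path = path
        self.pins: dict[str, str] = {}
        if path is not None and path.exists():
            self.pins = json.loads(path.read_text())

    def _save(self) -> None:
        if self.path is not None:
            self.path.write_text(json.dumps(self.pins, indent=2, sort_keys=True))

    def check(self, host: str, cert_der: bytes) -> str:
        """Compare the presented certificate with the pin recorded for host."""
        seen = fingerprint(cert_der)
        pinned = self.pins.get(host)
        if pinned is None:
            # First contact: trust on first use and remember it.
            self.pins[host] = seen
            self._save()
            return NEW
        # Constant-time compare; a changed key is reported, never silently replaced.
        return MATCH if hmac.compare_digest(pinned, seen) else MISMATCH

    def accept_new_key(self, host: str, cert_der: bytes) -> None:
        """Replace the pin, but only after the user has re-examined the certificate."""
        self.pins[host] = fingerprint(cert_der)
        self._save()


def demo(host: str = "paypal.example") -> list:
    """Walk through first visit, repeat visit, key change, and user re-acceptance.

    The store is reopened from disk between steps to show the pin survives a
    browser restart.  Returns the sequence of check results.
    """
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "known_hosts.json"
        results.append(KnownHosts(path).check(host, SAMPLE_CERT_A))   # NEW
        results.append(KnownHosts(path).check(host, SAMPLE_CERT_A))   # MATCH
        store = KnownHosts(path)
        results.append(store.check(host, SAMPLE_CERT_B))              # MISMATCH
        store.accept_new_key(host, SAMPLE_CERT_B)                     # user looked again
        results.append(KnownHosts(path).check(host, SAMPLE_CERT_B))   # MATCH
    return results


if __name__ == "__main__":
    print(demo())
```

A mismatch here is a decision point, not an error to be auto-recovered: the store never overwrites a pin on its own, so a legitimate rotation and a spoofed site both produce the same interruption and the same prompt to look at the certificate again, which is exactly the behaviour the post argues for.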
