[sugar] Preparing for the feature freeze

Benjamin M. Schwartz bmschwar
Thu Jun 5 10:14:47 EDT 2008


Eben Eliason wrote:
| On Thu, Jun 5, 2008 at 12:36 AM, Michael Stone <michael at laptop.org> wrote:
|> On Tue, Jun 03, 2008 at 11:03:44AM +0200, Marco Pesenti Gritti wrote:
|>> * Browser bookmarks and autocompletion. - priority 3
|> I'd really like to see some progress on #542/#5534 (deal with
|> non-standard SSL certificate authorities). This is going to become a
|> bigger and bigger stumbling block the longer we wait. Surely we could
|> manage some sort of 'accept this cert' button? (Keep in mind the
|> possibility of another G1G1 coming our way in the foreseeable future.)
|
| I think that a non-modal alert (akin to those used for downloads)
| would suffice.  Toss up buttons for "view" "cancel" and "accept", with
| the first of these presenting a modal alert with the detailed
| certificate information, and we'd be set.

I don't understand this at all.  If a site offers an invalid/untrusted SSL
certificate, it should simply be accepted silently.  The user should have
the same experience as if the page were not using SSL.

We know from experience that users do not know how to interpret the
certificate warning, and simply learn to click on the button that allows
them to continue.  Presenting them with an incomprehensible warning, and
then indicating that the connection is secure, is not good security, and
not good UI.

--Ben


