[security] Please convince me not to ban SSL (OP's)
SitG Admin
sysadmin at shadowsinthegarden.com
Fri May 8 19:04:04 UTC 2009
>You're welcome to lock users out of your site, but I suspect this
>trade-off doesn't make sense for most RPs.
Then again, I'm not most RPs. I'm me. Just as in webpage design,
what worked well for others won't necessarily make sense for everyone.
>> and if their URI *doesn't* use SSL then
>> the user has an illusion of security, one which may be reinforced by their
>> OP.
>
>You're making fairly specific assumptions about what the user does and
>doesn't understand about security. Without a user study, we have no
>way of knowing whether these assumptions are accurate.
I think they understand that SSL is safer (e-commerce, et al.).
By "reinforcement" I mean "specific advertisement": if the OP uses
its support of SSL as a feature to attract users, but does not educate
the user about how this security measure fits into the larger
picture, it is effectively misleading the user into a mistaken
idea of how secure they are.
>You haven't offered any justification for these very specific
>assumptions. I bet they won't hold that widely if you tested them on
>real users.
I'm not concerned about "real users" so much as "MY users"; not drawn
from the average pool ;)
-Shade