

Firefox’s SSL policy is not bad, you idiot - psyklic
http://noahsmark.com/2008/08/19/firefoxs-ssl-policy-is-not-bad-you-idiot/

======
Zev
The problem with Mozilla's policy is that their UI is horrendous and gives off
the wrong impression. It throws a bunch of information that will look like
technobabble at the user without a clear definition of what any of it actually
means.

//edit: Did a quick mockup for what _I think_ would be a better SSL error
page, <http://tinyurl.com/6qn24p> (compared to the current SSL error page,
<http://tinyurl.com/6j6ymx> )

"Until you sit down with my grandma for 2 hours painfully explaining how to
use some feature in Microsoft Word, you don’t get to preach to the world about
how Mozilla trying to keep my grandma safe is somehow against the freedom of
the web."

Shame. He seems to be the only person in existence with technologically
illiterate relatives. Right?!?! Wait. No. I'd be willing to bet that everyone
in here has had a similar experience of having to explain how to do something
that we consider simple to someone else.

Technical people understand technical things because they know about other
technical things to relate things to. Non-technical people don't understand
things as well because it's harder to relate things to them. Try explaining
things in a way they (the person you're explaining something to) understand.
Maybe it won't take you two hours next time.

If I had to explain SSL certificates to my grandmother (who travels a lot), I
would compare them to airline tickets. First class is an SSL Certificate from
Verisign (or some other company). It's the best you can buy (trust +
encryption), but it's the most expensive as well. Coach seats would be the
certificate created by a non-profit. It's not a first class ticket, but you're
still on the plane (you still have encryption). Not having a certificate would
be missing the flight after buying a non-refundable ticket. You wasted your
money (no trust/encryption, it's likely someone's trying to scam you).

~~~
nickf
I guess you haven't read any of the other discussions on this topic. If you
don't have the identity verification, the encryption is worthless. If my
grandma went to a site with a self-signed certificate - you're damn right I'd
want an error message stopping her, as there's no guarantee she isn't giving
away the last of her pension money to a scammer somewhere.

To use your ticket analogy: a self-signed certificate would be a ticket in
coach. You have no idea what plane you're getting on, or where the plane is
going. I wouldn't put my grandma on a plane where I didn't know she was going.
You would? :)

------
stcredzero
If $20/year for a cert breaks a nonprofit, what are they doing with a website
to begin with?

~~~
Zev
Looking at Verisign's prices (
[http://www.verisign.com/ssl/buy-ssl-certificates/secure-site...](http://www.verisign.com/ssl/buy-ssl-certificates/secure-site-services/index.html)
), certs range from $400 to
$1500. And other certs (Digicert, etc) range from $150/single domain/year to
$500/wildcard for domain/year.

~~~
stcredzero
Okay, more like $23/month. Still, if a non profit can't afford that for a
website, why does it need that much website? Why not a static page parked
somewhere for free?

