This is not a rhetorical question; do you think people would ignore the warning and continue to use the site?
An easier phishing technique would be to manipulate the address to appear legitimate using pushState.
I actually made this demo back in April but just got around to posting about it now. In the meantime, Firefox and Chrome have made their warning messages more prominent. Still, I think it's a pretty major issue.
Experienced web users won't be fooled by something like this. But even if 1% of users are fooled by this technique, that's still potentially thousands of innocent web users, which I think is unacceptable.
This attack triggers no 'warning' that would cause the user unease. The most obnoxious case is Firefox presenting "Allow or Deny Fullscreen?", a question that doesn't imply any danger or downside. A number of victims might even see it as a new kind of convenience, since their phone and tablet already do everything in fullscreen.
"Get me out of here!" is the only visible button and the obvious action. To override the SSL check, you have to click "I Understand the Risks" to expand the page, revealing both an "Add Exception..." button and a further warning (in bold). "Add Exception..." brings up a dialog which again warns you in bold: "Legitimate banks, stores, and other public sites will not ask you to do this." And finally "Confirm Security Exception".
Firefox steers you toward the safe choice and makes you very, very aware of the gravity of the situation before doing something dangerous. That's good UI.
Chrome, on the other hand, has a "Proceed anyway" button right there; in less than a second you've clicked it and the warning is gone. Developers who would blame dumb users for this are mistaken. People are busy, they're distracted, and Chrome makes it way too easy to do the wrong thing, while Firefox gets this right.
I was mostly disagreeing with the general "blame the users" mentality apparent upthread and among developers in general, not with you specifically. I've edited my post to make that clearer.
Absolutely. My eyes were opened to that when I was troubleshooting my father's webcam over the phone. It kept not working when everything looked like it should. He just failed to let me know about the alert that kept popping up that said "camera is locked by <foo>". Instead, without reading, he just hit the "X", even though I was asking for every step he was performing. Closing a rogue alert isn't even a "step" to most people.
If you are relying on dialogs to keep your users safe, you are doing it wrong. Unfortunately, I don't know what the right answer here is.