<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN"> <HTML> <HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8"> <META NAME="GENERATOR" CONTENT="GtkHTML/3.18.3"> </HEAD> <BODY> This is my first post to the mailing list so, please excuse me if I am not handling this correctly.  I wanted to add comments to an old thread (from April 08) with the same Subject line but could find no instructions on how to accomplish that.  Since it was an old thread, perhaps starting a new one is a better idea anyway except that I prefer not to have to rehash a lot of what has already been said. I am a fairly new user of Firefox and Ubuntu and recently ran into a case which I have had come up numerous times under other browsers, a web-site with a self-signed security certificate.  As you no-doubt know, Firefox gives one just two choices in such a situation: create a security exception to accept the certificate as trusted; or forget about going to the website.  I find both of these choices to be problematic.  I may have a very valid reason for going to the website, but that does not mean that I want to make a permanent exception to a very important security system.  If I know the website is not trusted, I will not enter any information there for which I woulld feel the requirement of a trusted website.  Often when this comes up, I am simply researching something and only plan to read the website -- I am not planning to enter any information there, at all.  But if I make an exception and now indicate that I wish to  trust the website, I will lose any warnings that it is not trusted and may forget about that status, thus making me even less safe -- what value is there in that?  Even if I can revoke that trust when I am done with the website, the fact that I have to remember to remove the trust makes me vulnerable to not doing so and perhaps revisiting the site in the future without recognizing that I should not trust it.  If I am reasonably certain of the authenticity of the website, plan to visit it often, and cannot persuade the website owener that they should obtain a certificate from a trusted CA,  I might choose to make an exception but, in general, even in these cases, in the past, I have generally chosen to just continue to see the warnings each time to remind me that the site is not fully trusted. For background on the problem, I just spent 2 to 3 hours reading through the lengthy debate, found here: <A HREF="https://bugzilla.mozilla.org/show_bug.cgi?id=327181">https://bugzilla.mozilla.org/show_bug.cgi?id=327181</A> which, apparently, provided the foundation for this behavior.  Though I was happy to see the security issues discussed in such detail, a couple of the cornerstones of the argument troubled me.  First, there was the presumption (based on some security study) that users, when presented with error messages, will simply "click through" those messages without consideration, leading them into a possible disaster.  Second, it is incumbent upon Firefox to protect the users from this behavior at nearly any cost (to the user). On the first point, I don't know anything about the cited security study but in addition to being a user, I have been observing users for many years in conjunction with doing software support, and while I would agree that there is some validity to the claims, users have largely been trained to act this way by too many useless error messages: mesages which indicate something is a problem which actually is not; messages which cite a valid problem but in language which is unintelligible to the user; messages which are triggered by a valid problem but which fail to identify it or to suggest a solution; or even messages which signal a problem with no suggestion of what the user can or should do about it, even treating it with an almost cheerful resignation (e.g. the ubiquitous Microsoft message boxes with something on the order of, "Data corruption detected.  The file could not be recovered. OK[?]"  (No, it is not OK).  It is not true, however, that every user will simply dismiss errors without reading them but if you blanket them with messages with which they are more-or-less powerless to comprehend or cope, they will pretty much respond by not coping.  I, for one, read and consider all error messages I receive -- but if the message makes no sense or is unintelligible to me, fails to suggest a proper response, suggests, without explanation, a response which seems wrong or risky, or anything of the like, I am nearly as likely as a novice user to simply ignore it and move on.  If it sounds ominous enough I will try to research it but given the massive number of near-useless messages generated it's not going to happen with every message.  So, it seems to me, rather than worrying about whether users will ignore one's messages, one should  worry about whether the messages say something worth reading. As to whether the users should be protected at any cost, I would simply ask, why?  If you have cited the problem, explained why it is an issue, offered alternatives as well as what consequences might occur related to each possible action, it seems to me that you have done plenty -- if people still choose to ignore your warnings they either have good reasons or they have no one to blame but themselves.  Throwing road blocks in their way to force them to consider their actions is not likely to help -- whether because they considered their ignorance bliss or they simply had a legitimate reason to ignore the warnings, the extra steps will likely be greeted as just another annoyance which might make another browser more attractive.  Offering an alternative, llike making an exception for the certificate will also likely have little positive effect if taking advantage of it makes things less secure than an alternative not offered, like continuing on to the site forewarned of what behaviors will be risky and what the consequences of ignoring that risk might entail. Ultimately, foolishness likely has no cure and there is little point in treating it -- ignorance is worth treating and generally responds well to quality information provided in a timely and accessible manner.  I really think Firefox should be changed to allow one a relatively easy way of temporarily visiting an untrusted website -- before accessing it they should be apprised of the risks and how to minimize those risks.     --  Les </BODY> </HTML>