Closed taltman closed 9 years ago
@taltman I like the background color idea, plus the initial greeting can inform the user as to what kind of source they have without asking them to click on anything. Clickable banners informing you of what you already know are a user interface no-no.
I disagree, however, with your security classification. Here's why. The current PassLok browser extension is hosted by Google and available from the Chrome store. It is secure in the sense that Google signs it and Chrome won't accept it if the signature fails (at least in theory). But Google has been known to comply with secret requests from the NSA. It is conceivable that they might give a third party access to the source, and then provide a signature for tampered code. It doesn't look like the signature happens until I have uploaded the code to their server, which makes the above a dangerous possibility. What I just said about Google also goes for Firefox and (not so sure, since it looks like a form of signature is applied on my end, not sure if it's the final one) the Apple store as well.
I have a user who won't use PassLok until he's inspected the code and saved it to his flashdrive, so I guess this is the most trustworthy source in this guy's mind.
Hosting site? I've made sure all hosts use SSL/TLS, and there are four of them delivering identical code, which can be checked against each other. I don't think this is less secure than Google.
This is being implemented in v2.1.03 in the following way:
PassLok can be used, in order of increasing security, as:
PassLok should make an intuitive way of informing the user about the relative security differences. I recommend: