“This isn’t against net neutrality. This is about protecting users from themselves”

“[This isn't about claiming to know better than users. This is about claiming to know better than users.]”

Net neutrality is socialism. Net Neutrality is nanny-state.

What you have proposed, Peter Hesse, is the essence of socialism. Bravo?

@IGOR

Would you have it display What WAS new? or What is NOW new for you?

I agree: it would be better to show a ‘why you might want to upgrade now’ drop down (same place as unapproved extension location)

..

A cert warning should show not merely for mismatch but ALSO for md5 signatures.

NoScript ABE has many features than should be native to the browser, much as with those in RequestPolicy

For example, they show the “What’s New” page AFTER update has been installed. Talk about common sense — you read “What’s New” to find out whether you want to update or not. There is no point in reading it after the fact when you can’t roll back to the previous version.

As for this particular “security” measure — Mr. Peter should go buy a clue if he believes that this nagging is any good for the end user let alone for the advanced ones.

Peter, you say “This is about protecting users from themselves”, but this is just bad design. Just check the choice of words:

1. “Failed” — this is misleading, the connection has not failed, you refused to make it.

2. “Not trusted” — you don’t trust it but what about me?

3. “Could be a problem with the server’s configuration” — misleading again.

4. “may be temporary, and you can try again later” — as if that will actually fix the problem! Misleading yet again.

5. “Or you can add an exception…” — Translation: “If we haven’t convinced you to give up by outright lying about what is going on in the above 5 paragraphs of big, fat, and misleading text then damn you Average Joe — you can proceed but we will make it as hard for you as possible.”

So Peter, it is not just a matter of creating exceptions (and some of us would need to create a lot of them) — it is about turning what used to be a warning sign into an obstacle.

As it was already pointed out, it is much harder to impersonate than to spy.

Remember, if someone goes through so much trouble to impersonate someone else, they will do it using a trusted certificate so this message won’t even get shown and thus it won’t be able to protect the user from an impostor.

Therefore, one can conclude that it is only preventing people from using SSL so their communication can be freely snooped by the third parties.

It’s like posting a warning sign outside of a swamp in German. You know there is something in the lake, but ignore the sign since you can’t really make heads or tails of it. Is it a cougar, a crock, or just a no-littering sign?

I like the “phishing” bar (used in IE) which seems to be more effective and understandable to the average Joe or Jörn

Even older versions of Firefox would present a warning or error message when an invalid certificate is presented, allowing you to click something to continue. IE also has a quickly dismissible warning. All this is doing is making the user have to make a serious security decision before continuing. It is no different than “Vista UAC”:http://securitymusings.com/article/177/why-you-dont-want-to-disable-uac which I have previously ranted on — it’s a *good* thing!