I was just reading Dan Kaminsky's blog and saw something I found shocking. Let me quote it.
"Moxie’s putting his energy on the old positive feedback attacks — simply disabling the security, and seeing if anyone notices. And here he shows up with some pretty astonishing data: Nobody noticed. To be specific, absolutely 0% of users presented with missing encryption on important web sites, being asked to provide sensitive financial data to those websites, refused on the basis of missing security."
Wow. 0%. Seriously.
Why don't users "get it"?
My first thought was "how do you not notice the address bar's not green?" Then I realized that a lot of people probably don't know why the address bar changes colours or what the different colours mean. Here's a hint: if it's a financial-anything, and that bar's not turning green, run away. I didn't know how it worked, to be honest. I knew it was more than certificate verification, designed to get around URLs that look like what you want but aren't, and that it involved paperwork. He's got the scoop on Extended Validation. Also, you can click the green bar to get more information about how the site is validated.
And by the way, that thing where phishers get a fake URL with a valid cert: that doesn't work (without a bunch of legal hula hoops to jump through) for the green bar. When a cert is the only valid thing going on, you'll see blue. Blue can still be phishing. Green is the good one.
Now, I know we're Linux users, and we're not likely to get viruses or trojans or things like that, but phishing is OS-agnostic. Phishing is about stupid users. Don't be a stupid user! When Firefox tells you a site is bad, be careful. When Firefox doesn't explicitly tell you a site is good, be careful. When I say be careful, I mean treat it as if its mode was 444 (read-only).
Oh, and use NoScript for Pete's sake!
/* Insert standard "do not click on login links in email" "do not use search engines to replace bookmarks" "do not use the same crappy password on every website" etc. warnings */