On Wed, 24 Feb 2016 14:58:37 +0000 Gervase Markham <g...@mozilla.org> wrote:
> > They had ample opportunity to avoid a crisis. It is not
> > Mozilla's responsibility to dig them out of the hole they have dug
> > for themselves,
>
> It is not our responsibility; on the other hand, the damage which may
> happen if we do not (i.e. if we refuse, Symantec will not issue to
> Worldpay, and it's Worldpay's merchant customers who will be unable to
> take payments) does not accrue to Worldpay but to others.

If Mozilla declines to make this exception, it will not be that choice which harms Worldpay's customers. It will be the numerous bad choices made by Worldpay.

Worldpay has significant resources at their disposal: in 2014, their revenue was 3.6 billion GBP and their EBITDA was 375 million GBP[1]. If Worldpay cannot get new payment terminals to their affected merchants in time, then they can overnight credit card imprinters and their merchants can accept cards the old-fashioned way. If Worldpay does not want to take care of their customers, Mozilla should feel no guilt for not doing that for them.

It takes far too long to deprecate insecure practices on the Internet: consider 1024-bit RSA roots, weak DH, RC4, and MD5. How many times has Firefox (and other browsers) been forced to delay a deprecation in order to accommodate the needs of large companies? These companies have the resources to do better, but they don't because they do not see a cost to continuing their insecure practices. Instead, they are happy to have the cost be borne by the hundreds of millions of Firefox users, who are forced to use a browser that is less secure than it should be.

Bailing Worldpay out of the predicament they put themselves in will reinforce the perception that there are no economic consequences for failing to properly invest in security that affects the entire Internet.

No Firefox users will be adversely affected if an exception is not made. But if an exception is made, companies will continue under-investing in the migrations that are necessary to move the security of the Internet forward. That will harm Firefox users in the long run.

Regards,
Andrew

[1] http://www.worldpay.com/us/about/financial-results