The concerns Gerv and Adam raised are for active network attackers. Someone using Firesheep hasn't really compromised the connection, but is only looking at the traffic. That said, we don't know if this is a real problem. Maybe this is good enough for the current active network attackers. If so, it is still useful.

Re Yvan's point

> If you mean malware as in something running on the computer, then the entire
> issue is a moot point.

I was talking about malware running on the computer. I am not sure it is moot; storing all the user's data in a single place for `security' has a certain creep factor and makes the job of malware easier. I think Mark was bringing up a related point when he talked about "offline attacks" being easier.

-dev

On 23 March 2012 11:20, Kevin Chadwick <ma1l1i...@yahoo.co.uk> wrote:
> On Thu, 22 Mar 2012 13:15:59 -0700
> Yvan Boily wrote:
>
> If you were going to do this, it should be global. A fingerprint
> checked self-signed is actually more secure than a CA signed one. Also
> someone's bios battery might have just run out of juice giving a
> default date.

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security