Nelson B Bolyard wrote:
[...] This incident has shown that FF3, with its all-too-easy-to-defeat MITM reporting, is NOT suitable for high-value web transactions such as online banking.
You know Nelson the reason why you are taking this the wrong way is that you have *no* direct experience of how "average" users interact with broken ssl sites.
Let me explain how I had the revelation FX 3 is broken *because* it tries too much to block access to web sites with invalid certificates.
It happened when one of my colleagues came to me to talk about this new FX 3 browser. He told me it was nice but SSL support was broken. Broken? Yes, instead of accessing the web site, he got some error screen, and had to run IE instead. This was a developer with already around two years of writing SSL-related software.
Since then I'm definitively convinced the current firefox method is broken *and makes the average joe insecure* because it blocks access to the site (and not just the average joe, but a lot of users who should know better).
Now, the answer about what to do next is not easy. But it's *not* to block even more access to those web sites. Whilst I have no magic bullet, it definitively lies along the lines of finding a way to *explain* to the user *what* is broken exactly, and provide him with an effective and easy way to check if it's an error or an attack.
_______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto