On 2009-07-03 05:29 PDT, Ian G wrote:

> We desperately need some form of whitelisting in Firefox so that each site
> always gets presented the same cert. If browsers can remember cookies
> and username/passwords, then they can remember cert/domain combinations.

This goes double for Thunderbird and mail servers, which are configured, not browsed. Bug 155089, "Need a better way to associate a certificate to a mail account for authentication", just had its 7th birthday.

> As an aside, does anyone have any stats about how many people use these
> non-Firefox security devices?

I don't have numeric statistics. Users in certain countries, and users who are customers of certain banks, use them a lot. Banks in some countries give them away to customers. But elsewhere they're mostly used in "closed" corporate or governmental environments. (I guess banks and their customers are "closed" environments, too.)

> It is somewhat clear that most end-users can't use these things, only
> corporates can. So Mozilla priority for these things might be lacking.

The average browser user doesn't even set/use a "master password". So, the site passwords that his browser remembers are stored "in the clear". The reason is not that the user doesn't know about master passwords. It's that users don't want to be bothered with a password request, EVER, not even once per browser process lifetime.

These same users complain that Firefox has a dialog that will show them their saved web site passwords. They're (rightly) afraid that others will use this feature to steal their passwords when they're not looking. (Of course, they could also set their screen savers to require a password to unlock, but they don't do that, either.) When told that setting a master password will prevent Firefox's passwords from ever being shown without entering it immediately before the display, they balk at having to set a master password. They don't understand that, as long as the passwords are stored "in the clear", they're vulnerable, whether FF displays them in a dialog or not.

My point is that I think the relevant questions are:

- how many end users who *want* to use them can do so? and
- what are the reasons they don't?

I think we'll need something that is as widely accepted as a credit card before this takes off. But that by itself won't suffice. It will also require identity theft to get a LOT WORSE before the average consumer decides that having to lift a finger to protect himself isn't such a bad idea.

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
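The "remember the cert/domain combination" idea quoted from Ian G at the top of this message is what is usually called key continuity, or trust on first use. The following is an added example written for this page, not code from the thread, from Firefox or from NSS: a minimal per-host pin store that records a certificate fingerprint the first time a host is contacted and flags any later change. The `PinStore` class, the `host:port` key format, the sample DER byte strings and the host names are all constructed for illustration.

```python
"""Key-continuity ("remember the cert for this host") pin store.

Added example for illustration; not Mozilla code. The certificate blobs
below are constructed byte strings standing in for DER-encoded certificates.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, the value TLS tooling
    usually prints as the certificate fingerprint."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class PinStore:
    """Pins keyed by 'host:port', the way a cookie jar is keyed by host.

    The store holds no secrets, only fingerprints, but it is integrity
    sensitive: whoever can rewrite it can re-pin a host, so it must live
    in the same protected profile area as other trust decisions.
    """
    pins: dict = field(default_factory=dict)

    @staticmethod
    def _key(host: str, port: int) -> str:
        return f"{host.lower()}:{port}"

    def check(self, host: str, port: int, cert_der: bytes) -> str:
        """Compare the presented certificate with the remembered one.

        Returns one of:
          'new'      first contact; the fingerprint is recorded (trust on first use)
          'match'    same certificate as last time
          'mismatch' the certificate changed; the caller must not silently
                     continue, since this is exactly the interposition case
                     the pin exists to catch
        """
        key = self._key(host, port)
        presented = fingerprint(cert_der)
        remembered = self.pins.get(key)
        if remembered is None:
            self.pins[key] = presented
            return "new"
        # constant-time comparison of the two hex digests
        if hmac.compare_digest(remembered, presented):
            return "match"
        return "mismatch"

    def accept_change(self, host: str, port: int, cert_der: bytes) -> None:
        """Replace a pin after an explicit, out-of-band confirmed rotation.
        Deliberately a separate call: check() never updates a mismatching pin."""
        self.pins[self._key(host, port)] = fingerprint(cert_der)

    def dumps(self) -> str:
        """Serialize for storage in the profile."""
        return json.dumps(self.pins, sort_keys=True)

    @classmethod
    def loads(cls, data: str) -> "PinStore":
        return cls(pins=json.loads(data))


def demo() -> list:
    """Walk a mail client through a sequence of constructed connections and
    return the verdict for each one."""
    cert_a = b"constructed-der-cert-A"   # stands in for the server's real cert
    cert_b = b"constructed-der-cert-B"   # a different cert, e.g. after a swap
    store = PinStore()
    results = [
        store.check("imap.example.net", 993, cert_a),   # first contact -> 'new'
        store.check("imap.example.net", 993, cert_a),   # same cert -> 'match'
        store.check("imap.example.net", 993, cert_b),   # changed -> 'mismatch'
    ]
    # Only after the change is verified out of band does the pin move.
    store.accept_change("imap.example.net", 993, cert_b)
    results.append(store.check("imap.example.net", 993, cert_b))  # -> 'match'
    # Pins are per host:port, so another host seeing cert_a is a fresh pin.
    results.append(store.check("smtp.example.net", 587, cert_a))  # -> 'new'
    return results


if __name__ == "__main__":
    print(demo())
```

The store deliberately has no way to "fix" a mismatch from inside `check()`; a certificate that differs from the remembered one has to surface to the user or administrator, and only `accept_change()` moves the pin. That is also where the hard part of the proposal lives: legitimate certificate rotation produces the same signal as interposition, which is why a configured mail account, where the administrator can update the pin alongside the server, is an easier fit than a browsed web site.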