On 04/07/2010 09:35 PM, Nelson B Bolyard wrote:
>
>>>> We plan on alerting users in a future update. This is fair warning
>>>> to server operators and those who are debugging their sites.
>>>>
>>> If this is a real threat don't users deserve a fair warning now?
>>>
>> I fully agree!  If users are vulnerable now, they should be warned now,
>> (bug 535649 comment #15).  The counterargument (comment #24) is that
>> showing the broken SSL UI for almost all sites will "quickly
>> neutraliz[e] the awareness/protection it might offer",
>>
> And that argument is now being successfully used by a lot of companies
> who make products that directly face the end users.  They use it to avoid
> doing ANYTHING about this problem.  They say "we can't start to warn users
> until a majority of the servers on the net have gotten fixed, so that a
> minority generate the errors."  And so users go unwarned, and they remain
> blissfully ignorant of their vulnerability.  Consequently, they put no
> pressure on servers to get fixed.  Consequently, there is NO pressure on
> servers to get fixed, and servers are not getting fixed at all rapidly.
>   
What in the world are you talking about here? The entire internet is
broken right now. Putting a warning dialog up now would only train users
to ignore the warnings (we've seen this in the past). That is why there
is a console warning. You can still get that information from the
console log, or even set the pref to disallow those connections. In any
case, to say that Firefox is not doing ANYTHING about the problem is
seriously mischaracterizing the problem.

The current response is in line with other well known and well respected
browsers out there, unless you are accusing Yngve Pettersen of security
ignorance or laziness as well... The warnings will come -- when they can
have the most effect (that is, pointing the user's wrath at the website
rather than the browser). We are already getting action from websites
from the console log warnings. AFAIK, Microsoft still has not released
any renegotiation patches. NSS's patches are only 1 month old.
> Inconveniencing the users is a NECESSARY part of getting this vulnerability
> fixed.  Without that, the servers have NO INCENTIVE to lift a finger to fix
> this.
>   
And allowing the security updates on servers to percolate out is also a
necessary part. Don't worry, the hammer of noisy warnings is still in
the tool shed, we just need to use it when it will do the most good.
(Just before those last websites get turned off...).

>> but I think my proposal for a yellow Larry button (comment #62)
>> partially addresses this concern.
>>     
> Maybe, but you'll have to sell it to product makers who'd prefer not to
> annoy their users at all if their lives don't depend on it.
>   
The yellow Larry is a good proposal, and probably implementable much
sooner than noisy warnings.


-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
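The "renegotiation patches" discussed in this thread implement RFC 5746, whose renegotiation_info extension is the signal Firefox's console warning checks for. As an added example (not from this thread or from NSS), the following script parses a TLS ServerHello and reports whether the server advertises that extension; the sample messages are constructed inline, and names such as parse_server_hello are the example's own.

```python
import struct

RENEGOTIATION_INFO = 0xFF01  # RFC 5746 extension type "renegotiation_info"

def parse_server_hello(msg: bytes) -> dict:
    """Parse a TLS 1.0-1.2 ServerHello handshake message (handshake layer only,
    no 5-byte record header). Returns the chosen cipher suite and extensions."""
    if len(msg) < 4 or msg[0] != 2:  # HandshakeType server_hello(2)
        raise ValueError("not a ServerHello")
    body = msg[4:]
    if len(body) != int.from_bytes(msg[1:4], "big"):
        raise ValueError("handshake length mismatch")
    pos = 2 + 32  # skip server_version and random
    pos += 1 + body[pos]  # skip session_id (length byte plus bytes)
    cipher_suite = struct.unpack_from(">H", body, pos)[0]
    pos += 2 + 1  # cipher_suite and compression_method
    extensions = []
    if pos < len(body):  # the extensions block is optional
        ext_total = struct.unpack_from(">H", body, pos)[0]
        pos += 2
        if pos + ext_total != len(body):
            raise ValueError("bad extensions length")
        while pos < len(body):
            ext_type, ext_len = struct.unpack_from(">HH", body, pos)
            pos += 4
            extensions.append((ext_type, body[pos:pos + ext_len]))
            pos += ext_len
    return {"cipher_suite": cipher_suite, "extensions": extensions}

def supports_safe_renegotiation(msg: bytes) -> bool:
    """True if an initial-handshake ServerHello carries renegotiation_info with an
    empty renegotiated_connection (encoded as the single byte 0x00), per RFC 5746."""
    for ext_type, data in parse_server_hello(msg)["extensions"]:
        if ext_type == RENEGOTIATION_INFO:
            return data == b"\x00"
    return False

def build_server_hello(cipher_suite: int, extensions: list) -> bytes:
    """Construct a minimal ServerHello (TLS 1.0, zero random, empty session_id)."""
    body = b"\x03\x01" + bytes(32) + b"\x00" + struct.pack(">H", cipher_suite) + b"\x00"
    if extensions:
        ext_bytes = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack(">H", len(ext_bytes)) + ext_bytes
    return b"\x02" + len(body).to_bytes(3, "big") + body

# Constructed samples: a patched server advertising RFC 5746, and an unpatched
# one that sends no extensions at all (the case the Firefox console warning flags).
PATCHED = build_server_hello(0x002F, [(RENEGOTIATION_INFO, b"\x00")])
UNPATCHED = build_server_hello(0x002F, [])
```

Against a live server the same signal is what `openssl s_client` reports as "Secure Renegotiation IS supported" or "IS NOT supported".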