On 2010/04/19 08:33 PDT, johnjbarton wrote:
> On 4/19/2010 1:42 AM, Nelson B Bolyard wrote:
>> On 2010-04-18 21:16 PST, johnjbarton wrote:
>> 
>>> I see nothing wrong with users contacting sysadmins. I object to
>>> using the browser as a platform for badgering Web developers to
>>> contact sysadmins on your behalf.
>> 
>> You continue to make the mistake of assuming that users have no vested
>> self interest in having access to secure servers, and that they are
>> merely doing a favor for some set of developers, rather than acting in
>> their own self interest, by asking server admins to fix their
>> servers.
> 
> So by this argument we should warn users whenever they access 
> pornographic sites, radical right wing sites, socialist sites, religious
> and atheist sites.

That's silly.  https doesn't protect users from site content.  It protects
users from interception and modification or falsification of content while
in flight, provided that the client AND the server are both implementing
SSL correctly.  Users care about that because they don't want their
passwords and other secrets stolen, as can now be done when used with
broken servers.

> We need to inform them, for their own self interest, that the server
> admins need to fix their servers.

Right.  We've fixed the SSL code in the browser.  Now it's the servers
that need to be fixed.  The users won't be fully protected until the
servers are fixed.

> But why stop there? Users' self interest surely extends beyond the
> browser. Should we send them messages to lobby against air pollution,
> poverty, government intrusion, and so on? Is it really true that
> CVE-2009-3555 is the only issue worthy of their attention?

That's silly.  It has nothing to do with the charter of https.  The
issues I'm discussing have everything to do with the charter of https.

> There are appropriate channels for advertising this problem and
> educating users and servers about it. The current Error Console spam
> campaign and the proposed pop-up ads campaign are simply not appropriate
> actions for the browser.

Your opinion is duly noted.

> The browser's legitimate role here informs users on the connection they
> have to a server. If Firefox is presenting a user interface that shows
> a secure connection for https, but the connection is not secure
> according to the browser's security experts, then Firefox is broken.

I agree with that, too.  The NSS SSL library accurately tells the browser
about the reality of the situation.  How the browser then informs the user
of that situation is up to the browser, not up to NSS (NSS does no UI).

> The legitimate action by browser developers is to fix their bug.

But that, by itself, does not provide the users with transport security.

The industry is largely sticking its head in the sand, saying "don't bother
me with the facts, don't give me errors or warnings.  I'd rather be
ignorant of this huge security hole (and keep my users largely ignorant of
it) than fix it."  Someone has to watch out for the users' interest.

Telling us that you'd prefer that Mozilla products kept silent about it
tells us something about where you stand on the security-vs-convenience
issue.  It's not likely to engender much sympathy here.

In this case, Mozilla has chosen to tell the users about this problem by
this particular means.  I'd prefer a more blatant means, but it's better
than nothing.  I appreciate that some effort is being made.
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
