On 4/19/2010 10:52 AM, Nelson B Bolyard wrote:
On 2010/04/19 08:33 PDT, johnjbarton wrote:
...


There are appropriate channels for advertising this problem and
educating users and servers about it. The current Error Console spam
campaign and the proposed pop-up ads campaign are simply not appropriate
actions for the browser.

Your opinion is duly noted.

The browser's legitimate role here informs users on the connection they
have to a server. If Firefox is presenting a user interface that shows
a secure connection for https, but the connection is not secure
according to the browser's security experts, then Firefox is broken.

I agree with that, too.  The NSS SSL library accurately tells the browser
about the reality of the situation.  How the browser then informs the user
of that situation is up to the browser, not up to NSS (NSS does no UI).

If this were true, I would not be here to complain. NSS does write to the Error Console, and that is my UI.


The legitimate action by browser developers is to fix their bug.

But that, by itself, does not provide the users with transport security.

The industry is largely sticking its head in the sand, saying "don't bother
me with the facts, don't give me errors or warnings.  I'd rather be
ignorant of this huge security hole (and keep my users largely ignorant of
it) than fix it."  Someone has to watch out for the users' interest.

You're making this up. No industry spokesperson, company representative, or unincorporated server admin has said any such thing.

But suppose that in fact someone did say exactly what you quote. Why should you follow up by writing error messages in a console that no one in "the industry" ever sees?

Direct your energy at the problem you want to solve. Talk to some server admins. Ask them why they are reluctant to take action. Find some real industry representatives. Ask for their help. The first thing they need from you is a convincing argument that this is a real problem. Once they understand that their users are exposed to a security threat they will take prompt action.


Telling us that you'd prefer that Mozilla products kept silent about it
tells us something about where you stand on the security-vs-convenience
issue.  It's not likely to engender much sympathy here.

I do not appreciate your continued misrepresentation of my comments on this newsgroup.

I have made no comments on security-vs-convenience here.

The only sympathy I seek concerns the repeated, pointless, obscure messages that you are putting in my user interface about problems I did not cause and cannot fix.

In this case, Mozilla has chosen to tell the users about this problem by
this particular means.  I'd prefer a more blatant means, but it's better
than nothing.  I appreciate that some effort is being made.

jjb

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
