On 2010/04/19 11:32 PDT, johnjbarton wrote:
> On 4/19/2010 10:52 AM, Nelson B Bolyard wrote:
>> On 2010/04/19 08:33 PDT, johnjbarton wrote:

>>> The browser's legitimate role here informs users on the connection they
>>> have to a server. If Firefox is presenting a user interface that shows
>>> a secure connection for https, but the connection is not secure
>>> according to the browser's security experts, then Firefox is broken.
>>
>> I agree with that, too.  The NSS SSL library accurately tells the browser
>> about the reality of the situation.  How the browser then informs the user
>> of that situation is up to the browser, not up to NSS (NSS does no UI).
> 
> If this were true, I would not be here to complain. NSS does write to 
> the Error Console, and that is my UI.

Not true.  Go find the line of code that writes to the error console.
You will find that it is not in mozilla/security/NSS.

> But suppose that in fact someone did say exactly what you quote. Why 
> should you follow up by writing error messages in a console that no one 
> in "the industry" ever sees?

Why should I?  I do not, and have not.  I work on NSS, a crypto library
used in browsers and servers, which does no UI and calls no browser error
console functions.  The code about which you complain is not in NSS.  You
are complaining to the wrong person.

> Direct your energy at the problem you want to solve. Talk to some server 
> admins. Ask them why they are reluctant to take action. Find some real 
> industry representatives. Ask for their help. The first thing they need 
> from you is a convincing argument that this is a real problem. Once they 
> understand that their users are exposed to a security threat they will 
> take prompt action.

I am a supplier of software.  My relationship with any such people is like
a person on the supplier's end of a rope.  I can't get very far by pushing.
The rope must be pulled.  The people who will pull it from me will do so
when others pull on a similar rope from them. Those others are the users.
The users will pull their end of their ropes with their suppliers when they
perceive they have a problem.  But they don't read RFCs or CVEs where
they'd see Marsh's name and mine.  Someone must put this in their faces.

I don't do UI.  I am at the mercy of Firefox browser developers to inform
the users of the problem.  They have chosen to bother you about it rather
than to bother the end users about it.  That doesn't make me any happier
than it makes you because the users who remain unaware of the problem
will continue not to pull on the ropes between themselves and their server
sys admins, and you complain to me, not to the Firefox developers who
chose to annoy you.

I repeat:

>> In this case, Mozilla has chosen to tell the users about this problem by
>> this particular means.  I'd prefer a more blatant means, but it's better
>> than nothing.  I appreciate that some effort is being made.
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto