This is a resend. Don't know why my previous copy went only to Marsh. I intended it to go to the list as well.
On 2010-10-21 16:50 PDT, Marsh Ray wrote:
> On 10/21/2010 05:53 PM, Nelson B Bolyard wrote:
>> - Letting mozilla products become a playground for home-baked crypto
>> protocols. That's a gate you'll find difficult to close once it is
>> allowed to be opened.
>
> Since when have Mozilla products not been a playground?

It IS a playground, in the sense that people can develop add-ons to do whatever their hearts desire, and Mozilla actively encourages that. I'm referring to the functionality in the base product, and particularly to the security functionality in the base product.

Users expect that Mozilla product security, out of the box (so to speak), with no add-ons present, is going to be very good. And once added, features are seldom removed. Look at how long it is still taking to get browsers to be secure with respect to renegotiation out-of-the-box. It's because users have become dependent on that bad old stuff and won't let go, even if it's bad for them.

> Who put up a gate in the first place anyway?
>
> Would you really have app developers go elsewhere for bignums?

I'm talking about putting JBAKE (or whatever it is) into the base product. That's the motive behind this request. It's not for add-on developers. It's because someone wants to put

> Do you really think it would inhibit anyone from baking with crypto?

I don't care about what people do with add-ons. They're not even at issue here. I do care about what Mozilla offers to its users in the products that bear its name, under the pretense of "security".

Security isn't about a pile of cool-sounding features. It's about assurances. There are people within Mozilla who want to add to the feature list, want to have more bragging rights, want to claim to be the first with some new buzzword. That's utterly harmless when the new buzzword is some new UI feature that changes pixels on a screen, but in the security space, more care is needed to maintain the assurances.

> I want my playground and Easy Bake crypto oven. Or, more precisely, it
> bugs me that an open project like Mozilla would restrict tools on the
> "too dangerous for mere mortals" principle.

Marsh,

Most users have no idea, draw no distinction, among the various security protocols, mechanisms, schemes used within a product like their browser. They have no idea where the responsibilities of a protocol end and the responsibilities of the program's UI begin. When their security is violated, they just lump it all together.

That's why SSL/TLS keep getting smeared for faults that are purely UI faults. We read, monthly if not weekly, pronouncements in the press saying that "SSL has failed" because users clicked past security warnings, or because the browser was fooled by some clever web page content (e.g. JavaScript) into displaying the wrong information to identify the source of that content, or because badly-designed browser security UI, which is utterly indistinguishable from web page content, is subverted to fool users into taking actions that harm their own security, or simply because users continue to fall for emails bearing dire warnings that appear to come from their banks, that make them SO upset that they fail to notice the web page into which they typed their bank password was NOT their bank's page.

None of these problems is in any way a fault of the SSL/TLS protocols, but even readers of this group have tried to argue that they are.

So, when it comes to user security, Mozilla needs to take care about who it lets into its bed. One foul piece of "security" in the base product will besmirch ALL the product's security features.

> <cheap_shot>
> So if Mozilla's got such high standards on authentication and such, they
> can put up even one add-on that doesn't say "(Author not verified)" in
> my browser:
> https://addons.mozilla.org/en-US/firefox/addon/15003/
> https://addons.mozilla.org/en-US/firefox/addon/11950/
> </cheap_shot>

I don't think it's a cheap shot. I'm not wild about that, either. I think it does show, however, a difference in degree of care between things that are offered as "products of Mozilla" versus "addons by whomever". That's appropriate, to some degree, in my opinion.

I'm just trying to ensure that the newest comer to Mozilla's security development community is aware of some of these issues.

--
/Nelson Bolyard