Mark Martin wrote:
> Darren J Moffat wrote:
>>
>> Also this is really no different from several other similar cases with SSL.
>>
>> If HTTPS is not enabled then I will derail this case and call for a 
>> vote.
>>
>
> I don't think the only issue is the lack of a handy, well known cert 
> repository;  the fact that the underlying implementation doesn't 
> validate properly would probably surprise folks.
>
> The choices that I saw were:
> a) Deliver with HTTPS disabled by default.  Principle of least 
> astonishment.
> b) Deliver with (incomplete and ostensibly unsafe) HTTPS enabled by 
> default.
>
> If you're insisting on B, how do you advise managing the gap?  Log a 
> bug?  Document a warning?  Assume developers will be diligent or just 
> know?
Apologies for the reply to self, but I forgot to mention that option A 
was the behavior from the first case, and since the classification was 
changed from consolidation private, I believe the exposure is increased.
