Re: firefox and bad ssl certificates
Milan Bouchet-Valat wrote:
> Notifications are never read, especially by users that are not passionate about computers - they're exactly like there was no message at all, only they annoy users: click OK and then see if there's a problem is what OSes have accustomed people to for many years. And after that the lock in the address bar still seems to confirm you're on a secure website.

I think you are dead wrong. It is absolutely wrong to say they are NEVER read, as people DO see them, and CAN read, ergo some do. I would go so far as to say that the vast majority of people read them; the problem is when they fail to understand. And once you accept the invalid certificate, you ARE on a secure web site. The only thing you have to worry about is that someone has intercepted your connection and is spoofing the site with their own self-signed certificate. If a user frequents a site and does not get this warning, then one day they do, they might think something is up. If not, well, they have been warned.

> IMHO it's not mainly about educating the user, but to force servers to use correct certificates. When freedesktop.org understands that every person who goes to their bugtracker gets the new Firefox warning, I guess they will change their certificate. ;-) (just an example)

No, they won't, and shouldn't. Why pay some idiot corporation an extortion fee just because they bribed the browser manufacturers to include their certs by default? There is NO added security to having a paid-for cert. See the several incidents where bank web sites have been spoofed on a slightly misspelled version of the domain name and issued a valid cert from a CA proving they are the bank you thought you were visiting.

> To continue your metaphor, it's primarily intended to force GPS vendors to provide hands-free models so that then you can drive without this kind of concern.

Pissing off the users by making their life harder is not a good way to get your (wrong-headed) point across to the web site operators.
--
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
Re: firefox and bad ssl certificates
On Tue, 13 May 2008 19:32:23 -0400 (EDT) [EMAIL PROTECTED] wrote:
>> No, they won't, and shouldn't. Why pay some idiot corporation an extortion fee just because they bribed the browser manufacturers to include their certs by default? There is NO added security to having a paid-for cert.
>
> In 8.04, CACert is included as a provider. CACert is free. The price bit is moot.

Yes, but a cert from a valid CA or one you've previously accepted only helps against MITM attacks. It helps not a bit against the rather more common problem of social engineering attacks using cousin domains (e.g. paypal.com and paypa1.com). Cert recognition/validation doesn't tell you anything about how good or bad the distant end is.

The rather larger problem is that the little lock is generally presumed by users to mean much more than it does. Emphasizing cert validity only compounds the problem. As an example, after today I'd be rather more concerned if I didn't get an unknown cert warning from a Debian site than if I did.

Scott K
Re: firefox and bad ssl certificates
> The rather larger problem is that the little lock is generally presumed by users to mean much more than it does. Emphasizing cert validity only compounds the problem. As an example, after today I'd be rather more concerned if I didn't get an unknown cert warning from a Debian site than if I did.

Yes indeed. A web certificate, as it is used nowadays, will not do much more than get you privacy. It does not make the web site more or less secure (and I have already said that here). A self-signed one is as good as one signed by a so-called trusted CA. What makes a specific public certificate more trusted is out-of-band check and validation (serial number, CN or DN verification, etc).

A digital (public) certificate is nothing more than a public encryption key with some identifying data, signed by someone you do not know, but decided to trust. And, again -- it is not the web public certificate you trust, it's the signer. You do not know anything about who is deploying this specific certificate, but *you* (or someone with the necessary power) decided the signer is trusted.

Scott, methinks, is absolutely correct. But I doubt he, or I, or both of us, or whoever else, will be able to change the Way Things Are (TM).

..hggdh..
Re: firefox and bad ssl certificates
On Wed, May 14, 2008 at 11:40 AM, Mackenzie Morgan [EMAIL PROTECTED] wrote:
> On Tue, 2008-05-13 at 16:24 -0400, Phillip Susi wrote:
>> No, they won't, and shouldn't. Why pay some idiot corporation an extortion fee just because they bribed the browser manufacturers to include their certs by default? There is NO added security to having a paid-for cert. See the several incidents where bank web sites have been spoofed on a slightly misspelled version of the domain name and issued a valid cert from a CA proving they are the bank you thought you were visiting.
>
> http://cacert.org, which has its certs included in Ubuntu by default, is free.

Be advised however to use the new OpenSSL[0] to generate your CSR and private key pair, in light of DSA-1571[1].

[0] http://packages.ubuntu.com/openssl
[1] http://www.ubuntu.com/usn/usn-612-1

It may also be worth considering putting off submitting CSRs to CAs (CACert included) until those CAs can confirm that they are not (or no longer) affected by the issue.

Cheers,
Zakame

--
Zak B. Elep || http://zakame.spunge.org
[EMAIL PROTECTED] || [EMAIL PROTECTED] || [EMAIL PROTECTED]
1486 7957 454D E529 E4F1 F75E 5787 B1FD FA53 851D
Re: firefox and bad ssl certificates
On Friday 09 May 2008 at 17:02 -0400, Phillip Susi wrote:
> Martin Pitt wrote:
>> I don't consider it a new feature, but a better UI. Firefox has always complained about invalid certificates, but until version 2 it was just the well-known 'SSL yadayada cannot be verified mumblemumble click here to shut me up' popup dialog, and really everyone just clicked this away, right? Security click-through dialogs should be abolished, since they achieve nothing and are really just an excuse for the software provider: I know it is unsafe, and cannot give you something better. Of course you can't know either, but at least I can make it your problem now. Now you get at least a proper error message page. I don't doubt that the text can be improved, and made more concise/clear, etc., but the UI is much better IMHO.
>
> I could not disagree with this more strongly. You can't go around applying nerf padding to everything to protect against the possibility of someone running head first into the wall. When you try to protect people from themselves, and that protection has a negative impact on them, you aren't doing them any favors. I don't like the fact that my car won't let me (or my passenger) choose to fiddle with the GPS while the wheels are turning, and I don't like this change to Firefox. An invalid cert is something that MIGHT be cause for concern, but often is not, so a notification is quite sufficient to let the user decide if it is ok to proceed or not. Making them jump through hoops of fire to be SURE they want to proceed is a bad idea.

Notifications are never read, especially by users that are not passionate about computers - they're exactly like there was no message at all, only they annoy users: click OK and then see if there's a problem is what OSes have accustomed people to for many years. And after that the lock in the address bar still seems to confirm you're on a secure website.

> Now improving the existing message to be more informative and educate the user as to what is going on is something I'm all for, but you should not assume the user has no clue and must be locked up to protect him from himself.

IMHO it's not mainly about educating the user, but to force servers to use correct certificates. When freedesktop.org understands that every person who goes to their bugtracker gets the new Firefox warning, I guess they will change their certificate. ;-) (just an example)

To continue your metaphor, it's primarily intended to force GPS vendors to provide hands-free models so that then you can drive without this kind of concern.
Re: firefox and bad ssl certificates
On Sat, 2008-05-10 at 16:08 +0200, Milan Bouchet-Valat wrote:
> Notifications are never read, especially by users that are not passionate about computers - they're exactly like there was no message at all, only they annoy users: click OK and then see if there's a problem is what OSes have accustomed people to for many years. And after that the lock in the address bar still seems to confirm you're on a secure website.

The lock in the address bar means you have reached a web site that employs a certificate signed by one of your accepted (either by default, or by your own voluntary actions) root certificates; it also means exchanges between your computer and the web site are encrypted (and, as such, more private). It does not mean, at all, that this web site is more or less secure than any other. Please do not confuse security with privacy.

> IMHO it's not mainly about educating the user, but to force servers to use correct certificates. When freedesktop.org understands that every person who goes to their bugtracker gets the new Firefox warning, I guess they will change their certificate. ;-) (just an example)

Why should (for example) freedesktop.org change their certificate? Because we do not deploy their root in our known roots (huh, BTW, *all* top-most roots are *always* self-signed)? What is a correct certificate? Where is the standard, RFC or otherwise, that says so?

Also, please keep in mind that what we are buying in is trust in the signer of the certificate (the so-called root), not trust in the principal. By definition, your system will trust all certificates signed by an accepted root. If you really want to lock in a specific principal, you have to validate the root and check the DN or CN. Then, it really does not matter if the certificate being checked has been signed by an already known root, or it is a self-signed one.

In this case, we should have a way of specifying that a web site will only be accepted if the certificate is signed by a specific root (or root chain), and has a specific CN (or DN). And this brings to my mind the old key distribution problem...

..hggdh..
Re: firefox and bad ssl certificates
CAcert doesn't even have a valid certificate?

https://www.cacert.org/

Todd
Re: firefox and bad ssl certificates
Martin Pitt wrote:
> I don't consider it a new feature, but a better UI. Firefox has always complained about invalid certificates, but until version 2 it was just the well-known 'SSL yadayada cannot be verified mumblemumble click here to shut me up' popup dialog, and really everyone just clicked this away, right? Security click-through dialogs should be abolished, since they achieve nothing and are really just an excuse for the software provider: I know it is unsafe, and cannot give you something better. Of course you can't know either, but at least I can make it your problem now. Now you get at least a proper error message page. I don't doubt that the text can be improved, and made more concise/clear, etc., but the UI is much better IMHO.

I could not disagree with this more strongly. You can't go around applying nerf padding to everything to protect against the possibility of someone running head first into the wall. When you try to protect people from themselves, and that protection has a negative impact on them, you aren't doing them any favors. I don't like the fact that my car won't let me (or my passenger) choose to fiddle with the GPS while the wheels are turning, and I don't like this change to Firefox. An invalid cert is something that MIGHT be cause for concern, but often is not, so a notification is quite sufficient to let the user decide if it is ok to proceed or not. Making them jump through hoops of fire to be SURE they want to proceed is a bad idea.

Now improving the existing message to be more informative and educate the user as to what is going on is something I'm all for, but you should not assume the user has no clue and must be locked up to protect him from himself.
Re: firefox and bad ssl certificates
HggdH [2008-05-07 19:34 -0500]:
> On Thu, 2008-05-08 at 00:45 +0200, Martin Pitt wrote:
>> This doesn't have anything to do with power users/n00bs. An invalid SSL certificate isn't any better or worse depending on the type of user. If a site sets up SSL with an invalid certificate, then this buys the user nothing but a false sense of security.
>
> Sorry. What *is* an invalid certificate? A certificate that does not carry the fully-qualified host name in its Common Name?

It doesn't need to have the FQDN as far as I know. The domain name is sufficient, so that it matches for all hosts in that domain. I don't particularly mind if I am talking to banking.mybank.com or svr23.mybank.com. The domain name should really match, otherwise the certificate does not fit for the host name. However, I personally consider non-matching host names a much lesser evil than non-verifiable certificates.

> An invalid certificate is a certificate that is outside its timeframe (not valid before/after), or that does not verify against the root (all the way through the chain), or that is used outside its specified capabilities (but *this* one is oh so very tricky...), for example.

Right, but also self-signed certificates (since they prove nothing).

> But not matching the FQHN does *NOT* make a certificate invalid. At all. Even more because there is no standard requiring it. Well, there is the common use, but it is common use also for most users to accept any certificate received on the wire. Common use does not cut it.

Agreed, although it is very confusing. For large companies which do have several host names and have a lot of customers which interact with them (banks, major email providers, etc.) it shouldn't be a problem to get a properly signed certificate, and for small companies and private persons cacert is appropriate (much less strong authentication, but compared to today's practice it's much better.)

> 100% with you.
>
> But it all has to start with education, not just forcing a new feature down the user's throat. For most casual users, this education is -- from my own experience with casual and theoretically technical users -- not easy. And I do understand X509 friends.

I don't consider it a new feature, but a better UI. Firefox has always complained about invalid certificates, but until version 2 it was just the well-known 'SSL yadayada cannot be verified mumblemumble click here to shut me up' popup dialog, and really everyone just clicked this away, right? Security click-through dialogs should be abolished, since they achieve nothing and are really just an excuse for the software provider: I know it is unsafe, and cannot give you something better. Of course you can't know either, but at least I can make it your problem now.

Now you get at least a proper error message page. I don't doubt that the text can be improved, and made more concise/clear, etc., but the UI is much better IMHO.

Martin

--
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)
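Two points in this thread are mechanical enough to show in code: hggdh's remark that the lock only proves the signer is a root you accept, so locking a site to a specific principal means checking the root and the CN, and Martin's and hggdh's list of what makes a certificate invalid (outside its validity period, not verifiable against the root, self-signed, host name not matching). The example below is added here and is not code from the thread, from Firefox or from any CA; it builds a constructed pinned root and six constructed leaves in memory with Go's standard crypto/x509 and classifies each leaf by exactly those criteria. All names and host names are made up, and it assumes Go 1.18 or later.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var now = time.Date(2008, time.May, 14, 12, 0, 0, 0, time.UTC) // fixed clock: deterministic results

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tmpl for a fresh P-256 key; with parent == nil the certificate is self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl.SerialNumber, tmpl.NotBefore = must(rand.Int(rand.Reader, big.NewInt(1<<62))), now.Add(-24*time.Hour)
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

// pinnedVerify accepts leaf for host only if it chains to the one pinned root, is inside its validity
// period, may be used for server authentication, names host in its SANs and carries the expected CN.
func pinnedVerify(leaf, root *x509.Certificate, host, wantCN string) string {
	roots := x509.NewCertPool() // only the pinned root, never the system store
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	switch e := err.(type) {
	case x509.CertificateInvalidError:
		if e.Reason == x509.Expired {
			return "outside validity period"
		}
	case x509.HostnameError: // Go matches host against the SANs, not the CN
		return "hostname mismatch"
	case x509.UnknownAuthorityError: // no chain to the pinned root (self-signed or another root)
		return "not signed by pinned root"
	}
	if err != nil {
		return "verify failed: " + err.Error()
	}
	if leaf.Subject.CommonName != wantCN {
		return "unexpected subject CN"
	}
	return "" // accepted
}

// scenarios builds a pinned root, an unpinned root and six leaves, and classifies each leaf ("" = accepted).
func scenarios() map[string]string {
	newRoot := func(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
		return issue(&x509.Certificate{Subject: pkix.Name{CommonName: name}, NotAfter: now.AddDate(10, 0, 0),
			IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	}
	leaf := func(cn, san string, notAfter time.Time, parent *x509.Certificate, key *ecdsa.PrivateKey) *x509.Certificate {
		cert, _ := issue(&x509.Certificate{Subject: pkix.Name{CommonName: cn}, NotAfter: notAfter,
			DNSNames: []string{san}, KeyUsage: x509.KeyUsageDigitalSignature,
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, parent, key)
		return cert
	}
	pinned, pinnedKey := newRoot("Constructed Pinned Root")
	other, otherKey := newRoot("Constructed Other Root") // a root the browser may accept, but not the pinned one
	const host = "www.example.org"
	soon := now.Add(24 * time.Hour)
	leaves := map[string]*x509.Certificate{
		"valid":       leaf(host, host, soon, pinned, pinnedKey),
		"expired":     leaf(host, host, now.Add(-time.Hour), pinned, pinnedKey),
		"wrong host":  leaf(host, "svr23.example.org", soon, pinned, pinnedKey),
		"wrong cn":    leaf("svr23.example.org", host, soon, pinned, pinnedKey),
		"self-signed": leaf(host, host, soon, nil, nil),
		"other root":  leaf(host, host, soon, other, otherKey),
	}
	results := map[string]string{}
	for name, cert := range leaves {
		results[name] = pinnedVerify(cert, pinned, host, host)
	}
	return results
}

func main() {
	fmt.Println(scenarios())
}
```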
Re: firefox and bad ssl certificates
On Wednesday, 07.05.2008, 10:31 +0200, Peio Ziarsolo wrote:
> Hello everybody,
>
> I have found different behaviours between Firefox 2 and Firefox 3 when they detect a bad SSL certificate. Firefox 2, when it detects the bad certificate, warns you about it and gives you the choice to carry on. Firefox 3, when it detects the bad certificate, shows you an error page and doesn't allow you to look at it. I would like to know, before reporting it as a bug, if this is a new security feature or if it is just a bug. It's annoying not to be able to look at a lot of web pages.

It *is* different behavior; however, if you read the whole error message, you will find a way to download the bad certificate and add it to a whitelist, thus allowing you to view the page. It's a bit more difficult to do than earlier, but it protects the user better from bad websites.
Re: firefox and bad ssl certificates
On Wed, May 07, 2008 at 10:31:19AM +0200, Peio Ziarsolo wrote:
> Hello everybody,
>
> I have found different behaviours between Firefox 2 and Firefox 3 when they detect a bad SSL certificate. Firefox 2, when it detects the bad certificate, warns you about it and gives you the choice to carry on. Firefox 3, when it detects the bad certificate, shows you an error page and doesn't allow you to look at it. I would like to know, before reporting it as a bug, if this is a new security feature or if it is just a bug. It's annoying not to be able to look at a lot of web pages.

This is a new security feature. The idea is to make users think and understand what they are doing by replacing the useless click-through dialog with something that users actually have to read.

If you look closely at the error page you are suggested to "add an exception ..."; if you follow that link you should be able to get the certificate and grant a temporary/permanent exception for it.

In the next Firefox update the page will change a bit so users don't confuse it with an ordinary error page anymore.

- Alexander
Re: firefox and bad ssl certificates
Original message: Wed, 2008-05-07 10:57 +0200, author: Alexander Sack
> On Wed, May 07, 2008 at 10:31:19AM +0200, Peio Ziarsolo wrote:
>> Hello everybody,
>>
>> I have found different behaviours between Firefox 2 and Firefox 3 when they detect a bad SSL certificate. Firefox 2, when it detects the bad certificate, warns you about it and gives you the choice to carry on. Firefox 3, when it detects the bad certificate, shows you an error page and doesn't allow you to look at it. I would like to know, before reporting it as a bug, if this is a new security feature or if it is just a bug. It's annoying not to be able to look at a lot of web pages.
>
> This is a new security feature. The idea is to make users think and understand what they are doing by replacing the useless click-through dialog with something that users actually have to read.

But for power users who know the significance of a bad certificate it's annoying to add exceptions (this morning I had to add 3 exceptions). Is there any key to toggle off this new feature? It'd be great if you could choose between the current method or a warning in the address bar, for example painting it in red.

Thanks for the quick answer.

> If you look closely at the error page you are suggested to "add an exception ..."; if you follow that link you should be able to get the certificate and grant a temporary/permanent exception for it.
>
> In the next Firefox update the page will change a bit so users don't confuse it with an ordinary error page anymore.
>
> - Alexander

--
"It is impossible for a person to learn what he thinks he already knows." Epictetus
Re: firefox and bad ssl certificates
On Wed, May 07, 2008 at 10:57:24AM +0200, Alexander Sack wrote:
> In the next Firefox update the page will change a bit so users don't confuse it with an ordinary error page anymore.

http://people.ubuntu.com/~asac/screenshots/bad_cert.png
http://people.ubuntu.com/~asac/screenshots/bad_cert2.png

- Alexander
Re: firefox and bad ssl certificates
Peio Ziarsolo [2008-05-07 13:03 +0200]:
> But for power users who know the significance of a bad certificate it's annoying to add exceptions (this morning I had to add 3 exceptions).

This doesn't have anything to do with power users/n00bs. An invalid SSL certificate isn't any better or worse depending on the type of user. If a site sets up SSL with an invalid certificate, then this buys the user nothing but a false sense of security.

The proper approach to this IMHO is to make adding exceptions in all web browsers (especially IE) as hard and explicit as in Firefox 3. This would perhaps force site admins to get a grip and stop ignoring broken SSL certs, once they get a flood of complaints.

> Is there any key to toggle off this new feature?

I *so much* hope that there isn't. People should really start to understand that this is a SERIOUS error and shouldn't at all be considered 'normal'.

Martin

--
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)
Re: firefox and bad ssl certificates
On Thu, May 08, 2008 at 12:45:46AM +0200, Martin Pitt wrote:
> Peio Ziarsolo [2008-05-07 13:03 +0200]:
>> But for power users who know the significance of a bad certificate it's annoying to add exceptions (this morning I had to add 3 exceptions).
>
> This doesn't have anything to do with power users/n00bs. An invalid SSL certificate isn't any better or worse depending on the type of user. If a site sets up SSL with an invalid certificate, then this buys the user nothing but a false sense of security.
>
> The proper approach to this IMHO is to make adding exceptions in all web browsers (especially IE) as hard and explicit as in Firefox 3. This would perhaps force site admins to get a grip and stop ignoring broken SSL certs, once they get a flood of complaints.
>
>> Is there any key to toggle off this new feature?
>
> I *so much* hope that there isn't. People should really start to understand that this is a SERIOUS error and shouldn't at all be considered 'normal'.

Invalid certs are one thing. But doesn't this also affect self-signed certs? Self-signed certs are appropriate for many use cases in which the goal is primarily encryption (e.g. to protect data flowing back from the server to the user), rather than e.g. protecting bank accounts by authenticating the server to the user. E.g. connecting to a local ebox management port, or a small community wiki. In many low-security situations, this change pushes server operators into buying pricey certs from certificate vendors who often offer little or no meaningful vetting and accept zero liability.

This stuff is complicated, involves politics, and can't be painted with such a broad brush. Education is a big part of it, like with most security-related issues. The current warnings are confusing, and are being improved. Let's try to see to it that they communicate as well as possible.

Otherwise too many grass-roots sites will just go back to asking folks to enter passwords over unencrypted connections, or users will get used to bypassing yet another set of dialogs and phishing will continue scarcely abated.

E.g. how hard is it for folks to buy in to their own web of trust and get e.g. all CACert certs accepted? http://cacert.org

Neal McBurnett
http://mcburnett.org/neal/
Re: firefox and bad ssl certificates
On Wed, 2008-05-07 at 17:36 -0600, Neal McBurnett wrote:
> E.g. how hard is it for folks to buy in to their own web of trust and get e.g. all CACert certs accepted? http://cacert.org
>
> Neal McBurnett
> http://mcburnett.org/neal/

As far as I am aware, Ubuntu includes CACert in Firefox by default. It's provided by the ca-certificates package.

--
Mackenzie Morgan
http://ubuntulinuxtipstricks.blogspot.com
apt-get moo
Re: firefox and bad ssl certificates
On Thu, 2008-05-08 at 00:45 +0200, Martin Pitt wrote:
> This doesn't have anything to do with power users/n00bs. An invalid SSL certificate isn't any better or worse depending on the type of user. If a site sets up SSL with an invalid certificate, then this buys the user nothing but a false sense of security.

Sorry. What *is* an invalid certificate? A certificate that does not carry the fully-qualified host name in its Common Name? If this is your view, I humbly beg to differ.

An invalid certificate is a certificate that is outside its timeframe (not valid before/after), or that does not verify against the root (all the way through the chain), or that is used outside its specified capabilities (but *this* one is oh so very tricky...), for example.

But not matching the FQHN does *NOT* make a certificate invalid. At all. Even more because there is no standard requiring it. Well, there is the common use, but it is common use also for most users to accept any certificate received on the wire. Common use does not cut it.

> The proper approach to this IMHO is to make adding exceptions in all web browsers (especially IE) as hard and explicit as in Firefox 3. This would perhaps force site admins to get a grip and stop ignoring broken SSL certs, once they get a flood of complaints.

I fully agree. Nevertheless, we cannot be more royal than the king. I myself had one case where a generic certificate installed by a software vendor (so that only HTTPS would be feasible from the beginning) was flatly and utterly refused by epiphany-browser (wrong usage). Firefox, at least, swallowed it after I added the exception. Here the point is: we do not even agree with ourselves how to deal with certificates, and we expect users to be happy?

>> Is there any key to toggle off this new feature?
>
> I *so much* hope that there isn't. People should really start to understand that this is a SERIOUS error and shouldn't at all be considered 'normal'.

100% with you.

But it all has to start with education, not just forcing a new feature down the user's throat. For most casual users, this education is -- from my own experience with casual and theoretically technical users -- not easy. And I do understand X509 friends.

On this point, I wonder if we are just making it a bit harder what most users have been doing for ever. All we will get is grumbling, *unless* we also provide clear, short, nice, reasonable explanations.

Ah well.

..hggdh..
Re: firefox and bad ssl certificates
On Wednesday 07 May 2008 20:34, HggdH wrote:
> 100% with you.
>
> But it all has to start with education, not just forcing a new feature down the user's throat. For most casual users, this education is -- from my own experience with casual and theoretically technical users -- not easy. And I do understand X509 friends.
>
> On this point, I wonder if we are just making it a bit harder what most users have been doing for ever. All we will get is grumbling, *unless* we also provide clear, short, nice, reasonable explanations.
>
> Ah well.

While we're on this topic, I think point number 5 in this essay bears re-reading:

http://www.ranum.com/security/computer_security/editorials/dumb/

Scott K
Re: firefox and bad ssl certificates
On Wed, 2008-05-07 at 22:05 -0400, Scott Kitterman wrote:
> On Wednesday 07 May 2008 20:34, HggdH wrote:
>> 100% with you.
>>
>> But it all has to start with education, not just forcing a new feature down the user's throat. For most casual users, this education is -- from my own experience with casual and theoretically technical users -- not easy. And I do understand X509 friends.
>>
>> On this point, I wonder if we are just making it a bit harder what most users have been doing for ever. All we will get is grumbling, *unless* we also provide clear, short, nice, reasonable explanations.
>>
>> Ah well.
>
> While we're on this topic, I think point number 5 in this essay bears re-reading:
>
> http://www.ranum.com/security/computer_security/editorials/dumb/
>
> Scott K

But point #4 says "hacking is cool" is dumb... though there'd be no Linux kernel or GNU tools without hackers.

--
Mackenzie Morgan
http://ubuntulinuxtipstricks.blogspot.com
apt-get moo