Ben Bucksch wrote:
(You *may* be thinking of DV (Domain Validation) and Class 1 SSL
certs. These are indeed insecure and make SSL a joke. They were a
really bad idea and that is one of the reasons behind EV.)
Ben, the reason behind EV (or any higher verification in that respect)
is about the
Heikki Toivonen wrote:
Alaric Dailey wrote:
than doing things right. For example SSL for identification is
worthless without DNS being secured, and no-one on any list wants to
talk about that. Unfortunately, the number of people who actually
I don't understand how you can claim this.
Ben Bucksch wrote:
I would much rather have more information about the existing certs ...
At very least this gives ME the chance to decide rather than giving me
a false sense of security.
You already have that info with Tools | Page Info (in Firefox; Seamonkey
in View menu IIRC), Security tab.
Ben Bucksch wrote:
(You *may* be thinking of DV (Domain Validation) and Class 1 SSL certs.
These are indeed insecure and make SSL a joke. They were a really bad
idea and that is one of the reasons behind EV.)
Well, even DV certs are supposed to be only issued to the person in
control of the
Eddy Nigg (StartCom Ltd.) wrote:
Well, what I don't understand really, why you list the various bugs
multiple times?
Because it means that each line gives, unambiguously, the certs for that
version of the product. You don't need to add up all the lines before it.
Additionally 338552 was
Gervase Markham wrote:
Eddy Nigg (StartCom Ltd.) wrote:
This is why I asked how to continue from here. But there is a general
proposal on the table, which can be taken as the basis to form a new
policy etc. So which steps would you propose? Shaping and refining
the proposal could be one of
Gervase Markham wrote:
Oh, and I'm sure we're taking patches for DNSSec support in Firefox.
Aren't we?
This however would be a very good idea!
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
Oh, and I'm sure we're taking patches for DNSSec support in Firefox.
Aren't we?
No, but it's a good idea.
Yes, and actually, SSL goes much further than DNSsec. The latter is
good to prevent DNS spoofs and is much-needed, but it does nothing to
protect the content.
Actually, you could
This is probably my last response in this thread, since I'm about to stop
reading it altogether (as so many others already have, I should note), but I do
have to respond to this, because there's hope that a reasoned response would
have effect, unlike in some of the other subthreads.
Alaric
Boris Zbarsky wrote:
Alaric Dailey wrote:
If DNS were secure, then attempts to use a stolen cert would be thwarted.
Not particularly. As someone pointed out, anyone who steals a cert and
can affect the routing of your packets can screw you.
Not if we were to strengthen the rules by saying
Alaric Dailey wrote:
As far as a fix for DNS, everyone hates hearing it, but the fix is
already out there; no one wants to use it, though
http://www.dnssec.com
I wouldn't say nobody wants to use it. I'd love to use it. See, e.g.,
https://bugzilla.mozilla.org/show_bug.cgi?id=342242 . I think
Alaric Dailey wrote:
Sure even if we don't
steal the cert, most users don't read error boxes so you could redirect
them and use a fake cert.
This is again an orthogonal problem. Browser handling of things like
hostname/cert mismatches is abysmal. If they don't match, we should not show