f you're interested in pursuing this further, I'd be glad to correspond
with you via email to give you and your lawyer my personal opinions on
the situation.
Frank
--
Frank Hecker
[EMAIL PROTECTED]
___
dev-security mailing list
dev-
t
remember at the moment exactly what they apparently were trying to
accomplish by doing this.)
Frank
--
Frank Hecker
[EMAIL PROTECTED]
___
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
" to
the policy itself. My primary goal is to address the EV-related policy
changes, and to do so as expeditiously as possible.
Anyway, if you have comments on this general topic please feel free to
post them here. In the meantime I'll work to come up with an initial
draft of proposed
ou connect to
the net using DHCP (which is almost always the case for consumer Macs)
then the network operator can supply their own DNS server information,
and pull tricks like the one you encountered.
Do you see this on your home network, or when you're on a "foreign"
network, e.g
r content being inserted
into the page by means of https URLs. How to handle this in an
understandable manner is not IMO a trivial problem.
Frank
--
Frank Hecker
[EMAIL PROTECTED]
RNG, hash
functions, etc.), and include the non-encryption parts by default,
leaving -disable-crypto to govern only the encryption functionality.
However I don't know whether this would be practical or useful.
Frank
--
Frank Hecker
[EMAIL PROTECTED]
___
Boris Zbarsky wrote:
Frank Hecker wrote:
Maybe it's just my ignorance, but I'm confused: Did you
actually mean to write that Python and other languages are equivalent
to JavaScript, e.g., for the "checks in glue" model checks would be
done at entry from Python into C++, j
ecks would be done at
entry from Python into C++, just as would be done for JavaScript?
Frank
--
Frank Hecker
[EMAIL PROTECTED]
ords. For "legacy" CA certs
(i.e., inherited from the AOL/Netscape regime) we haven't yet gone
through and subjected them to the same process. Instead we're adopting a
"management by exception" policy where we'll look at a particular CA if
someone reports a potent
sue, and I don't have time to try to summarize all the differing
positions and their pros and cons.)
There are not as
many Microsoft secure sites with this problem as there were even six months
ago.
That's because over time Microsoft has reconfigured its servers t
oops199 wrote:
Well now based on what Frank Hecker has posted, this is really getting
interesting. First he stalwartly defends FF. Then he acknowledges
that much of what was reported and commented on is in fact not wrong.
And now he begs off as not being an expert.
I'm sorry, I
Frank Hecker wrote:
2. I then used the "Delete" button to attempt to delete the root CA
certificate that was pre-loaded. The operation attempted to succeed and
the root CA cert disappeared from the displayed list.
Sorry, I meant to write "The operation appeared to suc
by the user.
This is a relatively uncommon thing, which may be why we don't split
intermediate CAs out as a separate list in the Firefox UI. However I'm
not really the expert on this particular aspect of Firefox, so I'll
defer to others more knowledgeable than I.
Frank
--
Fran
you or anyone else thinks there are security problems with a
particular CA, please file a bug in Bugzilla or send a message to
[EMAIL PROTECTED], along with *specific* evidence of the problem and
the resulting threat to users. Please also include any evidence related
to what the CA has or hasn&
e list. Note that there is
substantial (though not 100%) overlap between the various lists; for
example, the Thawte, USERtrust, and Quo Vadis CAs mentioned in the PSC
newsletter are in both the Mozilla list and the Windows list.
I hope this answers the questions raised by the PSC newsletter. I
West are well-known banks in California, Capital
One is a major Visa card issuer that (I think) does a fair amount of
advertising to students, and Tele-BEARS is the Berkeley class enrollment
system.
Frank
--
Frank Hecker
[EMAIL PROTECTED]
This really should be required reading for anyone interested in
anti-phishing defenses, the SSL UI, and related topics:
http://www.deas.harvard.edu/~rachna/papers/why_phishing_works.pdf
Frank
--
Frank Hecker
[EMAIL PROTECTED]
17 matches