FWIW, that's a misquote; I didn't write that.
On Aug 12, 2014 4:38 AM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote:
[Apologies if you've seen this before, it looks like up to a week's worth of
mail from here has been lost, this is a resend of the backlog]
Chris Palmer pal...@google.com writes:
FWIW, that's a misquote; I didn't write that.
Ooops, sorry, it was posted by Patrick McManus pmcma...@mozilla.com (I used
a script to try and resurrect the lost emails for re-send, I suspect something
got mangled somewhere).
So the question should have
On Wed, August 13, 2014 6:14 pm, Peter Gutmann wrote:
Chris Palmer pal...@google.com writes:
FWIW, that's a misquote; I didn't write that.
Ooops, sorry, it was posted by Patrick McManus pmcma...@mozilla.com (I used
a script to try and resurrect the lost emails for re-send, I suspect
[Apologies if you've seen this before, it looks like up to a week's worth of
mail from here has been lost, this is a resend of the backlog]
Chris Palmer pal...@google.com writes:
Firefox 31 data:
on desktop the median successful OCSP validation took 261ms, and the 95th
percentile (looking at
On 8/10/2014 8:16 PM, David E. Ross wrote:
On 8/10/2014 4:09 PM, Matt Palmer wrote:
On Sat, Aug 09, 2014 at 04:53:46PM -0700, David E. Ross wrote:
Anyone wishing to argue this issue further -- to argue in favor of
implementing a scheme to encourage all Web sites to be HTTPS with site
On 11/08/14 04:16, David E. Ross wrote:
Rosenthal is also a reseller of X.509 subscriber certificates, which
should mean he understands Internet security. Otherwise, how is he
allowed to sell such certificates?
I don't often say this, because it's not often true, but...
LOL.
Gerv
Can we please declare this thread closed? The level of debate has gotten a
little low.
--Richard
On Aug 9, 2014, at 7:53 PM, David E. Ross nobody@nowhere.invalid wrote:
On 7/19/2014 11:54 AM, Daniel Roesler wrote:
Howdy all,
Yesterday, I created a bug proposing that Firefox switch the
Yes, I started this thread. I officially declare this thread closed...even
though I have no ability to enforce it.
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
On Sat, August 9, 2014 4:53 pm, David E. Ross wrote:
Anyone wishing to argue this issue further -- to argue in favor of
implementing a scheme to encourage all Web sites to be HTTPS with site
certificates -- should first read
On Sat, Aug 09, 2014 at 04:53:46PM -0700, David E. Ross wrote:
Anyone wishing to argue this issue further -- to argue in favor of
implementing a scheme to encourage all Web sites to be HTTPS with site
certificates -- should first read
On 10/08/14 11:16 PM, David E. Ross wrote:
On 8/10/2014 4:09 PM, Matt Palmer wrote:
On Sat, Aug 09, 2014 at 04:53:46PM -0700, David E. Ross wrote:
Anyone wishing to argue this issue further -- to argue in favor of
implementing a scheme to encourage all Web sites to be HTTPS with site
On Sun, August 10, 2014 4:06 pm, Matt Palmer wrote:
On Sat, Aug 09, 2014 at 11:52:16PM -0700, Ryan Sleevi wrote:
At the risk of engaging what may be trolling behaviour (non-attributable
email addresses and all that good jazz), and while a point-by-point
takedown is not particularly worthy,
On Sun, August 10, 2014 8:16 pm, David E. Ross wrote:
I was a computer systems integrator for over 30 years. I fully
understand what integrator means. In my career, software integration
often included dealing with secure systems and how they were made secure.
That's a very... liberal...
On Sun, Aug 10, 2014 at 08:16:42PM -0700, David E. Ross wrote:
On 8/10/2014 4:09 PM, Matt Palmer wrote:
On Sat, Aug 09, 2014 at 04:53:46PM -0700, David E. Ross wrote:
Anyone wishing to argue this issue further -- to argue in favor of
implementing a scheme to encourage all Web sites to be
On 7/19/2014 11:54 AM, Daniel Roesler wrote:
Howdy all,
Yesterday, I created a bug proposing that Firefox switch the generic
url icon to a negative feedback icon for non-https sites.
https://bugzilla.mozilla.org/show_bug.cgi?id=1041087
I created this bug because it's time we start
On Thursday, 7 August 2014 01:27:29 UTC+2, Matt Palmer wrote:
On Wed, Aug 06, 2014 at 12:02:57AM -0700, andrew.be...@gmail.com wrote:
Is there anything browser vendors can do to make SSL easier and cheaper
across the board before punishing you for not using it?
Implement support
On Aug 7, 2014, at 2:17 PM, Chris Palmer pal...@google.com wrote:
On Thu, Aug 7, 2014 at 7:11 AM, husem...@gmail.com wrote:
I second that: DANE support is the right direction to go! It considerably
raises the effort required to do MITM attacks, it allows the site ops to cut
out the CAs
On Wed, Aug 6, 2014 at 12:02 AM, andrew.be...@gmail.com wrote:
I'm all for pushing people onto SSL, and of course if you stigmatise
non-secure connections the demand for SSL increases and CDNs will need to
compete on their ability to support it at a reasonable cost. But there's a
chicken
on Tue, 22 Jul 2014 12:24:30 -0700, Brian Smith wrote:
Having said all of that, I remember that Mozilla did some user
research ~3 years ago that showed that when we show a negative
security indicator like the broken lock icon, a significant percentage
of users interpreted the problem to lie
- Original Message -
From: Chris Palmer pal...@google.com
To: Hubert Kario hka...@redhat.com
Cc: David E. Ross nobody@nowhere.invalid,
mozilla-dev-security-pol...@lists.mozilla.org
Sent: Tuesday, 22 July, 2014 1:08:57 AM
Subject: Re: Proposal: Switch generic icon to negative
On Tue, Jul 22, 2014 at 12:24 PM, Brian Smith br...@briansmith.org wrote:
On Mon, Jul 21, 2014 at 4:10 PM, Adrienne Porter Felt f...@chromium.org
wrote:
I would very much like to make http sites look insecure.
But we face a very real problem: a large fraction of the web is still
On 7/22/2014 11:27 AM, Chris Palmer wrote [in part]:
On Tue, Jul 22, 2014 at 10:49 AM, I previously wrote [also in part]:
(Your intentionally broken email address suggests that you don't
really want to communicate, so mostly this message is directed to the
public list subscribers in
[+keeler, +cviecco]
On Tue, Jul 22, 2014 at 1:55 PM, Chris Palmer pal...@google.com wrote:
On Tue, Jul 22, 2014 at 3:01 AM, Hubert Kario hka...@redhat.com wrote:
I'm pretty sure Firefox merely remembers your decision to click
through the warning, not that it pins the keys/certificates in the
On Tue, Jul 22, 2014 at 2:00 PM, Brian Smith br...@briansmith.org wrote:
Firefox's cert override mechanism uses a different pinning mechanism
than the key pinning feature. Basically, Firefox saves a tuple
(domain, port, cert fingerprint, isDomainMismatch,
isValidityPeriodProblem,
- Original Message -
From: diaf...@gmail.com
To: mozilla-dev-security-pol...@lists.mozilla.org
Sent: Monday, 21 July, 2014 4:08:30 AM
Subject: Re: Proposal: Switch generic icon to negative feedback for non-https
sites
So the general top criticism I'm seeing to this proposal
Gotta start somewhere. I actually kind of like the idea of showing the
current generic icon for self-signed ssl certificates, and the broken
lock icon for insecure connections.
On Mon, Jul 21, 2014 at 4:10 PM, Adrienne Porter Felt f...@chromium.org wrote:
I would very much like to make http
Best case: no one will notice it after the first few days.
Worst case: people notice it, and therefore start ignoring all https
authentication errors.
Is there a way to make the best case better, without ending up at the worst
case?
At least for Firefox, the gray broken lock icon option is
Not claiming to have the solution at hand, but the best first step might be
non-scolding, non-lock-related imagery that clearly and affirmatively gets
across that this is a *public* connection.
Just brainstorming a bit here:
* A charming low-fi icon of the all-seeing eye
On 22/07/14 12:58 AM, Brian Smith wrote:
On Mon, Jul 21, 2014 at 8:50 PM, Eric Mill e...@konklone.com wrote:
Not claiming to have the solution at hand, but the best first step might be
non-scolding, non-lock-related imagery that clearly and affirmatively gets
across that this is a *public*
- Original Message -
From: David E. Ross nobody@nowhere.invalid
To: mozilla-dev-security-pol...@lists.mozilla.org
Sent: Sunday, 20 July, 2014 4:39:09 AM
Subject: Re: Proposal: Switch generic icon to negative feedback for non-https
sites
On 7/19/2014 11:54 AM, Daniel Roesler wrote
On 20/07/14 06:23 AM, Hubert Kario wrote:
- Original Message -
From: David E. Ross nobody@nowhere.invalid
To: mozilla-dev-security-pol...@lists.mozilla.org
Sent: Sunday, 20 July, 2014 4:39:09 AM
Subject: Re: Proposal: Switch generic icon to negative feedback for
non-https
: Sunday, 20 July, 2014 4:39:09 AM
Subject: Re: Proposal: Switch generic icon to negative feedback for
non-https sites
On 7/19/2014 11:54 AM, Daniel Roesler wrote:
Howdy all,
Yesterday, I created a bug proposing that Firefox switch the generic
url icon to a negative
Howdy all,
Yesterday, I created a bug proposing that Firefox switch the generic
url icon to a negative feedback icon for non-https sites.
https://bugzilla.mozilla.org/show_bug.cgi?id=1041087
I created this bug because it's time we start treating insecure
connections as a Bug. There is so much
On 7/19/2014 11:54 AM, Daniel Roesler wrote:
Howdy all,
Yesterday, I created a bug proposing that Firefox switch the generic
url icon to a negative feedback icon for non-https sites.
https://bugzilla.mozilla.org/show_bug.cgi?id=1041087
I created this bug because it's time we start