On 6/1/09 23:40, Johnathan Nightingale wrote:

Hey Ian,

I appreciate the understanding of the situation, but I'm not quite ready
to call the job impossible just yet, despite the array of forces being
very much as you describe them.


:) My point was very much oriented to the embarrassment of ONE GUY being an entire human shield.

That is, if Phishing and Malware and XSS and website hacks and identity-is-credit and any number of other things are causing so many losses in the good ol' US of A and the other identity-fraught markets ... so much so that the FBI bothers to measure them ... then ...

     Why is there only one guy?

Which digit in BILLIONS does Mozilla have trouble understanding?


What is comparatively rarer is helpful, balanced
suggestions for moving forward.


Well.

As we all know, the situation is *very complex*. Fixing it is rather difficult. It is ok for us outsiders to point out obvious flaws, but that only goes so far. Outsiders cannot see all the picture.

One reason for that might be Mozilla's old policy of having an "invite only" security group. Those who are critical, and those who come from a different school of thought, simply don't get invited to join. After a while, inevitably, this results in the monoculture trap, and then those with different views don't actually want to be invited to join such a narrow group.

Insiders don't see all the picture either.

Just one example is that Mozilla does not see the liability aspects, which is unsurprising given that developers don't tend to have legal experience, and no lawyer would accept any invite.

(I should say that the monoculture trap is either explicitly or implicitly run by pretty much all open source groups. Mozilla has no monopoly on monoculture.)


In the meantime though, it's worth
remembering that Firefox 3.1, when it comes out, will have private
browsing mode, better clear private data support,


That sounds positive, I am keen!

<user>

Right now, to log into my online bank, I do this:

    * I use a Mac computer that does nothing else,
    * with a user that does nothing else.
    * I shut down Firefox before and after,
    * and I clear all the data before and after,

If I could think of another way to firewall it safely I'd do it. I've experimented with different users on the Mac but this is too much of a pain.

The worst part of it all is that I cannot possibly advise users to do this; it's too technical. My desk is now covered with Post-it notes; I need three Post-it notes to log into my bank, and a dongle. We've come full circle...

</user>


SSL errors that
interrupt user workflow explicitly instead of being ignored away,
anti-malware and anti-phishing protection,


Now I'm listening!


fewer "You are submitting a
search to Google" useless dialog boxes, an identity indicator that
actually calls out the names of CAs issuing certs, and a much better
mixed mode detection story than we had a little while ago, among others.


OK, that all sounds good, but...

I want KCM. I see no mention of KCM. Tell us about KCM? I want to be able to lock my online bank's SSL cert down.

<user>
The online bank puts the whole liability on ME.
</user>

There's no way that I can recommend that people risk their own money on some green box on a display. However, if KCM allows me to isolate and tie down one green cert, that could work.


We are always short-staffed on this stuff though, so it's great to see
people like Kyle eager to help.


I think the ball is in Mozilla's court, and has been for all the time I've known it.

People do want to code up the stuff, but they want to code up the stuff they believe in. While Mozilla pursues a monoculture model to security architecture, it's difficult to attract the guys who see other stuff. I would rather spend time on the exciting work that is being done in the p2p world, if I still coded, because security is an architecture issue there.

It's really up to you who you invite in... Perhaps if we express an open invitation to code up the next generation KCM modules then this might get more attention?


So Jon goes to CAB Forum with a mandate to speak for the end-users,
without any input from Mozilla, the browser vendor?


Obviously I'm there representing a browser, but Mozilla's interests tend
to align with end users most of the time.


I think this is a great description. It avoids the unfortunate marketing nonsense of the security industry (who wouldn't know a user if they married one).

We are who we are, hopefully we can deal with our biases, but it starts with recognising them.


We don't, for instance, have a
profit motive creating potential conflicts of interest. To give you a
somewhat recent example, we were strong proponents of mandatory OCSP
support by 2010 because we think it's better for the health of the net
to have high-availability revocation information available for
high-assurance certs, despite the arguments from some quarters that it
would be too costly to support on high-traffic sites.



Forget the advocacy, where's the announcement? Have you announced the END OF MD5 yet?

Maybe that's why they don't invite me to these things anymore :)

iang
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
