> It is our standard security nightmare.  Side A thinks it is Side B's
> problem.  Side B thinks it is Side A's problem.  In the meantime the
> user doesn't use the tech because it doesn't work, and the sides are too
> busy arguing to solve the problem.  So zero security is delivered.
>
> In this case, it is always the part closest to the user that has to do
> the mostest.  Maybe it's not a browser-tech or client-side-TLS issue,
> but *it is a browser issue*.

It is the browser's responsibility to present an SSL error to the user
in an accessible way.  However, browsers usually make certificates
visible to users and, therefore, it is assumed that users understand
certificates and basic certificate-related issues.  There is ongoing
research on this topic and I am not sure if anybody can state with
confidence whether this assumption is correct and whether Firefox's
interface is clear enough to understand.

> PS: Also, it is standard security doctrine in many places that when
> something isn't quite right that no information is returned.  Something
> to do with security advice of not being an oracle.

On the contrary, systems that fail silently can be both frustrating
(to the user) and very harmful (if the user assumes that the lack of
error means the success of a transaction).  If no information is
returned, it is still unclear whether the transaction should succeed
or fail.
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
