On 4/2/2010 2:22 AM, Jean-Marc Desperrier wrote:
> johnjbarton wrote:
>> Closely related to bug 554594 is
>> https://bugzilla.mozilla.org/show_bug.cgi?id=535649
>> Web developers using Firefox Error Console or tools like Firebug that
>> use nsIConsoleService are now bombarded with pointless messages like:
>> services.addons.mozilla.org : potentially vulnerable to CVE-2009-3555
>
> No, what's closely related to this is
> https://bugzilla.mozilla.org/show_bug.cgi?id=555952
> Implement RFC 5746 for mozilla.org SSL sites, to avoid Mozilla warning
> about CVE-2009-3555
>
> As soon as the proper version of Zeus is deployed, this should be fixed.
Sorry, but your statement misses exactly the problem here.
Bug 535649 emits a warning message for every https site you visit. The
only people who can see this message are Web developers and users who
have problems with Firefox. These people are almost never in a position
to prevent the message. Only the people who maintain the server software
itself can prevent this message, and they of course never look at the
Firefox Error Console.
While it is embarrassing that one hand of Mozilla would announce to
developers that Mozilla sites are insecure before the other hand fixed
the sites, that entirely misses the point. This obscure message comes
for all https sites and is directed at the wrong people. It causes work
and anxious concern among people who have no control over the problem.
The appropriate way to address this security problem starts by
contacting the major providers of server software. By contacting just
the top 10 teams you can cover >99% of the world's servers:
http://news.netcraft.com/archives/web_server_survey.html
Web server providers are very concerned about user security and they
would respond promptly to any real security threat. This is not true for
Web devs being spammed with this message: it's not their problem.
jjb
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto