On 2010/04/07 10:43 PDT, Matt McCutchen wrote:
> On Wed, 2010-04-07 at 09:55 -0700, johnjbarton wrote:
>> On 4/4/2010 10:41 PM, Daniel Veditz wrote:

>>> We plan on alerting users in a future update. This is fair warning 
>>> to server operators and those who are debugging their sites.
>> 
>> If this is a real threat don't users deserve a fair warning now?
> 
> I fully agree!  If users are vulnerable now, they should be warned now, 
> (bug 535649 comment #15).  The counterargument (comment #24) is that 
> showing the broken SSL UI for almost all sites will "quickly 
> neutraliz[e] the awareness/protection it might offer",

And that argument is now being successfully used by a lot of companies
who make products that directly face the end users.  They use it to avoid
doing ANYTHING about this problem.  They say "we can't start to warn users
until a majority of the servers on the net have gotten fixed, so that a
minority generate the errors."  And so users go unwarned, and they remain
blissfully ignorant of their vulnerability.  Consequently, they put no
pressure on servers to get fixed.  Consequently, there is NO pressure on
servers to get fixed, and servers are not getting fixed at all rapidly.

Inconveniencing the users is a NECESSARY part of getting this vulnerability
fixed.  Without that, the servers have NO INCENTIVE to lift a finger to fix
this.

> but I think my proposal for a yellow Larry button (comment #62)
> partially addresses this concern.

Maybe, but you'll have to sell it to product makers who'd prefer not to
annoy their users at all if their lives don't depend on it.
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto