On Fri, 2010-04-09 at 09:34 -0700, johnjbarton wrote:
> On 4/8/2010 12:13 PM, Matt McCutchen wrote:
> > On Thu, 2010-04-08 at 09:35 -0700, johnjbarton wrote:
> >> On 4/7/2010 9:35 PM, Nelson B Bolyard wrote:
> >> ...
> >>> Inconveniencing the users is a NECESSARY part of getting this vulnerability
> >>> fixed. Without that, the servers have NO INCENTIVE to lift a finger to fix
> >>> this.
> >> ...
> >>
> >> The claim is obviously false as the recent update to Firefox 3.6.3
> >> clearly demonstrates. If server operators believe their users are at
> >> risk, then they will take immediate action to protect them.
> >
> > Firefox developers != server operators.
>
> Both groups are committed to their users and both groups will respond to
> realistic security threats to their users. Neither group should be
> blackmailed into pointless action by badgering users.
Are you saying that Mozilla shouldn't encourage users to bother their server operators because if the problem were real, the server operators would already have fixed it? I think you give the server operators way too much credit. People are lazy. I trust Mozilla much more than the average sysadmin to properly assess vulnerabilities.

Besides, in my view, the problem is real. For better or for worse, the goal of SSL has always been to provide complete protection against a middleman who controls the network. And for certain designs of Web apps which are not intrinsically unreasonable (see my other message), it completely fails to prevent a middleman from subverting your requests.

-- 
Matt

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto