On 4/9/2010 6:06 PM, Matt McCutchen wrote:
> On Fri, 2010-04-09 at 09:34 -0700, johnjbarton wrote:
>> On 4/8/2010 12:13 PM, Matt McCutchen wrote:
>>> On Thu, 2010-04-08 at 09:35 -0700, johnjbarton wrote:
>>>> On 4/7/2010 9:35 PM, Nelson B Bolyard wrote:
>>>>> ...
>>>>> Inconveniencing the users is a NECESSARY part of getting this vulnerability
>>>>> fixed.  Without that, the servers have NO INCENTIVE to lift a finger to fix
>>>>> this.
>>>>> ...
>>>>
>>>> The claim is obviously false as the recent update to Firefox 3.6.3
>>>> clearly demonstrates. If servers operators believe their users are at
>>>> risk, then they will take immediate action to protect them.
>>>
>>> Firefox developers != server operators.
>>
>> Both groups are committed to their users and both groups will respond to
>> realistic security threats to their users. Neither group should be
>> blackmailed into pointless action by badgering users.
>
> Are you saying that Mozilla shouldn't encourage users to bother their
> server operators because if the problem were real, the server operators
> would already have fixed it?  I think you give the server operators way
> too much credit.  People are lazy.  I trust Mozilla much more than the
> average sysadmin to properly assess vulnerabilities.

Your assessment of the relative commitment and competence of these two groups of people is unjustified by facts.

> Besides, in my view, the problem is real.  For better or for worse, the
> goal of SSL has always been to provide complete protection against a
> middleman who controls the network.  And for certain designs of Web apps
> which are not intrinsically unreasonable (see my other message), it
> completely fails to prevent a middleman from subverting your requests.


I appreciate your commitment to improving Web security. Please channel this passion in a respectful fashion. Rather than arrogantly asserting superiority over server admins and irresponsibly exhorting users to harass them, build a clearer case for the potential dangers here. Then contact the communications people in Mozilla, large international Web service companies, professional organizations of server administrators, news organizations, Slashdot, and so forth. Explain the problem and the fix. This procedure will prepare you and the people you contact for future similar problems and strengthen our entire system.

jjb
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto