On 4/11/2010 7:48 PM, Nelson Bolyard wrote:
On 2010-04-08 09:59 PST, Robert Relyea wrote:
On 04/07/2010 09:35 PM, Nelson B Bolyard wrote:
We plan on alerting users in a future update. This is fair warning
to server operators and those who are debugging their sites.
If this is a real threat don't users deserve a fair warning now?
I fully agree! If users are vulnerable now, they should be warned now,
(bug 535649 comment #15). The counterargument (comment #24) is that
showing the broken SSL UI for almost all sites will "quickly
neutraliz[e] the awareness/protection it might offer",
And that argument is now being successfully used by a lot of companies
who make products that directly face the end users. They use it to avoid
doing ANYTHING about this problem. They say "we can't start to warn users
until a majority of the servers on the net have gotten fixed, so that a
minority generate the errors." And so users go unwarned, and they remain
blissfully ignorant of their vulnerability. Consequently, they put no
pressure on servers to get fixed. Consequently, there is NO pressure on
servers to get fixed, and servers are not getting fixed at all rapidly.
What in the world are you talking about here?
You know very well what I'm talking about.
The entire internet is broken right now.
Correct. And intranets, too.
Putting a warning dialog up now would only train users
to ignore the warnings (we've seen this in the past).
It will do more than that. It will alert people to the fact that the
internet and all those intranets are entirely broken right now, a fact to
which they are otherwise ENTIRELY IGNORANT.
Case in point. I work in a small company, about 600 people. They have an
IT department that uses mostly Microsoft servers. They use SSL on every
server they can do so, yet all their servers are broken in this way. They
are completely unaware of this problem. It will do me NO GOOD to go and
tell them that all their servers are broken. They will think I'm a kook.
They will say "If our servers are broken, why don't all our client programs
complain?"
They will think you are a kook if you run in yelling "The Sky is
Falling!!!!" All you end up doing is annoying everyone. Consider a
different approach.
That is why there
is a console warning. You can still get that information from the
console log, or even set the pref to disallow those connections. In any
case to say that Firefox is not doing ANYTHING about the problem is
seriously mischaracterizing the problem.
I believe our employees could not find that console report even if they were
told about it and told to go look for it. It's too well buried by
people who are deathly afraid of giving users a "bad experience".
The current response is in line with other well known and well respected
browsers out there, unless you are accusing Yngve Petterson of security
ignorance or laziness as well.
Yngve is also begging the browser community to start sounding the alarm.
The browsers are all deathly afraid of doing so. They all say "we will
start doing so when all the other browsers start doing so."
.. The warnings will come --
WHEN? In 2010? In 2011?
When we see something more than an acorn.
jjb
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto