On 4/19/2010 1:42 AM, Nelson B Bolyard wrote:
> On 2010-04-18 21:16 PST, johnjbarton wrote:
>> I see nothing wrong with users contacting sysadmins. I object to using
>> the browser as a platform for badgering Web developers to contact
>> sysadmins on your behalf.
>
> You continue to make the mistake of assuming that users have no vested self
> interest in having access to secure servers, and that they are merely
> doing a favor for some set of developers, rather than acting in their own
> self interest, by asking server admins to fix their servers.

So by this argument we should warn users whenever they access
pornographic sites, radical right wing sites, socialist sites, religious
and atheist sites. We need to inform them, for their own self interest,
that the server admins need to fix their servers. But why stop there?
Users' self interest surely extends beyond the browser. Should we send
them messages to lobby against air pollution, poverty, government
intrusion, and so on? Is it really true that CVE-2009-3555 is the only
issue worthy of their attention?

There are appropriate channels for advertising this problem and
educating users and servers about it. The current Error Console spam
campaign and the proposed pop-up ads campaign are simply not appropriate
actions for the browser.

The browser's legitimate role here informs users on the connection they
have to a server. If Firefox is presenting a user interface that shows a
secure connection for https, but the connection is not secure according
to the browser's security experts, then Firefox is broken. The
legitimate action by browser developers is to fix their bug.

jjb