On 4/19/2010 12:52 PM, Nelson B Bolyard wrote:
> On 2010/04/19 08:33 PDT, johnjbarton wrote:
>> The legitimate action by browser developers is to fix their bug.
>
> But that, by itself, does not provide the users with transport security.

Right, both the client and server have to be patched. It's not a bug in either one, but in the protocol itself.

> The industry is largely sticking its head in the sand, saying "don't bother
> me with the facts, don't give me errors or warnings. I'd rather be
> ignorant of this huge security hole (and keep my users largely ignorant of
> it) than fix it." Someone has to watch out for the users' interest.

I think many vendors have been quite concerned, but have been blocked on shipping a patch until the underlying library made it available. In some cases they could move faster because they wrote their own. In other cases the vendor really is taking it seriously but simply has a zillion products affected.

For example, Opera was the first to ship a patch, and they led the way in accurately reflecting the security of the connection. Opera will currently decline to turn the address bar green for EV certs if the connection is vulnerable. That is a great first step, and they intend to make that more prominent over time, too.

Mozilla also has the benefit of an internally developed TLS stack which implements a fix. Yet using Firefox 3.6.3 I don't see any visible indication of my https being vulnerable, even in the "Technical Details" section of the Page Info dialog.

It's not going to look so great for Mozilla when another prominent browser vendor ships another patch which also notifies the user of the insecure connection. People might legitimately ask at that point how such a prominent open source product as Mozilla ended up putting other considerations ahead of their users' security, whereas multiple commercial closed source vendors are really taking it seriously.

It might be hard to come up with a good answer for that one. Better start thinking about it now.

- Marsh

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto