On 4/19/2010 1:32 PM, johnjbarton wrote:
> On 4/19/2010 10:52 AM, Nelson B Bolyard wrote:
>>
>> The industry is largely sticking its head in the sand, saying "don't bother
>> me with the facts, don't give me errors or warnings. I'd rather be
>> ignorant of this huge security hole (and keep my users largely ignorant of
>> it) than fix it." Someone has to watch out for the users' interest.
>
> You're making this up. No industry spokesperson, company representative,
> or unincorporated server admin has said any such thing.

No, they say "I'd rather keep the entire world completely ignorant of it
until we have a chance to fix it in secret and release the fix in
oh....how about a year from now?"

> But suppose that in fact someone did say exactly what you quote. Why
> should you follow up by writing error messages in a console that no one
> in "the industry" ever sees?

You saw it. I say you can make a difference!

> Direct your energy at the problem you want to solve. Talk to some server
> admins. Ask them why they are reluctant to take action. Find some real
> industry representatives. Ask for their help. The first thing they need
> from you is a convincing argument that this is a real problem.

Good plan, we've been at that process since last September.
http://www.google.com/search?q=ssl+tls+"project+mogul"

> Once they
> understand that their users are exposed to a security threat they will
> take prompt action.

I thought so too. :-)

And to their credit some have. It is for them that I think the process
should be optimized.

But in reality most users and admins are just stuck until they get a
clean patch from their upstream vendor. The vast majority are waiting for
it to be pushed down automatically.

>> Telling us that you'd prefer that Mozilla products kept silent about it
>> tells us something about where you stand on the security-vs-convenience
>> issue. It's not likely to engender much sympathy here.
>
> I do not appreciate your continued misrepresentation of my comments on
> this newsgroup.

I've had this conversation with Nelson many times. I don't think he's
trying to misrepresent your comments as much as he's responding to some
much more general and abstract forces. Nevertheless, to the extent that
he is being specific I agree with him.

> I have made no comments on security-vs-convenience here.

Well you're on a development list for an open source project here.
The only reason I can see why you would object to the insecurity warning
is that you find it 'inconvenient' to build the app for yourself with the
one line that prints the warning commented out.

> The only sympathy I seek concerns the repeated, pointless, obscure
> messages that you are putting in my user interface about problems I did
> not cause and cannot fix.

Well yeah. None of us here caused this, and none of us can fix it
ourselves. We've worked hard to put together a fix to the protocol and to
implement the fix in code. Now we need to get people to patch in a
compatible way. I advocate informing the affected parties through
whatever channels are appropriate. I think an error log message is very
appropriate but do not want to stop there!

I don't agree at all that such a message is pointless. I have spent huge
amounts of time trying to get the accurate information out so that this
very serious bug is not "obscure". Obscurity only favors the bad guys
here.

- Marsh

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto