On 04/19/2010 12:33 PM, Marsh Ray wrote:
>
> Opera will currently decline to turn the address bar green for EV certs
> if the connection is vulnerable. That is a great first step, and they
> intend to make that more prominent over time, too.
>   
That's an interesting option....
> Mozilla also has the benefit of an internally developed TLS stack which
> implements a fix. Yet using Firefox 3.6.3 I don't see any visible
> indication of my https being vulnerable even in the "Technical Details"
> section of the Page Info dialog.
>   

There's an error logged to the java console.... it logs all unsafe
websites, not just EV.
> It's not going to look so great for Mozilla when another prominent
> browser vendor ships another patch which also notifies the user of the
> insecure connection.
>   
Mozilla is phasing in, just like Opera. You can see some in the list are
violently opposed to any kind of notification. If you are really
worried, Mozilla gives you the option of only making safe connections ;).

You'll see more of this over time. If you want to complain about keeping
the internet from being safe, I suggest talking to some of the vendors
who haven't even released renegotiation patches yet.
> People might legitimately ask at that point how such a prominent open
> source product as Mozilla ended up putting other considerations ahead of
> their users' security, whereas multiple commercial closed source vendors
> are really taking it seriously. It might be hard to come up with a good
> answer for that one. Better start thinking about it now.
>   

On this issue, Mozilla is far from dragging its feet. The criticism may
hold more water if more major browsers actually implemented the
renegotiation extension! You were told this will be a slow process.
We're working our way through it, Marsh.


bob
> - Marsh
>   


-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
