Is having it in by default useful enough to outweigh the risk? When the Dual_EC_DRBG news stories were blowing up, it was revealed that you could switch to it by just changing the Windows Registry. It's a Windows-supported backdoor - no malicious code needs to stay running on your system - just flip that bit, and delete yourself. After that, you're all set.
Similarly, having this feature provided by default seems like it provides a very easy, supported way to extract sensitive key data to the filesystem or some other covert channel - without invalidating package signatures, hashes of libraries or binaries, etc. Don't get me wrong, it's invaluable to be able to use it for debugging, but I question the need to have it enabled by default...

-tom

On 13 July 2014 19:23, Patrick McManus <pmcma...@mozilla.com> wrote:
> I looked into this once, and iirc the change was made intentionally and I
> guess the documentation not updated. I just updated the wikis. Thanks.
>
>
> On Sun, Jul 13, 2014 at 10:30 AM, Роман Донченко <d...@corrigendum.ru> wrote:
>
>> Hello,
>>
>> <https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format> states that:
>>
>> "Obviously this is only a debugging measure and is only enabled if NSS is
>> built with DEBUG and TRACE defined."
>>
>> Analogously, <https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Reference/NSS_environment_variables> says:
>>
>> "SSLKEYLOGFILE: [...] Note: The code must be built with TRACE defined to
>> use this functionality."
>>
>> However, the actual responsible code (<https://hg.mozilla.org/projects/nss/file/65605e800fd1/lib/ssl/sslsock.c#l2840>) doesn't seem to
>> be protected by any compile-time conditions (except for NSS_HAVE_GETENV).
>> And I've checked with a stock Ubuntu NSS package that SSLKEYLOGFILE works,
>> even though SSLDEBUGFILE doesn't.
>>
>> So who's in the wrong here? Is it a bug in the code, or in the
>> documentation?
>>
>> Roman.
>>
>> --
>> dev-tech-crypto mailing list
>> dev-tech-crypto@lists.mozilla.org
>> https://lists.mozilla.org/listinfo/dev-tech-crypto
>>
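
A defender-side check for the concern raised in this thread, as an added example that is not part of the original messages or of NSS: it lists Linux processes whose starting environment has SSLKEYLOGFILE set. The function names and the sample environment blob are constructed for illustration, and a Linux `/proc` layout is assumed.

```python
import os

VAR = b"SSLKEYLOGFILE"

# Constructed sample of a /proc/<pid>/environ blob (NUL-separated NAME=value pairs).
SAMPLE_ENVIRON = b"HOME=/home/u\0SSLKEYLOGFILE=/tmp/keys.log\0LANG=C\0"


def keylog_target(environ_blob):
    """Return the SSLKEYLOGFILE value from an environ blob, or None if unset."""
    for entry in environ_blob.split(b"\0"):
        name, sep, value = entry.partition(b"=")
        # Exact name match only, so SSLKEYLOGFILE_OLD or XSSLKEYLOGFILE do not count.
        if sep and name == VAR:
            return value.decode("utf-8", "replace")
    return None


def scan_proc(proc_root="/proc"):
    """Return sorted (pid, path) pairs for processes started with the variable set.

    /proc/<pid>/environ holds the environment the process was started with,
    so a variable set later from inside the process is not visible here.
    """
    findings = []
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        try:
            with open(os.path.join(proc_root, pid, "environ"), "rb") as fh:
                target = keylog_target(fh.read())
        except OSError:
            continue  # process exited, or not readable without more privilege
        if target is not None:
            findings.append((int(pid), target))
    return sorted(findings)


if __name__ == "__main__":
    print("sample blob ->", keylog_target(SAMPLE_ENVIRON))
    if os.path.isdir("/proc"):
        for pid, path in scan_proc():
            print(f"pid {pid}: SSLKEYLOGFILE={path!r}")
```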