On May 21, 1:46 am, Kurt Seifried wrote:
> m...@mattmccutchen.net wrote:
> > I'm not claiming that the user knows. I only said that if there is in
> > fact no impersonation, then the error is a false positive.
[...]
> For you to claim that the browser should be able to determine the
> intent of a
When I hit reply the mozilla groups bounces my email, so replying off list.
m...@mattmccutchen.net wrote:
> I'm not claiming that the user knows. I only said that if there is in
> fact no impersonation, then the error is a false positive.
If you're going to redefine what a false positive is then
On Fri, 2010-05-21 at 04:02 +0300, Eddy Nigg wrote:
> On 05/21/2010 03:23 AM, From Matt McCutchen:
> > On May 19, 11:28 am, Eddy Nigg wrote:
> >
> >> Well, just for the record, let's get this straight - there are no false
> >> positives. I have NEVER encountered an error with a web site and there
> >
The way that commercial "certifying authorities" have gone about
things thus far is completely antithetical to how business is
transacted on the commercial internet. (hint: banks require *two*
forms of ID in order to open a bank account, and CAs provide only
*one*. How would you solve this proble
On 05/21/2010 03:23 AM, From Matt McCutchen:
On May 19, 11:28 am, Eddy Nigg wrote:
Well, just for the record, let's get this straight - there are no false
positives. I have NEVER encountered an error with a web site and there
was no reason for it. Either the certificate was not trusted or the
On May 19, 11:28 am, Eddy Nigg wrote:
> Well, just for the record, let's get this straight - there are no false
> positives. I have NEVER encountered an error with a web site and there
> was no reason for it. Either the certificate was not trusted or the
> domain did not match or other reasons. Those
When
"security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref"
is off, Firefox will refuse to perform a server-initiated
renegotiation with a non-RFC-5746 server. What is the purpose of this
behavior? It doesn't mitigate the vulnerability because in the attack
scenario, the
On Mon, 2010-05-17 at 13:25 -0500, Marsh Ray wrote:
> Imagine how fast sites would fix their certs if the scary page proposed
> keyword alternative sites that did not have cert issues.
You can't assume that it's the site's fault. A competitor could be
MITM-ing the connection and showing a bad cer
On 5/20/2010 4:28 AM, Gervase Markham wrote:
On 18/05/10 15:54, johnjbarton wrote:
I mean that starting a design from the point of view that the users have
faulty judgment will almost certainly lead to software that fails.
If users did not have faulty judgement, and always made correct securit
On 05/19/2010 07:44 PM, From Marsh Ray:
Perhaps one identifiable improvement here is that this ability to get
acceptable certs easily could be made more widely known?
Yes, perhaps...but it might be difficult for Mozilla to do so too
openly...not sure.
--
Regards
Signer: Eddy Nigg, Star
>Does your module attempt to force the user to (re)authenticate to it every
>time it needs to use the private key?
>Does it attempt to do this by (re)entering a read-only state such as
>CKS_RO_PUBLIC_SESSION after it performs a private key operation?
>If so, that's your problem.
The module enters
On 18/05/10 15:54, johnjbarton wrote:
I mean that starting a design from the point of view that the users have
faulty judgment will almost certainly lead to software that fails.
If users did not have faulty judgement, and always made correct security
decisions, then there would be no phishing.