On Wed, July 16, 2014 11:42 pm, Falcon Darkstar Momot wrote:
>  When it comes to key material, it's an outstanding idea to err on the
>  side of caution.
>
>  Does anyone actually require this feature in a non-debug build?  If not,
>  then it's completely unreasonable to leave it in such builds, even if
>  it's not the weakest link and even if it doesn't break compliance.
>
>  --Falcon Darkstar Momot
>  --Security Consultant, Leviathan Security Group

Quite a few people, especially users of Chrome and Firefox, especially
those working to implement or deploy SPDY or HTTP/2.0 (which are over TLS,
ergo Wireshark/pcap can be a pain).

Given that the threat model requires a local attacker with the same privileges
as either of these applications (or influence over NSS environment), can
you describe a threat that could not be equally accomplished through
other, similarly trivial means (e.g. binary compromise)?

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
