Ian Grigg wrote:
> While you were worried about some mythical man in the middle sneaking in and stealing your password for no good purpose (the bank/fund would be covered against that in general), you were probably being robbed blind by your mutual fund.
Those banking/fund protections may apply in some cases in the USA, but they certainly don't always in other countries. If someone steals your credit card number in France, you may still be liable. So SSL security plays a much more important role than you think. I know this from experience.
> I'm hoping that Mozilla can realise this. There is an opportunity here to restart the security process that has lain dormant for a decade. And a crying need - the threats today are from spoofs/phishing, viruses, insider robbery, database hacks, and so forth - all of which need to be addressed by a holistic approach to security, not by worrying about this cert or that CA covering a threat that doesn't exist except in the minds of cryptography academics.
Certainly other attacks exist, but attacks on certificates are one type of attack that is possible. I agree that indeed Mozilla should be reviewed for all types of attacks, not just crypto/certificate attacks, but not that we should ignore crypto/certificate attacks.
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto