Well now, based on what Frank Hecker has posted, this is really getting interesting. First he stalwartly defends FF. Then he acknowledges that much of what was reported and commented on is in fact not wrong. And now he begs off as not being an expert.

Not ragging you, Frank. Just pointing out the irony of an aggressive defense that does not stand up under scrutiny. So please let's get a Mozilla Security expert in here.

Originally I got interested in this as a result of a post in the GRC newsgroups. And I was reluctant to believe that my favorite browser came "preloaded to trust" certs from sites that have been publishing improperly attributed certs and ones that are pretty much unheard of. Now I am glad I did. This needs some additional review.

If FF lets you "delete" an item and then puts it back...??? Well, certainly makes sense, and we can be sure every user will spend lots of time assuring that the delete was deleted.

So can we get a discussion of how this relates to improving phishing? So that the next time I go to my bank and end up at "check free", I can believe the cert that is the SSL from my own bank??? Sounds like the pathway here is muddled enough so as to be way too exploitable.

So regardless of the procedure that seems to be referenced as a defense for including the listed root certs, the results are munged and users stuck with "push".

more disappointed
oops199

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security