Paul Wouters <[email protected]> writes:

>Or we ensure that firefox and chrome refuse to see those sites at all,
>because they refuse a downgrade attack.

So users will switch to whatever browser doesn't block it, because given the choice between connecting to Facebook insecurely or not connecting at all, about, oh, 100% of users will choose to connect anyway.

>Let the nation state basically block all of the sites they want to MITM and
>see how that works out.

It'll work out just fine for them, because what you're giving users is a choice between using the Internet and not using it, and close to 100% will choose to use it no matter what. We've already got real-world stats on that for several countries, for example 700M Chinese folks use the Internet despite intrusive government monitoring.

Even if every single browser vendor decides to block (which will never happen, who's going to consciously cut off their user base like that?), all Borat has to do is distribute a patched version of whatever browser or browsers they like and/or distribute a small installer that injects Borat's CA cert, and everything's fine, with or without the browser vendors' cooperation.

Peter.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

