On Tue, Jan 12, 2016 at 1:48 AM, Peter Gutmann <[email protected]> wrote:
> Paul Wouters <[email protected]> writes:
>
> >Or we ensure that firefox and chrome refuse to see those sites at all,
> >because they refuse a downgrade attack.
>
> So users will switch to whatever browser doesn't block it, because given the
> choice between connecting to Facebook insecurely or not connecting at all,
> about, oh, 100% of users will choose to connect anyway.
>

An appropriate example. May I note that Facebook has lately been turning off
support for non-encrypted users? So regardless of the browser, a user cannot
access Facebook without HTTPS.

In any case, I think this thread is getting pretty far off-topic.

--Richard

>
> >Let the nation state basically block all of the sites they want to MITM and
> >see how that works out.
>
> It'll work out just fine for them, because what you're giving users is a
> choice between using the Internet and not using it, and close to 100% will
> choose to use it no matter what. We've already got real-world stats on that
> for several countries, for example 700M Chinese folks use the Internet despite
> intrusive government monitoring.
>
> Even if every single browser vendor decides to block (which will never happen,
> who's going to consciously cut off their user base like that?), all Borat has
> to do is distribute a patched version of whatever browser or browsers they
> like and/or distribute a small installer that injects Borat's CA cert, and
> everything's fine, with or without the browser vendors' cooperation.
>
> Peter.
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

