On Sunday, September 8, 2013 2:08:33 PM UTC-5, Erwann Abalea wrote:
> I may be considered as over-paranoid, I don't mind.
>
> Recent news that I'm sure everybody has read have an impact on the whole
> crypto world. Standards, software stacks, hardware implementations, etc.
>
> This program is also impacted, in a way, because it's about building trust
> on severely damaged foundations (and we still don't know exactly how far
> those have been damaged).

Two things made me hope for change when reading of these revelations.

1) Since no CAs are now trustworthy, perhaps we can move away from treating self-signed certs as MORE satanically evil than HTTP.

2) Perhaps this might cause the return of the "disable JS" checkbox, since the inability to trivially disable it has so categorically been demonstrated a bad thing, now.

Sadly, the response in both cases has been to double down on previous decisions, rather than to reopen discussion on them. There are plenty of papers on this psychological effect, but that doesn't make it any less disheartening when seen.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

