That would have the {justifiable,entertaining,controversial} result of
causing any captive portal that uses HTTPS in captivity to fail.  Sounds
like an interesting proposal if you can persuade all the browsers to do it
simultaneously, but if Mozilla does it in isolation, it would unfortunately
just drive users to other browsers.


On 21 April 2014 10:12, Phillip Hallam-Baker <[email protected]> wrote:

> Given the current Heartbleed situation, wouldn't it be appropriate to
> turn on hard fail for revocation checking so that unknown status
> results in the cert being rejected?
>
> I am seeing people suggest that a CA be dropped from the root for
> their alleged improper handling of revocation. If revocation matters
> so much that it must be enforced on CAs then it matters enough to turn
> on hardfail for a major server coding error.
>
> Every platform is vulnerable because the server key can be extracted
> in certain situations. A browser does not need to use OpenSSL to be
> vulnerable to the OpenSSL bug.
>
>
>
> --
> Website: http://hallambaker.com/
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy
>