On 21/04/14 08:50 PM, Radu Hociung wrote:
> On Monday, April 21, 2014 12:32:43 PM UTC-4, Daniel Micay wrote:
>> Mozilla has all the cards in their hands here.
>
> Indeed. I'm glad to see others before me reached the same conclusion, that the appropriate response is to remove the trusted status of Startcom.
>
> The original bugzilla #994033 was closed, this issue has been debated in the mailing list for a few days, but what is the resolution?
>
> AFAICT, Mozilla's position is "Startcom is here to stay"?
I think it's only realism to leave them in the trust store. Removing it would break sites and cause users to flee to other browsers. Having it stop being shown as a secure connection is a very realistic option. It can still be shown as https, just without the "secure" marker. It would also be great if it stopped telling users the connection is secure when the cipher lacks perfect forward secrecy. If you want servers to start supporting it, that's exactly how. We all know this OpenSSL bug is not going to be the last. Traffic captured today over connections not using perfect forward secrecy is *not secure*. Firefox should stop telling users it is.
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy
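The distinction Daniel draws above, between suites whose key exchange is ephemeral and suites where a recorded session can be decrypted once the server's long-term key leaks, is visible in the cipher suite name itself. The following is an added example written for this thread, not code from the post, from Mozilla or from OpenSSL: it reads the key-exchange token out of IANA-style and OpenSSL-style suite names, flags the static ones, and filters a constructed server preference list (`SAMPLE_CIPHERS` is made up for the demonstration) down to the forward-secret suites.

```python
"""Classify TLS cipher suites by whether their key exchange is forward secret.

Constructed example for this thread; not code from the post or from Mozilla.
"""

# Key-exchange tokens that derive a fresh ephemeral (EC)DH secret for every
# handshake. The certificate key only signs the exchange, so a server private
# key leaked later (as a Heartbleed-style memory disclosure may allow) does not
# let a recorded session be decrypted.
EPHEMERAL_KX = {"ECDHE", "DHE", "EDH"}

# Static key exchanges: the session key is derived from, or encrypted to, a
# long-term secret. Whoever recorded the handshake and later obtains that
# secret recovers the premaster secret and every session key after it.
STATIC_KX = {"RSA", "ECDH", "DH", "PSK"}

# Suite families this classifier deliberately refuses to judge by name alone:
# anonymous (unauthenticated) suites and SRP.
UNCLASSIFIED_KX = {"ADH", "AECDH", "SRP"}


def key_exchange(suite):
    """Return the key-exchange token of a cipher suite name.

    Accepts IANA names (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) and OpenSSL
    names (ECDHE-RSA-AES128-GCM-SHA256). Raises ValueError instead of guessing
    when the name does not encode a key exchange it knows.
    """
    name = suite.strip().upper()
    if name.startswith("TLS_"):
        head, sep, _ = name[4:].partition("_WITH_")
        if not sep:
            # TLS 1.3 names (TLS_AES_128_GCM_SHA256) carry no key exchange.
            raise ValueError("no key exchange encoded in %r" % suite)
        tokens = head.split("_")
        if "ANON" in tokens or tokens[0] in UNCLASSIFIED_KX:
            raise ValueError("not classified by name: %r" % suite)
        if tokens[0] not in EPHEMERAL_KX | STATIC_KX:
            raise ValueError("unknown key exchange in %r" % suite)
        return tokens[0]
    tokens = name.split("-")
    if tokens[0].startswith("EXP") and len(tokens) > 1:
        tokens = tokens[1:]  # export-grade prefix, e.g. EXP-EDH-RSA-DES-CBC-SHA
    if tokens[0] in UNCLASSIFIED_KX:
        raise ValueError("not classified by name: %r" % suite)
    # OpenSSL omits the token for plain RSA key transport: "AES128-SHA" and
    # "DES-CBC3-SHA" are TLS_RSA_WITH_... suites.
    return tokens[0] if tokens[0] in EPHEMERAL_KX | STATIC_KX else "RSA"


def forward_secret(suite):
    """True when the suite's key exchange is ephemeral (EC)DH."""
    return key_exchange(suite) in EPHEMERAL_KX


def audit(cipher_list):
    """Given explicit suite names separated by ':' (as 'openssl ciphers'
    prints them, not aliases like HIGH or !aNULL), return the suites whose
    traffic could be decrypted retroactively, with their key exchange."""
    weak = []
    for suite in filter(None, (s.strip() for s in cipher_list.split(":"))):
        kx = key_exchange(suite)
        if kx not in EPHEMERAL_KX:
            weak.append((suite, kx))
    return weak


def forward_secret_only(cipher_list):
    """Return the same list with every non-forward-secret suite removed."""
    return ":".join(s.strip() for s in cipher_list.split(":")
                    if s.strip() and forward_secret(s))


# Constructed server preference list mixing ephemeral and static suites.
SAMPLE_CIPHERS = ("ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA:"
                  "ECDH-RSA-AES128-SHA:AES128-SHA:DES-CBC3-SHA")

if __name__ == "__main__":
    for suite, kx in audit(SAMPLE_CIPHERS):
        print("%-32s key exchange %-5s -> not forward secret" % (suite, kx))
    print("hardened list:", forward_secret_only(SAMPLE_CIPHERS))
```

The same check applies to a browser's side of the argument: the negotiated suite is in the ServerHello, so a client can tell before sending any application data whether the session it is about to label "secure" would survive a later compromise of the server's key. Static ECDH and static DH are flagged alongside RSA key transport because the session key depends on the certificate's long-term key in those cases too.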

