On 2015-09-15 02:12, Anil Gulati wrote:
> So I'd agree Firefox is not being too strict (in this scenario anyway - I
> had previous issues a few months ago where Chrome worked and Firefox
> didn't) but Firefox does have the additional step to install certs in its
> own certificate database instead of referring to the OS. In our case this
> additional step was hard enough to prevent Firefox from working for several
> days. I guess if there were any Firefox users in our organisation before it
> seems unlikely there are any left now.

It seems to me that the issues are:
- The IT department wants to MITM you for some reason, and Firefox complains like it should. You *are* actively being attacked.
- The IT department (or some contractor) knows how to deal with Chrome (and Internet Explorer) so it allows this, but doesn't know how to do it with Firefox. I would argue that this isn't Firefox's problem, it has always had the functionality to allow it.

> To remove unnecessary impediments to Firefox use and adoption wouldn't it
> make sense to configure Firefox to use the OS cert store by default, and
> allow an option to use internal cert database? I know there's code costs
> but if people are not using Firefox there's no Firefox. Even now our IT has
> a working cert I'm not sure they have a way to automatically install into
> Firefox for all users.

I think they can distribute the certificate for use by Chrome and Internet Explorer by using the group policy and so it's trivial for them to distribute it to all the PCs. It might be a little bit more complicated to do the same for Firefox.


Kurt

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
