On 9/23/2015 1:57 PM, Eric Mill wrote:
I'd phrase it instead as: what can be done to educate people responsible for deploying/buying enterprise software deployment that a rapid update path for all software/protocols/ciphers/certificates is a critical prerequisite for performing their job responsibly?
So then what do we tell the users, who are frequently caught in the middle? It seems like this is what we are saying (though I am sure you will reword it).
"I'm sorry that we broke you with our security update today so that you cannot do your job, but breaking you so that you complain to your web (or email) hosts is the only way we can get the attention of the people who have the power to fix this. Thank you for suffering for the greater good."
Might there be some alternative, like a big red popup that appears for a couple of weeks with a warning and an option to continue?
"Chrome does it" is no better defense against user pain than "IE doesn't do it" is an excuse to accept garbage security. We are supposed to be user focused, our users suffer in this, and perhaps we could be innovative in reducing the pain and still accomplish our goals.
:rkent

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy