On Wed, Sep 23, 2015 at 3:17 PM, R Kent James <[email protected]> wrote:
> On 9/23/2015 1:57 PM, Eric Mill wrote:
>
>> I'd phrase it instead as: what can be done to educate people responsible
>> for deploying/buying enterprise software deployment that a rapid update
>> path for all software/protocols/ciphers/certificates is a critical
>> prerequisite for performing their job responsibly?
>>
>>
> So then what do we tell the users, who are frequently caught in the
> middle? It seems like this is what we are saying (though I am sure you will
> reword it).
>
> "I'm sorry that we broke you with our security update today so that you
> cannot do your job, but breaking you so that you complain to your web (or
> email) hosts is the only way we can get the attention of the people who
> have the power to fix this. Thank you for suffering for the greater good."
>
> Might there be some alternative, like a big red popup that appears for a
> couple of weeks with a warning and an option to continue?
>
> "Chrome does it" is no better defense against user pain than "IE doesn't
> do it" is an excuse to accept garbage security. We are supposed to be user
> focused, our users suffer in this, and perhaps we could be innovative in
> reducing the pain and still accomplish our goals.

It may be less satisfying, but I think you should channel your passion in
the direction of the enterprise IT group -- or its political overlords --
that are inconveniencing you and driving their users away from secure
browsers.

-- Eric

>
>
> :rkent
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy
>

--
konklone.com | @konklone <https://twitter.com/konklone>
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

