On Tuesday 17 May 2016 03:19:22 Peter Gutmann wrote:
> Matt Palmer <mpal...@hezmatt.org> writes:
> >On Mon, May 16, 2016 at 02:22:08PM +0200, Richard Z wrote:
> >> knowingly issuing/tolerating certificates for sites known to inject
> >> malware is
> >> * contrary to user expectations
> >
> >[Citation needed]
>
> So you're saying users expect CAs to certify malware sites?
>
> (There have been plenty of user studies showing that users expect the
> padlock to protect them from malware, hackers, and all sorts of other
> stuff. Please produce a study showing that users expect CAs to
> certify malware sites and virus authors).

Then users expect the impossible.

Go to Firefox and check what the connection information dialog says. Does it
say that the party you're communicating with is trustworthy?

CAs certify identity, always have, and unless they themselves start hosting
those websites, they have no way to certify trustworthiness of the data served.

--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic