On Fri, Mar 16, 2012 at 8:10 PM, Ian Melven <[email protected]> wrote:
>
> The other problem with relying solely on SSL, as i mentioned before, is that
> it requires trusting the full set of root certificates on the device. This is
> obviously not a B2G/OWA specific problem but it does seem to be a little worse
> in this case, ESPECIALLY in hostile environments when the government has or
> can easily obtain a root cert.
>
> This is why we sign desktop Firefox updates as well as verifying them against
> a hash downloaded over SSL. Defense in depth.

thanks ian. i missed that entirely :) i've added the description above to a separate section on the wiki page, here:

https://wiki.mozilla.org/Apps/Security#The_Problem_With_Using_SSL

btw: i'm generally moving towards stopping repeating things in the mailing list and moving towards creating links on the wiki, and referring people to them. a) it saves typing b) it's clearer.

l.

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
