On Feb 22, 3:56 am, Eddy Nigg <[email protected]> wrote:
> On 02/21/2010 09:34 AM, Nguyễn Đình Nam:
>
> > The way to solve it is not to inform people of each potential attack,
> > because there will be too many false positives, pushing people to just
> > ignore it, rendering the scheme ineffective. The way to solve it is to
> > let a small number of relevant and knowledgeable people be aware of the
> > incident...
>
> Chances that this will happen are almost nil I think.

I googled your name and I found
https://bugzilla.mozilla.org/show_bug.cgi?id=470897
So it did happen. Actually a CA abused the trust.
The proposed scheme is explicitly to prevent this case.

> there are privacy issues involved too if this would
> be in a default build. I guess it's not feasible.

I think it should be in the default build instead of an add-on. Yes,
there is a small privacy issue: if the intrusion detection server is
malicious, it'll know each time a user establishes a secured
connection to somewhere else for the first time, but not the following
accesses. If the intrusion detection server is managed by the creator
of the browser itself (in this case, it's Mozilla), the privacy issue is
solved.
-- 
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
