On Wed, 2010-04-07 at 09:55 -0700, johnjbarton wrote: > On 4/4/2010 10:41 PM, Daniel Veditz wrote: > > On 4/3/10 9:30 AM, johnjbarton wrote: > >> If the *users* of Firefox are truly in jeopardy, then this alert should > >> be provided to *users*. Since this alert is not shown to users I can > >> only assume that in fact there is no practical threat here. You're > >> putting this message in the Error Console because you can. > > > > We plan on alerting users in a future update. This is fair warning > > to server operators and those who are debugging their sites. > > If this is a real threat don't users deserve a fair warning now?
I fully agree! If users are vulnerable now, they should be warned now, (bug 535649 comment #15). The counterargument (comment #24) is that showing the broken SSL UI for almost all sites will "quickly neutraliz[e] the awareness/protection it might offer", but I think my proposal for a yellow Larry button (comment #62) partially addresses this concern. -- Matt -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto