On Tue, Aug 06, 2013 at 01:50:31PM +0300, Nadim Kobeissi wrote:
> Yes, to be absolutely clear, I think Tor should issue advisories for
> confirmed security issues in Tor Browser, since Tor Browser is a fork
> of Firefox and is independently maintained. This is exactly what Tor
> did this time, except next time you shouldn't wait five weeks for the
> situation to explode.

This is insane advice. Every ESR point release of Firefox 17 has fixed multiple CVEs. Your advice would have them doing a RED BLINKING LETTERS blogpost on *every* TBB release. This is not sustainable and will create security fatigue in users, exactly similar to how SSL warning dialogs trained everybody to "just click accept" back in the nineties and the bad old oughties.

We have to move past the "bug the user again" model of security system deployment.

-andy
