Correct. This isn't going to change any time soon. Anyone who's up against "national technical means" had better do their research. It's a bit of a stretch to say that Mozilla or any browser or any other app should protect people against *all* threats.
This reply is also directed to Ben. I doubt self-signed certs without some kind of notification will work; in fact, it would leave us more open to government MitM than under a CA model. I cannot see any way to defend against that kind of attack unless you know the person in person and swap fingerprints. Sure, this works for PGP under a limited set of circumstances, but then what? How do you do business with someone in another country with no connection to you prior? Lots of people do business with companies in the US/UK all the time; do you think they'd take the time and effort to verify signatures, or would they just click through warnings?
Yes, the security model for SSL is flawed, but self-signed isn't the answer for large-scale use either; if anything, the trust would become so weak even your ISP could walk over 95% of the population that hasn't a clue about security.
-- Best regards, Duane
http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!
http://e164.org - Using Enum.164 to interconnect asterisk servers
