Ian G wrote:
> Nelson B wrote:
>> By now you've read that this branding idea was actually implemented,
>> at least partially, for a limited set of CAs, in the old
>> Netscape 4.x browsers.
>
> OK, thanks for the confirmation. I wonder
> if those discussions are anywhere around?

I was referring to yesterday's posting in this newsgroup
news://news.mozilla.org:119/[EMAIL PROTECTED]

> So where do the "controllers of the chrome
> real-estate" hang out?

Each product has its own. One for FF, one for TB, etc.
Those people are only now, very reluctantly, giving any space to
security. They're among the people who had to learn the hard
way after ignoring the advice of others. They don't hang out here.
They should (but don't seem to) hang out in n.p.m.security.
I am thankful for Gervase's presence here. It is most welcome.

> And while we are on that subject, who or what
> is the security team / security director for
> Mozilla? Who would coordinate a security
> bug of this broad a nature?
> Frank, maybe?

I cannot name a single person (or group of persons) among the mozilla
core developers who (IMO) thinks he owns or directs the crypto-related
security development efforts in mozilla. The mozilla code that does
crypto UI is called PSM. PSM is an orphan, with only one or two
serious security issues (IMO) having been fixed in the last year.
https://bugzilla.mozilla.org/show_bug.cgi?id=249004
https://bugzilla.mozilla.org/show_bug.cgi?id=139473

I think that if the browser is going to continue to let the user
override security errors, then when the user does so, it should tell
the user in no uncertain terms that the user has overridden security,
and that the user will have NO security thereafter, and should turn
off the lock to make the point.

> The reason it doesn't do these things is
> because whenever these things get coded
> in, people start switching to other tools.

People switch to other tools when the tool they have does not let them
do what they want. I'm saying the tool they have lets them do it, but
it does not warn them adequately of the security consequences of their
decisions. It does not even turn off the lock. It should.
There is a bug filed about this. But PSM is an orphan. Nobody works on it.

> Those sorts of checks are just too much and
> too costly.

For whom? It seems to me the absence of such notices to the user
a) prevents the user from *learning* the consequence of his actions, and
b) ultimately costs the user.

> Users need to learn.

Agreed.

> They need to hurt themselves; it's part of growing up.

Some people learn from being told
"your hand will hurt if you put it on the stove",
others only learn when they do it. In this case, I'm saying
mozilla doesn't adequately say "it will hurt if you do this".
--
Nelson B
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto