Nelson B Bolyard:
This incident has shown that FF3, with its all-too-easy-to-defeat MITM
reporting, is NOT suitable for high-value web transactions such as
online banking.
FF3 is suitable for people on this list. It appears that it's not yet
suitable for the average user. At least FF3 succeed
Nelson B Bolyard wrote, On 2008-10-19 19:03:
> Be careful not to confuse and conflict the MITM detection properties
> of SSL with the MITM resistance properties of the browser UI.
s/conflict/conflate/ :(
dev-tech-crypto mailing list
Ian G wrote, On 2008-10-19 05:50:
> [...] I would like to figure out a nice story that says
> "use Firefox for all your general browsing ... but use for your
> online bank". I just don't know what is.
As much as it pains me to say it, I agree. That is what is needed.
This incident has
Ian G wrote, On 2008-10-18 12:32:
> This is the pathological problem with MITM protection that has
> existed from day 1 of SSL: it was a solution in advance of a
> problem. Given that the solution was theoretical, and the problem
> had no practical existence (until recently), the solution could
Ian G wrote, On 2008-10-19 15:17:
> Nelson B Bolyard wrote:
>> KCM would have accepted those certs without any complaint.
>
> Ahhh, not exactly! With KCM, it is not up to it to accept any certs
> any time: unfamiliar certs are passed up to the user for validation.
Yes, but the users are condi
Eddy Nigg:
PKI wasn't meant to facilitate certificates issued from "random". PKI is
meant to disallow anything it doesn't know and doesn't chain to the root. In
the browser we have many roots, but it's the browser's fault to allow the
user to ignore and click all the way through to heaven...or hell. :
Ian G:
If the user does not validate, then she has done a bad thing. Yes,
KCM would be at its weakest at that point, but no software tool is
perfect; at some stage we have to ask the user, and then by
definition the software is weak, dependent on the user.
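The key-continuity (KCM) mechanism discussed in the exchange above, as an added example that is not part of the mailing-list thread or of any Firefox code: a small trust-on-first-use store that remembers the certificate fingerprint seen for a host, reports an unfamiliar host (where, as Ian G says, the decision has to go to the user), accepts a matching fingerprint silently, and flags a changed fingerprint as possible MITM. The `decide` policy also models Eddy Nigg's suggestion that overrides be gated behind an explicit configuration change rather than a one-click dialog. Host names, the certificate bytes and the `allow_override` preference are constructed placeholders; a real client would pass the DER-encoded leaf certificate from the TLS handshake.

```python
"""Key continuity (trust-on-first-use) check for TLS server certificates.

Added illustration, not code from the thread. Certificate bytes are
constructed placeholders standing in for the DER-encoded leaf certificate.
"""
import hashlib
import json

# Verdicts returned by KcmStore.check()
UNFAMILIAR = "unfamiliar"   # host never seen: the store cannot decide, ask the user
CONTINUITY = "continuity"   # same key as last time: accept without a prompt
CHANGED = "changed"         # known host presents a different key: possible MITM

# Actions returned by decide()
CONNECT = "connect"
ASK_USER = "ask-user"
BLOCK = "block"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the certificate bytes; what the store remembers per host."""
    return hashlib.sha256(cert_der).hexdigest()


class KcmStore:
    """Maps host name -> fingerprint of the certificate the user accepted."""

    def __init__(self, seen=None):
        self.seen = dict(seen or {})

    def check(self, host: str, cert_der: bytes) -> str:
        """Compare the presented certificate with what was seen before."""
        fp = fingerprint(cert_der)
        known = self.seen.get(host)
        if known is None:
            return UNFAMILIAR
        if known == fp:
            return CONTINUITY
        return CHANGED

    def remember(self, host: str, cert_der: bytes) -> None:
        """Pin the certificate after the user has validated it out of band."""
        self.seen[host] = fingerprint(cert_der)

    def to_json(self) -> str:
        return json.dumps(self.seen, sort_keys=True)

    @classmethod
    def from_json(cls, text: str) -> "KcmStore":
        return cls(json.loads(text))


def decide(verdict: str, allow_override: bool) -> str:
    """Turn a verdict into an action.

    allow_override is a hypothetical preference (the about:config style
    gate suggested in the thread). Only an UNFAMILIAR host is ever put to
    the user through the normal UI; a CHANGED key is blocked unless the
    user has deliberately flipped the preference, because the store holds
    positive evidence that something is different, not merely unknown.
    """
    if verdict == CONTINUITY:
        return CONNECT
    if verdict == UNFAMILIAR:
        return ASK_USER
    if verdict == CHANGED:
        return CONNECT if allow_override else BLOCK
    raise ValueError(f"unknown verdict {verdict!r}")


def demo():
    """Three visits to one host: first sight, same key, then a different key."""
    host = "bank.example"              # constructed host name
    cert_a = b"-- constructed cert A --"  # placeholder for the real DER bytes
    cert_b = b"-- constructed cert B --"  # a different key, e.g. an interceptor's

    store = KcmStore()
    verdicts = []

    v = store.check(host, cert_a)      # never seen: decision falls to the user
    verdicts.append(v)
    if v == UNFAMILIAR:
        store.remember(host, cert_a)   # user validated it; pin it

    store = KcmStore.from_json(store.to_json())  # survives a restart
    verdicts.append(store.check(host, cert_a))   # same key: continuity
    verdicts.append(store.check(host, cert_b))   # new key: changed
    return verdicts


if __name__ == "__main__":
    for v in demo():
        print(v, "->", decide(v, allow_override=False))
```

The point the thread makes about the first visit survives here: at `UNFAMILIAR` the software has nothing to compare against and is exactly as strong as the user's judgement. Where the store earns its keep is the `CHANGED` case, which is the one a user "conditioned" by routine warnings is most likely to click through, so the policy does not offer a click-through there at all.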
Chiming in here
PKI wasn't me
Nelson B Bolyard wrote:
> Ian G wrote, On 2008-10-19 05:09:
>> Ian G wrote:
>>> Nelson B Bolyard wrote:
KCM would not have helped.
>>> I agree, KCM would not have helped. In both cases, the warnings are
>>> delivered, and the user is given the responsibility for the overrides.
>> I was thinki
Nelson B Bolyard:
Eddy Nigg wrote, On 2008-10-18 20:10:
Requiring a change to about:config would facilitate your needs (because
you have the knowledge to do both - change the config and know what it
means), while still protecting the standard user who neither cares about
security nor has any
Eddy Nigg wrote, On 2008-10-18 20:10:
> Requiring a change to about:config would facilitate your needs (because
> you have the knowledge to do both - change the config and know what it
> means), while still protecting the standard user who neither cares about
> security nor has any clue what ce
Ian G wrote, On 2008-10-19 05:09:
> Ian G wrote:
>> Nelson B Bolyard wrote:
>>> KCM would not have helped.
>>
>> I agree, KCM would not have helped. In both cases, the warnings are
>> delivered, and the user is given the responsibility for the overrides.
>
> I was thinking about this, and actuall
Ian G wrote:
> Steffen Schulz wrote:
>> I find it amazing that someone shows this level of ignorance but then
>> manages to file a bugreport... :-)
>
>
> [...] play with compilers, flags, build own browser,
To provide the output shown at the end of
https://bugzilla.mozilla.org/show_bug.cgi?id=46
Nelson B Bolyard wrote:
> Kaspar Brand wrote, On 2008-10-18 00:18:
>> Nelson B Bolyard wrote:
>
>>> Yes. Bad response, ugly errors, no fun.
>> With the default settings in Firefox 3, it isn't that bad... remember
>> that it's the "graceful failure" mode which is selected by default:
>>
>
> Don't
Steffen Schulz wrote:
> On 081018 at 20:30, Nelson B Bolyard wrote:
>> FF3 had utterly failed to convey to her any understanding that she was
>> under attack. The mere fact that the browser provided a way to override
>> the error was enough to convince her that the errors were not serious.
>
> I
Ian G wrote:
> Nelson B Bolyard wrote:
>> KCM would not have helped.
>
>
> I agree, KCM would not have helped. In both cases, the warnings are
> delivered, and the user is given the responsibility for the overrides.
I was thinking about this, and actually, KCM would have helped here.
If you l
David E. Ross wrote:
I visit some Web sites with self-signed certificates. None of those
sites request any input from me. The only reason they have site
certificates is that the site owners want to show off how technically
astute they are. Hah! However, those sites do indeed contain
informat