On 09/14/2011 07:51 PM, Tony Mechelynck wrote:
> On 15/09/11 03:27, Richard Owlett wrote:
>> Provocative enough subject line?
>> Actually I'm *serious* !
>>
>> I personally suspect that all these "security" features are trying to
>> protect users from their own culpable acts.
>>
>> I take responsibility for my own well being by:
>> 1. *DISABLING* {user.js *IS* your friend}
>> JavaScript
>> Cookies
>> 2. *NOT* using an "always live" connection
>> 3. a local *always LIVE* firewall set to _paranoid_
>> 4. my ISP provides some firewall and anti-virus email protection
>>
>> and "other" measures
> 
> Well, even with those measures, security updates are useful. The latest 
> case in point is the DigiNotar certificate authority, which was recently 
> broken into and used without its managers' knowledge to issue several 
> hundreds of bogus certificates for various domains such as google.com, 
> cia.gov, mossad.il, etc. etc. etc.

Well, let's not forget that it also affected Mozilla addons...
<http://www.theregister.co.uk/2011/09/08/mozilla_certificate_authority_audit/>
<quote>
DigiNotar's omissions came as a personal affront to Mozilla, since one
of the domains they imperiled was https://addons.mozilla.org/, home of
tens of thousands of addons that add powerful capabilities to the
default versions of Firefox and Thunderbird.
</quote>

So let's consider the Mozilla auto update policy that is set by default
in all current Mozilla products. Given the policy, and given the serious
nature of the DigiNotar hack, why does Mozilla continue to enable auto
update by default?

SeaMonkey users have offered valid complaints regarding this policy on
this list, yet the policy remains. I just encountered the same issue on
a system with Firefox; I noticed that Firefox was in the process of
downloading an update without my permission. I stopped it. Yes, I
eventually updated the Firefox version, but did so at *my* discretion,
and via a direct download of Firefox from Mozilla. Ditto for a SeaMonkey
version.

Yes, Mozilla users can turn off the auto updates (program and addons),
but have to jump through hoops (IMO) to do so. Reminds me of the opt-out
settings from Google/Yahoo/et al.

What if any addons were compromised during the DigiNotar certificate issue?
...