[cap-talk] SSL protection racket (was: Re: High level dissonance)
John Carlson
john.carlson3 at sbcglobal.net
Mon Feb 25 22:44:49 EST 2008
Best bet: Download the Firefox source, modify it to suit your needs, and provide
it for download to your customers.
Isn't open source wonderful?
John
On Feb 25, 2008, at 10:11 AM, Jonathan S. Shapiro wrote:
> It's a disaster for another reason. Those of us who run multiple domains
> from a single machine run into nasty problems getting the SSL keys
> configured correctly.
>
> The awful truth is that SSL, at best, provides a secure channel. Because
> of various well-known attacks, it does not, in reality, authenticate the
> server side host at all.
>
> So the net result of this change is that instead of telling the user the
> truth and getting out of their way, we instead tell an even bigger lie
> and make Firefox even more of a pain in the ass unless the people
> running servers are willing to significantly multiply their costs.
>
> Why did this make sense again?
>
> shap
>
> On Mon, 2008-02-25 at 17:59 +0000, Stiegler, Marc D wrote:
>>
>>> -----Original Message-----
>>> From: cap-talk-bounces at mail.eros-os.org
>>> [mailto:cap-talk-bounces at mail.eros-os.org] On Behalf Of Jed Donnelley
>>> Sent: Sunday, February 24, 2008 9:22 PM
>>> To: General discussions concerning capability systems.
>>> Subject: [cap-talk] SSL protection racket (was: Re: High level dissonance)
>>>
>>> At 11:16 PM 2/23/2008, Ivan Krstić wrote:
>>>> ...in Firefox 3, the dreaded "there's a SSL certificate problem with
>>>> this website" dialog is no more. Instead, access to the site is denied
>>>> by default, and the user asked to add a manual exception for the site
>>>> if she wishes to override this security decision. This is _exactly_ as
>>>> it should be, and exactly as a number of people, myself included, have
>>>> been saying for years. -- Ivan Krstić
>>
>> Since neither the old way nor the new way gives the user
>> appropriate information so that he can make a sensible decision, it
>> would be even better if there were an option to "always click ok".
>> Since that is what people do anyway, this would be a popular
>> option, and would inform security architects about the real shape
>> of the world for which they should be designing security.
>>
>> Is there an "always click ok" plugin for Firefox? Seems like a
>> winner.
>>
>> --marcs
>>
>> _______________________________________________
>> cap-talk mailing list
>> cap-talk at mail.eros-os.org
>> http://www.eros-os.org/mailman/listinfo/cap-talk