Comment 25 for bug 332176

In , Johnath (johnath) wrote:

The last browser to insist on successful revocation checks in order to activate SSL indicators, iinm, was Opera's experiment a year or two ago. They quickly reverted it because it broke too much of the web.

I am keenly interested in ensuring that users are safe online, but you will reliably find me opposed to introducing new details to users if I think that:

a) they will not understand it, and hence it will tend to undermine their ability to make informed security decisions, or

b) false positives are likely to be frequent, and inevitable, harming the trust they have in our UI and their ability to rely on it when making security decisions

The treatment we gave to expired/self-signed made me uncomfortable because it toed that second point pretty hard, but that's why we defaulted to permanent exceptions - it lets people express their security decisions once and, for most users, never see the error page again.

If we receive revocation information saying that a cert should no longer be trusted, fine, obviously we respond to that. Once we get CRLDP support into the product, our ability to detect those revocations will improve substantially, and as more of the mainstream CAs start supporting OCSP at scale, things will get better again. When that happens, revisiting this makes sense to me although, even then, I suspect my impulse will be to just remove trust indicators, rather than trying to invent a new one that expresses the concept of "We didn't get word that the certificate was revoked, but we also didn't get word that it wasn't revoked."

Right now, though, I don't think that taking such a step will help users be safer. It *would* help the much smaller group of people who understand what revocation checking means, but Firefox's defaults need to be appropriate for a quarter of a billion people. Any constituency which is substantially smaller than that is better served through an add-on. I'd actually really love to see some of the energy and ideas here expressed as an add-on, to see how popular they become, and how the user interface evolves.