Thunderbird bz 579023 still not fixed even though there is an upstream fix available
Richard Zidlicky
rz at linux-m68k.org
Wed Apr 28 11:41:48 UTC 2010
On Tue, Apr 27, 2010 at 04:59:55PM -0500, Bruno Wolff III wrote:
> On Tue, Apr 27, 2010 at 17:55:39 -0400,
> Matt McCutchen <matt at mattmccutchen.net> wrote:
> >
> > Epiphany is a non-starter. In the default configuration, it doesn't
> > validate SSL certificates at all (bug 569577). An unbranded Mozilla
> > browser would be a much better choice.
>
> The way Firefox does it, is more to help companies sell certificates than to
> actually help security.
agreed.
I did recently look into the list of CAs trusted by Firefox, it looks bad. There
are CAs from countries all over the world.
I would say that 99% of users do not need a CA from some mid-eastern or far-eastern
countries. But each and every of these can give a forged certificate for anything that
will be gladly accepted by Firefox.
To me the security model of Firefox appears too permissive. I have seen online banks
which do include page elements, even javascript from 3 parties severs, different domains
and certificates. Yet there is one URL shown and the user is lead to believe everthing
is certified by the same authority.
Richard
More information about the devel
mailing list