On Tue, Apr 27, 2010 at 04:59:55PM -0500, Bruno Wolff III wrote:
On Tue, Apr 27, 2010 at 17:55:39 -0400,
Matt McCutchen <matt(a)mattmccutchen.net> wrote:
>
> Epiphany is a non-starter. In the default configuration, it doesn't
> validate SSL certificates at all (bug 569577). An unbranded Mozilla
> browser would be a much better choice.
The way Firefox does it, is more to help companies sell certificates than to
actually help security.
agreed.
I did recently look into the list of CAs trusted by Firefox, it looks bad. There
are CAs from countries all over the world.
I would say that 99% of users do not need a CA from some mid-eastern or far-eastern
countries. But each and every of these can give a forged certificate for anything that
will be gladly accepted by Firefox.
To me the security model of Firefox appears too permissive. I have seen online banks
which do include page elements, even javascript from 3 parties severs, different domains
and certificates. Yet there is one URL shown and the user is lead to believe everthing
is certified by the same authority.
Richard