Thunderbird bz 579023 still not fixed even though there is an upstream fix available

Richard Zidlicky rz at
Wed Apr 28 11:41:48 UTC 2010

On Tue, Apr 27, 2010 at 04:59:55PM -0500, Bruno Wolff III wrote:
> On Tue, Apr 27, 2010 at 17:55:39 -0400,
>   Matt McCutchen <matt at> wrote:
> > 
> > Epiphany is a non-starter.  In the default configuration, it doesn't
> > validate SSL certificates at all (bug 569577).  An unbranded Mozilla
> > browser would be a much better choice.
> The way Firefox does it, is more to help companies sell certificates than to
> actually help security.


I did recently look into the list of CAs trusted by Firefox, it looks bad. There 
are CAs from countries all over the world.

I would say that 99% of users do not need a CA from some mid-eastern or far-eastern
countries. But each and every of these can give a forged certificate for anything that 
will be gladly accepted by Firefox.

To me the security model of Firefox appears too permissive. I have seen online banks 
which do include page elements, even javascript from 3 parties severs, different domains
and certificates. Yet there is one URL shown and the user is lead to believe everthing
is certified by the same authority.


More information about the devel mailing list