Mailinglist Archive: opensuse-factory (837 mails)

Re: [opensuse-factory] Chromium as the default browser in the next release?
Andrew Joakimsen wrote:
> On Wed, Mar 23, 2011 at 22:45, Robert Kaiser <KaiRo@xxxxxxxx> wrote:
>> Andrew Joakimsen wrote:
>>
>>> With Chromium, Safari, Internet Explorer, etc, if you visit a website
>>> with an "invalid security certificate" the bypass is 1 click.
>>
>> Which is a security problem by itself. No user should be able to override
>> the security certificate unless (s)he knows exactly that this breaks every
>> security assumption and is very probably an attack if it happens on a
>> high-volume site.
>
> No, because all of the browsers that I cited (except Internet
> Explorer) that do SSL warnings the right way make the warning very
> clear it's something out of the ordinary.

That doesn't matter as most people just click through and don't read any text. That's why _any_ way to click through those warnings is a security bug.

(And nobody needs to remind me of the Comodo cert stuff, I read all about it on our internal Mozilla security group mailing list and I personally think the whole SSL system is flawed but we don't have anything better that is widely established in the website space.)

Robert Kaiser