On Tue, Apr 27, 2010 at 04:59:55PM -0500, Bruno Wolff III wrote:
On Tue, Apr 27, 2010 at 17:55:39 -0400, Matt McCutchen matt@mattmccutchen.net wrote:
Epiphany is a non-starter. In the default configuration, it doesn't validate SSL certificates at all (bug 569577). An unbranded Mozilla browser would be a much better choice.
The way Firefox does it, is more to help companies sell certificates than to actually help security.
agreed.
I did recently look into the list of CAs trusted by Firefox, it looks bad. There are CAs from countries all over the world.
I would say that 99% of users do not need a CA from some mid-eastern or far-eastern countries. But each and every of these can give a forged certificate for anything that will be gladly accepted by Firefox.
To me the security model of Firefox appears too permissive. I have seen online banks which do include page elements, even javascript from 3 parties severs, different domains and certificates. Yet there is one URL shown and the user is lead to believe everthing is certified by the same authority.
Richard