Stephen John Smoogen wrote: > On 10 January 2013 14:17, Björn Persson <bjorn@xxxxxxxxxxxxxxxxxxxx> wrote: > > Adam Jackson wrote: > >> On Thu, 2013-01-10 at 17:56 +0100, Till Maas wrote: > >> > But why should anaconda not verify packages if secure boot is disabled? > >> > >> For the same reason Firefox doesn't automatically accept self-signed SSL > >> certs, and the same reason that ssh doesn't automatically accept new > >> host keys: it'd be creating trust from thin air. > > > > If Firefox encounters an SSL certificate that it can't verify, then it > > stops and refuses to load the web page. It won't proceed unless you > > tell it that you have checked the certificate manually and found it to > > be genuine. > > In every test I have seen on what people do.. it is a click through. > People click on it without checking the certificate. That is what > makes it theatre or CYA covering.. What the developer is saying is > that he doesn't want to pursue security theatre himself on this. If > someone else wants to and add in the pop-up etc then go ahead.. but he > isn't going to do that. And since people don't check the certificate anyway it would be better if Firefox would silently switch to plain HTTP when it can't verify the certificate? Not just use the unverified certificate but skip all the cryptography altogether without even telling the user about it? Would that improve anything? Because that's the equivalent of what Anaconda does. Yes the human is usually a weak link, we all know that. It's good to replace a weak link with a stronger one when we can. Sometimes we can't do that, and the best we can do then is to make the rest of the chain strong enough that the human link is the weakest one. Right now the presence of one weak link is being used as an excuse for leaving a gaping hole in another part of the chain. Björn Persson
Attachment:
signature.asc
Description: PGP signature
-- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
