On 19.04.2014 10:44, Stephan von Krawczynski wrote:
On Sat, 19 Apr 2014 10:20:39 +0200 Reindl Harald h.reindl@thelounge.net wrote:
and where does it lead to trigger warnings all over the planet and train people to ignore them? In the case of a mail server that's not a real big problem because the amount of users is limited
on a public website it is insane to present a browser warning as welcome message
if there is a working replacement, widely supported by client software and usable for the ordinary end user - fine - let us adopt it - until that exists you are talking bullshit
well, I have an offer for you: you pay the support calls caused by certificate warnings, you also pay for the harm of other ignored warnings as a result of trained monkeys, you go out and make *every* end user into a tech person who understands certificates and SSL first, and after that we all start to drop CA certificates
deal?
So you like market behaviour
no, but after more than 11 years working in IT as a software developer and sysadmin, building all the admin backends, automation tools and CMS systems on my own while dealing with the end users and their software, I have learned which fights I can't win and that I'd better spend my time working on things that produce a result
Don't you think that the market of client software will react faster if everybody is aware of the currently unsolved problems?
only in a perfect world
in the world I sadly live in, I had to turn SSL3 on again after a complaint from a big customer that one of his customers can't use his shop with MSIE6 and is not willing to enable TLS in the settings, which is one click I did 13 years ago back when I was using Windows; well, now after Heartbleed and the EOL of WinXP I had the arguments to disable it forever -> done
in the world I sadly live in, I recently had a customer using a 10 year old Eudora mail client on MacOSX which doesn't work with SHA256 certificates - the reply to "please update your OS and your mail client, this one is unsupported and highly insecure" was "but I was happy with it until *you* changed something"
My word is: make them aware
mine too, but making people aware and trying to force end users to understand things are different worlds - you can't win the fight against users' ignorance, carelessness and their outdated software
Your word is: save money and give a damn
my word is: save time where it is wasted and use it to improve things in areas where I can win a fight - fighting a lost battle leads nowhere and eats the time to improve other things
I spent hundreds of hours on security in the last few years, looking at the big picture of all sorts of network services and operating systems, to make them work as securely as possible with each other
if I had wasted that time on lost battles I would have gained nothing
Let's stop it here; it is obvious we disagree and I guess people on the list have heard enough to take their own decisions
agreed