Gervase Markham | 3 Mar 2009 00:14

Re: Work-around for Moxie Marlinspike's Blackhat attack

On 28/02/09 00:32, Jonas Sicking wrote:
> It'd be good to have a separate pref, network.IDN.blacklist_chars_extra,
> where users can add additional characters without having to worry about
> not receiving updates to the list we maintain.

If users have to add chars to this list manually, that's Really Bad - 
because most won't. What's easier - getting loads of users to modify 
this pref, or shipping an automatically-installed security update to all 
of them?

Gerv
Jonas Sicking | 5 Mar 2009 22:18

Re: Work-around for Moxie Marlinspike's Blackhat attack

Gervase Markham wrote:
> On 28/02/09 00:32, Jonas Sicking wrote:
>> It'd be good to have a separate pref, network.IDN.blacklist_chars_extra,
>> where users can add additional characters without having to worry about
>> not receiving updates to the list we maintain.
> 
> If users have to add chars to this list manually, that's Really Bad - 
> because most won't.

I agree we shouldn't rely on it. But it's IMHO always good if users can 
be proactive before we roll out patches, or if they want to be more 
restrictive than we dare to be.

> What's easier - getting loads of users to modify 
> this pref, or shipping an automatically-installed security update to all 
> of them?

Is there anything that makes this an either-or situation?

/ Jonas
