
List:       kde-devel
Subject:    Re: SSL in KDE2
From:       Matthias Kalle Dalheimer <kalle () dalheimer ! de>
Date:       2000-09-04 8:32:01

On Mon, 04 Sep 2000, Andreas Pour wrote:
> Martin Jones wrote:
> > On Mon, 04 Sep 2000, George Staikos wrote:
> > > On Mon, 04 Sep 2000, Kurt Granroth wrote:
> > > > George Staikos wrote:
> > > > > ... Right now, SSL is really not much better than useless in
> > > > > KDE2...
> > > >
> > > > [snip]
> > > >
> > > > > ...I think we'd be better off to remove SSL altogether if we don't
> > > > > at least fix some of this by release time....
> > > >
> > > > Well, I am not going to venture an opinion at this time about your
> > > > other points.. but I do have a comment on these.  While our SSL
> > > > support may be iffy, it *does* exist and it works well enough to use
> > > > for me (and I imagine for others).
> > > >
> > > > Right now, I am using Konqueror to do all of my SSL-needed stuff
> > > > (reading hotmail for testing, visiting my banking sites, accessing
> > > > some ISP related stuff, etc).  It works.
> > >
> > >    Not 100% it doesn't.  I suspect it is mostly OpenSSL's fault, but
> > > that is irrelevant.  We chose OpenSSL so we should provide a work
> > > around.
> > >
> > > > So while I do think we need to make it clear about our SSL
> > > > shortcomings, disabling it would be a HUGE mistake.
> > >
> > >    What do we do when people start hitting pages with frames that load
> > > without ssl, while the main page is ssl?  It looks like ssl.  It acts
> > > like ssl.  It's not all ssl though.  What about a site that has an
> > > SSL order form that posts to a non-ssl cgi?  At least with certain
> > > other browsers, we know it is happening and can keep our finger off the
> > > launch key....
> > >
> > >    I can just see the bugtraq threads now....
> >
> > I agree.  You do this stuff properly and completely or not at all.
> > It's just not worth the risk.
>
> Hi,
>
> If I can add some points from the public relations and legal
> perspectives:  having a non-reliable (i.e., not 100% reliable) SSL mode
> would be a huge blunder.  It will devastate mindshare, and it will
> definitely make bad headlines (does the word "Firestone" ring a bell?).
> There should never be a situation where the user is misled into
> believing there is a secure transport when in fact there isn't (does the
> word "Firestone" ring a bell?).  If MS did something like that everyone
> would be all over it, and rightly so.
>
> I can also mention that there is a legal liability issue here.
> Disclaimer of warranties, at least in the US, does not apply in cases of
> gross negligence.  If in fact people know that SSL does not work

Same in the European Union.

Kalle

-- 
Matthias Kalle Dalheimer
President & CEO / Verkställande direktör
Klarälvdalens Datakonsult AB
email: kalle@dalheimer.de, fax: +46-563-540028
 