Comment 4 for bug 332176

marco.pallotta (marco-pallotta) wrote :

The friend I spoke about in my previous comment did some tests with Safari (Mac OSX) with OCSP enabled (it hasn't enable this by default, as I already sayd in this bug description), with the feature through which Safari warns the user either if OCSP server isn't reachable or if the certificate doesn't include OCSP extension or if at least one of the parent certificates hasn't the OCSP extension and the result is that almost in every SSL connection Safari warns the user that the site isn't secure (either because OCSP server isn't reachable or because the certificate hasn't the OCSP extension or because one of the parent certificate hasn't the OCSP extension or it has the extension but the OCSP server isn't reachable).
I think this behaviour is ok because if one of these conditions aren't satisfied the SSL connection is potentially unsafe. The test shows that, in spite of the various advertisements about the fact the SSL connection is today a safe mechanism (let's think about what the world banks say about on-line transactions) the reality is different. The worse thing is, for me, that, with the actual situation about browser security (apart Safari if you enable all of the option I spoke about above) the user has the percept that everything is safe because he knows that he has only to see if the padlock is closed or not.
Now Let's speak about Firefox. The question is: is "commercially" "opportune" to include these options (but Firefox doesn't include all this features) by default (let's think about a typical user that cannot establish almost any SSL connection)? They should be just because SSL connection also include, from the others, money transactions (so I think all of we can agree that they have to be safe) but to be realistic I think we could start to include these feature in Firefox as optional (as Safari does) and warn the user (it could be at his first SSL connection) that he can increase firefox security enabling all the option features in the Firefox OCSP section.