I’ve updated to the latest Firefox (6.02) a few days ago. I found I couldn’t distrust DigiNotar as reported by some of my caring forummers.

Also, I tend to conclude that you (and Mozilla) is not trying to protect your users, rather, you’re trying to protect governments and politicians who seldom browse the internet anyway. Those politicians in turn will deplete your customer base, because either they’ll be jailing or torturing us (i.e. no internet access), or better still, we’ll be shot dead. (btw, i’m NOT an iranian, but understand how it feels like if I were put in the same situation)

I repeat. I’ve updated to Firefox 6.02 a few days ago. But today, I’ve just downloaded Google Chrome. And it’s the first time ever I’ll be using Chrome. And I’ll probably be sticking with Chrome until they start making screwed up decisions as to support governments instead of its users (hopefully not!).

I’ve updated to the latest Firefox (6.02) a few days ago. I found I couldn’t distrust DigiNotar as reported by some of my caring forummers.

Also, I tend to conclude that you (and Mozilla) is not trying to protect your users, rather, you’re trying to protect governments and politicians who seldom browse the internet anyway. Those politicians in turn will deplete your customer base, because either they’ll be jailing or torturing us (i.e. no internet access), or better still, we’ll be shot dead. (btw, i’m NOT an iranian, but understand how it feels like if I were put in the same situation)

I repeat. I’ve updated to Firefox 6.02 a few days ago. But today, I’ve just downloaded Google Chrome. And it’s the first time ever I’ll be using Chrome. And I’ll probably be sticking with Chrome until they start making screwed up decisions as to support governments instead of its users (hopefully not!).

I am using Firefox 6.0.2 and have “The USERTRUST Network” certificates listed under the “Others” tab om my MacBook Air and the same is listed under the “Servers” tab on my Mac Desktop.

Diginotar and Diginotar B.V. are listed under the “Authorities” tab on both.

Could Mozilla please clarify exactly what the updates were supposed to do and verify that this is indeed what is happening upon upgrade.

i am referring to the “server exceptions” in “FF/tools/options/advanced/view certificates/servers”..

I think it’s a very good pro-active security
decision. It’s unfortunate for DigiNotar,
but in my view is justified by the risks that
would follow from doing nothing.

I’m not understanding the connection between this CA root certificate being revoked and Iranians being jailed, tortured, or even killed. Could somebody please explain this?

Have you not been paying attention? The Iranian government is presently (and has been for a few decades) violently suppressing any dissent amongst its citizens. By the means listed above.

Being able to do MitM attacks allows the Iranian government to intercept what people THINK are secure communications and use them to root out dissenters more easily.

> The Dutch government, the owner of the Staat der Nederlanden roots, asked that we
> not revoke their certs.

So you decided to trust some politicians? Never heard that politicians sometimes not exactly tell the truth? You have a compromised registrar, you have root certs from that registrar, and yet you trust a few politicians if they telly you “don’t worry, everything is fine”? Stupid.

Which interests do you represent? The interests of the worldwide users of firefox, their lives sometimes being in danger, or the interests of some who-gives-a-toss government?

This is not a question of being fair, this is a question of being firm.

Cut out the cancer to make sure it doesn’t do any damage any more. Stop working in the interests of governments and CAs. Start, just once, start working in the interests of your users.

DigiNotar did give us a list of the fraudulent certificates that they caught and revoked, including several variants on an addons.mozilla.org certificate. Neither we nor they know which ones they did NOT catch (only that there are some out there). They can’t revoke certs they don’t know about; the only remaining way to invalidate those certificates is to invalidate the root.