Discussion on: The Meltdown of the Web.

Giacomo Tesio • Edited

Very interesting.

Let me clarify: I think it is ridiculous (for software engineering as a whole) that we need marketing or propaganda to get a bug like Heartbleed fixed. And it's even more ridiculous because it doesn't work, or... maybe... did you get a repaired processor for free?

If you didn't, you are right and I sincerely apologize to all professional clowns for comparing them to the state of our field! They are artists! They make us laugh... on purpose!

I didn't mention JS-blocking extensions (e.g. NoScript) to avoid asking you to read the bug report more carefully. Since you insist... please read the bug report more carefully. AFAIK they wouldn't prevent these attacks, unless you totally disable JavaScript everywhere. Remember, the JavaScript can be "customized" after gaining your trust! Also, installing such extensions assumes you already understand the risks (which so far browser vendors have not admitted), while most people do not understand them. As programmers, it's up to us to build secure software, like it's up to civil engineers to build safe bridges.

The same goes for HTTPS: anyone can buy a certificate, these attacks leave no evidence, and they can target a single specific person among thousands of users of a web site.

Now... are you going to pretend that my sarcasm here can justify the silence of Mozilla?

And honestly, I still can't see how this affects people who aren't attacked by actors with massive resources [...]

If you can't think of cheap attacks, please trust me: there's no need for massive resources.

All you need is to attract the victim on a website you control.

But even if you were right about this (and you are not), you should also consider another important aspect of this vulnerability: if you were an actual criminal you could use the mere existence of these undetectable attacks to gain plausible deniability.

Even if these attacks were "only" putting users' privacy at risk (and they are not), this is something no legal system can allow.

Comment deleted
Giacomo Tesio

Caught! :-D

Now that you called me "arrogant", you could consider going back to the bug reports I wrote and to the related Lobste.rs thread and counting how many dismissive, condescending and insulting responses I got. Try to count how many times it has been said that I was trolling, how many times it has been said that I was absurd or bizarre.

Compare them with my responses.

Have I ever called someone a troll? Absurd? Bizarre?

Even in my responses to Frederik Braun, who first began with "Okay, I'll bite." and later explained to me what "Turing complete" means, I just kept asking a single question: are Firefox users vulnerable to such attacks?

That's because all I care about are the people that can be damaged by these attacks.

I find it disturbing that a programmer like me doesn't have the balls to answer such an important question that affects millions of people.

Thus, sorry for my previous comment. Really.

It was intentionally abrasive just to make you understand a little how I feel.