At least it sounds like this vulnerability has an easily-deployable fix. One of the reasons Mozilla folks have opposed standardizing particular libraries as part of the Web platform is the risk that a security vulnerability might not be fixable without breaking compatibility.
That's a fallacious argument. Watch Google. They push hard at standardizing protocols, while not giving a second thought to breaking compatibility for security reasons.
Standardization shouldn't stand in the way of security, unless you have a prominent culture of "design by committee". There's NEVER a good reason to compromise security.
Replying to @espie_openbsd
Other than leading to the end state of all browsers using a single library, the standardization has little to do with it. The problem isn't about the standards process, it's about the compatibility constraints when websites can assume all browsers behave exactly the same.

Dec 15, 2018 · 5:40 PM UTC

Replying to @davidbaron
Well, it's more like having IE5 all over again, is it? I still do not follow your reasoning, if any.