New Tobin Paradigm wrote: as a user, have the freedom to use something else in this case
Using something else is not user freedom provided by the software being dumbed down. User freedom is about how to use something, not simply the possibility of using something or not using something. User freedom is when you can disable ESP in your car to drift around - which is of course dangerous if you don't know what you're doing. What you're talking about is the possibility of buying another car that has no ESP. Which is nonsense.
New Tobin Paradigm wrote: A user to bypass and disable them and leave them disabled forever because the USER does not bother to learn why they shouldn't disable a security feature.
Originally we were talking about a preference that can only be turned on via about:config. There is at least one warning message that tells the user that it's not recommended to tinker with those options. If a user doesn't know what the OCSP warning means, he will have to find out. Then he will learn about why it's there during the process of finding the right solution to make it disabled in about:config. You should not optimize a software product for dumb, ignorant users by even removing the fallback options for advanced users. By the way, the developer should consider implementing an option into the already existing security exception framework by enabling old OCSP responses for individual hosts only.
New Tobin Paradigm wrote: THEN they run into problems of their own doing and blame us
First, Pale Moon comes with no warranty and it's accepted by the end-user upon installation. Second, you warn the user at least twice. First time when he goes to a site with outdated SSL configured. Second when he goes to about:config.
Your argument is like that of a modern corporate cybersecurity maniac saying: "we should remove the download feature for EXE files because they can contain viruses and malware, and in the end they would blame us for letting them get those files onto their computers". Complete idealist nonsense.
If we can add an exception for expired certificates, we should also be able to add exceptions for old OCSP responses on a per-site basis.
The developer should implement an option in the already existing security exception framework by putting a checkbox there which can enable old OCSP responses for individual hosts only. Then the problem of lamers leaving the global option allow_unsafe_ocsp_response on will be sorted out.