TGOS wrote:
On 25 Nov 2002 16:12:49 GMT [EMAIL PROTECTED] (Thomas Dodd) wrote in
netscape.public.mozilla.security:
Build a debug version of mozilla,Building Mozilla at all, no matter what version, is Mission Impossible
for me.
Why is that? I though it would build with cygwin + gcc.
They just haven't gotten it done yet. And I imagine what they would write is not at the level you want.If you really want to help, once you figure it out, write up a 1That's what the developer should have done before even using the lib.
or 2 page doc about the flow for other to use.
Welcom to OSS :)
Thats your opinion. I had no truble getting it running, the installer worked fine, and the performance was good. So you don't need to BUY and Xserver. And I use it for non free apps. Expensive CAD tools running on Solaris, displayed to PCs. While the comercial Xservers are a litle faster, and easier to configure, XFree86 is fine.systems. I run commercial X servers in M$, andThe free version of Windows is horrible slow on a 1 GHz CPU, horrible to
XFree86/cygwin is a fairly workable combination.
install, horrible to configure, instable and pretty much useless for non
computer cracks. And why should I anyone have to pay to buy a XServer
just to run a XServer app that he can get for free?
The XServer is a very slow graphics system (as you can see by variousThat's only for remote display. For local machines it fine. Try getting Win95, 98, ME, or MacOS to run an app on one machine and do IO on another. Work has been done to reduce the demands, especially for modem connections, and is working well, and getting better.
new additions to XFree86 to circumvent the standard XServer data flow),
that has high needs to the network stack of a system and very high
hardware demands (memory for example). If I want to run the app on aX11 has pretty low hardware requirements. I've used it on i486's with 32MB. I've also used it on 680x0 system running HP-UX and Solaris, with 8bit color (and 1bit) graphics. It's the newer toolkits like QT, GTK+ and GNOME, and apps like nautilus and mozilla, that are the resource hogs.
server only system that only has terminal access, you are out of luck ifYou don't need a server, just the libs. The tell the app to display on another machine, one that does have an Xserver. If you have someplace to write data files, you can add the Xlibs.
it requires XServer and you can't install an XServer to this computer
(because it can't handle it or because you have no permission to do so).
The only graphical system that you can use safely is Java AWT, as JavaAWT has plenty of problems too. #1 is performance. Java is slow on every system I've used, with every JVM I've used.
is supported (with AWT) by some platforms that will never support
XServer and it's really platform indepedent, however, it limits you to
platforms with JVM and it limits you to using Java as language.
You can alway store your passwords unencrypted. It's your choice. You have lot's of choices, but don't appear to be willing to accept the trade offs associated with them. You also don't appear to be interested in help make things better either.More to the subject, the mozilla developers, never intended the NSS code to be used on non mozilla systems.Then they should never have used NSS right from the start to encrypt the
web passwords. If they use it to have SSL support or to sign E-mails,
okay, these are internal functionality where it doesn't make much sense
to give external apps access to anything.
E.g. I have an USB key device that comes with a software that allows youThat's up to the people that write the software for it. Depending on how you access the device, it might be done by a programmer that has one.
to move IE user data to the USB key and back again (at the same computer
or a different one). How much do you want to bet that this device will
never support the same functionality with Mozilla?
Do you think any picture format has any chance to survive if the formatI disagree with that. If the code for a library exits, I'd prefer to use it. If it doesn't work, it's probably a better starting point that starting from the ground up. The best I can tell the files do store the user and password data. You just need to access it correctly.
is not documented and if you ask for a doc, you are told "Why not use
our lib that has been ported to different platforms?". Well, there are
thousand reasons why not to use it. And like a picture file stores an
image, a password file should store passwords, but that's not what it
does in case of Mozilla. It's neither self-existing, nor is it easy to
access without using the NSS lib.
That's what you got. Using a standard interface for security modules. Read the specs for PCKS#11 to figure out how to use it.I know, that's why the web passwords MUST be in Mozilla's database soI thought it makes sense to store WEB passwords into a WEB BROWSER,And mozilla does that.
after all that's the client that will need the passwords later on and
that's the client that can pre-fill the passwords for me (something
the functionality works, but Mozilla does not allow my app to write any
such password there on its own. That means if I write a password
managers and users have all their passwords there, but would like to
have Mozilla pre-fill these... the user if fucked!
Do you think that PKCS #(5. 7, 11, and 12) support is
a bad thing?
No, but there is a difference between having support for something or using it where it it's not necessary. There's nothing wrong with giving Mozilla a general interface, so people can plug-in their own security extensions, smartcard or USB encryption device hardware, whatever.
E.g. Mozilla could have just offered an interface with functions like:
initMasterPassword(password);
storeWebPassword(url, name, value);
value = loadWebPassword(url, name);
They uses existing, industry standards instead of a new one.
And how these are then implemented in the library below can vary. But
the default implementation should be as simple as possible and as well
documentation as possible. And for me, the simplest way is to store all
key pairs in XML format (Mozilla stores EVERYTHING ELSE in XML as well,
history, cache information, skin data, overlay extensions, etc. so why
not the passwords???) and encrypting it with the master password (that's
secure enough unless the user chooses a poor master password, but that
would then be his own fault).
Have you looked at the unencrypted password files?
Itr works for the sites I've wanted to use. What online services are you trying to use that require login but don't use SSL?That not mozilla's fault. It warns you *BEFORE* it send data over an insecure connection, unless you tell it not to.Which will not help me at all, because if I refuse to send it, I won't
be able to log in at all to the service!
Personaly, I don't.Then you can't use 90% of all online services.
I've seen a few that don't offer plain text, or <128bit encryption, but none that offer no encryption.
-Thomas
