Re: [gentoo-user] Is this a bug in firefox-36.0?
On Wednesday 18 Mar 2015 03:53:57 Fernando Rodriguez wrote:
> On Tuesday, March 17, 2015 4:49:54 PM walt wrote:
> > I get a certificate verification error when visiting https://www.att.com using firefox-36.0, but not when using chrome-41.0.2272.76. Anyone else see the same with firefox-36?
> >
> > BTW, I tried the latest firefox in a Win7 virtual machine and I was shocked to see that firefox was updating itself when I was logged in as an unprivileged user (i.e. *not* an Administrator). Are the idiots at M$ *really* that stupid? They've learned nothing, apparently, since Win 95 :(
> >
> > BTW, the Win7 firefox also flagged an error when visiting the web site I mentioned above, but the error was displayed so subtly that I would have missed it if I hadn't been looking for it specifically. Very bad behavior.
>
> Technically the issue is with att's SSL certificate. It may be that they got a cheap certificate (meaning it provides encryption but the CA did not verify that ATT is a legit company) or it may be an issue with the certificate.
>
> It doesn't give any warning for me, it just shows an exclamation next to the address and the latest chromium does the same (it shows a triangle) and it gives you more info:
>
> The identity of this website has been verified by Verizon Akamai SureSever CA G14-SHA1 but does not have public audit records.
>
> If you're concerned about it contact ATT and let them know.

I also don't see a (pop-up) warning on Firefox 31.5.0 and Chromium 41.0.2272.76, but both browsers complain about two things by means of exclamation marks in their address bar:

1. Some components on the page (pictures) are not secure. It is common practice to load pictures from a picture library on a different server to where the main web page content is served, but they should secure all content with the same keys to avoid confusion.

2. The lack of Audit records for the wildcard certificate the site is using. This is a new security check and relates to certificate transparency, which aims to protect us from rogue or compromised CAs:

http://www.certificate-transparency.org/what-is-ct

--
Regards,
Mick
Re: [gentoo-user] Is this a bug in firefox-36.0?
On Tuesday, March 17, 2015 4:49:54 PM walt wrote:
> I get a certificate verification error when visiting https://www.att.com using firefox-36.0, but not when using chrome-41.0.2272.76. Anyone else see the same with firefox-36?
>
> BTW, I tried the latest firefox in a Win7 virtual machine and I was shocked to see that firefox was updating itself when I was logged in as an unprivileged user (i.e. *not* an Administrator). Are the idiots at M$ *really* that stupid? They've learned nothing, apparently, since Win 95 :(
>
> BTW, the Win7 firefox also flagged an error when visiting the web site I mentioned above, but the error was displayed so subtly that I would have missed it if I hadn't been looking for it specifically. Very bad behavior.

Technically the issue is with att's SSL certificate. It may be that they got a cheap certificate (meaning it provides encryption but the CA did not verify that ATT is a legit company) or it may be an issue with the certificate.

It doesn't give any warning for me, it just shows an exclamation next to the address and the latest chromium does the same (it shows a triangle) and it gives you more info:

The identity of this website has been verified by Verizon Akamai SureSever CA G14-SHA1 but does not have public audit records.

If you're concerned about it contact ATT and let them know.

--
Fernando Rodriguez
Re: [gentoo-user] Is this a bug in firefox-36.0?
On Tuesday, March 17, 2015 4:49:54 PM walt wrote:
> BTW, I tried the latest firefox in a Win7 virtual machine and I was shocked to see that firefox was updating itself when I was logged in as an unprivileged user (i.e. *not* an Administrator). Are the idiots at M$ *really* that stupid? They've learned nothing, apparently, since Win 95 :(

At the risk of being flamed, the security model of NT operating systems is actually far superior to that of Linux with all the disaster kits. The problem is that Windows users don't want to be bothered with security settings. When they set the default to ask for password on Vista they were flooded with negative feedback. MS being a commercial company would indeed be stupid not to give them what they want.

As a user you could use an unprivileged account and use runas just like sudo on Linux but that's too much for Windows users so they took it a step further, even if you got admin rights it will ask for permission (optionally password) before doing anything privileged, still users blindly click OK on those dialogs (like you did with firefox).

If firefox follows MS guidelines it won't let an unprivileged user (unless a user with admin rights explicitly sets an option allowing it, probably during install) update it, even if technically it can, because you allowed it to install.

--
Fernando Rodriguez
Re: [gentoo-user] Is this a bug in firefox-36.0?
On 03/17/2015 07:49 PM, walt wrote:
> I get a certificate verification error when visiting https://www.att.com using firefox-36.0, but not when using chrome-41.0.2272.76. Anyone else see the same with firefox-36?
>
> BTW, I tried the latest firefox in a Win7 virtual machine and I was shocked to see that firefox was updating itself when I was logged in as an unprivileged user (i.e. *not* an Administrator). Are the idiots at M$ *really* that stupid? They've learned nothing, apparently, since Win 95 :(
>
> BTW, the Win7 firefox also flagged an error when visiting the web site I mentioned above, but the error was displayed so subtly that I would have missed it if I hadn't been looking for it specifically. Very bad behavior.

I don't know if the test includes logging in on the page. As I don't have login information, I was only able to access the site: everything normal here.

Best Regards
Re: [gentoo-user] Is this a bug in firefox-36.0?
On 03/17/2015 04:49 PM, walt wrote:
> I get a certificate verification error when visiting https://www.att.com using firefox-36.0, but not when using chrome-41.0.2272.76. Anyone else see the same with firefox-36?

I haven't tried, honestly. But I have had problems with Firefox not including some intermediary certificates before. That breaks the whole chain of trust.

> BTW, I tried the latest firefox in a Win7 virtual machine and I was shocked to see that firefox was updating itself when I was logged in as an unprivileged user (i.e. *not* an Administrator). Are the idiots at M$ *really* that stupid? They've learned nothing, apparently, since Win 95 :(

Remove the 'Mozilla Maintenance Service' from Programs Features (or whatever it's called) and it won't auto update. Mozilla installs a privileged service that auto updates its software.

Dan
[gentoo-user] Is this a bug in firefox-36.0?
I get a certificate verification error when visiting https://www.att.com using firefox-36.0, but not when using chrome-41.0.2272.76. Anyone else see the same with firefox-36?

BTW, I tried the latest firefox in a Win7 virtual machine and I was shocked to see that firefox was updating itself when I was logged in as an unprivileged user (i.e. *not* an Administrator). Are the idiots at M$ *really* that stupid? They've learned nothing, apparently, since Win 95 :(

BTW, the Win7 firefox also flagged an error when visiting the web site I mentioned above, but the error was displayed so subtly that I would have missed it if I hadn't been looking for it specifically. Very bad behavior.