[ADMIN] This list is now closed!
If all goes according to plan, this should be the last post you receive on the mailing list version of this group. All subscribers to the mailing list should shortly receive a subscription notice for [EMAIL PROTECTED] If you are reading this via the netscape.public.mozilla.security newsgroup, this newsgroup is now considered officially abandoned. We have moved to mozilla.dev.security, which is available via the news.mozilla.org news server. -- Dave Miller System Administrator, Mozilla Corporation http://www.mozilla.com/ ___ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
[ADMIN] mozilla-security is moving!
It should be no secret these days that the Mozilla Foundation and its related projects are no longer a pet project of Netscape, yet the newsgroups we are using for public discussions still bear the Netscape name. We've been planning for years to move from netscape.public.mozilla.* to just mozilla.*, and the time has finally come!

In August, we announced a partnership with Giganews Newsgroups (http://www.giganews.com/) to provide NNTP services for our news.mozilla.org domain. It's taken a few months of planning to make it happen, but we're now in the process of moving all of those newsgroups over to the new hierarchy.

For general information and frequently asked questions about the move to the new news and list servers, see http://www.mozilla.org/community/giganews-migration.html

This group will be moving to a new newsgroup and new mailing list:

Old newsgroup: netscape.public.mozilla.security
New newsgroup: mozilla.dev.security
Old mailing list: mozilla-security@mozilla.org
New mailing list: [EMAIL PROTECTED]

When is it moving?

This group will be moving in the afternoon (PST) on Sunday, January 22.

What do you need to do to maintain your subscriptions?

If you read this newsgroup via NNTP, you will need to change your subscriptions manually after today to point at mozilla.dev.security. Please note that at this time, these newsgroups will NOT be propagated to Usenet in general, so you must be using news.mozilla.org to access them (see the FAQ link near the top of this message).

If you read this list via the email list, your subscription will automatically be moved for you to the new mailing list. You may need to adjust your mail filters if you filter your list mail.

If you have any questions that aren't answered here, and aren't answered in the above FAQ, please ask in the mozilla.dev.mozilla-org newsgroup or on the [EMAIL PROTECTED] mailing list (https://lists.mozilla.org/listinfo/dev-mozilla-org)

-- 
Dave Miller
System Administrator, Mozilla Corporation
http://www.mozilla.com/
How to add extra property to window object
Hi all, I'm trying to write a Firefox extension that adds an extra property to the window object that Web pages' scripts have access to. As you know, currently, scripts in Web pages can access such objects as window window.document window.navigator window.netscape ... I'd like to add my own property onto this window object that all Web pages' scripts can access window.foo I will provide the implementation of foo as necessary. I'm hoping that someone here can tell me how to do this. I've tried a number of methods (such as overloading the browser XBL binding), but I don't see how to do this cleanly from within an extension. (The major issue is probably security, hence, my posting here.) Many thanks in advance! David
Re: 401 user authentication window does not indicate protocol in 1.5
It was actually the windows machine that I was using at work. I will try to update the information when I get a chance. Nelson B wrote: Jack wrote: When I got the popup window due to 401 in 1.0.x, it used to indicate whether it was http versus https. 1.5 does not seem to indicate this as 1.0.x did. Is this intentional? This is a problem because one can't tell whether redirection occurred or not and so one can't be sure that one is sending the user name and password over a secure channel. Is there a setting to enable display of the protocol (http v. https) as well? I posted https://bugzilla.mozilla.org/show_bug.cgi?id=320851 about this. If true, this seems like a significant security regression to me. I gather the problem was being reported against linux, and reported it against the linux version. If some other version is involved, please correct that bug report.
security fixes in thunderbird 1.5 RC2
I was reading about thunderbird 1.5 RC2 at: http://www.mozilla.org/products/thunderbird/releases/1.5.html It says Many security enhancements. How does one find out the specifics? I do not want everybody to upgrade needlessly when it is working fine as that is a waste of time and money. I do not see any critical issues with thunderbird 1.0.7 at: http://www.mozilla.org/projects/security/known-vulnerabilities.html I do realize that enhancements does not equate to security bug fixes. Anyway, just wondering how one gets more details.
Re: 401 user authentication window does not indicate protocol in 1.5
Jack wrote: When I got the popup window due to 401 in 1.0.x, it used to indicate whether it was http versus https. 1.5 does not seem to indicate this as 1.0.x did. Is this intentional? This is a problem because one can't tell whether redirection occurred or not and so one can't be sure that one is sending the user name and password over a secure channel. Is there a setting to enable display of the protocol (http v. https) as well? I posted https://bugzilla.mozilla.org/show_bug.cgi?id=320851 about this. If true, this seems like a significant security regression to me. I gather the problem was being reported against linux, and reported it against the linux version. If some other version is involved, please correct that bug report. -- Nelson B
Re: Security bug policy
* Heikki Toivonen: Florian Weimer wrote: where can I find an updated security bug policy? It seems that it's been decided that crash bugs are not worth releasing advisories for, but I couldn't find any confirmation. The policy hasn't changed AFAIK, and it's still here: http://www.mozilla.org/projects/security/security-bugs-policy.html The policy does not really define what a security bug is. Definitions tend to vary, especially with respect to crash-only bugs. Unexploitable crashers (like null pointer access) have never been categorized as security issues in the Mozilla client products. Okay, thanks.
Re: 401 user authentication window does not indicate protocol in 1.5
This is a problem because one can't tell whether redirection occurred or not and so one can't be sure that one is sending the user name and password over a secure channel. Is there a setting to enable display of the protocol (http v. https) as well? Jack wrote: Include general news group as well. Jack wrote: When I got the popup window due to 401 in 1.0.x, it used to indicate whether it was http versus https. 1.5 does not seem to indicate this as 1.0.x did. Is this intentional?
Security bug policy
Hi, where can I find an updated security bug policy? It seems that it's been decided that crash bugs are not worth releasing advisories for, but I couldn't find any confirmation. Florian
Re: 401 user authentication window does not indicate protocol in 1.5
Include general news group as well. Jack wrote: When I got the popup window due to 401 in 1.0.x, it used to indicate whether it was http versus https. 1.5 does not seem to indicate this as 1.0.x did. Is this intentional?
Re: Fist time using newsgroup
FACE wrote: On Sat, 25 Dec 2004 16:59:39 -0300, Alejandro Fuentes [EMAIL PROTECTED] in netscape.public.mozilla.browser wrote: _at@ wrote: Remline wrote: http://www.newzbot.com/ Dobi Yonkoff wrote: Can anyone help me find other news servers? I'm a beginner with newsgroups. Thanks! I also just started newsgroups. It seems there aren't that many free news servers. Your ISP's website may give you info on using one of your ISP's news servers though. My isp doesn't have nntp server , my isp is Fibertel , i'm from Argentina and i can't find a good server ,,, G... what a pity :D The best free server I know of -- text only newsgroups -- is News.Individual.net in Berlin. Google will cough up the exact site for signup. FACE Their accounts are no longer free (as of April '05)
Re: Fist time using newsgroup
Once upon a time *Elric* wrote: FACE wrote: On Sat, 25 Dec 2004 16:59:39 -0300, Alejandro Fuentes [EMAIL PROTECTED] in netscape.public.mozilla.browser wrote: _at@ wrote: Remline wrote: http://www.newzbot.com/ Dobi Yonkoff wrote: Can anyone help me find other news servers? I'm a beginner with newsgroups. Thanks! I also just started newsgroups. It seems there aren't that many free news servers. Your ISP's website may give you info on using one of your ISP's news servers though. My isp doesn't have nntp server , my isp is Fibertel , i'm from Argentina and i can't find a good server ,,, G... what a pity :D The best free server I know of -- text only newsgroups -- is News.Individual.net in Berlin. Google will cough up the exact site for signup. FACE Their accounts are no longer free (as of April '05) No, not free any more, but less than a US dollar a month is a fair price since they are still good. :) -- /Arne * How to quote: http://www.netmeister.org/news/learn2quote.html#toc2 * From Google: http://www.safalra.com/special/googlegroupsreply/
Cleaning worm from Netscape 7.2 mail folders
My virus program keeps detecting the following infections, but does not clean them. I hate to delete my mail folders and lose several years of saved messages, so is there a way to clean the infections without deleting the folder? If not, is there a way to export the messages into another directory so that I can keep them? I've tried going through the messages, deleting those that contain attachments, but either I'm missing the infected messages, or the infection lies in the directory, not within a particular message. Any help would be greatly appreciated. By the way, the virus software company has NOT answered my e-mail requests for help with this problem. Number of archives containing infected files: 3 Number of infections: 3 Number of infected files not cleaned/deleted/renamed: 3 C:\Documents and Settings\Greg\Application Data\Mozilla\Profiles \Greg\196gq4tp.slt\Mail\pop-server\inboxmidgets.zlq (Win32.Hybris.B worm) C:\Documents and Settings\Greg\Application Data\Mozilla\Profiles \Greg\c8t8k095.slt\Mail\pop-server\inboxmidgets.zlq (Win32.Hybris.B worm) C:\Documents and Settings\Greg Rice.GREG\Application Data\Mozilla \Profiles\Greg\196gq4tp.slt\Mail\pop-server\inboxmidgets.zlq (Win32.Hybris.B worm) eTrust EZ Antivirus Version 6.2.1.1 Started scanning: 11:11:32 PM, 11/13/2005 Dat file v9507z
Re: Disabling Internet Keywords on Firefox
* Jack: That just sends terms typed in the browser to your URL specified by config property keyword.URL. It has some sort of logic to see whether or not it is a host name. If it is not a hostname (or URL form), then it makes the query to keyword.URL. I do not understand how this would violate a user's privacy. On X11 systems, pressing the middle mouse button in a Window has three functions in Firefox: On a hyperlink, the hyperlink is opened in a new window/tab. On an input control, the X selection (= clipboard) is pasted into the control. On some unused space of the window, the X selection is entered into the location bar. It's easy to trigger the third action accidentally when you click on the wrong part of the window.
Re: Disabling Internet Keywords on Firefox
I was a little slow there. You just want a way for the third action to be disabled. I find it annoying more than anything because I use browsers on many different systems and I sometimes get surprised by this action. Yes, you are correct that it can violate a user's privacy if one has highlighted private text and accidentally hits the middle mouse button on an unused portion of the window. I just found and tested that if middlemouse.contentLoadURL is set to false, then nothing happens. Florian Weimer wrote: On X11 systems, pressing the middle mouse button in a Window has three functions in Firefox: On a hyperlink, the hyperlink is opened in a new window/tab. On an input control, the X selection (= clipboard) is pasted into the control. On some unused space of the window, the X selection is entered into the location bar. It's easy to trigger the third action accidentally when you click on the wrong part of the window.
Re: Disabling Internet Keywords on Firefox
Remove the keyword field (or leave it blank) for all your bookmarks. Florian Weimer wrote: Is there an easy way to disable Internet Keywords on Firefox 1.0.x? I'm asking here because this feature might violate user privacy, especially if you don't trust Google.
Re: Disabling Internet Keywords on Firefox
* Jack: Remove the keyword field (or leave it blank) for all your bookmarks. I haven't set any keywords on bookmarks. But I recalled the term Internet Keywords only when writing my question. Going back to the browser configuration, I see that there is a keyword.enabled property, which defaults to true. Setting it to false seems to disable Internet Keywords.
Re: Disabling Internet Keywords on Firefox
That just sends terms typed in the browser to your URL specified by config property keyword.URL. It has some sort of logic to see whether or not it is a host name. If it is not a hostname (or URL form), then it makes the query to keyword.URL. I do not understand how this would violate a user's privacy. Florian Weimer wrote: * Jack: Remove the keyword field (or leave it blank) for all your bookmarks. I haven't set any keywords on bookmarks. But I recalled the term Internet Keywords only when writing my question. Going back to the browser configuration, I see that there is a keyword.enabled property, which defaults to true. Setting it to false seems to disable Internet Keywords.
Deletes the selected item from the platform procedures.
Deletes the selected item from the platform procedures.
cannot load libpipnss.so on Digital UNIX 4.0F
Dear all, I have built mozilla 1.7.12 on Digital UNIX 4.0F. Running mozilla from the local build directory fails to load libpipnss.so. However, when I use make DESTDIR=/tmp install, package the tree, install it as root, run regxpcom and regchrome as root, but then run mozilla as normal user, loading libpipnss.so *does* work. Can anyone shed some light on this behaviour? Is this a file/direcory permission problem of some kind or do I need to run some additional utility in the build directory? Thankx in advance for your help Urs -- -bash-2.05b$ pwd /home/urs/ports/mozilla/builds/osf1_V40_debug/dist/bin -bash-2.05b$ registering libpipnss.so as user urs fails -bash-2.05b$ LD_LIBRARY_PATH=`pwd`:`pwd`/.. ./regxpcom Type Manifest File: /var/tmp/home/urs/ports/mozilla/builds/osf1_V40_debug/dist/bin/components/xpti.dat +++ JavaScript debugging hooks installed. nsNativeComponentLoader: autoregistering begins. nsNativeComponentLoader: SelfRegisterDll(libpipnss.so) Load FAILED with error: dlopen: cannot load /var/tmp/home/urs/ports/mozilla/builds/osf1_V40_debug/dist/bin/components/libpipnss.so nsNativeComponentLoader: autoregistering succeeded nNCL: registering deferred (0) +++ JavaScript debugging hooks removed. nsStringStats = mAllocCount: 1351 = mReallocCount: 960 = mFreeCount: 1351 = mShareCount: 1690 = mAdoptCount: 202 = mAdoptFreeCount: 202 -bash-2.05b$ ... doing this as root works. However bash-2.05b# LD_LIBRARY_PATH=`pwd`:`pwd`/.. ./regxpcom Type Manifest File: /usr/users/urs/ports/mozilla/builds/osf1_V40_debug/dist/bin/components/xpti.dat +++ JavaScript debugging hooks installed. nsNativeComponentLoader: autoregistering begins. *** Registering NSS components (all right -- a generic module!) nsNativeComponentLoader: autoregistering succeeded nNCL: registering deferred (0) +++ JavaScript debugging hooks removed. nsStringStats = mAllocCount: 3213 = mReallocCount: 961 = mFreeCount: 3213 = mShareCount: 3593 = mAdoptCount: 236 = mAdoptFreeCount: 236 bash-2.05b# ... 
running mozilla under user urs still cannot load libpipnss.so -bash-2.05b$ ./mozilla Gtk-WARNING **: Unable to locate loadable module in module_path: libxfce.so, Gtk-WARNING **: Unable to locate loadable module in module_path: libxfce.so, Gtk-WARNING **: Unable to locate loadable module in module_path: libxfce.so, Gtk-WARNING **: Unable to locate loadable module in module_path: libxfce.so, Gtk-WARNING **: Unable to locate loadable module in module_path: libxfce.so, Gtk-WARNING **: Unable to locate loadable module in module_path: libxfce.so, Gtk-WARNING **: Unable to locate loadable module in module_path: libxfce.so, Gtk-WARNING **: Unable to locate loadable module in module_path: libxfce.so, Type Manifest File: /var/tmp/home/urs/ports/mozilla/builds/osf1_V40_debug/dist/b in/components/xpti.dat +++ JavaScript debugging hooks installed. nsNativeComponentLoader: autoregistering begins. nsNativeComponentLoader: autoregistering succeeded nNCL: registering deferred (0) GFX: dpi=118 t2p=0.083 p2t=12 depth=24 ++WEBSHELL == 1 ++DOMWINDOW == 1 LoadPlugin() /var/tmp/home/urs/ports/mozilla/builds/osf1_V40_debug/modules/plugi n/samples/default/unix/libnullplugin.so returned 1402f0d70 GetMIMEDescription() returned *:.*:All types ++WEBSHELL == 2 ++DOMWINDOW == 2 Note: styleverifytree is disabled Note: frameverifytree is disabled WARNING: freetype not compiled in, file nsFT2FontNode.cpp, line 52 Note: verifyreflow is disabled ++WEBSHELL == 3 ++DOMWINDOW == 3 Error loading URL http://www.mozilla.org/start/ : 804b0002 nsNativeComponentLoader: GetFactory(libpipnss.so) Load FAILED with error: dlopen : cannot load /var/tmp/home/urs/ports/mozilla/builds/osf1_V40_debug/dist/bin/com ponents/libpipnss.so nsNativeComponentLoader: GetFactory(libpipnss.so) Load FAILED with error: dlopen : cannot load /var/tmp/home/urs/ports/mozilla/builds/osf1_V40_debug/dist/bin/com ponents/libpipnss.so WARNING: no registered socket provider, file ../../../../../netwerk/base/src/nsS ocketTransport2.cpp, line 
752 we don't handle eBorderStyle_close yet... please fix me ++WEBSHELL == 4 ++DOMWINDOW == 4 frame: DocElementBox(dialog)(-1) (140f44178) style: 140f44098 {} Has parent context: style: 140f43c58 :-moz-canvas {} Should be null WARNING: nsTimeoutImpl::Release() proceeding without context., file ../../../../ ../dom/src/base/nsGlobalWindow.cpp, line 5593 --WEBSHELL == 3 Error loading URL https://sourceforge.org/ : 804b0033 --DOMWINDOW == 3 GetPrimaryFrameFor() called while nsFrameManager is being destroyed! nsPluginHostImpl::Observe quit-application WARNING: requested removal of nonexistent window , file ../../../../../../embedding/components/windowwatcher/src/nsWindowWatcher.cpp, line 967 GetPrimaryFrameFor() called while nsFrameManager is being destroyed! --WEBSHELL == 2 --WEBSHELL == 1 --WEBSHELL == 0 nsNativeComponentLoader: GetFactory(libpipnss.so) Load
permissionmanager.add() fails
I don't know where to put this, but this call: permissionManager.add(URI, document, permission); no longer works. Is this a bug or a feature (I sure hope not)? Thank you, Michael
Interesting fishing attempt that fails with Mozilla mail
I just received an obvious fishing message that was directing me to https://signin.ebay.com. It looked really interesting, fishing using an https site rings a bell, but this was the real ebay login site (I had a doubt at first, was that the comeback of some i18n trick ?), so I really wondered what happened. Until I saw the source of the message : htmlpfont face=ArialA HREF=https://signin.ebay.com/ws/eBayISAPI.dll?SignInsid=verifyco_partnerId=2siteid=0;map name=mlhcsfarea coords=0, 0, 646, 569 shape=rect href=http://61.145.119.80/bbs/templates/.../;/mapimg SRC=cid:part1.02030507.09050505@support_id_6906286@ebay.com border=0 usemap=#mlhcsf/A/a/font/ppfont color=#F8my name is Solar Eclipse Freeware in 1981 how much /font/p/html Mozilla mail goes to the URL in the A tag, but there must be some other software that goes to the url in the area tag, and maybe while displaying the A url. Or is that a trick to get through anti-fishing software ?
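The structure reported in the message above (an image map nested inside an anchor, with the two pointing at different hosts) can be flagged by a mail filter. The following is an added example, not part of the original post; the class and function names are hypothetical and both sample messages are constructed, using reserved example hosts.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkMapAudit(HTMLParser):
    """Collect <a href>, <map>/<area href> and <img usemap> relationships."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.open_anchors = []   # href (or None) of each <a> currently open
        self.current_map = None  # name of the <map> being parsed, if any
        self.map_areas = {}      # map name -> list of <area href> values
        self.mapped_images = []  # (enclosing anchor href, map name)

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "a":
            self.open_anchors.append(attr.get("href"))
        elif tag == "map":
            self.current_map = (attr.get("name") or "").lower()
            self.map_areas.setdefault(self.current_map, [])
        elif tag == "area" and attr.get("href") and self.current_map is not None:
            self.map_areas[self.current_map].append(attr["href"])
        elif tag == "img" and attr.get("usemap"):
            # Only images that sit inside a linked anchor are of interest here.
            if self.open_anchors and self.open_anchors[-1]:
                name = attr["usemap"].lstrip("#").lower()
                self.mapped_images.append((self.open_anchors[-1], name))

    def handle_endtag(self, tag):
        if tag == "a" and self.open_anchors:   # tolerate stray closing tags
            self.open_anchors.pop()
        elif tag == "map":
            self.current_map = None


def host_of(url):
    """Lower-cased host of a URL, or '' if it has none or does not parse."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_message(html_source):
    """Return one finding per <area> whose host differs from the enclosing <a>."""
    parser = LinkMapAudit()
    parser.feed(html_source)
    parser.close()
    findings = []
    for anchor_href, map_name in parser.mapped_images:
        anchor_host = host_of(anchor_href)
        for area_href in parser.map_areas.get(map_name, []):
            area_host = host_of(area_href)
            if area_host and area_host != anchor_host:
                findings.append({
                    "anchor_host": anchor_host,
                    "area_host": area_host,
                    "area_href": area_href,
                    "ip_literal": is_ip_literal(area_host),
                })
    return findings


# Constructed samples (hosts are reserved example names / TEST-NET addresses).
SAMPLE_MISMATCH = (
    '<html><p><A HREF="https://signin.shop.example/login?sid=verify">'
    '<map name="m1"><area coords="0, 0, 646, 569" shape="rect" '
    'href="http://192.0.2.80/bbs/collect/"></map>'
    '<img SRC="cid:part1@shop.example" border="0" usemap="#m1"></A></a></p></html>'
)
SAMPLE_BENIGN = (
    '<p><a href="https://news.shop.example/"><map name="nav">'
    '<area shape="rect" coords="0,0,10,10" href="https://news.shop.example/offers">'
    '</map><img src="cid:banner@shop.example" usemap="#nav"></a></p>'
)

if __name__ == "__main__":
    for finding in audit_message(SAMPLE_MISMATCH):
        print(finding)
```
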
Solution for FF vulns
Hire a few hackers, in order to determine the person's skills just set up a server and let everyone go at it. Seems logical...of course the question remains, can you trust them?
Re: Tips on server-side URL sanitizing?
Thanks for the info! Frank -- Frank Hecker [EMAIL PROTECTED]
Re: Tips on server-side URL sanitizing?
Frank Hecker wrote: First, I won't be allowing HTML tags in submitted comments. My plan was to simply use the Perl CGI::EscapeHTML function (Blosxom is written in Perl) to convert '', '', double quote, and 0x8b and 0x9b to the corresponding HTML character entities prior to the submitted comment being saved and displayed. Is this sufficient, or should I be escaping other characters as well? That is sufficient. Second, and more important (because I'm still unclear on this): I'll be accepting URLs submitted with comments (as part of a email/URL text field), and I obviously need to do something with them to avoid XSS problems. The question is, what? I've gotten the impression that url encoding characters like '' that might appear in submitted URLs is not a total solution, and that retaining characters like '' in the URL, even in encoded form, could be a problem. In encoded form, they should be safe. In fact, assuming that your HTML delimits the href= with double quotes, you can simply escape double quotes to %XX and that _should_ be sufficient. Gerv
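The two steps discussed in this thread, escaping comment text and making a submitted URL safe inside a double-quoted href, are shown here as an added example that is not code from the thread or from Blosxom. It is written in Python rather than Perl, the function names are hypothetical, and the http/https scheme allowlist is an assumption added on top of the percent-encoding the reply describes.

```python
import html
from urllib.parse import quote, urlsplit

# Assumption: comment links only ever need to point at web pages.
ALLOWED_SCHEMES = {"http", "https"}

# Characters left as-is by percent-encoding: URL delimiters plus '%' so that
# escapes already present in the submitted URL survive. Double quote, single
# quote, '<', '>', space and backslash are NOT listed, so they become %XX.
URL_SAFE = ":/?#[]@!$&()*+,;=%~-._"


def escape_comment(text):
    """Escape comment text for display as HTML element content."""
    escaped = html.escape(text, quote=True)   # &, <, >, " and '
    # The 0x8b / 0x9b code points mentioned in the thread, replaced with
    # numeric references for the single angle quotation marks.
    return escaped.replace("\x8b", "&#8249;").replace("\x9b", "&#8250;")


def sanitize_url(raw):
    """Return a value safe inside href="..." or None if the URL is rejected."""
    candidate = raw.strip()
    # Control characters (tab, CR, LF, NUL ...) can hide a scheme such as
    # "java<TAB>script:" from a naive check, so refuse them outright.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in candidate):
        return None
    try:
        parts = urlsplit(candidate)
    except ValueError:          # e.g. malformed IPv6 literal
        return None
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    encoded = quote(candidate, safe=URL_SAFE)
    # '&' is legal in a URL but must still be written as &amp; in an attribute.
    return html.escape(encoded, quote=True)


def render_link(raw_url, label):
    """Build the commenter's name link, falling back to plain escaped text."""
    safe_label = escape_comment(label)
    safe_url = sanitize_url(raw_url)
    if safe_url is None:
        return safe_label
    return '<a href="%s" rel="nofollow">%s</a>' % (safe_url, safe_label)


if __name__ == "__main__":
    # Constructed inputs.
    for url in ('http://example.org/a"onmouseover="x',
                "javascript:alert(1)",
                "http://example.org/?a=1&b=2"):
        print(repr(url), "->", sanitize_url(url))
```
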
Re: I see a lot of Hits on Port 80 TCP what are they ?
!:?) wrote: Hello, I have Netscape for my ISP and they use AOL Servers. (They are owned by AOL) Using Netscape 7.2 Browser Email Client, Netscape ISP Dial-up. I switched ISP's several Months ago. I see a large number of Hits on Port 80, some are Web Sites, most are users and never Seen so many hits on that Port before. Most of the IP's are AOL IP Blocks but not all. Rule Default Block HTTP Port 80 TCP blocked (compaq,http). Details: Inbound TCP connection Local address,service is (compaq,http) Remote address,service is (172.134.0.64,3837) Process name is N/A They hit no matter if I have a Browser\Email Client up or not. I have been seeing this for several Months now. The Firewall stops them and I'm not Worried about them but wondered what they all were. Kevin They want to know if you are running a server they can exploit.
OpenSSL certs on Mozilla
I see mozilla browsers allow import of PKCS12 certs (I'm using mozilla on linux). There's a lot of documentation on creating certs for apache, but I'm looking for the command for creating a cert for mozilla that the web site owner can sign and then use for access to the private web page. I imagine the command starts something like openssl pkcs12, but I'm not finding the rest of the command syntax. Can anyone tell me how to use openssl to create a self-signed cert for my mozilla browser to import (and to also be signed by the web site's own CA)?
I see a lot of Hits on Port 80 TCP what are they ?
Hello, I have Netscape for my ISP and they use AOL Servers. (They are owned by AOL) Using Netscape 7.2 Browser Email Client, Netscape ISP Dial-up. I switched ISP's several Months ago. I see a large number of Hits on Port 80, some are Web Sites, most are users and never Seen so many hits on that Port before. Most of the IP's are AOL IP Blocks but not all. Rule Default Block HTTP Port 80 TCP blocked (compaq,http). Details: Inbound TCP connection Local address,service is (compaq,http) Remote address,service is (172.134.0.64,3837) Process name is N/A They hit no matter if I have a Browser\Email Client up or not. I have been seeing this for several Months now. The Firewall stops them and I'm not Worried about them but wondered what they all were. Kevin
Re: Multitab vs. unique session id
Using CTRL-N creates a new window with the same session-id, indeed. So my question takes on another course (knowing that all browsers have this kind of behaviour): If a user asks for his personals on tab A and tab B in FF (for example), deletes his data on tab B and then tries to edit it on tab A, then I have a situation that I don't want. How can I act? thanks Jean-Marc Desperrier [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] RML wrote: Yes, IE gives me 2 session id's. That's what I expected to get on a multi-tab browser too. Are you *sure* of that? If you click twice on the blue e, you'll get two instances of the application, and then two different session ids. But if you get a new window of the same instance with CTRL-N, connecting from that window should get you the same ID. Just tested that and that worries me even more... Got the same session-id too. Which means that an administrator uses the same session id as a regular user does. Doesn't sound too good. If you start FF as a different user on XP, you'll get separate instance and separate ids. If you talk about identifying differently on your site, you will not be able to do that with cookie based identification.
Re: Multitab vs. unique session id
Ok, this suggests a solution in the application and not in the environment it runs in. Is that really how it works? I would like to think this problem is best dealt with on the level where you can control it all in one procedure like in the webserver/webclient. But if this is how it works... Justin Wood (Callek) [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] RML wrote: Using CTRL-N creates a new window with the same session-id, indeed. So my question takes on another course (knowing that all browsers have this kind of behaviour): If a user asks for his personals on tab A and tab B in FF (for example), deletes his data on tab B and then tries to edit it on tab A, then I have a situation that I don't want. How can I act? Depending on what exactly your application does, one of the following two possibilities may work. 1) Your personal data has been deleted, by you in a different browser context. 2) Same as 1 with the added bonus, It is possible, however to <link>restore</link> your personal data based on the edits you attempted to make if you'd like. Note, I'm a poor UI designer, but the theory is sound. ~Justin Wood (Callek)
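The two application-level responses suggested in the reply quoted above, worked through for the tab A / tab B case. This is an added example, not code from the thread: a minimal in-memory Python model in which both tabs present the same session ID and the server decides per request against current state. The class, the version counter and the sample account are assumptions.

```python
import secrets

GONE_MESSAGE = ("Your personal data has been deleted, by you in a "
                "different browser context.")


class ProfileApp:
    """Toy server: one session ID per browser, shared by every tab."""

    def __init__(self):
        self.sessions = {}   # session id -> account name
        self.profiles = {}   # account name -> {"version": int, "data": dict}

    def login(self, account, data):
        sid = secrets.token_hex(16)
        self.sessions[sid] = account
        self.profiles[account] = {"version": 1, "data": dict(data)}
        return sid

    def open_edit_form(self, sid):
        """What a tab receives when it loads the edit page."""
        profile = self.profiles.get(self.sessions[sid])
        if profile is None:
            return {"status": "gone", "message": GONE_MESSAGE}
        return {"status": "ok", "version": profile["version"],
                "data": dict(profile["data"])}

    def delete_profile(self, sid):
        self.profiles.pop(self.sessions[sid], None)
        return {"status": "deleted"}

    def save_profile(self, sid, form_version, edits):
        """Authorize from the session's account, then check the form is current."""
        account = self.sessions.get(sid)
        if account is None:
            return {"status": "denied"}
        profile = self.profiles.get(account)
        if profile is None:
            # Possibility 1 (tell the user) plus 2 (offer a restore).
            return {"status": "gone", "message": GONE_MESSAGE,
                    "can_restore": True, "pending": dict(edits)}
        if profile["version"] != form_version:
            # Another tab saved first; the form in this tab is out of date.
            return {"status": "stale", "current_version": profile["version"]}
        profile["data"].update(edits)
        profile["version"] += 1
        return {"status": "ok", "version": profile["version"]}

    def restore_profile(self, sid, pending):
        """Possibility 2: recreate the record from the edits that were attempted."""
        account = self.sessions[sid]
        if account in self.profiles:
            return {"status": "exists"}
        self.profiles[account] = {"version": 1, "data": dict(pending)}
        return {"status": "restored", "version": 1}


def two_tab_scenario():
    """Tab A and tab B open the form; B deletes; A then tries to save."""
    app = ProfileApp()
    sid = app.login("rml", {"email": "old@example.org"})  # constructed data
    tab_a = app.open_edit_form(sid)
    app.open_edit_form(sid)            # tab B loads the same form
    app.delete_profile(sid)            # action taken in tab B
    save = app.save_profile(sid, tab_a["version"], {"email": "new@example.org"})
    restored = app.restore_profile(sid, save["pending"])
    return save, restored, app.open_edit_form(sid)


if __name__ == "__main__":
    for step in two_tab_scenario():
        print(step)
```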
Re: Multitab vs. unique session id
RML wrote: Yes, IE gives me 2 session id's. That's what I expected to get on a multi-tab browser too. Are you *sure* of that? If you click twice on the blue e, you'll get two instances of the application, and then two different session ids. But if you get a new window of the same instance with CTRL-N, connecting from that window should get you the same ID. Just tested that and that worries me even more... Got the same session-id too. Which means that an administrator uses the same session id as a regular user does. Doesn't sound too good. If you start FF as a different user on XP, you'll get separate instance and separate ids. If you talk about identifying differently on your site, you will not be able to do that with cookie based identification.
Re: Multitab vs. unique session id
Planet Internet Nieuws wrote: I'm currently writing a .NET application and I run into a problem using multi-tab browsers (like FireFox). I'm using the unique ASP.NET session-id to keep track of security issues with a logged-in user. The session id is one-on-one with his/her security account. However, when using 2 tabs in FireFox, one session-id is used by both tabs. It undermines my procedures. How can I deal with this problem? How do I make each tab-session unique? Store a session cookie with that session id and check if that cookie is stored ;) Michael
Re: Multitab vs. unique session id
Next question: differs a cookie with individual tab in FireFox? Michael Vincent van Rantwijk [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Store a session cookie with that session id and check if that cookie is stored ;) Michael
Re: Multitab vs. unique session id
Planet Internet Nieuws wrote: I'm currently writing a .NET application and I run into a problem using multi-tab browsers (like FireFox). I'm using the unique ASP.NET session-id to keep track of security issues with a logged-in user. The session id is one-on-one with his/her security account. However, when using 2 tabs in FireFox, one session-id is used by both tabs. It undermines my procedures. How can I deal with this problem? How do I make each tab-session unique? It's the same browser, so it uses the same cookies (which presumably matches up to the ASP.NET session ID). Why do you care which tab the user is in? Perhaps they wanted to see your website in two tabs at the same time... --BDS
Re: Multitab vs. unique session id
Well, the problem is that I've divided my users into different groups. And those groups have various levels of authorities. The problem that occurs is that, not knowing which browser-tab is using my application, I can't be sure what permissions to give to the application-user should users use the same browser (on different tabs). RML Benjamin D. Smedberg [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Planet Internet Nieuws wrote: I'm currently writing a .NET application and I run into a problem using multi-tab browsers (like FireFox). I'm using the unique ASP.NET session-id to keep track of security issues with a logged-in user. The session id is one-on-one with his/her security account. However, when using 2 tabs in FireFox, one session-id is used by both tabs. It undermines my procedures. How can I deal with this problem? How do I make each tab-session unique? It's the same browser, so it uses the same cookies (which presumably matches up to the ASP.NET session ID). Why do you care which tab the user is in? Perhaps they wanted to see your website in two tabs at the same time... --BDS
Re: Multitab vs. unique session id
RML wrote: Well, the problem is that I've divided my users into different groups. And those groups have various levels of authorities. The problem that occurs is that, not knowing which browser-tab is using my application, I can't be sure what permissions to give to the application-user should users use the same browser (on different tabs). It's a multi-tab browser, only one user is using it at a time. --BDS
Re: Multitab vs. unique session id
Yes, IE gives me 2 session id's. That's what I expected to get on a multi-tab browser too. Michael Vincent van Rantwijk [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] RML wrote: Next question: differs a cookie with individual tab in FireFox? No, because two tabs are just like two windows and their documents share cookies for the same domain. Now the question is, what happens when you open two windows in MSIE i.e. do you get two session id's? Michael Vincent van Rantwijk [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Store a session cookie with that session id and check if that cookie is stored ;) Michael
Re: Multitab vs. unique session id
That'll get me somewhere. Thanks. Michael Vincent van Rantwijk [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] RML wrote: Well, the problem is that I've divided my users into different groups. And those groups have various levels of authorities. The problem that occurs is that, not knowing which browser-tab is using my application, I can't be sure what permissions to give to the application-user should users use the same browser (on different tabs). You mean like two different users in one and the same browser? Well, first of all, there are plenty of web applications, like for example web mail and Internet banking, that enable you to open two, or more, tabs or windows. However, you can either limit the number of connections or check for a user/session ID by adding/using a user/session specific global var or a property on one of the available objects, like for example the window or document. RML Benjamin D. Smedberg [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Planet Internet Nieuws wrote: I'm currently writing a .NET application and I run into a problem using multi-tab browsers (like FireFox). I'm using the unique ASP.NET session-id to keep track of security issues with a logged-in user. The session id is one-on-one with his/her security account. However, when using 2 tabs in FireFox, one session-id is used by both tabs. It undermines my procedures. How can I deal with this problem? How do I make each tab-session unique? It's the same browser, so it uses the same cookies (which presumably matches up to the ASP.NET session ID). Why do you care which tab the user is in? Perhaps they wanted to see your website in two tabs at the same time... --BDS
Re: Multitab vs. unique session id
RML wrote: Yes, IE gives me 2 session id's. That's what I expected to get on a multi-tab browser too. Hm, and what happens when you open two windows, not tabs, in Mozilla Firefox? Michael Vincent van Rantwijk [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] RML wrote: Next question: differs a cookie with individual tab in FireFox? No, because two tabs are just like two windows and their documents share cookies for the same domain. Now the question is, what happens when you open two windows in MSIE i.e. do you get two session id's? Michael Vincent van Rantwijk [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Store a session cookie with that session id and check if that cookie is stored ;) Michael
Re: Multitab vs. unique session id
Just tested that and that worries me even more... Got the same session-id too. Which means that an administrator uses the same session id as a regular user does. Doesn't sound too good. Michael Vincent van Rantwijk [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] RML wrote: Yes, IE gives me 2 session id's. That's what I expected to get on a multi-tab browser too. Hm, and what happens when you open two windows, not tabs, in Mozilla Firefox? Michael Vincent van Rantwijk [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] RML wrote: Next question: differs a cookie with individual tab in FireFox? No, because two tabs are just like two windows and their documents share cookies for the same domain. Now the question is, what happens when you open two windows in MSIE i.e. do you get two session id's? Michael Vincent van Rantwijk [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Store a session cookie with that session id and check if that cookie is stored ;) Michael
Re: Firefox password manager doesn't work with Yahoo. remembered as username
Matt Nordhoff wrote: On 08/11/05 10:00, Bob Chauvin ( Paix dehors ) wrote: Yahoo! sets the form so the password manager will ignore it. There's a Remember Password bookmarklet that should make the password manager work, but I don't have the link to it. Shouldn't it be up to the user whether he wants to save the password for a website or not? It would be very useful if Firefox and Mozilla had a configuration option that would ignore the specification in the form if set. -- Ulrich
Re: Firefox password manager doesn't work with Yahoo. remembered as username
On 08/12/05 15:29, Ulrich Boche wrote: Matt Nordhoff wrote: On 08/11/05 10:00, Bob Chauvin ( Paix dehors ) wrote: Yahoo! sets the form so the password manager will ignore it. There's a Remember Password bookmarklet that should make the password manager work, but I don't have the link to it. Shouldn't it be up to the user whether he wants to save the password for a website or not? It would be very useful if Firefox and Mozilla had a configuration option that would ignore the specification in the form if set. The Allow Password Remembering Greasemonkey script [1] should be able to stop it. [1]URL:http://blog.monstuff.com/archives/images/AllowPasswordRemembering.user.js -- Replace the point in my email address with a period to reply. ;-)
Re: Firefox password manager doesn't work with Yahoo. remembered as username
Ulrich Boche wrote: Matt Nordhoff wrote: On 08/11/05 10:00, Bob Chauvin ( Paix dehors ) wrote: Yahoo! sets the form so the password manager will ignore it. There's a Remember Password bookmarklet that should make the password manager work, but I don't have the link to it. Shouldn't it be up to the user whether he wants to save the password for a website or not? It would be very useful if Firefox and Mozilla had a configuration option that would ignore the specification in the form if set. -- Ulrich At least Mozilla 1.7.x/SeaMonkey has 'wallet.crypto.autocompleteoverride' but I don't know if that works in Mozilla Firefox.
Re: Security warnings and obedience to authority
Duane [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Nelson B wrote: Two buttons: rip me off, protect me from the rip off would undoubtedly change user responses. I doubt it, their ISP/tech support etc would tell them to ignore it as an over reaction... Rather than trying to explain the finer details of what exactly is occurring, this isn't a black and white situation and that's why it's failing to cope with it. That is exactly why I wanted to use multiple sensor input: visual AND auditive. simple buttons don't work, nor do % as it requires users to think and most people just don't think. period. Fabrizio
Re: Security warnings and obedience to authority
On Thu, 11 Aug 2005, Fabrizio Marana wrote: Duane [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Nelson B wrote: Two buttons: rip me off, protect me from the rip off would undoubtedly change user responses. I doubt it, their ISP/tech support etc would tell them to ignore it as an over reaction... Rather than trying to explain the finer details of what exactly is occurring, this isn't a black and white situation and that's why it's failing to cope with it. That is exactly why I wanted to use multiple sensor input: visual AND auditive. simple buttons don't work, nor do % as it requires users to think and most people just don't think. period. But the issue is never that simple. If the software knows with 100% certainty that the user is going to a ripoff site, it could just prevent the navigation. The only reason the software has to ask is that it doesn't know for sure. -- ?!ng
Re: Firefox password manager doesn't work with Yahoo. remembered as username
On 08/11/05 10:00, Bob Chauvin ( Paix dehors ) wrote: Can anyone verify that the Firefox pw manager d/n work with Yahoo? Specifically, I use the https site to log-in, but Firefox doesn't prompt. Older versions of FF would prompt AFTER I had typed my username/password and clicked the submit button. Yahoo! sets the form so the password manager will ignore it. There's a Remember Password bookmarklet that should make the password manager work, but I don't have the link to it. -- Replace the point in my email address with a period to reply. ;-)
TrustBar 0.4 beta 9.3.1, with Hey! Training Mode - please help test usability
I've just placed a new version of TrustBar including Hey! component for testing usability and training users, please save to disk and then open via FireFox, from: http://www.cs.biu.ac.il/~herzbea//TrustBar/Latest%20TB.xpi The Hey! component is designed to support testing for other bars so I'll be happy to cooperate in testing with other bars. It is quite easy. I will really appreciate if you test it - yourselves, of course, but also if you try to find one non-expert e-banking user and have him try it for two weeks... This is a new, exciting (I think) way to test secure usability - by real usage!! Comments welcome... Thanks and best regards, Amir Herzberg Dept. of Computer Science, Bar Ilan University http://AmirHerzberg.com
Re: Making file control text editor readonly
Justin Wood (Callek) wrote: p.s. Why is no-one honoring the Followup-To of n.p.m.security? Actually, you're the only one who's set any follow-up of the posts I have, and I've not seen any replies to any of your messages. I'm not even going to see *this* reply, so don't get too stuck-up about follow-ups. -- James Ross [EMAIL PROTECTED] ChatZilla Developer
Re: Making file control text editor readonly
On 08/07/05 23:43, Mats Palmgren wrote: roc wrote: Why can't you open the file browser and paste the URL in there? The native file picker which we use in trunk GTK2 builds does not have a text field. The general UI design of that thing is just a disaster. It's also painfully slow on directories with many files, I often see delays for 10-20 seconds before it even appears on screen! It's so crappy we should stop using it IMO. /Mats Yes, the other one that used to be used is much nicer. (Followup-to set to netscape.public.mozilla.ui. Why did this thread have to be posted to four groups with no followup-to? -- Replace the point in my email address with a period to reply. ;-)
Re: Making file control text editor readonly
That's an argument for fixing bug 111821, not an argument against making the textbox read-only.
Re: Making file control text editor readonly
Why can't you open the file browser and paste the URL in there? Rob
Re: Making file control text editor readonly
roc wrote: That's an argument for fixing bug 111821, not an argument against making the textbox read-only. Or at least an argument for fixing bug 111821 before making the textbox read-only. -- Warning: May contain traces of nuts.
Re: Making file control text editor readonly
roc wrote: Why can't you open the file browser and paste the URL in there? Because it needs two clicks and several mouse movements more? Robert Kaiser
Re: Making file control text editor readonly
Robert Kaiser wrote: roc wrote: Why can't you open the file browser and paste the URL in there? Because it needs two clicks and several mouse movements more? Robert Kaiser Not to mention if for accessibility reasons you use the mouse for copy/paste. (a simple right-click in the text-box + paste, vs click to open the file-picker, (wait if slow system for directory enumeration), right click in THAT text-box and paste, then click to close the file-picker with the new value... Just seems like WAAAY too much work. ~Justin Wood (Callek) p.s. Why is no-one honoring the Followup-To of n.p.m.security?
Re: Making file control text editor readonly
roc wrote: Why can't you open the file browser and paste the URL in there? The native file picker which we use in trunk GTK2 builds does not have a text field. The general UI design of that thing is just a disaster. It's also painfully slow on directories with many files, I often see delays for 10-20 seconds before it even appears on screen! It's so crappy we should stop using it IMO. /Mats
Re: Making file control text editor readonly
[EMAIL PROTECTED] wrote: In https://bugzilla.mozilla.org/show_bug.cgi?id=258875 I propose making the text control in a file input be readonly. This will prevent various kinds of spoofing attacks, but it may affect usability. Any objections/counterproposals? I like jruderman's idea from bug 57770 much better. He proposes to show a warning dialog before uploading any files that have been selected via the text control. see here https://bugzilla.mozilla.org/attachment.cgi?id=17860 or here https://bugzilla.mozilla.org/show_bug.cgi?id=57770#c31
Re: Making file control text editor readonly
[EMAIL PROTECTED] wrote: In https://bugzilla.mozilla.org/show_bug.cgi?id=258875 I propose making the text control in a file input be readonly. This will prevent various kinds of spoofing attacks, but it may affect usability. Any objections/counterproposals? Actually, I also like being able to do what heikki wrote in a different reply... I guess the security concern is automatically entering a file name in the box with a script - what about inventing something that manual editing by the user is possible but automated changes via a script aren't, if that's possible at all? Requiring something with chrome privs (file dialog, eventually routing keyboard input and mouse/keyboard pasting through something setting those) to change the content of the field? It's sometimes quite practical to copy the path from somewhere (other app or other file control) and just paste it into the file control, eventually changing a letter or number there manually afterwards... If we just can make sure the user did the action himself and not had some page-bound script doing it, then we should be fine, I think... Robert Kaiser
Re: Making file control text editor readonly
Robert Kaiser wrote: [EMAIL PROTECTED] wrote: In https://bugzilla.mozilla.org/show_bug.cgi?id=258875 I propose making the text control in a file input be readonly. This will prevent various kinds of spoofing attacks, but it may affect usability. Any objections/counterproposals? Actually, I also like being able to do what heikki wrote in a different reply... I guess the security concern is automatically entering a file name in the box with a script - what about inventing something that manual editing by the user is possible but automated changes via a script aren't, if that's possible at all? Requiring something with chrome privs (file dialog, eventually routing keyboard input and mouse/keyboard pasting through something setting those) to change the content of the field? Actually, it isn't. Currently web pages *can't* change the value of a file upload control without the UniversalFileRead privilege. It's sometimes quite practical to copy the path from somewhere (other app or other file control) and just paste it into the file control, eventually changing a letter or number there manually afterwards... If we just can make sure the user did the action himself and not had some page-bound script doing it, then we should be fine, I think... See https://bugzilla.mozilla.org/attachment.cgi?id=17860 from bug 57770 (https://bugzilla.mozilla.org/show_bug.cgi?id=57770). The problem is that the *user* did all the interaction with the form, and still managed to attempt an upload of a system file (whether the code should be able to *read* the value is another question, but I suspect there is some long and silly history about allowing that). -- James Ross [EMAIL PROTECTED] ChatZilla Developer
Re: Making file control text editor readonly
James Ross wrote: whether the code should be able to *read* the value is another question, but I suspect there is some long and silly history about allowing that Maybe make it so that the page can only read the value if it was chosen via the filepicker? -- Warning: May contain traces of nuts.
Re: Making file control text editor readonly
Robert Kaiser wrote: See https://bugzilla.mozilla.org/attachment.cgi?id=17860 from bug 57770 (https://bugzilla.mozilla.org/show_bug.cgi?id=57770). The problem is that the *user* did all the interaction with the form, and still managed to attempt an upload of a system file (whether the code should be able to *read* the value is another question, but I suspect there is some long and silly history about allowing that). The real problem I see there is that the doc can trigger a submit before I even unfocus the file control. That should never be possible IMO, as I should be able to realize what I've typed in before I send it to a server. Robert Kaiser A solution to that would be to set a flag (preventing automatic submission) of a form when a file control is being edited. This may get complicated by a user leaving focus on the file control and trying to submit, but I am sure something can be worked out from that. ~Justin Wood (Callek)
Re: Making file control text editor readonly
Neil wrote: James Ross wrote: whether the code should be able to *read* the value is another question, but I suspect there is some long and silly history about allowing that Maybe make it so that the page can only read the value if it was chosen via the filepicker? Why, if I know the correct path to a file I want to upload, I will NOT expect it to create an error for me if I try to type in the path to the file in the text-box. Invoking an enumerator for any directory on my system is much more costly (processor/HD use) than simply entering in a known path. ~Justin Wood (Callek)
Re: Making file control text editor readonly
See https://bugzilla.mozilla.org/attachment.cgi?id=17860 from bug 57770 (https://bugzilla.mozilla.org/show_bug.cgi?id=57770). The problem is that the *user* did all the interaction with the form, and still managed to attempt an upload of a system file (whether the code should be able to *read* the value is another question, but I suspect there is some long and silly history about allowing that). The real problem I see there is that the doc can trigger a submit before I even unfocus the file control. That should never be possible IMO, as I should be able to realize what I've typed in before I send it to a server. Robert Kaiser
Re: Making file control text editor readonly
[EMAIL PROTECTED] wrote: In https://bugzilla.mozilla.org/show_bug.cgi?id=258875 I propose making the text control in a file input be readonly. This will prevent various kinds of spoofing attacks, but it may affect usability. Any objections/counterproposals? Please don't - or make it an option to restore the old behavior if you do. Some web interfaces where you can upload photos (Shutterfly or some other service I've used) will present you a bunch of file input controls. The way I use these (and I imagine many others do as well) is by first using the browse button for the first one, then copy and paste for the others and change the file name (typically just one character in digital images I've taken). Hmm... maybe even make it so that it is read-only by default, but if you notice someone trying to edit the value, pop up a dialog and ask if they would like to enable editing them for this page. -- Heikki Toivonen
Making file control text editor readonly
In https://bugzilla.mozilla.org/show_bug.cgi?id=258875 I propose making the text control in a file input be readonly. This will prevent various kinds of spoofing attacks, but it may affect usability. Any objections/counterproposals?

Rob
Select a table or a query to use as the data source for the new form, report, or data access page.
Remember to clean your room today.
Re: Security warnings and obedience to authority
Fabrizio Marana wrote:
> As Ping points out in his blog, there are two steps in a typical phishing attack: first the email message, then the website. So when the end-user clicks on the link to the website, (s)he has already accepted an authority twice. Unfortunately for us, the authority of the phisher...

I have found that many end users misinterpret the purpose of the dialogs that ask them whether to continue or stop. They completely fail to understand that the message is: "We're giving you a chance to protect yourself from a potential bad guy" and instead interpret the message as "If you want to continue to do the thing you wanted to do, you must jump through this hoop by pressing continue now." IOW, they totally fail to comprehend WHY this hoop exists. They have no perception that they are being protected from potential evil by this.

I found that users think that the browser is asking them to do something, and they obediently do what it asks. It says "press continue" and so they do. This is not just a browser problem. There are firewall products that attempt to stop previously unknown and unapproved programs from accessing the internet. They pop-up dialogs for such programs, asking the user whether to allow the program to proceed or not. Many users always approve everything, out of a sense of obedience. The master (computer) holds up the hoop and says "jump boy", and they jump.

I think this is a UI problem. Perhaps if the buttons were labelled "Take me to the bad guy anyway" "protect me from this bad guy" they'd get it.

> People being people and all end-users being dumb ;) we now have a steep mountain to climb to win back the user's trust.

Win back? I don't think we've lost any trust.

> The KISS solution (Keep It Simply Stupid) to getting this message across in the GUI is:
> 1/ Use a funky background and font colour: GMail uses a white font on a red background.
> 2/ Use sound: An authoritative voice telling the end-user SECURITY WARNING! You are being ripped off!
> 3/ Use animation: An animated GIF of a wallet being drained of money.
> 4/ All of the above

Two buttons: "rip me off", "protect me from the rip off" would undoubtedly change user responses.

-- Nelson B
Re: Security warnings and obedience to authority
Nelson B wrote:
> Two buttons: "rip me off", "protect me from the rip off" would undoubtedly change user responses.

I doubt it, their ISP/tech support etc would tell them to ignore it as an over reaction... Rather than trying to explain the finer details of what exactly is occurring, this isn't a black and white situation and that's why it's failing to cope with it. When does black and white security ever work in situations where end users don't understand the context? What's needed is something like spamassassin, which ranks sites based on a set of criteria and then tells the user this site is 5% likely to be bad, or 95% likely to be bad... etc etc etc... Not all popups mean bad things and by labelling it as such you simply end up back to square one when users need to go to sites that aren't bad...

--
Best regards, Duane
http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!
http://e164.org - Using Enum.164 to interconnect asterisk servers
In the long run the pessimist may be proved right, but the optimist has a better time on the trip.
Re: Security warnings and obedience to authority
Frank Hecker:
> I thought this was an interesting blog post, with obvious implications for the issue of warning dialogs in Firefox, Thunderbird, etc.
> http://usablesecurity.com/2005/07/19/obedience-to-authority/

Florian Weimer wrote:
> all-too-common security warnings are not effective at all because users tend to increase their productivity by blindly clicking away

Lev Walkin wrote:
> Instead of the simple Yes/No warning dialogs, an application could display something like: In order to proceed with a potentially unsafe choice, please enter the following random dictionary word into an input area below:
> CONTEMPLATE
> +-+
> |_|
> +-+

It could, but I suspect that such a measure would quickly become reviled. Getting into an arms race against one's own users just looks like an unpleasant road to go down. Making the awareness part of the main task is likely to be more successful. Admittedly it is a very tricky design challenge to find clever ways to do that, but it will probably work better than adding irrelevant chores for users to do.

-- ?!ng
Re: Security warnings and obedience to authority
As Ping points out in his blog, there are two steps in a typical phishing attack: first the email message, then the website. So when the end-user clicks on the link to the website, (s)he has already accepted an authority twice. Unfortunately for us, the authority of the phisher...

People being people and all end-users being dumb ;) we now have a steep mountain to climb to win back the user's trust. Milgram not only raised the issue that Ping is describing here, but also points us to a solution as he found out that when the immediacy of the victim was increased, compliance decreased. Therefore we are only faced with establishing a higher authority to the end-user than the one of the phisher in a way that can't be imitated.

The KISS solution (Keep It Simply Stupid) to getting this message across in the GUI is:
1/ Use a funky background and font colour: GMail uses a white font on a red background.
2/ Use sound: An authoritative voice telling the end-user SECURITY WARNING! You are being ripped off!
3/ Use animation: An animated GIF of a wallet being drained of money.
4/ All of the above :)

Fabrizio

Florian Weimer [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> * Frank Hecker:
>> I thought this was an interesting blog post, with obvious implications for the issue of warning dialogs in Firefox, Thunderbird, etc.
>> http://usablesecurity.com/2005/07/19/obedience-to-authority/
>
> This is certainly a problem. The more significant issue (and I believe it's been raised multiple times on this list) is that all-too-common security warnings are not effective at all because users tend to increase their productivity by blindly clicking away warnings. Even Emacs' yes-or-no-p quickly becomes equivalent to y-or-n-p, at least in my experience.
Re: Security warnings and obedience to authority
* Frank Hecker:
> I thought this was an interesting blog post, with obvious implications for the issue of warning dialogs in Firefox, Thunderbird, etc.
> http://usablesecurity.com/2005/07/19/obedience-to-authority/

This is certainly a problem. The more significant issue (and I believe it's been raised multiple times on this list) is that all-too-common security warnings are not effective at all because users tend to increase their productivity by blindly clicking away warnings. Even Emacs' yes-or-no-p quickly becomes equivalent to y-or-n-p, at least in my experience.
Security warnings and obedience to authority
I thought this was an interesting blog post, with obvious implications for the issue of warning dialogs in Firefox, Thunderbird, etc.
http://usablesecurity.com/2005/07/19/obedience-to-authority/

Frank
-- Frank Hecker [EMAIL PROTECTED]
Re: Security alert
On 2005-07-18, Vrodok the Troll [EMAIL PROTECTED] wrote:
> On 18 Jul 2005 14:04:21 GMT, in netscape.public.mozilla.security, Michael Lefevre [EMAIL PROTECTED], by way of Message-id [EMAIL PROTECTED], wrote:
>
> [snip]
>> There was a problem with the release, which was discovered with Firefox first, so Mozilla Suite 1.7.9 was not released. There should be a 1.7.10 version out in the next few days which will have the fix and not have the problem. (The problem was that some API changes slipped in, which broke compatibility with some addons and extensions. Firefox 1.0.5 was released last Tuesday and now the problem
>
> What problem (former user of FF 1.0.5; now using 1.0.4, again)?

As I just wrote: "The problem was that some API changes slipped in, which broke compatibility with some addons and extensions." Firefox 1.0.6 will be out shortly, which will not have that problem, but will have the security fixes that are in 1.0.5.

-- Michael
Security alert
CERT and others are recommending going to version 1.7.9 - there are some references to it on Mozilla's site but I can't find the download. Any ideas?

David Fosdike
dfosdike at nospam(leave this out and change 'dots' and 'at') dot elders dot com dot au
Re: click events not coming thru
Hi charlie, have similar problems ... have you made some progress in the meanwhile?

viz

charlie schmitt wrote:
> *If there's a better place to post this please let me know I have a simple xul application which records a browser session. I capture (at the moment) click and change events, build a simple xml script and then play the script back later with createEvent/dispatchEvent. I'd call it a prototype at this point - it needs a lot of work. SNIP *

-- vikiez
Posted via http://www.forum4designers.com
View this thread: http://www.forum4designers.com/message208932.html
Re: new anti-fraud mailing list for discussing improving browser security UI
Amir Herzberg wrote:
> I wonder: was the mere fact of you meeting with them a secret? If so, did you get permission to disclose this secret (was it declassified)?

The existence of the meeting was not a secret. http://weblogs.mozillazine.org/gerv/archives/008126.html

> It must have been `top secret` since you were forced to take evasive actions, i.e. tell us you need usability tests, criteria, code, etc. when you simply could have said that you decided to follow a specific direction and are not currently interested in outside contributions. This would have been the right thing to do, imho.

Why do you persist in seeing this as an either/or, black-and-white thing? Just because we are improving the certificate UI doesn't mean that all your work is suddenly invalid or unwanted. I'm very interested in what you are doing. I'm not yet convinced any of the suggested outside contributions are a good fit for Firefox. That doesn't mean that won't change in the future.

Gerv
Re: Is there a Mozilla security process?
Space Riqui wrote:
> --- Heikki Toivonen [EMAIL PROTECTED] wrote:
>> after playing around for a while I managed to go to a site I had set a petname for but the petname field showed untrusted (I've been unable to reproduce this, though)
>
> This has happened to me a few times with the following web sites:
> https://tryowa.arvinmeritor.com/
> https://chaseonline.chase.com/chaseonline/home/sso_co_home.jsp

I tried both and didn't notice this particular problem. OTOH, I noticed petname (and spoofstick) does not handle multitab FF windows correctly, which is very confusing and annoying; maybe that was the cause of your problem? BTW, these sites work fine for TrustBar (now using our 0.4 alpha version which also lets me `rename` them in the bar directly, like `petname`; but I'm quite sure they worked also in the current 0.31 release).

Best, Amir Herzberg

> Hope it helps.
Re: new anti-fraud mailing list for discussing improving browser security UI
Doug Ludy wrote:
> I am a newcomer who knows a little bit about group process. It has been fascinating to watch this newsgroup at work--brilliant minds and powerful egos working toward similar goals. I am reminded of a debate in the English parliament. Rather than viewing the current impasse in terms of betrayal and trickery I think a more charitable approach might be the model of culture clash. How does a group accustomed to open process communicate and negotiate with another group whose approach is proprietary and secretive? What rules apply? Which compromises are life-enhancing rather than life-threatening? This is a very old dilemma. I sincerely hope this discussion continues, for trust is important to me.

Interesting comment. But: the discussion was between two groups which are both claiming to follow and believe in open process; I believe Gerv in his note clearly indicates his personal preference for more open process. Anyway, considering Mozilla are currently pursuing a different, `closed` approach, the technical discussion moved to the new list Duane made (see original post).

Best, Amir Herzberg
Re: new anti-fraud mailing list for discussing improving browser security UI
Gervase Markham wrote:
> Amir Herzberg wrote:
>> It is not an issue of fairness, it is an issue of open process. I am indeed disappointed to find that Mozilla is not acting openly. As a believer in open process, I am concerned that the result may be suboptimal.
>
> I would like the process to be more open. I hope and expect that in the future, it will be. However, to achieve the goal, it can't be open right now.

Fine. Considering Mozilla are currently pursuing a different, `closed` approach, the technical discussion moved to the new list Duane made (see original post); please join if and when interested.

>> This is not the way to encourage innovation. In fact, this situation, which was not even disclosed openly during this lengthy discussion,
>
> As I said, some of those involved are reticent about their involvement.

I don't see why this prevented you from stating all this up front, instead of wasting people's time on trying to convince you to follow an open process you (temporarily?) abandoned.

> And I hope the occupants of this newsgroup won't go shooting their mouths off in blogs and on Slashdot.

I'm rather surprised at this comment. After all, you (claim to) believe in open process, and surely criticism of your actions is a part of that. If somebody feels this is somewhat contrary to the stated goals and principles of Mozilla and the open community in general, what's wrong about voicing this in any forum?

>> puts Heikki's advice on `develop code` in rather strange light.
>
> Not at all. Just because we're not in a position to accept your code now doesn't mean it's not valuable.

It certainly does not mean the code is not valuable. OTOH, it is important input, which I think in fairness should have been disclosed. For example, I may have decided to put more effort into non-Mozilla development; we currently do only FireFox and IE, I may have focused more on the IE version, or even begun an effort on another browser. I am definitely considering such options now; regardless of my decision and actions, the fact that this new information resulted in re-evaluation indicates this information should have been disclosed. I am not angry, I'm sure you and Heikki simply did not consider the implication of your following a closed process and the need to disclose that decision. Frankly, a simple apology would have made me feel better about it, but I don't insist, after all sometimes `sorry seems to be the hardest word` :-)

>> I'm not planning to stop coding (yet), but I think you should have indicated that at least the Mozilla group thinks that working in a closed committee will be more effective
>
> Please don't make it so black and white - it's not. I personally don't think a closed group is any more effective, but I'm not the only person with a view on the question.

Ok, and even if you did, that's an understandable position, even if I think it is wrong.

Best, Amir Herzberg
Checking URL against black list - privacy and efficiency concerns
There were several good threads we left in Mozilla.security, which I think we may want to revisit and try to resolve in the new anti-fraud list. For now, I'm cross-posting, although I suggest we continue only on anti-fraud if nobody objects, simply since it is more focused.

Heikki Toivonen wrote:
> One thing about a class of extensions that check the URL you are visiting against known bad ones from an online source: privacy. I read about some implementation which was IMO too invasive. When a security product like this comes from a commercial company and they get access to your browsing history in real time I see it as a deal breaker. Tweaking the settings and eliminating the commercial party from the picture would make it much more likely to get accepted.

Hear, hear!!! This is absolutely absolutely correct, imho. Indeed, as I already mentioned, we got a kind offer (I'm serious) to access one of these DBs with `black list` of suspect sites, but decided to decline, due to these concerns (and also performance; you feel this very well if you are not close to the server, e.g. from Israel). We are now working (Ahmad, mostly) on a better solution. In a sense, this `blacklist` is really a variant on the old CRL problem, btw. The solution we work on is roughly:
-- Have a local cache for the queries. This reduces privacy invasion substantially and improves performance.
-- Specifically, we simply think of doing the requests in cacheable HTTP queries - the cache will be simply in the HTTP proxy (often hidden, of course). DNS could be an alternative, btw. But HTTP is really trivial solution.
-- Each query will not be for a single URL but for a collection, following the efficient CRL techniques. Again: improve efficiency and privacy together.
-- A variant on this mechanism will help us get additional positive credentials for the web page such as logo, BBB/Zagat/Fodor/eTrust ratings,...

> None of them have been usability tested in a browsing situation.

Some tests were done and more will follow, I don't think you do this for any new UI feature, do you?

> Making them into extensions and gathering feedback is one way of getting it. In fact this is what I recommend. Iron out the bugs and usability problems in the extension model first.

We did/do.

> I have my own opinions about these options. Ian has his own opinions, and Gervase has his own opinions. We could argue endlessly about it, but there comes a point where arguments are based on speculation and the only way to know is to gather empirical evidence.

Do you do this as part of your closed process? I doubt.

> I don't think there is a written set of acceptance criteria. Writing one up would be a good thing. Another doc for the security area or wiki perhaps. Anyone could write/start it, but it would need approval from the Mozilla Security Group of course.

I can't see many volunteers to write a draft of the Mozilla security group's acceptance criteria - esp. not from people outside this group...

> In the end it will fall into convincing the right people, but before that you really need to pass the not-yet-written-down-anywhere acceptance criteria.

Well, seems like an impossible mission, then.

> Some rules of thumb could be gathered from my feedback to the petnames extension, like should not require too much (ideally anything) from users, should use minimal chrome real estate and so on. I'd also like to add: make it first into an extension, iron out the bugs, gather usability etc. feedback

I think we do all that fairly well.

> I am grateful that you posted the link to the list of people on the Mozilla Security Group. It's helpful to know those names. It's just that there are over 60 people on that list, so I'd like to know a little more about how consensus is reached on design decisions.
>
> ... You can narrow down the list, though, by checking the affiliations of the people on the list, and if you can't figure who to contact you could always start with the owner.

Well, sounds like fun, they are probably all very interesting persons and digging up their e-mails should be lots of fun, writing each of them - a very efficient, constructive use of my time. I've put it in the appropriate priority of my `to-do` list. Coding to other platforms is a bit higher, though.

Best, Amir Herzberg
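The blacklist lookup outlined in the message above (a local cache, cacheable queries, and one query per collection of URLs instead of per URL), as an added example that is not code from TrustBar or from anyone on the list. The bucket count, the FNV-1a partitioning hash, the in-process function standing in for a cacheable HTTP GET, the stale-on-failure policy and all host names are assumptions made for the illustration.

```javascript
// Added illustration. Every name is hypothetical; the sample hosts are constructed.
const BUCKET_COUNT = 256; // a query names one of 256 buckets, never a URL

// FNV-1a (32-bit). Used only to partition hosts into buckets; it is not a
// security primitive. Privacy comes from many hosts sharing each bucket.
function fnv1a(text) {
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h ^= text.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h;
}

function hostOf(url) { return new URL(url).hostname.toLowerCase(); }
function bucketOf(host) { return fnv1a(host) % BUCKET_COUNT; }

// List publisher side: split the blacklist into buckets, the way a
// partitioned CRL splits revoked certificates across distribution points.
function makeListServer(badHosts, maxAgeSeconds) {
  const buckets = new Map();
  for (const raw of badHosts) {
    const host = raw.toLowerCase();
    const id = bucketOf(host);
    if (!buckets.has(id)) buckets.set(id, []);
    buckets.get(id).push(host);
  }
  // Stand-in for "GET /blacklist/<id>" answered with Cache-Control: max-age.
  return (id) => ({ hosts: buckets.get(id) || [], maxAgeSeconds });
}

class BlacklistClient {
  constructor(fetchBucket, now = () => Date.now()) {
    this.fetchBucket = fetchBucket; // (bucketId) => { hosts, maxAgeSeconds }
    this.now = now;                 // injectable clock, in milliseconds
    this.cache = new Map();         // bucket id -> { hosts: Set, expires }
    this.requestsSent = [];         // everything the list operator gets to see
  }

  // Returns 'listed', 'clean', or 'unknown' (no usable data at all).
  check(url) {
    const host = hostOf(url);
    const id = bucketOf(host);
    let entry = this.cache.get(id);
    if (!entry || entry.expires <= this.now()) {
      try {
        this.requestsSent.push(id); // only the bucket id leaves the browser
        const reply = this.fetchBucket(id);
        entry = {
          hosts: new Set(reply.hosts),
          expires: this.now() + reply.maxAgeSeconds * 1000,
        };
        this.cache.set(id, entry);
      } catch (err) {
        // Server unreachable: keep using a stale bucket if one exists,
        // otherwise report that no verdict is available.
        if (!entry) return 'unknown';
      }
    }
    return entry.hosts.has(host) ? 'listed' : 'clean';
  }
}

function demo() {
  const clock = 0;
  const server = makeListServer(['phish.example', 'login-bank.example'], 3600);
  const client = new BlacklistClient(server, () => clock);
  const verdicts = [
    client.check('https://phish.example/login'),
    client.check('https://phish.example/account?id=7'), // answered from cache
    client.check('https://www.example.org/'),
  ];
  return { verdicts, requestsSent: client.requestsSent.slice() };
}

console.log(demo());
```

The operator's view is `requestsSent`: bucket numbers only, and none at all while a bucket is still fresh in the cache.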
Re: new anti-fraud mailing list for discussing improving browser security UI
Duane wrote:
> But how can you trust a process going on behind closed door and excluding everyone else?

We're not developing security protocols, we're developing best practices and UI. And I am very strongly of the opinion that there needs to be a public review process, and have made that point and will make it again.

> Furthermore another example of what I'm talking about was with Comodo trying to lock trust bar into their patents, for US businesses this seems to be business as usual, the only thing surprising me is the Mozilla guys falling hook line and sinker for it... No wonder Gerv didn't want blogs and/or slashdot postings about it, it would blow the lid off the entire thing at how Mozilla is selling out its user base to the same vested commercial interests it's supposed to be an alternative for!

Well, it's certainly this sort of unfounded paranoia that probably would blow the lid off the embryonic ground-breaking collaboration we've managed to achieve. Do you think all the browser makers collaborate regularly? So go ahead, shoot your mouth off, create a security scandal - some large company will rush out a patch containing the best UI that comes to mind, and we'll all have to copy it if we want consistency. At the moment, phishers aren't using SSL. This gives us breathing space to reinforce it so that when they do, we'll be ready. That's what I hope to take advantage with this work.

Gerv
new list for open discussion of anti-phishing
Gervase Markham wrote:
> Ian Grigg wrote:
>
> This is clearly not the case - in partnership with the other browser vendors, we are together working out the most appropriate UI and then all implementing it.

That's fine, but of course not currently an open process. Duane kindly set up an open forum, the [EMAIL PROTECTED] mailing list. This is for anybody interested in further discussing these issues; thanks! I am sure that some of the people in the `closed` group will also join/follow the open forum, and certainly hope that Gerv will. In particular, this list is an appropriate forum for feedback on our proposal (TrustBar) and other proposals, for developing agreed-upon criteria, etc.

For info or to join: http://lists.cacert.org/cgi-bin/mailman/listinfo/anti-fraud

>> You (mozilla, you, everyone within) are not playing fair.

It is not an issue of fairness, it is an issue of open process. I am indeed disappointed to find that Mozilla is not acting openly. As a believer in open process, I am concerned that the result may be suboptimal. This is not the way to encourage innovation. In fact, this situation, which was not even disclosed openly during this lengthy discussion, puts Heikki's advice on `develop code` in rather strange light. I'm not planning to stop coding (yet), but I think you should have indicated that at least the Mozilla group thinks that working in a closed committee will be more effective (and is unlikely to evaluate the code - as seems the case).

Best, Amir Herzberg
See the new TrustBar homepage at http://AmirHerzberg.com/TrustBar
new anti-fraud mailing list for discussing improving browser security UI
Gervase Markham wrote:
> Ian Grigg wrote:
>
> This is clearly not the case - in partnership with the other browser vendors, we are together working out the most appropriate UI and then all implementing it.

That's fine, but of course not currently an open process. Duane kindly set up an open forum, the [EMAIL PROTECTED] mailing list. This is for anybody interested in further discussing these issues; thanks! I am sure that some of the people in the `closed` group will also join/follow the open forum, and certainly hope that Gerv will. In particular, this list is an appropriate forum for feedback on our proposal (TrustBar) and other proposals, for developing agreed-upon criteria, etc.

For info or to join: http://lists.cacert.org/cgi-bin/mailman/listinfo/anti-fraud

>> You (mozilla, you, everyone within) are not playing fair.

It is not an issue of fairness, it is an issue of open process. I am indeed disappointed to find that Mozilla is not acting openly. As a believer in open process, I am concerned that the result may be suboptimal. This is not the way to encourage innovation.

Best, Amir Herzberg
See the new TrustBar homepage at http://AmirHerzberg.com/TrustBar
Re: new anti-fraud mailing list for discussing improving browser security UI
Gervase Markham wrote:
> Amir Herzberg wrote:
>> It is not an issue of fairness, it is an issue of open process. I am indeed disappointed to find that Mozilla is not acting openly. As a believer in open process, I am concerned that the result may be suboptimal.
>
> I would like the process to be more open. I hope and expect that in the future, it will be. However, to achieve the goal, it can't be open right now.
>
>> This is not the way to encourage innovation. In fact, this situation, which was not even disclosed openly during this lengthy discussion,
>
> As I said, some of those involved are reticent about their involvement. And I hope the occupants of this newsgroup won't go shooting their mouths off in blogs and on Slashdot.
>
>> puts Heikki's advice on `develop code` in rather strange light.
>
> Not at all. Just because we're not in a position to accept your code now doesn't mean it's not valuable.
>
>> I'm not planning to stop coding (yet), but I think you should have indicated that at least the Mozilla group thinks that working in a closed committee will be more effective
>
> Please don't make it so black and white - it's not. I personally don't think a closed group is any more effective, but I'm not the only person with a view on the question.
>
> Gerv

I am a newcomer who knows a little bit about group process. It has been fascinating to watch this newsgroup at work--brilliant minds and powerful egos working toward similar goals. I am reminded of a debate in the English parliament. Rather than viewing the current impasse in terms of betrayal and trickery I think a more charitable approach might be the model of culture clash. How does a group accustomed to open process communicate and negotiate with another group whose approach is proprietary and secretive? What rules apply? Which compromises are life-enhancing rather than life-threatening? This is a very old dilemma. I sincerely hope this discussion continues, for trust is important to me.
Re: Criteria for an antiphishing tool
Ian Grigg wrote:
> 2. This policy seems to have arisen alongside or from a closed meeting of a month or so ago. Duane (representing a CA of 2000 members) didn't get invited to the closed meeting of CAs and browser manufacturers. No minutes, no agenda, no published results. There is only one word for that - compromised.

This reply isn't aimed at you Ian, but you happened to mention numbers that are a little out of date. In any case I did ask on several occasions before the event if this was going to be a secret back room deal or open such as the source code only to be shouted down about breach of confidences, what about the confidences of the actual browser users that keeps getting touted as the holy grail. To date I've seen nothing but contempt for most users with the closed meeting and no actual minutes or reports on the event and in fact I'm starting to think using the excuse about protecting users is merely a convenient line to throw out when it suits rather than actually being concerned about their welfare on an active basis. So far to date I still haven't heard from the Mozilla foundation who was present, general overview of the event, any major decisions made likely to affect users of Mozilla software, so on and so forth.

Ian as for our numbers, that depends what you want to count... As of the present moment we have 3,328 users that have appeared in person to verify their identity. We have a further 644 that have partially proven their identity, but aren't considered completely verified in the system. We have issued 53,175 certificates of which 28,108 are valid. People have verified 39,284 email addresses and 16,776 domains, and there are 29,808 valid user accounts, of course this number keeps growing by the day, up to date figures can be seen on our website: http://www.cacert.org/stats.php

Any other CAs publishing any similar stats?

--
Best regards, Duane
http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!
http://e164.org - Using Enum.164 to interconnect asterisk servers
I do not try to dance better than anyone else. I only try to dance better than myself.
Re: Need help w/programmatic installation of Client Certs
Customer demand. We have to support both browsers now.

Duane [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> Mike Stokes wrote:
>> Thanks again for all of your help Duane. I'm going to go do some more research on this. I can't use any of the technologies that you use due to our in-house development standards and practices - no open source, so no PHP, no OpenSSL, etc. I also need to better understand the root cert technologies at a lower level.
>
> Then why are you using firefox?
>
> -- 
> Best regards, Duane
Re: Need help w/programmatic installation of Client Certs
Nelson,

Thanks for the info. I'm gonna go check out those Netscape reference docs right away.

Nelson B [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> Mike Stokes wrote:
>> I'm new to the Netscape/Firefox/Mozilla platform and I've been tasked with providing a programmatic method for our customers to use to install client certificates. I'm looking for suggestions on how to approach a solution. Java applet? Extension? Plug-in?
>
> None of the above. The functionality is built right in to the browser. A simple HTML is all that is needed to get the browser to generate a Certificate signing request, and another simple page (er, MIME content type) is all that's needed to download the user's new cert chain.
>
> This functionality is all inherited from the older Netscape browsers, and much of the original Netscape documentation on this subject still applies. Look at
> http://wp.netscape.com/eng/security/comm4-keygen.html
> http://wp.netscape.com/eng/security/comm4-cert-download.html
>
> You can ask more questions here.
>
> -- 
> Nelson B
Re: Criteria for an antiphishing tool
Ian Grigg wrote:
> On the notion of common and consistent security UI policy - how is that any different to follow the leader? It's synonymous as far as I can see it.

sigh

The implication of the phrase "follow the leader" is that we are just doing what others are doing simply because they are doing it. This is clearly not the case - in partnership with the other browser vendors, we are together working out the most appropriate UI and then all implementing it. If anything (given that I wrote the proposal) _we_ are the leader.

Do you *oppose* a common and consistent security UI? If not, why am I wasting my time typing this?

I apologise for being short with you, but this newsgroup has a great enough volume already without me having to write things which are unnecessary.

Gerv
Re: Criteria for an antiphishing tool
Ian Grigg wrote:
>> This is clearly not the case - in partnership with the other browser vendors, we are together working out the most appropriate UI and then all implementing it.
>
> This is news. Are you intending to announce this or does it remain embargoed? What is clear about it? Who's in and who's out?

It's not announced yet because it's still very much a draft, and because some organisations involved are a little reticent about their involvement. To take a phrase out of your book, the word is 'diplomacy'.

> You (mozilla, you, everyone within) are not playing fair.
> [snip]

So "fair" is "OK, I have big reservations about your ideas but I'm going to implement them anyway"?

I've just noticed that this email has three more pages to it. I'm sorry, but I don't have time to read it, as I can see it's just an abusive monologue.

Gerv
Re: Criteria for an antiphishing tool
Ian Grigg responded to Gerv:
> Amir Herzberg wrote:
>> So, Mozilla plays `follow the leader`? Nice to know. Not exactly the original goal of the project, was it?
>
> Up to this point, our discussions have been reasonably civil, but now you are just throwing clearly ridiculous assertions around.

Sorry, I didn't mean to offend.

> Having a common and consistent security UI across browsers, no matter who comes up with it, is not inconsistent with the goals of the project.

Of course. But, does it imply that Mozilla/FF will refrain from enhancing its security UI, until IE does? Or until coordinating with IE (which may or may not happen... and via which process?)?

Best, Amir Herzberg
Re: Criteria for an antiphishing tool
Guys, this will be my last post, for reasons that I hope are clear. If anyone wants to discuss phishing, let me know. I'm hopeful a specialist list for cross-fertilisation of phishing efforts will pop up soon.

On Saturday 25 June 2005 23:07, Gervase Markham wrote:
> Ian Grigg wrote:
>> On the notion of common and consistent security UI policy - how is that any different to follow the leader? It's synonymous as far as I can see it.
>
> sigh
>
> The implication of the phrase "follow the leader" is that we are just doing what others are doing simply because they are doing it.

The reality is, if Mozilla has decided on a common and consistent security UI policy then that requires MS to agree. If they don't agree then you don't have it; if they do agree then you have it. In short, whatever they say is it. That's just commercial reality.

> This is clearly not the case - in partnership with the other browser vendors, we are together working out the most appropriate UI and then all implementing it.

This is news. Are you intending to announce this or does it remain embargoed? What is clear about it? Who's in and who's out?

> If anything (given that I wrote the proposal) _we_ are the leader.

Is it documented anywhere that this proposal be accepted? By whom? Who's put it down on paper that they are accepting this proposal? What has staff said about this?

> Do you *oppose* a common and consistent security UI? If not, why am I wasting my time typing this? I apologise for being short with you, but this newsgroup has a great enough volume already without me having to write things which are unnecessary.

You (mozilla, you, everyone within) are not playing fair. There were a bunch of people trying to help. Everything they've proposed has been knocked back or ridiculed or blocked. Everything they've asked to help with has been shunted to the left, to the right or wherever.

Now it transpires that a new policy is emerging, one which has emerged in a secret or private process to which these people - regardless of their efforts or time or their applicability to the community or their credentials - were decidedly not invited.

Let's put this into the wider perspective of how you're not dealing fair and that will answer the question for everyone.

1. This new policy - is it approved? Recall how Frank Hecker went to extreme lengths to create and formulate a policy and debate it in the open with (noisy) outsiders and insiders. And then presented it to staff for approval. The word there was Leadership. Has this been done with the policy for a common and consistent security UI? Are staff even aware that Mozilla may be outsourcing their security UI to Microsoft?

2. This policy seems to have arisen alongside or from a closed meeting of a month or so ago. Duane (representing a CA of 2000 members) didn't get invited to the closed meeting of CAs and browser manufacturers. No minutes, no agenda, no published results. There is only one word for that - compromised.

3. It turns out that something happened at that meeting - a month ago? - and this might have resulted in a new policy to do with security. So here we are suggesting stuff about security that happens to be antithetical towards this new secretly evolving policy, and having to drag it out of you so we can finally work out why everything that is tried in the hopefully open forum is being rejected. I'd say the word here is woftam, thanks very much.

4. When I suggested there wasn't a security process, you all rose up and said of course there is ... and it's here or there or wherever. But as soon as we went there, it disappeared. This is a 100% screamingly important staff issue and my impression is that staff still doesn't even know it has an issue. Which is just an astounding statement to make in a society where we are flooded with news on this issue.

5. Tyler Close asked to join the security team and got ignored. That's the procedure that is published and after some hectoring someone on this group said that's what he should do - ask. I chimed in and presented some credentials for the people here because the team page specifically mentioned it, and that was ignored too (to put a polite face on it). You wanted coders, and code is there - it's in the plugins that these guys knocked up, but still not good enough. So it's a closed shop, right? We don't want any trouble makers in our security team, so we'll just not help anyone join. You're not even playing by your own rules. The word for that is bureaucracy.

6. When Amir Herzberg drops his normal politeness briefly and points out that the common and consistent security UI clearly and blatantly contradicts the Mozilla mission of "preserve choice and innovation" you manage to take umbrage at his phrasing and thus ignore the central issue he was raising. That is called evasion and has its place in politics, not security work.

7. There is no security process, but there are a
Re: Strange mail received with Thunderbird
On Saturday 25 June 2005 12:16, Jeroen van Iddekinge wrote:
> Hi,
> I got the following mail in my Thunderbird (1.0 Linux) email box. What the hell is it? It doesn't even have a proper header (no 'Received' etc. header). Is it a bug or a virus?

No, accidental usage?! Someone is experimenting with a spam package, and they've mistyped the command and accidentally mailed a script that does some part of it to all the recipients in their spam list.

(That's a *guess*, I've seen a number of cases where people who don't know much go and buy cheap but simple spam packages in order to do mass mailings, and the results are ... chaotic.)

iang

-- 
Advances in Financial Cryptography, Issue 1: https://www.financialcryptography.com/mt/archives/000458.html
Daniel Nagy, On Secure Knowledge-Based Authentication
Adam Shostack, Avoiding Liability: An Alternative Route to More Secure Products
Ian Grigg, Pareto-Secure
Re: Strange mail received with Thunderbird
Hi,

Hmm yes, but what about the missing headers? There is no 'Received' header etc... the receiving SMTP server should add it to the message, shouldn't it?

regards
Jeroen.

> On Saturday 25 June 2005 12:16, Jeroen van Iddekinge wrote:
>> Hi,
>> I got the following mail in my Thunderbird (1.0 Linux) email box. What the hell is it? It doesn't even have a proper header (no 'Received' etc. header). Is it a bug or a virus?
>
> No, accidental usage?! Someone is experimenting with a spam package, and they've mistyped the command and accidentally mailed a script that does some part of it to all the recipients in their spam list.
>
> (That's a *guess*, I've seen a number of cases where people who don't know much go and buy cheap but simple spam packages in order to do mass mailings, and the results are ... chaotic.)
>
> iang
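Added example, not part of the thread: a header triage for the situation discussed above, where a delivered message shows no Received field. It parses a raw message with Python's standard email package and reports missing trace and mandatory fields, plus the case where the headers ended up in the body; the three sample messages are constructed and are not the mail Jeroen received.

```python
import re
from email import message_from_string

# RFC 5322 makes only the origination date and originator fields mandatory.
MANDATORY = ("Date", "From")
HEADER_LIKE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*:\s")

def triage_headers(raw):
    """Return a list of finding codes for one raw message."""
    msg = message_from_string(raw)
    findings = []
    # Each SMTP server that accepts the message prepends a Received field,
    # so a delivered message normally has at least one.
    if not msg.get_all("Received"):
        findings.append("no-received")
    for name in MANDATORY:
        if msg[name] is None:
            findings.append("missing-" + name.lower())
    # The header block ends at the first blank line. If the body then opens
    # with header-like lines, the real headers were pushed into the body
    # (for example by a stray blank line written by the sending tool).
    body = "" if msg.is_multipart() else msg.get_payload()
    first = [ln for ln in body.splitlines() if ln.strip()][:5]
    if sum(bool(HEADER_LIKE.match(ln)) for ln in first) >= 2:
        findings.append("headers-in-body")
    return findings

# Constructed samples (not the message from the thread).
NORMAL = (
    "Received: from mx.example.net by mail.example.org; "
    "Sat, 25 Jun 2005 12:10:00 +0000\n"
    "Date: Sat, 25 Jun 2005 12:09:58 +0000\n"
    "From: sender@example.net\n"
    "Subject: hello\n"
    "\n"
    "Body text.\n"
)
DISPLACED = "\n" + NORMAL            # stray blank line before the headers
BARE = "#!/bin/sh\necho hello\n"     # a file mailed with no headers at all

if __name__ == "__main__":
    for label, raw in (("normal", NORMAL), ("displaced", DISPLACED), ("bare", BARE)):
        print(label, triage_headers(raw))
```

A "headers-in-body" finding means the trace fields may still exist and can be read from the message source, while a bare result means the stored copy carries no header block at all.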
Plugin nonsense
The behavior of scanning the system for all sorts of plugins and enabling them by default needs to stop. Not only is the default behavior to enable external plugins by default without prompting the user, but there is no convenient way to disable them from the UI. I've been setting the plugin.scan.[product] preference strings to ridiculously high values; e.g., user_pref("plugin.scan.WindowsMediaPlayer", "99"); as a hack, but there should be a documented and supported method to ensure consistent control over plugin behavior. At the very least, there should be well defined global (for administrators) and per-user preferences to control plugins; whether exposed in the UI or not is a different matter. The current plugin behavior is of an IE-like mentality, something one would neither expect nor desire from Mozilla.

Since I generally dislike it when people whine about open source projects without doing anything to contribute, perhaps there is something I can do to improve this situation. I've compiled Mozilla and FF on Windows from the source many times in the past, and the size of the code base is quite daunting. Can someone recommend a good resource (a book would be nice) that details the procedure of writing extensions? My current level of understanding concerning the whole XUL deal is rather limited, so I will need to attack that first. If someone would tell me the appropriate part (or at least the top level) of the source tree to begin snooping, that would help as well.

Dave
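Added example, not part of Dave's post and not Mozilla code: an audit of a user.js or prefs.js fragment for the plugin.scan.[product] workaround described above, reporting which installed products the override actually covers and which user_pref lines are still missing. It assumes, as the workaround implies, that each plugin.scan.<product> value is a minimum version; ExampleViewer and ExamplePlayer are hypothetical product names, and the sample file and version inventory are constructed.

```python
import re

# One user_pref("name", value); statement per line, as in prefs.js / user.js.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;', re.M)

def parse_prefs(text):
    """Return {name: value}; later lines win, string values lose their quotes."""
    return {name: value.strip('"') for name, value in PREF_RE.findall(text)}

def version(s):
    """'7.0' -> (7, 0, 0, 0), so that '7' and '7.0' compare equal."""
    parts = [int(p) for p in re.findall(r"\d+", s)][:4]
    return tuple(parts + [0] * (4 - len(parts)))

def audit(text, installed, block_at="99"):
    """Classify each installed product and list the user.js lines still needed.

    Assumption: plugin.scan.<product> holds a minimum version, and a product
    whose installed version is lower is skipped by the plugin scan.
    """
    prefs = parse_prefs(text)
    status, todo = {}, []
    for product, have in sorted(installed.items()):
        name = "plugin.scan." + product
        if name not in prefs:
            status[product] = "default"    # no override: browser default applies
        elif version(have) >= version(prefs[name]):
            status[product] = "scanned"    # override present but too low
        else:
            status[product] = "blocked"
        if status[product] != "blocked":
            todo.append('user_pref("%s", "%s");' % (name, block_at))
    return status, todo

# Constructed sample. Only WindowsMediaPlayer is a product name from the post;
# ExampleViewer and ExamplePlayer are hypothetical.
SAMPLE = '''
user_pref("plugin.scan.WindowsMediaPlayer", "99");
user_pref("plugin.scan.ExampleViewer", "5.0");
// user_pref("plugin.scan.ExamplePlayer", "99");   commented out: no effect
user_pref("browser.startup.homepage", "about:blank");
'''
INSTALLED = {"WindowsMediaPlayer": "9.0", "ExampleViewer": "6.0",
             "ExamplePlayer": "2.1"}

if __name__ == "__main__":
    status, todo = audit(SAMPLE, INSTALLED)
    for product, state in status.items():
        print("%-20s %s" % (product, state))
    print("\n".join(todo))
```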
Re: Plugin nonsense
Dave A. wrote:
> The behavior of scanning the system for all sorts of plugins and enabling them by default needs to stop. Not only is the default behavior to enable external plugins by default without prompting the user, but there is no convenient way to disable them from the UI. I've been setting the plugin.scan.[product] preference strings to ridiculously high values; e.g., user_pref("plugin.scan.WindowsMediaPlayer", "99"); as a hack, but there should be a documented and supported method to ensure consistent control over plugin behavior. At the very least, there should be well defined global (for administrators) and per-user preferences to control plugins; whether exposed in the UI or not is a different matter. The current plugin behavior is of an IE-like mentality, something one would neither expect nor desire from Mozilla.
>
> Since I generally dislike it when people whine about open source projects without doing anything to contribute, perhaps there is something I can do to improve this situation. I've compiled Mozilla and FF on Windows from the source many times in the past, and the size of the code base is quite daunting. Can someone recommend a good resource (a book would be nice) that details the procedure of writing extensions? My current level of understanding concerning the whole XUL deal is rather limited, so I will need to attack that first. If someone would tell me the appropriate part (or at least the top level) of the source tree to begin snooping, that would help as well.
>
> Dave

The simple way, which works for me: just go to the plugins directory for the browser and delete them all. Also, make sure that plugins and software installation and helper apps are all completely cleared out or turned off. Then you don't have to worry about them again. (I regularly clean out the helper apps, as OS filetype associations are getting called; need to rip that garbage from the sources before next build to make life simpler.)