Re: SSL Exploit: Mozilla family no better than the rest of the pack
Le 29 septembre 2011, d...@kd4e.com a écrit : In addition to HTML 5 supposedly displacing some of the needs for Java, wasn't there a project of some sort that provided for an open-source substitute for Java ... or was that just a silly dream? There exists IcedTea (at least on Linux, which you are using). Not as good as the original, though (some applets won't work). -- LL ___ support-seamonkey mailing list support-seamonkey@lists.mozilla.org https://lists.mozilla.org/listinfo/support-seamonkey
Re: SSL Exploit: Mozilla family no better than the rest of the pack
THAT'S NOT an answer - PLEASE REFRAIN TO INSIST - YOU DID NOT FOLLOW THE ETIQUETTE WHEN NOT ANSWERING. NoOp wrote: On 09/29/2011 05:27 PM, d...@kd4e.com wrote: In addition to HTML 5 supposedly displacing some of the needs for Java, wasn't there a project of some sort that provided for an open-source substitute for Java ... or was that just a silly dream? I think that you've been reminded of this before, but if not I'll repeat: http://www.mozilla.org/about/forums/etiquette.html quote Top-posting vs bottom-posting. Some people like to put reply after the quoted text, some like it the other way around, and still some prefer interspersed style. Debates about which posting style is better have led to many flame wars in the forums. To keep forum discussion friendly, please do interspersion with trimming (see above for trimming rules). For a simple reply, this is equivalent bottom-posting. So, remove extraneous material, and place your comments in logical order, after the text you are commenting upon. The only exceptions are the accessibility forums, which are top-posting. /quote ... Please refrain from 'Top-posting'. Thanks. ___ support-seamonkey mailing list support-seamonkey@lists.mozilla.org https://lists.mozilla.org/listinfo/support-seamonkey
Re: SSL Exploit: Mozilla family no better than the rest of the pack
Robert Kaiser wrote: NoOp schrieb: Blocking all versions of Java on all versions of Firefox + SeaMonkey? Yes. Seriously? Yes, as it's a security hazard and we don't know of any plans of Oracle to fix it. Are you referring to this: https://bugzilla.mozilla.org/show_bug.cgi?id=689661 [Block Java Plugin due to security vulnerabilities (BEAST TLS and bug in same-origin-policy)] Yes. Doing that kills sites that use java. Example: http://myspeed.visualware.com/index.php Yes. Users can easily turn on/off java using prefbar. Doesn't apply to the majority of users that don't even know what prefbar is. Users will be able to turn it on again if they must, but it's a security risk. I agree with you, java is a bad open door for nasty things. Nobody need unexpected program to run on their computer. How to kill Java on my machine (win7) and/or when using IE(or SM) ___ support-seamonkey mailing list support-seamonkey@lists.mozilla.org https://lists.mozilla.org/listinfo/support-seamonkey
Re: SSL Exploit: Mozilla family no better than the rest of the pack
Ray_Net schrieb: How to kill Java on my machine (win7) and/or when using IE(or SM) On SM it should be as easy as going into the Add-ons Manager, select Plugins, and deactivate it from there. No idea about Windows/IE as I keep my hands off proprietary software as much as I can. Robert Kaiser -- Note that any statements of mine - no matter how passionate - are never meant to be offensive but very often as food for thought or possible arguments that we as a community should think about. And most of the time, I even appreciate irony and fun! :) ___ support-seamonkey mailing list support-seamonkey@lists.mozilla.org https://lists.mozilla.org/listinfo/support-seamonkey
Re: SSL Exploit: Mozilla family no better than the rest of the pack
NoOp schrieb: I'm not sure I fully understand (or probably ever will)... https://bugzilla.mozilla.org/show_bug.cgi?id=665814 {(CVE-2011-3389) Rizzo/Duong chosen plaintext attack on SSL/TLS 1.0 (facilitated by websockets -76)] doesn't seem to indicate java, but instead nss as being the issue. So, to be clear: is it a java or nss issue? Java uses its own TLS stack, which is vulnerable as described in the bug on plugins (https://bugzilla.mozilla.org/show_bug.cgi?id=665814#c90 mentions that this has been split off into https://bugzilla.mozilla.org/show_bug.cgi?id=688008), and Java allows sockets to any site, which can trigger the attack, and Oracle has not yet made any comments that they even intend to work on the problem. The NSS stack is vulnerable in theory, but under our control, so we can fix it, and will do so. To trigger the attack, HTTPS connection need to be made in a certain way, though, and we have no code in Firefox or SeaMonkey right now that does that. Websockets protocol -76 was a way to trigger that, but we have not been implementing this protocol version since Firefox 5 and SeaMonkey 2.2, we are now implementing a newer protocol version of Websockets which cannot trigger that attack. So, NSS is basically vulnerable, but we don't have any code that opens network connections in a way that would actually allow the attack. We still will fix NSS in future versions so that any change in how we're doing connections will also not expose us to the attack. (Note that Chrome is using NSS as well, and they're in the same situation as us here and will ship probably exactly the same fix in the future.) We can't fix Java, and Java applets are exploitable as things stand, so our only possibility is to reduce/block usage of the vulnerable versions, which are all we know about right now, and Oracle has not made any commitment to fixing the problem in future versions. I hope that explains the problem enough. Robert Kaiser -- Note that any statements of mine - no matter how passionate - are never meant to be offensive but very often as food for thought or possible arguments that we as a community should think about. And most of the time, I even appreciate irony and fun! :) ___ support-seamonkey mailing list support-seamonkey@lists.mozilla.org https://lists.mozilla.org/listinfo/support-seamonkey
Re: SSL Exploit: Mozilla family no better than the rest of the pack
On 09/30/2011 07:17 AM, Robert Kaiser wrote: NoOp schrieb: I'm not sure I fully understand (or probably ever will)... https://bugzilla.mozilla.org/show_bug.cgi?id=665814 {(CVE-2011-3389) Rizzo/Duong chosen plaintext attack on SSL/TLS 1.0 (facilitated by websockets -76)] doesn't seem to indicate java, but instead nss as being the issue. So, to be clear: is it a java or nss issue? Java uses its own TLS stack, which is vulnerable as described in the bug on plugins (https://bugzilla.mozilla.org/show_bug.cgi?id=665814#c90 mentions that this has been split off into https://bugzilla.mozilla.org/show_bug.cgi?id=688008), and Java allows sockets to any site, which can trigger the attack, and Oracle has not yet made any comments that they even intend to work on the problem. The NSS stack is vulnerable in theory, but under our control, so we can fix it, and will do so. To trigger the attack, HTTPS connection need to be made in a certain way, though, and we have no code in Firefox or SeaMonkey right now that does that. Websockets protocol -76 was a way to trigger that, but we have not been implementing this protocol version since Firefox 5 and SeaMonkey 2.2, we are now implementing a newer protocol version of Websockets which cannot trigger that attack. So, NSS is basically vulnerable, but we don't have any code that opens network connections in a way that would actually allow the attack. We still will fix NSS in future versions so that any change in how we're doing connections will also not expose us to the attack. (Note that Chrome is using NSS as well, and they're in the same situation as us here and will ship probably exactly the same fix in the future.) We can't fix Java, and Java applets are exploitable as things stand, so our only possibility is to reduce/block usage of the vulnerable versions, which are all we know about right now, and Oracle has not made any commitment to fixing the problem in future versions. I hope that explains the problem enough. Robert Kaiser It does indeed. Thanks for the details Robert. ___ support-seamonkey mailing list support-seamonkey@lists.mozilla.org https://lists.mozilla.org/listinfo/support-seamonkey
Re: SSL Exploit: Mozilla family no better than the rest of the pack
Robert Kaiser wrote: Ray_Net schrieb: How to kill Java on my machine (win7) and/or when using IE(or SM) On SM it should be as easy as going into the Add-ons Manager, select Plugins, and deactivate it from there. No idea about Windows/IE as I keep my hands off proprietary software as much as I can. Thanks, i have verified - it's disabled. And, i have found for IE9 - http://windows7themes.net/how-to-disable-java-in-ie9.html ___ support-seamonkey mailing list support-seamonkey@lists.mozilla.org https://lists.mozilla.org/listinfo/support-seamonkey
Re: SSL Exploit: Mozilla family no better than the rest of the pack
Paul B. Gallagher schrieb: HACKERS BREAK SSL ENCRYPTION USED BY MILLIONS OF SITES That doesn't sounds correct. Firefox itself is not affected at all when WebSockets are turned off. And WebSockets are not used by millions of sites. It looks like the Java plugins is affected though and we are discussing blocking all versions of Java on all versions of Firefox. The same should be true 1:1 for SeaMonkey. Robert Kaiser -- Note that any statements of mine - no matter how passionate - are never meant to be offensive but very often as food for thought or possible arguments that we as a community should think about. And most of the time, I even appreciate irony and fun! :) ___ support-seamonkey mailing list support-seamonkey@lists.mozilla.org https://lists.mozilla.org/listinfo/support-seamonkey
Re: SSL Exploit: Mozilla family no better than the rest of the pack
On 09/29/2011 07:44 AM, Robert Kaiser wrote: Paul B. Gallagher schrieb: HACKERS BREAK SSL ENCRYPTION USED BY MILLIONS OF SITES That doesn't sounds correct. Firefox itself is not affected at all when WebSockets are turned off. And WebSockets are not used by millions of sites. It looks like the Java plugins is affected though and we are discussing blocking all versions of Java on all versions of Firefox. The same should be true 1:1 for SeaMonkey. Robert Kaiser Blocking all versions of Java on all versions of Firefox + SeaMonkey? Seriously? Are you referring to this: https://bugzilla.mozilla.org/show_bug.cgi?id=689661 [Block Java Plugin due to security vulnerabilities (BEAST TLS and bug in same-origin-policy)] Doing that kills sites that use java. Example: http://myspeed.visualware.com/index.php Users can easily turn on/off java using prefbar. Related (from that bug report): http://blog.mozilla.com/security/2011/09/27/attack-against-tls-protected-communications/ http://www.theregister.co.uk/2011/09/29/firefox_killing_java/ http://www.imperialviolet.org/2011/09/23/chromeandbeast.html Seems like dejavu: http://www.theregister.co.uk/2010/04/21/mozilla_blocks_java_plug_in/ [Mozilla blocks Firefox Java plugin] Discussions on Bugzilla show this is unrelated to a flaw in Java Web Start affecting multiple browsers and patched by Oracle via an out-of-sequence (emergency) update last week. http://jaxenter.com/mozilla-block-java-deployment-toolkit-11057.html [Mozilla Block Java Deployment Toolkit] ___ support-seamonkey mailing list support-seamonkey@lists.mozilla.org https://lists.mozilla.org/listinfo/support-seamonkey
Re: SSL Exploit: Mozilla family no better than the rest of the pack
NoOp schrieb: Blocking all versions of Java on all versions of Firefox + SeaMonkey? Yes. Seriously? Yes, as it's a security hazard and we don't know of any plans of Oracle to fix it. Are you referring to this: https://bugzilla.mozilla.org/show_bug.cgi?id=689661 [Block Java Plugin due to security vulnerabilities (BEAST TLS and bug in same-origin-policy)] Yes. Doing that kills sites that use java. Example: http://myspeed.visualware.com/index.php Yes. Users can easily turn on/off java using prefbar. Doesn't apply to the majority of users that don't even know what prefbar is. Users will be able to turn it on again if they must, but it's a security risk. Robert Kaiser -- Note that any statements of mine - no matter how passionate - are never meant to be offensive but very often as food for thought or possible arguments that we as a community should think about. And most of the time, I even appreciate irony and fun! :) ___ support-seamonkey mailing list support-seamonkey@lists.mozilla.org https://lists.mozilla.org/listinfo/support-seamonkey
Re: SSL Exploit: Mozilla family no better than the rest of the pack
On 09/29/2011 03:50 PM, Robert Kaiser wrote: NoOp schrieb: Blocking all versions of Java on all versions of Firefox + SeaMonkey? Yes. Seriously? Yes, as it's a security hazard and we don't know of any plans of Oracle to fix it. Are you referring to this: https://bugzilla.mozilla.org/show_bug.cgi?id=689661 [Block Java Plugin due to security vulnerabilities (BEAST TLS and bug in same-origin-policy)] Yes. Doing that kills sites that use java. Example: http://myspeed.visualware.com/index.php Yes. Users can easily turn on/off java using prefbar. Doesn't apply to the majority of users that don't even know what prefbar is. Users will be able to turn it on again if they must, but it's a security risk. ... Thanks for the clarification. Java goes off until either Mozilla and/or Oracle fix _their_ issues. Might be a good idea to post a separate thread/subject on this list informing users on how to easily disable Java via other means outside of prefbar. Tools|Add-ons Manager|Plugins|Java(TM) version Plug-in|Disable doesn't seem to work on 2.4.1 (linux). Nor via about:config: security.enable_java;false I can *only* disable (checking via http://java.com) via prefbar. I'll test in a 'test' profile to see if the results are different. ___ support-seamonkey mailing list support-seamonkey@lists.mozilla.org https://lists.mozilla.org/listinfo/support-seamonkey
Re: SSL Exploit: Mozilla family no better than the rest of the pack
NoOp schrieb: Thanks for the clarification. Java goes off until either Mozilla and/or Oracle fix _their_ issues. To be clear, those issues are completely on Oracle's side, the Mozilla code doesn't have an issue wrt Java, and the other major plugins are safe as well as we found out. The Java plugin itself is the thing that has the security issue, and a published one at that. Robert Kaiser -- Note that any statements of mine - no matter how passionate - are never meant to be offensive but very often as food for thought or possible arguments that we as a community should think about. And most of the time, I even appreciate irony and fun! :) ___ support-seamonkey mailing list support-seamonkey@lists.mozilla.org https://lists.mozilla.org/listinfo/support-seamonkey
Re: SSL Exploit: Mozilla family no better than the rest of the pack
In addition to HTML 5 supposedly displacing some of the needs for Java, wasn't there a project of some sort that provided for an open-source substitute for Java ... or was that just a silly dream? Thanks for the clarification. Java goes off until either Mozilla and/or Oracle fix _their_ issues. To be clear, those issues are completely on Oracle's side, the Mozilla code doesn't have an issue wrt Java, and the other major plugins are safe as well as we found out. The Java plugin itself is the thing that has the security issue, and a published one at that. Robert Kaiser -- Thanks! 73, KD4E David Colburn http://kd4e.com Have an http://ultrafidian.com day I don't google I SEARCH! http://yippy.com Shop Freedom-Friendly http://kd4e.com/of.html ___ support-seamonkey mailing list support-seamonkey@lists.mozilla.org https://lists.mozilla.org/listinfo/support-seamonkey
Re: SSL Exploit: Mozilla family no better than the rest of the pack
On 09/29/2011 05:12 PM, Robert Kaiser wrote: NoOp schrieb: Thanks for the clarification. Java goes off until either Mozilla and/or Oracle fix _their_ issues. To be clear, those issues are completely on Oracle's side, the Mozilla code doesn't have an issue wrt Java, and the other major plugins are safe as well as we found out. The Java plugin itself is the thing that has the security issue, and a published one at that. Robert Kaiser I'm not sure I fully understand (or probably ever will)... https://bugzilla.mozilla.org/show_bug.cgi?id=665814 {(CVE-2011-3389) Rizzo/Duong chosen plaintext attack on SSL/TLS 1.0 (facilitated by websockets -76)] doesn't seem to indicate java, but instead nss as being the issue. So, to be clear: is it a java or nss issue? ___ support-seamonkey mailing list support-seamonkey@lists.mozilla.org https://lists.mozilla.org/listinfo/support-seamonkey
Re: SSL Exploit: Mozilla family no better than the rest of the pack
On 09/29/2011 05:27 PM, d...@kd4e.com wrote: In addition to HTML 5 supposedly displacing some of the needs for Java, wasn't there a project of some sort that provided for an open-source substitute for Java ... or was that just a silly dream? I think that you've been reminded of this before, but if not I'll repeat: http://www.mozilla.org/about/forums/etiquette.html quote Top-posting vs bottom-posting. Some people like to put reply after the quoted text, some like it the other way around, and still some prefer interspersed style. Debates about which posting style is better have led to many flame wars in the forums. To keep forum discussion friendly, please do interspersion with trimming (see above for trimming rules). For a simple reply, this is equivalent bottom-posting. So, remove extraneous material, and place your comments in logical order, after the text you are commenting upon. The only exceptions are the accessibility forums, which are top-posting. /quote ... Please refrain from 'Top-posting'. Thanks. ___ support-seamonkey mailing list support-seamonkey@lists.mozilla.org https://lists.mozilla.org/listinfo/support-seamonkey
SSL Exploit: Mozilla family no better than the rest of the pack
HACKERS BREAK SSL ENCRYPTION USED BY MILLIONS OF SITES == Beware of BEAST decrypting secret PayPal cookies By Dan Goodin in San Francisco Posted in ID, 19th September 2011 21:10 GMT Researchers have discovered a serious weakness in virtually all websites protected by the secure sockets layer protocol that allows attackers to silently decrypt data that's passing between a webserver and an end-user browser. The vulnerability resides in versions 1.0 and earlier of TLS, or transport layer security, the successor to the secure sockets layer technology that serves as the internet's foundation of trust. Although versions 1.1 and 1.2 of TLS aren't susceptible, they remain almost entirely unsupported in browsers and websites alike, making encrypted transactions on PayPal, GMail, and just about every other website vulnerable to eavesdropping by hackers who are able to control the connection between the end user and the website he's visiting. At the Ekoparty security conference in Buenos Aires later this week, researchers Thai Duong and Juliano Rizzo plan to demonstrate proof-of-concept code called BEAST, which is short for Browser Exploit Against SSL/TLS. The stealthy piece of JavaScript works with a network sniffer to decrypt encrypted cookies a targeted website uses to grant access to restricted user accounts. The exploit works even against sites that use HSTS, or HTTP Strict Transport Security, which prevents certain pages from loading unless they're protected by SSL. The demo will decrypt an authentication cookie used to access a PayPal account, Duong said. Two days after this article was first published, Google released a developer version of its Chrome browser designed to thwart the attack. ... Full article (Mozilla stuff on p. 2): http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/ -- War doesn't determine who's right, just who's left. -- Paul B. Gallagher ___ support-seamonkey mailing list support-seamonkey@lists.mozilla.org https://lists.mozilla.org/listinfo/support-seamonkey
Re: SSL Exploit: Mozilla family no better than the rest of the pack
On 9/23/2011 5:36 AM, Paul B. Gallagher wrote: ... Full article (Mozilla stuff on p. 2): http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/ ALSO http://threatpost.com/en_us/blogs/new-attack-breaks-confidentiality-model-ssl-allows-theft-encrypted-cookies-091611 Lastly, It is unclear at this point if the attack can be replicated in Firefox [Gecko] 7, which has the newer WebSocket protocol. We're working to get an answer from the bug reporters. For further discussion on this threat, I suggest m.d.platform rather than the SeaMonkey list, since its not just a SeaMonkey Issue... ___ support-seamonkey mailing list support-seamonkey@lists.mozilla.org https://lists.mozilla.org/listinfo/support-seamonkey
Re: SSL Exploit: Mozilla family no better than the rest of the pack
On 23.09.2011 04:36, Paul B. Gallagher wrote: --- Original Message --- HACKERS BREAK SSL ENCRYPTION USED BY MILLIONS OF SITES == Beware of BEAST decrypting secret PayPal cookies By Dan Goodin in San Francisco Posted in ID, 19th September 2011 21:10 GMT Researchers have discovered a serious weakness in virtually all websites protected by the secure sockets layer protocol that allows attackers to silently decrypt data that's passing between a webserver and an end-user browser. The vulnerability resides in versions 1.0 and earlier of TLS, or transport layer security, the successor to the secure sockets layer technology that serves as the internet's foundation of trust. Although versions 1.1 and 1.2 of TLS aren't susceptible, they remain almost entirely unsupported in browsers and websites alike, making encrypted transactions on PayPal, GMail, and just about every other website vulnerable to eavesdropping by hackers who are able to control the connection between the end user and the website he's visiting. At the Ekoparty security conference in Buenos Aires later this week, researchers Thai Duong and Juliano Rizzo plan to demonstrate proof-of-concept code called BEAST, which is short for Browser Exploit Against SSL/TLS. The stealthy piece of JavaScript works with a network sniffer to decrypt encrypted cookies a targeted website uses to grant access to restricted user accounts. The exploit works even against sites that use HSTS, or HTTP Strict Transport Security, which prevents certain pages from loading unless they're protected by SSL. The demo will decrypt an authentication cookie used to access a PayPal account, Duong said. Two days after this article was first published, Google released a developer version of its Chrome browser designed to thwart the attack. ... Full article (Mozilla stuff on p. 2): http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/ See bug https://bugzilla.mozilla.org/show_bug.cgi?id=480514 And an article from the ISC: http://www.dshield.org/diary.html?storyid=11629 -- *Jay Garcia - Netscape Champion* www.ufaq.org Netscape - Firefox - SeaMonkey - Thunderbird ___ support-seamonkey mailing list support-seamonkey@lists.mozilla.org https://lists.mozilla.org/listinfo/support-seamonkey
Re: SSL Exploit: Mozilla family no better than the rest of the pack
On 09/23/2011 04:19 AM, Justin Wood (Callek) wrote: On 9/23/2011 5:36 AM, Paul B. Gallagher wrote: ... Full article (Mozilla stuff on p. 2): http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/ ALSO http://threatpost.com/en_us/blogs/new-attack-breaks-confidentiality-model-ssl-allows-theft-encrypted-cookies-091611 Lastly, It is unclear at this point if the attack can be replicated in Firefox [Gecko] 7, which has the newer WebSocket protocol. We're working to get an answer from the bug reporters. For further discussion on this threat, I suggest m.d.platform rather than the SeaMonkey list, since its not just a SeaMonkey Issue... http://www.mozilla.org/about/forums/ I'm curious why you recommend: mozilla.dev.platform For people working on Mozilla-the-platform. rather than: mozilla.dev.tech.crypto For discussions about cryptography, and cryptographic issues surrounding the Mozilla source code. See the PKI project for more info. (Moderated.) or mozilla.dev.security Security issues such as specific security problems or ideas for making the code as a whole more secure can be discussed here. Cryptography, however, is not within this group's charter. (Moderated.) Note: not disputing your recommendation; just trying to understand why when the others (security crypto) seem closer to the issue. ___ support-seamonkey mailing list support-seamonkey@lists.mozilla.org https://lists.mozilla.org/listinfo/support-seamonkey
Re: SSL Exploit: Mozilla family no better than the rest of the pack
On 09/23/2011 11:00 AM, NoOp wrote: On 09/23/2011 04:19 AM, Justin Wood (Callek) wrote: On 9/23/2011 5:36 AM, Paul B. Gallagher wrote: ... Full article (Mozilla stuff on p. 2): http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/ ALSO http://threatpost.com/en_us/blogs/new-attack-breaks-confidentiality-model-ssl-allows-theft-encrypted-cookies-091611 Lastly, It is unclear at this point if the attack can be replicated in Firefox [Gecko] 7, which has the newer WebSocket protocol. We're working to get an answer from the bug reporters. For further discussion on this threat, I suggest m.d.platform rather than the SeaMonkey list, since its not just a SeaMonkey Issue... http://www.mozilla.org/about/forums/ I'm curious why you recommend: mozilla.dev.platform For people working on Mozilla-the-platform. rather than: mozilla.dev.tech.crypto For discussions about cryptography, and cryptographic issues surrounding the Mozilla source code. See the PKI project for more info. (Moderated.) or mozilla.dev.security Security issues such as specific security problems or ideas for making the code as a whole more secure can be discussed here. Cryptography, however, is not within this group's charter. (Moderated.) Note: not disputing your recommendation; just trying to understand why when the others (security crypto) seem closer to the issue. And I reckon that the post from Nelson Bolyard on bug pretty much settles that question: https://bugzilla.mozilla.org/show_bug.cgi?id=480514 [Implement TLS 1.2 (RFC 5246)] quote Nelson Bolyard (seldom reads bugmail) 2011-09-23 13:28:47 PDT Read comment 32 before posting any new comment. Bugzilla bugs are not a discussion forum. This is NOT the place for everyone to pile on with I think this is important, too comments. The place for those comments is the mozilla.dev.tech.crypto newsgroup. /quote Also referenced: https://bugzilla.mozilla.org/show_bug.cgi?id=565047 [(RFC4346) Implement TLS 1.1 (RFC 4346)] Followup set to: mozilla.support.seamonkey as this is where this thread originated. However I suppose any additional technical posts regarding SeaMonkey (meaning other than general media notice/info), per Nelson's comments should actually be in mozilla.dev.tech.crypto. ___ support-seamonkey mailing list support-seamonkey@lists.mozilla.org https://lists.mozilla.org/listinfo/support-seamonkey