PARAMORE MP3
Click Here to Enter: http://better-web-365.com/12/paramore-mp3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Paramore Mp3 Paramore Franklin Free Mp3 Paramore Misery Business Mp3 S Paramore Misery Business Mp3 Paramore Pressure Mp3 Emergency Paramore Mp3 Paramore Decode Mp3 Lovesick Melody Paramore Free Mp3s Misery Business Paramore Mp3 Mp3 Paramore Paramore Decode Mp3 Download Paramore Misery Business Free Mp3 Paramore Misery Buisness Mp3 Files Paramore Fences Mp3 Paramore Download Mp3 Paramore Crushcrushcrush Mp3 Download Decode Paramore Mp3 Paramore Decoy Mp3 Paramore Crush Mp3 Paramore Mp3 Free Mp3 Downloads Paramore Paramore My Hero Mp3 Paramore Circle Mp3 Paramore That's What You Get Mp3 Paramore Emergency Mp3 Paramore Mp3 Downloads Paramore All We Know Mp3 Paramore Stuck On You Mp3 We Are Broken Paramore Mp3 Paramore All We Know Mp3 Download Paramore Thats What You Get Mp3 Free Mp3 Downloads Paramore Misery Business Paramore Misery Business Mp3s Paramore Misery Business Free Mp3 Download Paramore Crushcrushcrush Mp3 Misery Business Paramore Mp3s Paramore Decoy Mp3 Mediafire Index Of Intitle Mp3 Paramore Paramore Free Mp3 Downloads Intitle Mp3 Paramore Paramore I Caught Myself Free Mp3 Paramore Downloads Mp3 Paramore Misery Business Mp3 Download Download Paramore Mp3 Paramore Stop This Song Mp3 Misery Business Paramore Mp3 Free Paramore And Mp3 Paramore Miracle Mp3 Free Downloadable Paramore Crushcrushcrush Mp3 S Paramore Parent Directory Mp3 Index Of Paramore Mp3 Born For This Paramore I Caught Myself Mp3 Paramore Mp3 Download Paramore Mp3 Crush Crush Crush Paramore Mp3 Fences Paramore Mp3 Free Download Paramore Mp3 Franklin Paramore Mp3 Circle Paramore Mp3 C Paramore Hero Mp3 Paramore Mp3 Crush Paramore Mp3 Livejournal Paramore Misguided Ghosts Mp3 Paramore Miracle Midi Mp3 Paramore Mashups Mp3 Paramore Lovesick Mp3 Paramore Just Like Me Mp3 Paramore Just Like Mp3 Paramore Karaoke Mp3 Paramore Let The Flames Mp3 Paramore Let The Flames Begin Mp3 Paramore Le The Flames Begin Mp3 Paramore Lovesick Melody Mp3 Paramore Live Mp3 Paramore Let This Go Mp3 Paramore Misery Buisiness Mp3 Paramore Misery Business Song Mp3s Paramore Misery Business On Mp3 Format Paramore Ignorance Mp3 Paramore Misery Mp3 Paramore Misery Bussiness Mp3 Paramore Misery Busness Acoustic Mp3 Paramore Misery Buisness Mp3 Paramore Misery Buisness Free Mp3 Paramore Misery Buisness Acoustic Mp3 Paramore Ignorance Studio Mp3 Paramore Misery Business Acoustic Mp3 Paramore Im Alive Mp3 Paramore Mp3 Mp3 Pressure Paramore Live Mp3 Pressure Paramore Mp3 Peer Pressure Paramore Mp3 Pessimist Paramore Mp3 Riot Paramore Mp3 Star Paramore Mp3 Rapidshare Paramore Decoy Mp3 Download Rewind Paramore Mp3 Paramore We Are Broken Mp3 Paramore What You Get Mp3 Paramore Warning Mp3 Download Paramore Warning Mp3 Warning Paramore Woah Mp3 Paramores Mp3 Paramore When It Rains Mp3 Paramore Whoa Mp3 Stay Away Paramore Mp3 Unbreakable Paramore Mp3 Until Tomorrow Paramore Mp3 Thats Waht You Get Paramore Mp3 Thats What You Get Paramore Mp3 When It Rains Paramore Mp3 Whoa Paramore Mp3 We Are Broken By Paramore Mp3 We Are Broken Mp3 Paramore Stuck On You Paramore Mp3 Sunday Bloody Sunday Paramore Mp3 Stop This Song Paramore Mp3 Stuck On You Mp3 Paramore That's What You Get Mp3 Paramore That's What You Get Paramore Mp3 Sunday Paramore Mp3 Temporary Paramore Mp3 Paramore Pessimist Mp3 Paramore Pressure Acoustic Mp3 Paramore Never Let This Go Mp3 Paramore Oh Star Mp3 Paramore Rewind Mp3 Paramore Ringtone Mp3 Paramore Pressure Mp3 Download Paramore Rewind Demo Bonus Track Mp3 Paramore Mp3 Rewind Paramore Mp3 We Are Broken Paramore Mp3 Music Paramore Mp3 Pessimist Paramore My Heart Mp3 Paramore Never Let Go Mp3 Paramore Mp3s Paramore Music Mp3 Paramore Riot Mp3 Paramore Until Mp3 Paramore Until Tomorrow Mp3 Paramore Thts What You Get Mp3 Paramore Type Mp3 Paramore Vegas Mp3 Paramore Video's Mp3 Paramore Until Tomorrow Real Version Mp3 Paramore Untill Tomorrow Mp3 Paramore Sunday Bloody Sunday Mp3 Paramore Temporary Mp3 Paramore Star Mp3 Paramore Stay Away Mp3 Paramore Thats What Mp3 Paramore Thats What You Got Mp3 Paramore That Mp3 Paramore That's What Mp3 Paramore Here We Go Again Mp3 Free Mp3 Paramore Decode Free Mp3 Downloads Paramore Free Mp3 Download Paramore Free Mp3 Paramore Ignorance Ft Paramore Mp3 Free Paramore Mp3 Downloads Free Paramore Mp3 Free Downloads Mp3 Paramore Fences Bye Paramore Mp3 Fences By Paramore Mp3 Feels So Good Paramore Mp3 Fences Mp3 Paramore Free Download Paramore Mp3 Franklin Paramore Mp3 Fences Paramore Mp3 Hallelujah Paramore Mp3 Let This Go Paramore Mp3 Let The Flames Begin Paramore Mp3 Just Like Me Paramore Mp3 Little Spys By Paramore Mp3 Misery Buisness Paramore Mp3 Miracle Paramore Mp3 Miracle By Paramore Mp3 Intitle Mp3 Paramore Riot Here We Go Again Mp3 Paramore Hello Hello Paramore Mp3 Heart Paramore Mp3 Here We Go Again Paramore Mp3 Intitle
Re: Usage of FreeBL and FreeBL/mpi through JavaScript in Firefox 4 Sync
On Oct 21, 7:58 pm, Robert Relyea rrel...@redhat.com wrote: SHA1Context SHA1_Hash SHA1_HashBuf SHA1_NewContext SHA1_DestroyContext SHA1_Begin SHA1_Update SHA1_End The exported equivalence to these functions are: #include sechash.h I see. Having found the SHA1_* functions in blapi.h I assumed they were exported, too. It depends on what J-PAKE is doing. My guess is it's doing a zero knowledge proof algorithm (given the need for add and sub), which is generally useful. Yes, J-PAKE uses zero knowledge proofs. mpi is used to do those as well as compute the key that both sides agree upon. I would be view a patch that puts the zero knowledge proof into freebl with favor (and would clear out time to review such a patch). Not sure how generic the signature of the zero knowledge proof we use in J-PAKE is. Compatibility with the implementation found in OpenSSL is important for us right now (the Firefox Home app for the iPhone uses OpenSSL). It hashes things in a particular way to avoid moving goalposts attacks. See http://www.links.org/?p=393. As Brian points out, pushing the J-PAKE implementation down to NSS may have several advantages. This might include building blocks in freebl or not. For Firefox Sync we'd just need a public API that we can use going forward. I for one would feel more comfortable with this officially being in NSS. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: JSS4.DLL and JSS.jar for Windows 64 bits
On 10/21/2010 12:30 PM, Marcio wrote: Hi there, I´m trying to compile the JSS in the Windows 64 bits platform and I have found many problems to do that. I have seen many posts in the internet with many problems too. I just want use the JSS and not compile it. Could the Mozilla team publishs the JSS binaries (dll and jar) compiled in the Windows 64 bits for us like the existing in older JSS packag ? Thank you very much Ramirez, Marcio I can send you an optomized, 64-bit 4.3.2 JSS.dll compiled against NSS 3.12.7 and built using Visual Studio 2010 so it depends on the Microsoft VC 2010 runtime. The jar you can get from the mozilla.org as you can use the same Jar on any architecture. Let me know if you are interested. Dave -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
RE: JSS4.DLL and JSS.jar for Windows 64 bits
I would also be interested in the 64-bit 4.3.2 JSS.dll. I have been having problems building it on a 64-bit Windows XP system. Thanks. Stephen Moccaldi -Original Message- From: dev-tech-crypto-bounces+stephen.moccaldi=gdc4s@lists.mozilla.org [mailto:dev-tech-crypto-bounces+stephen.moccaldi=gdc4s@lists.mozilla.org] On Behalf Of David Stutzman Sent: Friday, October 22, 2010 7:51 AM To: dev-tech-crypto@lists.mozilla.org Subject: Re: JSS4.DLL and JSS.jar for Windows 64 bits On 10/21/2010 12:30 PM, Marcio wrote: Hi there, I´m trying to compile the JSS in the Windows 64 bits platform and I have found many problems to do that. I have seen many posts in the internet with many problems too. I just want use the JSS and not compile it. Could the Mozilla team publishs the JSS binaries (dll and jar) compiled in the Windows 64 bits for us like the existing in older JSS packag ? Thank you very much Ramirez, Marcio I can send you an optomized, 64-bit 4.3.2 JSS.dll compiled against NSS 3.12.7 and built using Visual Studio 2010 so it depends on the Microsoft VC 2010 runtime. The jar you can get from the mozilla.org as you can use the same Jar on any architecture. Let me know if you are interested. Dave -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Usage of FreeBL and FreeBL/mpi through JavaScript in Firefox 4 Sync
Philipp von Weitershausen wrote: Not sure how generic the signature of the zero knowledge proof we use in J-PAKE is. Compatibility with the implementation found in OpenSSL is important for us right now Hi, Why are you choosing J-PAKE instead of SRP ? Looking for an assessment of J-PAKE against SRP, I found the following that make me worried that choice's a mistake. http://rdist.root.org/2010/09/08/clench-is-inferior-to-tlssrp/#comment-5990 The JPAKE in OpenSSH is unfinished and I don’t recommend enabling it [...] When writing it, I came up with a hacky solution to the cleartext password storage problem [...] http://rdist.root.org/2010/09/08/clench-is-inferior-to-tlssrp/#comment-5993 “Balanced” is symmetric and requires both sides to hold the same authenticator (e.g., a plaintext password). “Augmented” has the additional property that compromise of the server does not yield the key necessary to impersonate the client JPAKE and SPEKE are balanced schemes and thus have the same problem as Clench. However, SRP does not. SRP is an augmented scheme -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: JSS4.DLL and JSS.jar for Windows 64 bits
On 10/22/2010 8:00 AM, stephen.mocca...@gdc4s.com wrote: I would also be interested in the 64-bit 4.3.2 JSS.dll. I have been having problems building it on a 64-bit Windows XP system. Again, you'll probably need to have the MS C runtime 2010 installed for this to work. And it should work at least back to WinXP, but not sure about anything before that. https://w3.dstutz.com/JSS/jss4.dll -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Fennec M8 Code - HTTPS Links not working
Hi All, We are trying to port NSS present in Fennec_M8 code on our mobile platform . Since we had to statically link i had followed the suggestions from community in https://bugzilla.mozilla.org/show_bug.cgi?id=534471. NSS_Initialize function failed first since it could not find the secmod.db. So i had picked up the secmod.db and the related cert8.db and key8.db from the files generated on the fennec on Windows XP version for running on our Win32 simulator. I had to port the File System APIs in hash.c to our platform But now am getting an certificate version error from the API nsslowcert_GetVersionNumber so NSS_Initialize still fails. Is there any other files that i need to port other than NSPR. Can anyone give me pointer where to look for the problem? Thanks. Ashok -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
J-PAKE (was Re: Usage of FreeBL and FreeBL/mpi through JavaScript in Firefox 4 Sync)
Jean-Marc Desperrier wrote: Why are you choosing J-PAKE instead of SRP ? The J-PAKE authors claim they developed J-PAKE to avoid patents that cover other algorithms, and they claim they won't patent it. I don't know if either claim is true or not. http://rdist.root.org/2010/09/08/clench-is-inferior-to-tlssrp/#comment-5993 JPAKE and SPEKE are balanced schemes and thus have the same problem as Clench. However, SRP does not. SRP is an augmented scheme Balanced vs augmented does not matter for Sync's usage because the user is at both end points. The end-user is establishing a secure channel from one of his/her devices to another one of his/her devices that are in the same location. Also, there is a new PIN (password) for every transaction. See https://wiki.mozilla.org/Services/Sync/SyncKey/J-PAKE Cheers, Brian -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Usage of FreeBL and FreeBL/mpi through JavaScript in Firefox 4 Sync
Nelson B Bolyard wrote: Brian Smith wrote: I personally would like to find a way to avoid calling these internal functions from within Firefox--especially since there's no way to detect incompatibilities at compile-time and because the interface to these functions isn't frozen. To what functions are you referring when you say the interface to these functions isn't frozen. ?? The functions you listed below (which I haven't copied here)? Yes. Speaking only for myself, I have no objection to offering the mp_int bignum API as a public API out of freebl3. If people are open to having the J-PAKE building blocks in FreeBL, then we wouldn't need MPI to be part of the public API. The main concern with putting J-PAKE building blocks in NSS is getting that NSS release out for FF4.0. - the wisdom of making Mozilla products even MORE dependent on shared secrets and passwords than they already are, when, for at least a decade, shared secrets in general and passwords in particular have been regarded by security experts as more part of the problem than part of the solution. Letting mozilla products become a playground for home-baked crypto protocols. That's a gate you'll find difficult to close once it is allowed to be opened. At the present time, the only thing you can do with the Sync account password is delete the data off the server and/or associate a different (strong) sync key with the account. Besides J-PAKE, it looks like Sync crypto will end up using quite simple/standard/boring algorithms techniques. Once things are nailed down a little more, there will be a complete design document (and code, of course) for public review. Cheers, Brian -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Fennec M8 Code - HTTPS Links not working
On Fri, Oct 22, 2010 at 8:33 AM, Ashok Subash subash.as...@gmail.com wrote: Is there any other files that i need to port other than NSPR. Probably not. NSS depends on the following: - Standard C Library - NSPR Wan-Teh -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: JSS4.DLL and JSS.jar for Windows 64 bits
Hi Dave. Yes I do. I will appreciate the jss.dll in 64 bits. Thank you very much. Ramirez, Marcio On 22 out, 10:00, stephen.mocca...@gdc4s.com wrote: I would also be interested in the 64-bit 4.3.2 JSS.dll. I have been having problems building it on a 64-bit Windows XP system. Thanks. Stephen Moccaldi -Original Message- From: dev-tech-crypto-bounces+stephen.moccaldi=gdc4s@lists.mozilla.org [mailto:dev-tech-crypto-bounces+stephen.moccaldi=gdc4s@lists.mozilla.org] On Behalf Of David Stutzman Sent: Friday, October 22, 2010 7:51 AM To: dev-tech-cry...@lists.mozilla.org Subject: Re: JSS4.DLL and JSS.jar for Windows 64 bits On 10/21/2010 12:30 PM, Marcio wrote: Hi there, I´m trying to compile the JSS in the Windows 64 bits platform and I have found many problems to do that. I have seen many posts in the internet with many problems too. I just want use the JSS and not compile it. Could the Mozilla team publishs the JSS binaries (dll and jar) compiled in the Windows 64 bits for us like the existing in older JSS packag ? Thank you very much Ramirez, Marcio I can send you an optomized, 64-bit 4.3.2 JSS.dll compiled against NSS 3.12.7 and built using Visual Studio 2010 so it depends on the Microsoft VC 2010 runtime. The jar you can get from the mozilla.org as you can use the same Jar on any architecture. Let me know if you are interested. Dave -- dev-tech-crypto mailing list dev-tech-cry...@lists.mozilla.orghttps://lists.mozilla.org/listinfo/dev-tech-crypto- Ocultar texto das mensagens anteriores - - Mostrar texto das mensagens anteriores - -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: PARAMORE MP3
Gerv, On 2010-10-22 01:25 PDT, Jan Huynh wrote: Click Here to Enter: http://better-web-365.com/12/paramore-mp3 . . Paramore Mp3 Paramore Franklin Free Mp3 [Hundreds of lines beginning with the word Paramore deleted] This is clearly a failure of the new newsgroup moderation, and of the news-mail gateway's filter ... unless those things are not yet in place. I thought they were going to be in place starting earlier this week, with the result that there would be propagation problems from news-mail. Sadly, there appears to be no propagation problem for spam from news-mail. :( What's up with that? -- /Nelson Bolyard -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Usage of FreeBL and FreeBL/mpi through JavaScript in Firefox 4 Sync
On Thu, Oct 21, 2010 at 3:53 PM, Nelson B Bolyard nel...@bolyard.me wrote: I'd say the interfaces to those functions (more precisely, their signatures) are quite frozen. The mp_int bignum package API is so frozen as to have become something of a standard of its own. There are now at least 3 different implementations known to me that are all API compatible, differing only in the content of the (opaque) mp_int structure itself. Speaking only for myself, I have no objection to offering the mp_int bignum API as a public API out of freebl3. They're not presently exported from the freebl shared lib at all, but IMO, they could be. We merely wanted to minimize the exported API. We also need to undo some processor-version-specific type definitions. An example is the mp_digit type for 64-bit Solaris SPARC. mp_digit is defined differently for different versions of the SPARC v9a processors: http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/freebl/Makefilerev=1.115mark=420-432#420 Wan-Teh -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
JSS building error on Windows
Hi folks, I got the follow error while builidng the JSS 4.3.1 after building with successfully the NSS 3.12.6 and NSPR 4.8: building steps: a) first attempty: 1) using the MozillaBuilding Tools (c:\mozilla-build), Perl and Microsoft Visual Studio 8, JAVA_HOME=c:\jdk1.6.0_22 2) started the shell with: start-msvc9.bat 3) OS_TARGET=WINNT 4) BUILD_OPT=1 5) cd nss../nss.../mozilla/security/nss 6) make nss_build_all (note that I´m using the make, not gmake because not found in the MozillaBuild package) results: compiled succesfully and binaries in: ../../dist/ WINNT6.0_OPT.OBJ 7) cd /tests 8) ./all.sh results: passed, except for CRL SSL Client Tests that I have to abort after some time 9) cd jss../mozilla/security/jss 10) make results: Makefile:49: ../coreconf/config.mk: No such file or directory Makefile:69: ../coreconf/rules.mk: No such file or directory make: *** No rule to make target '../coreconf/rules.mk'. Stop. b) second attempty: 1) using the MozillaBuilding Tools (c:\mozilla-build), Perl and Microsoft Visual Studio 8, JAVA_HOME=c:\jdk1.6.0_22 2) started the shell with: start-msvc9.bat 3) OS_TARGET=WIN95 4) BUILD_OPT=1 5) cd nss../nss.../mozilla/security/nss 6) make nss_build_all (note that I´m using the make, not gmake because not found in the MozillaBuild package) results: compiled succesfully and binaries in: ../../dist/ WIN954.0_OPT.OBJ 7) cd /tests 8) ./all.sh results: passed, except for CRL SSL Client Tests that I have to abort after some time 9) cd jss../mozilla/security/jss 10) make results: Makefile:49: ../coreconf/config.mk: No such file or directory Makefile:69: ../coreconf/rules.mk: No such file or directory make: *** No rule to make target '../coreconf/rules.mk'. Stop. c) third attempty: 1) using the MozillaBuilding Tools (c:\mozilla-build), Perl and Microsoft Visual Studio 8 (64), JAVA_HOME=c:\jdk1.6.0_22 2) started the shell with: start-msvc9-x64.bat 3) OS_TARGET=WINNT 4) BUILD_OPT=1 5) cd nss../nss.../mozilla/security/nss 6) make nss_build_all (note that I´m using the make, not gmake because not found in the MozillaBuild package) results: compiled succesfully and binaries in: ../../dist/ WIN6.0_64_OPT.OBJ 7) cd /tests 8) ./all.sh results: passed, except for CRL SSL Client Tests that I have to abort after some time 9) cd jss../mozilla/security/jss 10) make results: Makefile:49: ../coreconf/config.mk: No such file or directory Makefile:69: ../coreconf/rules.mk: No such file or directory make: *** No rule to make target '../coreconf/rules.mk'. Stop. I got the same error building it on the Windows XP with MSVC 8 and MozillaBuild What can I do ? Note: I´ve not access to CVS, so I´ve been download the src from the Mozilla JSS´s release ftp site and extracted the gz and bz2 with WinRAR Thanks in advance Ramirez, Marcio -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Usage of FreeBL and FreeBL/mpi through JavaScript in Firefox 4 Sync
This is a resend. Don't know why my previous copy went only to Marsh. I intended it to go to the list as well. On 2010-10-21 16:50 PDT, Marsh Ray wrote: On 10/21/2010 05:53 PM, Nelson B Bolyard wrote: - Letting mozilla products become a playground for home-baked crypto protocols. That's a gate you'll find difficult to close once it is allowed to be opened. Since when have Mozilla products not been a playground? It IS a playground, in the sense that people can develop add-ons to do whatever their hearts desire, and Mozilla actively encourages that. I'm referring to the functionality in the base product, and particularly to the security functionality in the base product. Users expect that Mozilla product security, out of the box (so to speak), with no add-ons present, is going to be very good. And once added, features are seldom removed. Look at how long it is still taking to get browsers to be secure with respect to renegotiation out-of-the-box. It's because users have become dependent on that bad old stuff and won't let go, even if it's bad for them. Who put up a gate in the first place anyway? Would you really have app developers go elsewhere for bignums? I'm talking about putting JBAKE (or whatever it is) into the base product. That's the motive behind this request. It's not for add-on developers. It's because someone wants to put Do you really think it would inhibit anyone from baking with crypto? I don't care about what people do with add-ons. They're not even at issue here. I do care about what Mozilla offers to its users in the products that bear its name, under the pretense of security. Security isn't about a pile of cool-sounding features. It's about assurances. There are people within Mozilla who want to add to the feature list, want to have more bragging rights, want to claim to be the first with some new buzzword. That's utterly harmless when the new buzzword is some new UI feature that changes pixels on a screen, but in the security space, more care is needed to maintain the assurances. I want my playground and Easy Bake crypto oven. Or, more precisely, it bugs me that an open project like Mozilla would restrict tools on the too dangerous for mere mortals principle. Marsh, Most users have no idea, draw no distinction, among the various security protocols, mechanisms, schemes used within a product like their browser. They have no idea where the responsibilities of a protocol end and the responsibilities of the program's UI begin. When their security is violated, they just lump it all together. That's why SSL/TLS keep getting smeared for faults that are purely UI faults. We read, monthly if not weekly, pronouncements in the press saying that SSL has failed because users clicked past security warnings, or because the browser was fooled by some clever web page content (e.g. JavaScript) into displaying the wrong information to identify the source of that content, or because badly-designed browser security UI, which is utterly indistinguishable from web page content, is subverted to fool users into taking actions that harm their own security, or simply because users continue to fall for emails bearing dire warnings that appear to come from their banks, that make them SO upset that they fail to notice the web page into which they typed their bank password was NOT their bank's page. None of these problems is in any way a fault of the SSL/TLS protocols, but even readers of this group have tried to argue that they are. So, when it comes to user security, Mozilla needs to take care about who it lets into its bed. One foul piece of security in the base product will besmirch ALL the product's security features. cheap_shot So if Mozilla's got such high standards on authentication and such, they can put up even one add-on that doesn't say (Author not verified) in my browser: https://addons.mozilla.org/en-US/firefox/addon/15003/ https://addons.mozilla.org/en-US/firefox/addon/11950/ /cheap_shot I don't think it's a cheap shot. I'm not wild about that, either. I think it does show, however, a difference in degree of care between things that are offered as products of Mozilla versus addons by whomever. That's appropriate, to some degree, in my opinion. I'm just trying to ensure that the newest comer to Mozilla's security development community is aware of some of these issues. -- /Nelson Bolyard -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Usage of FreeBL and FreeBL/mpi through JavaScript in Firefox 4 Sync
On 2010-10-22 11:35 PDT, Wan-Teh Chang wrote: On Thu, Oct 21, 2010 at 3:53 PM, Nelson B Bolyard nel...@bolyard.me wrote: I'd say the interfaces to those functions (more precisely, their signatures) are quite frozen. The mp_int bignum package API is so frozen as to have become something of a standard of its own. There are now at least 3 different implementations known to me that are all API compatible, differing only in the content of the (opaque) mp_int structure itself. Speaking only for myself, I have no objection to offering the mp_int bignum API as a public API out of freebl3. They're not presently exported from the freebl shared lib at all, but IMO, they could be. We merely wanted to minimize the exported API. We also need to undo some processor-version-specific type definitions. An example is the mp_digit type for 64-bit Solaris SPARC. mp_digit is defined differently for different versions of the SPARC v9a processors: http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/freebl/Makefilerev=1.115mark=420-432#420 Hmm. The mp_int struct itself should be opaque in a public definition. So there shuold be no need to change the machine-dependent definitions of the contents of that struct (including the array to which it points). But I know that mp_digit is also used for types in the function signatures, and that IS an issue... I think this says that the task is feasible but requires more time to think about all its implications. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto