I just received an obvious phishing message that was directing me to
https://signin.ebay.com.
It looked really interesting, phishing using an https site rings a bell,
but this was the real ebay login site (I had a doubt at first, was that
the comeback of some i18n trick?), so I really wondered
RML wrote:
Yes, IE gives me 2 session id's. That what I expected to get on a multi-tab
browser too.
Are you *sure* of that?
If you click twice on the blue e, you'll get two instances of the
application, and then two different session ids.
But if you get a new window of the same instance
Gervase Markham wrote:
I don't care if the petnames toolbar was proposed by your grandmother,
the man in the moon or Bruce Schneier. It will be evaluated in exactly
the same way.
What's more I see no connection with the page Ian referenced (Application
and not only user level rights
Julien Pierre wrote:
I'm saying the standard defines no way to revoke a lost CA root, because
it doesn't make sense. When a root is compromised, there is no PKI
standard that can fix this.
To be precise, the standard says that path validation begins with a
trust anchor, and that the trust
Ian G wrote:
So if one wanted to follow the standard one could
create two keys, Alice and Bob, and have Alice
sign Bob's PK. Bob then becomes the root and is
used to sign all lower level public keys. Alice is
the trust anchor.
Then, store Alice and Bob together, and if they ever
get
Fabrizio Marana wrote:
1.0.4 is the proof I needed to escalate this again.
[...]
So again: per site java plug-ins/applets control would make FireFox more
secure...
There is *no* connection between the very serious problems that were
fixed in 1.0.4 and java/applet.
Honestly I was tempted to stop
Peter Gutmann wrote:
[...]. The problem with ActiveX
controls isn't (apart from one or two proof-of-concept ones) someone creating
a malicious signed control (or FF plugin, or whatever).
Really? Why is there a product dedicated to avoiding them, then?
Gervase Markham wrote:
As an example (and I don't know of anyone who is actually suggesting
this), what if we made all CAs who issued non-zero accountability certs
post a $1,000,000 bond against losses from phishing attacks performed
using their certs? Would you consider that a lockout measure?
Jean-Marc Desperrier wrote:
There's a common comment that it's a good thing that FF only has one
security zone, which removes the risk of privilege escalation attacks.
I couldn't help thinking today that Firefox in fact indeed has two
security zones, and that the recent problems are privilege
Daniel Veditz wrote:
Absolutely not true, there is a version of the ByteVerify Java attack
that affects Sun's JRE 1.4.2_05 and older -- and Firefox users can be
infected. If you have this older JRE then it's most definitely NOT
harmless.
Dan, what do you refer to exactly?
I've seen some
Michael Krax wrote:
[...]
It seems this function gets used to implement blocker conditions in the
code, to prevent a malicious uri (e.g. javascript) from getting used in a piece
of code with chrome privileges:
if (uri.schemeIs("javascript"))
return;
The problem that I see is that if ever an
Ian G wrote:
http://www.ebcvg.com/articles.php?id=673
Mozilla: The Honeymoon is over
Well, this time it's the analysis by the expert who's selling
antivirus/http filters.
Unfortunately, many will fall for his incredibly specious assessments
about the recent vulnerabilities in Mozilla without
Vincent THOREL wrote:
I have written an XPCOM C++ component.
[...] It works in a signed JAR and
the requested privilege (UniversalXPConnect) is accepted from a remote host
because it is signed.
But the problem is, I want to use this component in an HTTPS page.
And when I run this page, I got in
Doug Wright wrote:
Gerv suggested I post this here for discussion - copied from bug 288693
When visiting 'secure' sites that use outdated encryption,
Firefox/Thunderbird should give a big ugly warning about the dangers
of submitting information to this site.
[...]
My personal preference would
, as I'm from
tomorrow on holiday for two weeks with little/no internet access.
Jean-Marc Desperrier wrote:
I have some comments about this request, but I'm not sure inside the
bug is the best place. Anyway the bug is about implementing some
things that have been discussed here recently
Frank Hecker wrote:
That pretty much completes my night-time excursion into the wonderful
world of Firefox security UI discussions. Feel free to flame away.
A few days ago, I reached pretty similar ideas as a conclusion of the
recent debating, reinforced by remembering how valid the old SSL
Nelson Bolyard wrote:
I'll bet the error message you get contains more than just that number.
Does it contain much more than: couldn't establish a secure connection
to xxx error code -8075? (at least this message uses the correct format
for the error, it's better than 'error e00b' when it
Ian G wrote:
[...]
OK, that's good to know that there is no number
involved. That just leaves us with determining
what information *is* in this cert, and how it is
that it needs to be presented to the user, and
what the legal and contractual ramifications of
all this information are.
We should
Gervase Markham wrote:
- The text used to explain the feature isn't at all clear to average
users. What is an encrypted security key? What does it mean if it's
missing? The message bar doesn't say.
+1 I thought it would be *really* obscure for the average user.
Ian G wrote:
[...]
So the task for the Euro cert in question [...]
[...]
What planet are these guys on? What are we supposed to do, run it
through a web translation engine?
It certainly opens a can of worms. I asked
around for any experience of these things,
but got no answers on the
Ka-Ping Yee wrote:
I came to this list after hearing about the widely publicized IDN
spoofing attack on Firefox. [...]
So, what happened?
Yee, what you see as a list is primarily a newsgroup
'netscape.public.mozilla.security' on which it's easy to get all the old
messages, and it would be very
Julien Pierre wrote:
Ian G wrote:
LOL... Amazon.com domain for sale :)
I couldn't resist taking screenshots of how this hack looks in Mozilla
under Solaris. That's certainly distinctive!
Add Microsoft to the *guilty* list.
They reused the same glyph for Cyrillic characters as for Latin ones.
The
Chagi wrote:
They can be exploited
by remote users to carry out diverse actions on systems, such as uploading
malicious software
The first case should be exploited by remote users to push the user to
put malicious software on his computer while thinking it is not
executable content.
All three
Nebergall, Christopher wrote:
If Optional Client Authentication is specified should/does Mozilla
prompt the user for their PIN to access their certificates?
Yes, it will prompt. And if the user clicks cancel, it will just connect
without authentication, which you should be able to
Duane wrote:
[...] I've been shoving people onto ubuntu [...]
It's the second time in a short interval I read a recommendation of
Ubuntu as a "no worries, everything just works" Linux distribution.
Ian Grigg wrote:
Jean-Marc Desperrier wrote:
He does not compute the SHA1/MD5, he returns the cert.sha1Fingerprint,
cert.md5Fingerprint value from a nsIX509Cert object he gets back from
nsISSLStatus status.
Darn. One supposes that this is authoritative,
in that NSS will also
If you don't trust
$Bill wrote:
These are the messages I get when trying to go to a secure site:
You cannot connect to x.y.z because SSL is disabled
Could not initialize the browser's security component. The most likely cause
is problems with files in your browser's profile directory. [...]
There is over 100MB of
Michael Lefevre wrote:
On 2004-06-11, Jean-Marc Desperrier [EMAIL PROTECTED] wrote:
As 1.4.1 is its most recent version publicly available
[snip]
Actually it's not - 1.4.2 was released a few weeks ago, and binaries are
available. Mozilla.org didn't make a big announcement because it's
Daniel Veditz wrote:
Ben and I, in person. Actually the argument's pretty much over, there's not
much point in doing the work if the default (which 99% don't change) is to
work the same way as today.
I don't know about FireFox GUI, but please, please, if you do it as
white list, *don't* add
Daniel Veditz wrote:
(I'm serious, by the way: we're most likely turning off XPInstall by default
for most sites for Firefox 1.0)
It does make more sense to sign XP package.
Site-level restriction is a problem for load repartition (isn't mozdev
strongly overloaded?), and makes the consequence of
Robert Irving wrote:
I am trying to import a .cer security certificate, but I keep getting
asked for a password and then getting the error message:
[...]
So far as I know, there is no password for this, [...]
I'll fully agree with that :-)
Any help?
First the correct group for certificate related
Julien Pierre wrote:
[NSS DB access not multi-process safe]
Solving this problem involves using a new database format. The NSS team
researched the issue of licensing other database code that didn't suffer
from the single-process limitation, but none was found that would
satisfy all licensing
Julien Pierre wrote:
No. There was a code-freeze for mozilla 1.1a, and the checkin of this
fix also had to be delayed until after the 1.1alpha was built. So you
need a recent nightly build to get this fix (last night would have it
for sure). If this still does not fix your problem, please
dhiva wrote:
I have a Cert with CN as host name and multiple host names listed in the
SubjectAltName extension, but I am getting a Domain name mismatch warning?
I'm sorry, but I've never heard of this way of using SubjectAltName for
server certificates being normalized anywhere.
Can you supply
I need to test with a recent build, but while I have for a long
time been able to successfully validate web sites with OCSP, despite
often hitting bug 141256 (the lines Kai quoted when opening 141256
were my analysis of this problem), I have never been able to validate
mail