Re: Concerning Firefox and presumably SeaMonkey security

2008-12-17 Thread NoOp
On 12/17/2008 12:45 PM, Rostyslaw Lewyckyj wrote:
> Justin Wood (Callek) wrote:
>> On 12/13/2008 10:47 PM, Rostyslaw Lewyckyj wrote:
>>> Taken from
>>> *
>>> SANS NewsBites December 12, 2008 Vol. 10, Num. 97
>>> *
>>> --Firefox Tops List of Most Known Vulnerabilities in Applications
>>> (December 11, 2008)
>>> Whitelisting company Bit9 has compiled statistics on the applications
>>> with the most security vulnerabilities reported over the last year.
>>> Mozilla's Firefox web browser versions 2 and 3 top the list with 40
>>> reported flaws. Adobe Acrobat versions 8.1.1 and 8.1.2 follow with 31
>>> reported flaws. Windows Live (MSN) Messenger versions 4.7 and 5.1 came
>>> in third with 19 flaws. Fourth and fifth place were taken by Apple
>>> iTunes versions 3.2 and 3.1.2 and Skype version 3.5.0.248, respectively.
>>> http://www.vnunet.com/vnunet/news/2232492/firefox-tops-app-vulnerability
>>> http://www.bit9.com/news-events/press-release-details.php?id=102
>>>
>> 
>> Further info see: http://quotes.burntelectrons.org/4233
>> 
> What info?

http://blog.mozilla.com/security/2008/12/15/the-importance-of-good-metrics/
___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey


Re: Concerning Firefox and presumably SeaMonkey security

2008-12-17 Thread NoOp
On 12/17/2008 05:41 AM, Robert Kaiser wrote:
> NoOp wrote:
>> It's OK, I read the methods & also tested with the expanded
>> explanations turned on. I'm just hoping for a 'developer' (Ping
>> Robert?) to test and provide feedback.
> 
> Sorry, I have no clue on those issues. Probably best to hand this to 
> Firefox security people and ask them, as we're using the same code as 
> them (intentionally, as we don't even claim to understand all that stuff 
> in details ourselves).
> 
> Robert Kaiser

Got it... thanks.



Re: Concerning Firefox and presumably SeaMonkey security

2008-12-17 Thread Rostyslaw Lewyckyj

Justin Wood (Callek) wrote:
> On 12/13/2008 10:47 PM, Rostyslaw Lewyckyj wrote:
>> Taken from
>> *
>> SANS NewsBites December 12, 2008 Vol. 10, Num. 97
>> *
>> --Firefox Tops List of Most Known Vulnerabilities in Applications
>> (December 11, 2008)
>> Whitelisting company Bit9 has compiled statistics on the applications
>> with the most security vulnerabilities reported over the last year.
>> Mozilla's Firefox web browser versions 2 and 3 top the list with 40
>> reported flaws. Adobe Acrobat versions 8.1.1 and 8.1.2 follow with 31
>> reported flaws. Windows Live (MSN) Messenger versions 4.7 and 5.1 came
>> in third with 19 flaws. Fourth and fifth place were taken by Apple
>> iTunes versions 3.2 and 3.1.2 and Skype version 3.5.0.248, respectively.
>> http://www.vnunet.com/vnunet/news/2232492/firefox-tops-app-vulnerability
>> http://www.bit9.com/news-events/press-release-details.php?id=102
>
> Further info see: http://quotes.burntelectrons.org/4233

What info?


Re: Concerning Firefox and presumably SeaMonkey security

2008-12-17 Thread Robert Kaiser

NoOp wrote:
> It's OK, I read the methods & also tested with the expanded
> explanations turned on. I'm just hoping for a 'developer' (Ping
> Robert?) to test and provide feedback.

Sorry, I have no clue on those issues. Probably best to hand this to
Firefox security people and ask them, as we're using the same code as
them (intentionally, as we don't even claim to understand all that stuff
in details ourselves).

Robert Kaiser


Re: Concerning Firefox and presumably SeaMonkey security

2008-12-16 Thread Justin Wood (Callek)

On 12/13/2008 10:47 PM, Rostyslaw Lewyckyj wrote:
> Taken from
> *
> SANS NewsBites December 12, 2008 Vol. 10, Num. 97
> *
> --Firefox Tops List of Most Known Vulnerabilities in Applications
> (December 11, 2008)
> Whitelisting company Bit9 has compiled statistics on the applications
> with the most security vulnerabilities reported over the last year.
> Mozilla's Firefox web browser versions 2 and 3 top the list with 40
> reported flaws. Adobe Acrobat versions 8.1.1 and 8.1.2 follow with 31
> reported flaws. Windows Live (MSN) Messenger versions 4.7 and 5.1 came
> in third with 19 flaws. Fourth and fifth place were taken by Apple
> iTunes versions 3.2 and 3.1.2 and Skype version 3.5.0.248, respectively.
> http://www.vnunet.com/vnunet/news/2232492/firefox-tops-app-vulnerability
> http://www.bit9.com/news-events/press-release-details.php?id=102

Further info see: http://quotes.burntelectrons.org/4233

--
~Justin Wood (Callek)


Re: Concerning Firefox and presumably SeaMonkey security

2008-12-16 Thread NoOp
On 12/16/2008 04:45 PM, Barry Edwin Gilmour wrote:
> Barry Edwin Gilmour wrote:
>> NoOp wrote:
>>> On 12/15/2008 08:34 PM, Barry Edwin Gilmour wrote:
>>>
>>>> NoOp wrote:
>>>>> On 12/15/2008 02:58 PM, NoOp wrote:
>>>>>> On 12/13/2008 08:34 PM, Justin Wood (Callek) wrote:
>>>>>>> Of note to everyone here is that Mozilla (SeaMonkey, Firefox etc.)
>>>>>>> report EVERY security bug once fixed and what it was. Some companies
>>>>>>> like IE, Apple, and possibly even Google (for chrome -- no data), if a
>>>>>>> security bug is only ever found and reported internally, they won't make
>>>>>>> it even known that it _ever_ existed. Where we do and fix it anyway. It
>>>>>>> is a very open community, therefore the potential for others to
>>>>>>> accurately gauge what bugs are fixed on our side is high, whereas on
>>>>>>> Microsoft or Apple's side is relatively low.
>>>>>>>
>>>>>> Agree.
>>>>>>
>>>>>> Along these lines, this might be of interest to try with SeaMonkey...
>>>>>>
>>>>>> http://www.info-svc.com/news/2008/12-12/
>>>>>> [Google Chrome Receives Lowest Password Security Score]
>>>>>> http://www.info-svc.com/news/2008/12-12/pm-evaluator/
>>>>>> [Password Manager Evaluator v2.0]
>>>>>>
>>>>>> If I get some time later I'll try it with SM 1.1.14 and 2.0a3pre to see
>>>>>> what the results are.
>>>>>>
>>>>> 1.1.14:
>>>>> Report
>>>>> Test Performed                          Result
>>>>> Action Authority Checked on Retrieval   FAILED
>>>>> Action Authority Checked on Save        FAILED
>>>>> Action Authority Raises Warnings        FAILED
>>>>> Action Path Checked on Retrieval        FAILED
>>>>> Action Path Checked on Save             FAILED
>>>>> Action Scheme Checked on Retrieval      FAILED
>>>>> Action Scheme Checked on Save           FAILED
>>>>> Action Scheme Raises Warnings           FAILED
>>>>> Action Scheme Prevented if Unsafe       FAILED
>>>>> Autocomplete=Off Prevents Form Fills    FAILED
>>>>> Invisiblility Prevents Form Fills       PASSED
>>>>> Method Checked on Retrieval             FAILED
>>>>> Method Raises Warnings                  FAILED
>>>>> Multiple Paths Per User Per Authority   FAILED
>>>>> Multiple Ports Per User Per Host        FAILED
>>>>> Multi. Schemes Per User Per Authority   FAILED
>>>>> Page Path Checked on Retrieval          FAILED
>>>>> Random Name Attr. Prevents Form Fills   PASSED
>>>>> User Required for PW Retrieval          FAILED
>>>>> User Required for PW Save               FAILED
>>>>> Valid URIs Don't Break Anything         PASSED
>>>>>
>>>>> I reckon I'll run the test again to make sure that I did everything
>>>>> correct.
>>>>>
>>>> Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1b3pre) Gecko/20081215
>>>> Lightning/1.0pre SeaMonkey/2.0a3pre ID:20081215000501
>>>> Report
>>>> Action Authority Checked on Retrieval   FAILED
>>>> Action Authority Checked on Save        FAILED
>>>> Action Authority Raises Warnings        FAILED
>>>> Action Path Checked on Retrieval        FAILED
>>>> Action Path Checked on Save             FAILED
>>>> Action Scheme Checked on Retrieval      FAILED
>>>> Action Scheme Checked on Save           FAILED
>>>> Action Scheme Raises Warnings           FAILED
>>>> Action Scheme Prevented if Unsafe       PASSED
>>>> Autocomplete=Off Prevents Form Fills    FAILED
>>>> Invisiblility Prevents Form Fills       PASSED
>>>> Method Checked on Retrieval             FAILED
>>>> Method Raises Warnings                  FAILED
>>>> Multiple Paths Per User Per Authority   FAILED
>>>> Multiple Ports Per User Per Host        FAILED
>>>> Multi. Schemes Per User Per Authority   FAILED
>>>> Page Path Checked on Retrieval          FAILED
>>>> Random Name Attr. Prevents Form Fills   PASSED
>>>> User Required for PW Retrieval          FAILED
>>>> User Required for PW Save               FAILED
>>>> Valid URIs Don't Break Anything         PASSED
>>>>
>>>
>>> Hmmm... Perhaps one of the developers can run as well & see if: 1) they
>>> get the same results (I got the same as you with 2.0a3pre), and 2) if
>>> perhaps they can comment on the test. Perhaps if the test is flawed they
>>> can contact the info-svc.com folks to modify the tests accordingly?
>>>
>> The tests do highlight each browser's security-methods:-
>>
>> http://us.f13.yahoofs.com/bc/486c50ed_117b7/bc/Miscellaneous/passwd-evaluator.html?bffgDSJBHy5VqBbo
> My bad! That link is inaccessible.

It's OK, I read the methods & also tested with the expanded
explanations turned on. I'm just hoping for a 'developer' (Ping
Robert?) to test and provide feedback.




Re: Concerning Firefox and presumably SeaMonkey security

2008-12-16 Thread Barry Edwin Gilmour




Barry Edwin Gilmour wrote:
> NoOp wrote:
>> On 12/15/2008 08:34 PM, Barry Edwin Gilmour wrote:
>>> NoOp wrote:
>>>> On 12/15/2008 02:58 PM, NoOp wrote:
>>>>> On 12/13/2008 08:34 PM, Justin Wood (Callek) wrote:
>>>>>> Of note to everyone here is that Mozilla (SeaMonkey, Firefox etc.)
>>>>>> report EVERY security bug once fixed and what it was. Some companies
>>>>>> like IE, Apple, and possibly even Google (for chrome -- no data), if a
>>>>>> security bug is only ever found and reported internally, they won't make
>>>>>> it even known that it _ever_ existed. Where we do and fix it anyway. It
>>>>>> is a very open community, therefore the potential for others to
>>>>>> accurately gauge what bugs are fixed on our side is high, whereas on
>>>>>> Microsoft or Apple's side is relatively low.
>>>>>>
>>>>> Agree.
>>>>>
>>>>> Along these lines, this might be of interest to try with SeaMonkey...
>>>>>
>>>>> http://www.info-svc.com/news/2008/12-12/
>>>>> [Google Chrome Receives Lowest Password Security Score]
>>>>> http://www.info-svc.com/news/2008/12-12/pm-evaluator/
>>>>> [Password Manager Evaluator v2.0]
>>>>>
>>>>> If I get some time later I'll try it with SM 1.1.14 and 2.0a3pre to see
>>>>> what the results are.
>>>>>
>>>> 1.1.14:
>>>> Report
>>>> Test Performed                          Result
>>>> Action Authority Checked on Retrieval   FAILED
>>>> Action Authority Checked on Save        FAILED
>>>> Action Authority Raises Warnings        FAILED
>>>> Action Path Checked on Retrieval        FAILED
>>>> Action Path Checked on Save             FAILED
>>>> Action Scheme Checked on Retrieval      FAILED
>>>> Action Scheme Checked on Save           FAILED
>>>> Action Scheme Raises Warnings           FAILED
>>>> Action Scheme Prevented if Unsafe       FAILED
>>>> Autocomplete=Off Prevents Form Fills    FAILED
>>>> Invisiblility Prevents Form Fills       PASSED
>>>> Method Checked on Retrieval             FAILED
>>>> Method Raises Warnings                  FAILED
>>>> Multiple Paths Per User Per Authority   FAILED
>>>> Multiple Ports Per User Per Host        FAILED
>>>> Multi. Schemes Per User Per Authority   FAILED
>>>> Page Path Checked on Retrieval          FAILED
>>>> Random Name Attr. Prevents Form Fills   PASSED
>>>> User Required for PW Retrieval          FAILED
>>>> User Required for PW Save               FAILED
>>>> Valid URIs Don't Break Anything         PASSED
>>>>
>>>> I reckon I'll run the test again to make sure that I did everything
>>>> correct.
>>>>
>>> Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1b3pre) Gecko/20081215
>>> Lightning/1.0pre SeaMonkey/2.0a3pre ID:20081215000501
>>> Report
>>> Action Authority Checked on Retrieval   FAILED
>>> Action Authority Checked on Save        FAILED
>>> Action Authority Raises Warnings        FAILED
>>> Action Path Checked on Retrieval        FAILED
>>> Action Path Checked on Save             FAILED
>>> Action Scheme Checked on Retrieval      FAILED
>>> Action Scheme Checked on Save           FAILED
>>> Action Scheme Raises Warnings           FAILED
>>> Action Scheme Prevented if Unsafe       PASSED
>>> Autocomplete=Off Prevents Form Fills    FAILED
>>> Invisiblility Prevents Form Fills       PASSED
>>> Method Checked on Retrieval             FAILED
>>> Method Raises Warnings                  FAILED
>>> Multiple Paths Per User Per Authority   FAILED
>>> Multiple Ports Per User Per Host        FAILED
>>> Multi. Schemes Per User Per Authority   FAILED
>>> Page Path Checked on Retrieval          FAILED
>>> Random Name Attr. Prevents Form Fills   PASSED
>>> User Required for PW Retrieval          FAILED
>>> User Required for PW Save               FAILED
>>> Valid URIs Don't Break Anything         PASSED
>>>
>> Hmmm... Perhaps one of the developers can run as well & see if: 1) they
>> get the same results (I got the same as you with 2.0a3pre), and 2) if
>> perhaps they can comment on the test. Perhaps if the test is flawed they
>> can contact the info-svc.com folks to modify the tests accordingly?
>>
> The tests do highlight each browser's security-methods:-
>
> http://us.f13.yahoofs.com/bc/486c50ed_117b7/bc/Miscellaneous/passwd-evaluator.html?bffgDSJBHy5VqBbo

My bad! That link is inaccessible.




Re: Concerning Firefox and presumably SeaMonkey security

2008-12-16 Thread Barry Edwin Gilmour




NoOp wrote:
> On 12/15/2008 08:34 PM, Barry Edwin Gilmour wrote:
>> NoOp wrote:
>>> On 12/15/2008 02:58 PM, NoOp wrote:
>>>> On 12/13/2008 08:34 PM, Justin Wood (Callek) wrote:
>>>>> Of note to everyone here is that Mozilla (SeaMonkey, Firefox etc.)
>>>>> report EVERY security bug once fixed and what it was. Some companies
>>>>> like IE, Apple, and possibly even Google (for chrome -- no data), if a
>>>>> security bug is only ever found and reported internally, they won't make
>>>>> it even known that it _ever_ existed. Where we do and fix it anyway. It
>>>>> is a very open community, therefore the potential for others to
>>>>> accurately gauge what bugs are fixed on our side is high, whereas on
>>>>> Microsoft or Apple's side is relatively low.
>>>>>
>>>> Agree.
>>>>
>>>> Along these lines, this might be of interest to try with SeaMonkey...
>>>>
>>>> http://www.info-svc.com/news/2008/12-12/
>>>> [Google Chrome Receives Lowest Password Security Score]
>>>> http://www.info-svc.com/news/2008/12-12/pm-evaluator/
>>>> [Password Manager Evaluator v2.0]
>>>>
>>>> If I get some time later I'll try it with SM 1.1.14 and 2.0a3pre to see
>>>> what the results are.
>>>>
>>> 1.1.14:
>>> Report
>>> Test Performed                          Result
>>> Action Authority Checked on Retrieval   FAILED
>>> Action Authority Checked on Save        FAILED
>>> Action Authority Raises Warnings        FAILED
>>> Action Path Checked on Retrieval        FAILED
>>> Action Path Checked on Save             FAILED
>>> Action Scheme Checked on Retrieval      FAILED
>>> Action Scheme Checked on Save           FAILED
>>> Action Scheme Raises Warnings           FAILED
>>> Action Scheme Prevented if Unsafe       FAILED
>>> Autocomplete=Off Prevents Form Fills    FAILED
>>> Invisiblility Prevents Form Fills       PASSED
>>> Method Checked on Retrieval             FAILED
>>> Method Raises Warnings                  FAILED
>>> Multiple Paths Per User Per Authority   FAILED
>>> Multiple Ports Per User Per Host        FAILED
>>> Multi. Schemes Per User Per Authority   FAILED
>>> Page Path Checked on Retrieval          FAILED
>>> Random Name Attr. Prevents Form Fills   PASSED
>>> User Required for PW Retrieval          FAILED
>>> User Required for PW Save               FAILED
>>> Valid URIs Don't Break Anything         PASSED
>>>
>>> I reckon I'll run the test again to make sure that I did everything
>>> correct.
>>>
>> Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1b3pre) Gecko/20081215
>> Lightning/1.0pre SeaMonkey/2.0a3pre ID:20081215000501
>> Report
>> Action Authority Checked on Retrieval   FAILED
>> Action Authority Checked on Save        FAILED
>> Action Authority Raises Warnings        FAILED
>> Action Path Checked on Retrieval        FAILED
>> Action Path Checked on Save             FAILED
>> Action Scheme Checked on Retrieval      FAILED
>> Action Scheme Checked on Save           FAILED
>> Action Scheme Raises Warnings           FAILED
>> Action Scheme Prevented if Unsafe       PASSED
>> Autocomplete=Off Prevents Form Fills    FAILED
>> Invisiblility Prevents Form Fills       PASSED
>> Method Checked on Retrieval             FAILED
>> Method Raises Warnings                  FAILED
>> Multiple Paths Per User Per Authority   FAILED
>> Multiple Ports Per User Per Host        FAILED
>> Multi. Schemes Per User Per Authority   FAILED
>> Page Path Checked on Retrieval          FAILED
>> Random Name Attr. Prevents Form Fills   PASSED
>> User Required for PW Retrieval          FAILED
>> User Required for PW Save               FAILED
>> Valid URIs Don't Break Anything         PASSED
>>
> Hmmm... Perhaps one of the developers can run as well & see if: 1) they
> get the same results (I got the same as you with 2.0a3pre), and 2) if
> perhaps they can comment on the test. Perhaps if the test is flawed they
> can contact the info-svc.com folks to modify the tests accordingly?

The tests do highlight each browser's security-methods:-

http://us.f13.yahoofs.com/bc/486c50ed_117b7/bc/Miscellaneous/passwd-evaluator.html?bffgDSJBHy5VqBbo






Re: Concerning Firefox and presumably SeaMonkey security

2008-12-16 Thread NoOp
On 12/15/2008 08:34 PM, Barry Edwin Gilmour wrote:
> NoOp wrote:
>> On 12/15/2008 02:58 PM, NoOp wrote:
>>
>>> On 12/13/2008 08:34 PM, Justin Wood (Callek) wrote:
>>>
>>>  
>>>> Of note to everyone here is that Mozilla (SeaMonkey, Firefox etc.)
>>>> report EVERY security bug once fixed and what it was. Some companies
>>>> like IE, Apple, and possibly even Google (for chrome -- no data), if a
>>>> security bug is only ever found and reported internally, they won't make
>>>> it even known that it _ever_ existed. Where we do and fix it anyway. It
>>>> is a very open community, therefore the potential for others to
>>>> accurately gauge what bugs are fixed on our side is high, whereas on
>>>> Microsoft or Apple's side is relatively low.


>>> Agree.
>>>
>>> Along these lines, this might be of interest to try with SeaMonkey...
>>>
>>> http://www.info-svc.com/news/2008/12-12/
>>> [Google Chrome Receives Lowest Password Security Score]
>>> http://www.info-svc.com/news/2008/12-12/pm-evaluator/
>>> [Password Manager Evaluator v2.0]
>>>
>>> If I get some time later I'll try it with SM 1.1.14 and 2.0a3pre to see
>>> what the results are.
>>>
>>>  
>>
>> 1.1.14:
>> Report
>> Test Performed                          Result
>> Action Authority Checked on Retrieval   FAILED
>> Action Authority Checked on Save        FAILED
>> Action Authority Raises Warnings        FAILED
>> Action Path Checked on Retrieval        FAILED
>> Action Path Checked on Save             FAILED
>> Action Scheme Checked on Retrieval      FAILED
>> Action Scheme Checked on Save           FAILED
>> Action Scheme Raises Warnings           FAILED
>> Action Scheme Prevented if Unsafe       FAILED
>> Autocomplete=Off Prevents Form Fills    FAILED
>> Invisiblility Prevents Form Fills       PASSED
>> Method Checked on Retrieval             FAILED
>> Method Raises Warnings                  FAILED
>> Multiple Paths Per User Per Authority   FAILED
>> Multiple Ports Per User Per Host        FAILED
>> Multi. Schemes Per User Per Authority   FAILED
>> Page Path Checked on Retrieval          FAILED
>> Random Name Attr. Prevents Form Fills   PASSED
>> User Required for PW Retrieval          FAILED
>> User Required for PW Save               FAILED
>> Valid URIs Don't Break Anything         PASSED
>>
>> I reckon I'll run the test again to make sure that I did everything
>> correct.
>>
> Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1b3pre) Gecko/20081215 
> Lightning/1.0pre SeaMonkey/2.0a3pre ID:20081215000501
> Report
> Action Authority Checked on Retrieval   FAILED
> Action Authority Checked on Save        FAILED
> Action Authority Raises Warnings        FAILED
> Action Path Checked on Retrieval        FAILED
> Action Path Checked on Save             FAILED
> Action Scheme Checked on Retrieval      FAILED
> Action Scheme Checked on Save           FAILED
> Action Scheme Raises Warnings           FAILED
> Action Scheme Prevented if Unsafe       PASSED
> Autocomplete=Off Prevents Form Fills    FAILED
> Invisiblility Prevents Form Fills       PASSED
> Method Checked on Retrieval             FAILED
> Method Raises Warnings                  FAILED
> Multiple Paths Per User Per Authority   FAILED
> Multiple Ports Per User Per Host        FAILED
> Multi. Schemes Per User Per Authority   FAILED
> Page Path Checked on Retrieval          FAILED
> Random Name Attr. Prevents Form Fills   PASSED
> User Required for PW Retrieval          FAILED
> User Required for PW Save               FAILED
> Valid URIs Don't Break Anything         PASSED
> 

Hmmm... Perhaps one of the developers can run as well & see if: 1) they
get the same results (I got the same as you with 2.0a3pre), and 2) if
perhaps they can comment on the test. Perhaps if the test is flawed they
can contact the info-svc.com folks to modify the tests accordingly?



Re: Concerning Firefox and presumably SeaMonkey security

2008-12-16 Thread Rostyslaw Lewyckyj

NoOp wrote:
> On 12/15/2008 06:05 PM, Rostyslaw Lewyckyj wrote:
>> NoOp wrote:
>>>> Along these lines, this might be of interest to try with SeaMonkey...
>>>>
>>>> http://www.info-svc.com/news/2008/12-12/
>>>> [Google Chrome Receives Lowest Password Security Score]
>>>> http://www.info-svc.com/news/2008/12-12/pm-evaluator/
>>>> [Password Manager Evaluator v2.0]
>>>>
>>>> If I get some time later I'll try it with SM 1.1.14 and 2.0a3pre to see
>>>> what the results are.
>>>
>>> 1.1.14:
>>> Report
>>> Test Performed                          Result
>>> Action Authority Checked on Retrieval   FAILED
>>> Action Authority Checked on Save        FAILED
>>> Action Authority Raises Warnings        FAILED
>>> Action Path Checked on Retrieval        FAILED
>>> Action Path Checked on Save             FAILED
>>> Action Scheme Checked on Retrieval      FAILED
>>> Action Scheme Checked on Save           FAILED
>>> Action Scheme Raises Warnings           FAILED
>>> Action Scheme Prevented if Unsafe       FAILED
>>> Autocomplete=Off Prevents Form Fills    FAILED
>>> Invisiblility Prevents Form Fills       PASSED
>>> Method Checked on Retrieval             FAILED
>>> Method Raises Warnings                  FAILED
>>> Multiple Paths Per User Per Authority   FAILED
>>> Multiple Ports Per User Per Host        FAILED
>>> Multi. Schemes Per User Per Authority   FAILED
>>> Page Path Checked on Retrieval          FAILED
>>> Random Name Attr. Prevents Form Fills   PASSED
>>> User Required for PW Retrieval          FAILED
>>> User Required for PW Save               FAILED
>>> Valid URIs Don't Break Anything         PASSED

I count FAILED = 18  vs. PASSED = 3 ?

>>> I reckon I'll run the test again to make sure
>>> that I did everything correct.
>>
>> Does FAILED mean good or bad ?
>
> http://www.info-svc.com/news/2008/12-12/

Right!
SO according to the report, all those FAILEDs mean bad.
--
Rostyk


Re: Concerning Firefox and presumably SeaMonkey security

2008-12-15 Thread Barry Edwin Gilmour

NoOp wrote:
> On 12/15/2008 02:58 PM, NoOp wrote:
>> On 12/13/2008 08:34 PM, Justin Wood (Callek) wrote:
>>> Of note to everyone here is that Mozilla (SeaMonkey, Firefox etc.)
>>> report EVERY security bug once fixed and what it was. Some companies
>>> like IE, Apple, and possibly even Google (for chrome -- no data), if a
>>> security bug is only ever found and reported internally, they won't make
>>> it even known that it _ever_ existed. Where we do and fix it anyway. It
>>> is a very open community, therefore the potential for others to
>>> accurately gauge what bugs are fixed on our side is high, whereas on
>>> Microsoft or Apple's side is relatively low.
>>>
>> Agree.
>>
>> Along these lines, this might be of interest to try with SeaMonkey...
>>
>> http://www.info-svc.com/news/2008/12-12/
>> [Google Chrome Receives Lowest Password Security Score]
>> http://www.info-svc.com/news/2008/12-12/pm-evaluator/
>> [Password Manager Evaluator v2.0]
>>
>> If I get some time later I'll try it with SM 1.1.14 and 2.0a3pre to see
>> what the results are.
>>
> 1.1.14:
> Report
> Test Performed                          Result
> Action Authority Checked on Retrieval   FAILED
> Action Authority Checked on Save        FAILED
> Action Authority Raises Warnings        FAILED
> Action Path Checked on Retrieval        FAILED
> Action Path Checked on Save             FAILED
> Action Scheme Checked on Retrieval      FAILED
> Action Scheme Checked on Save           FAILED
> Action Scheme Raises Warnings           FAILED
> Action Scheme Prevented if Unsafe       FAILED
> Autocomplete=Off Prevents Form Fills    FAILED
> Invisiblility Prevents Form Fills       PASSED
> Method Checked on Retrieval             FAILED
> Method Raises Warnings                  FAILED
> Multiple Paths Per User Per Authority   FAILED
> Multiple Ports Per User Per Host        FAILED
> Multi. Schemes Per User Per Authority   FAILED
> Page Path Checked on Retrieval          FAILED
> Random Name Attr. Prevents Form Fills   PASSED
> User Required for PW Retrieval          FAILED
> User Required for PW Save               FAILED
> Valid URIs Don't Break Anything         PASSED
>
> I reckon I'll run the test again to make sure that I did everything
> correct.

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1b3pre) Gecko/20081215
Lightning/1.0pre SeaMonkey/2.0a3pre ID:20081215000501

Report
Action Authority Checked on Retrieval   FAILED
Action Authority Checked on Save        FAILED
Action Authority Raises Warnings        FAILED
Action Path Checked on Retrieval        FAILED
Action Path Checked on Save             FAILED
Action Scheme Checked on Retrieval      FAILED
Action Scheme Checked on Save           FAILED
Action Scheme Raises Warnings           FAILED
Action Scheme Prevented if Unsafe       PASSED
Autocomplete=Off Prevents Form Fills    FAILED
Invisiblility Prevents Form Fills       PASSED
Method Checked on Retrieval             FAILED
Method Raises Warnings                  FAILED
Multiple Paths Per User Per Authority   FAILED
Multiple Ports Per User Per Host        FAILED
Multi. Schemes Per User Per Authority   FAILED
Page Path Checked on Retrieval          FAILED
Random Name Attr. Prevents Form Fills   PASSED
User Required for PW Retrieval          FAILED
User Required for PW Save               FAILED
Valid URIs Don't Break Anything         PASSED



Re: Concerning Firefox and presumably SeaMonkey security

2008-12-15 Thread NoOp
On 12/15/2008 06:05 PM, Rostyslaw Lewyckyj wrote:
> NoOp wrote:

>>> Along these lines, this might be of interest to try with SeaMonkey...
>>>
>>> http://www.info-svc.com/news/2008/12-12/
>>> [Google Chrome Receives Lowest Password Security Score]
>>>   http://www.info-svc.com/news/2008/12-12/pm-evaluator/
>>> [Password Manager Evaluator v2.0]
>>>
>>> If I get some time later I'll try it with SM 1.1.14 and 2.0a3pre to see
>>> what the results are.
>>>
>> 
>> 1.1.14:
>> Report
>> Test Performed                          Result
>> Action Authority Checked on Retrieval   FAILED
>> Action Authority Checked on Save        FAILED
>> Action Authority Raises Warnings        FAILED
>> Action Path Checked on Retrieval        FAILED
>> Action Path Checked on Save             FAILED
>> Action Scheme Checked on Retrieval      FAILED
>> Action Scheme Checked on Save           FAILED
>> Action Scheme Raises Warnings           FAILED
>> Action Scheme Prevented if Unsafe       FAILED
>> Autocomplete=Off Prevents Form Fills    FAILED
>> Invisiblility Prevents Form Fills       PASSED
>> Method Checked on Retrieval             FAILED
>> Method Raises Warnings                  FAILED
>> Multiple Paths Per User Per Authority   FAILED
>> Multiple Ports Per User Per Host        FAILED
>> Multi. Schemes Per User Per Authority   FAILED
>> Page Path Checked on Retrieval          FAILED
>> Random Name Attr. Prevents Form Fills   PASSED
>> User Required for PW Retrieval          FAILED
>> User Required for PW Save               FAILED
>> Valid URIs Don't Break Anything         PASSED
>> 
>> I reckon I'll run the test again to make sure that I did everything
>> correct.
> 
> Does FAILED mean good or bad ?

http://www.info-svc.com/news/2008/12-12/



Re: Concerning Firefox and presumably SeaMonkey security

2008-12-15 Thread Rostyslaw Lewyckyj

NoOp wrote:
> On 12/15/2008 02:58 PM, NoOp wrote:
>> On 12/13/2008 08:34 PM, Justin Wood (Callek) wrote:
>>> Of note to everyone here is that Mozilla (SeaMonkey, Firefox etc.)
>>> report EVERY security bug once fixed and what it was. Some companies
>>> like IE, Apple, and possibly even Google (for chrome -- no data), if a
>>> security bug is only ever found and reported internally, they won't make
>>> it even known that it _ever_ existed. Where we do and fix it anyway. It
>>> is a very open community, therefore the potential for others to
>>> accurately gauge what bugs are fixed on our side is high, whereas on
>>> Microsoft or Apple's side is relatively low.
>>>
>> Agree.
>>
>> Along these lines, this might be of interest to try with SeaMonkey...
>>
>> http://www.info-svc.com/news/2008/12-12/
>> [Google Chrome Receives Lowest Password Security Score]
>> http://www.info-svc.com/news/2008/12-12/pm-evaluator/
>> [Password Manager Evaluator v2.0]
>>
>> If I get some time later I'll try it with SM 1.1.14 and 2.0a3pre to see
>> what the results are.
>>
> 1.1.14:
> Report
> Test Performed                          Result
> Action Authority Checked on Retrieval   FAILED
> Action Authority Checked on Save        FAILED
> Action Authority Raises Warnings        FAILED
> Action Path Checked on Retrieval        FAILED
> Action Path Checked on Save             FAILED
> Action Scheme Checked on Retrieval      FAILED
> Action Scheme Checked on Save           FAILED
> Action Scheme Raises Warnings           FAILED
> Action Scheme Prevented if Unsafe       FAILED
> Autocomplete=Off Prevents Form Fills    FAILED
> Invisiblility Prevents Form Fills       PASSED
> Method Checked on Retrieval             FAILED
> Method Raises Warnings                  FAILED
> Multiple Paths Per User Per Authority   FAILED
> Multiple Ports Per User Per Host        FAILED
> Multi. Schemes Per User Per Authority   FAILED
> Page Path Checked on Retrieval          FAILED
> Random Name Attr. Prevents Form Fills   PASSED
> User Required for PW Retrieval          FAILED
> User Required for PW Save               FAILED
> Valid URIs Don't Break Anything         PASSED
>
> I reckon I'll run the test again to make sure that I did everything
> correct.

Does FAILED mean good or bad ?
--
Rostyk


Re: Concerning Firefox and presumably SeaMonkey security

2008-12-15 Thread Peter Potamus the Purple Hippo

John Boyle wrote:
> NoOp wrote:
>>> If I get some time later I'll try it with SM 1.1.14 and 2.0a3pre to see
>>> what the results are.
>>
>> 1.1.14:
>
> To ALL: There is a question that comes to my mind, as I see a SM 1.1.14
> is mentioned, but cannot find that anywhere. Is there really a version
> 1.1.14 or is that a typo? :-[

no, not yet.  1.1.14 was released as a testing version,
but the official release should be out soon.


--
*IMPORTANT*: Sorry folks, but I cannot provide email 
help Emails to me may become public


Notice: This posting is protected under the Free Speech 
Laws, which applies everywhere in the FREE world, 
except for some strange reason, not to the mozilla.org 
newsgroup servers, where your posting may get you banned.


Peter Potamus & His Magic Flying Balloon:
http://melaman2.com/cartoons/singles/mp3/p-potamus.mp3
http://www.toonopedia.com/potamus.htm


Re: Concerning Firefox and presumably SeaMonkey security

2008-12-15 Thread »Q«
On Mon, 15 Dec 2008 15:58:15 -0800
John Boyle wrote:

> To ALL: There is a question that comes to my mind, as I see a SM
> 1.1.14 is mentioned, but cannot find that anywhere. Is there really a
> version 1.1.14 or is that a typo? :-[

There are only candidates for 1.1.14.  It should be out fairly soon,
along with the Fx 2.0.0.19 release.

-- 
»Q«                      /"\
  ASCII Ribbon Campaign  \ /
   against html e-mail    X
                         / \


Re: Concerning Firefox and presumably SeaMonkey security

2008-12-15 Thread NoOp
On 12/15/2008 03:58 PM, John Boyle wrote:

>>   
> To ALL: There is a question that comes to my mind, as I see a SM 1.1.14
> is mentioned, but cannot find that anywhere. Is there really a version
> 1.1.14 or is that a typo? :-[
> 

Tomorrow, or at least within a few days hopefully. I'm using a
pre-released version. 1.1.13 is the currently released version.



Re: Concerning Firefox and presumably SeaMonkey security

2008-12-15 Thread John Boyle
NoOp wrote:
> On 12/15/2008 02:58 PM, NoOp wrote:
>   
>> On 12/13/2008 08:34 PM, Justin Wood (Callek) wrote:
>>
>> 
>>> Of note to everyone here is that Mozilla (SeaMonkey, Firefox etc.) 
>>> report EVERY security bug once fixed and what it was. Some companies 
>>> like IE, Apple, and possibly even Google (for chrome -- no data), if a 
>>> security bug is only ever found and reported internally, they won't make 
>>> it even known that it _ever_ existed. Where we do and fix it anyway. It 
>>> is a very open community, therefore the potential for others to 
>>> accurately gauge what bugs are fixed on our side is high, whereas on 
>>> Microsoft or Apple's side is relatively low.
>>>
>>>   
>> Agree.
>>
>> Along these lines, this might be of interest to try with SeaMonkey...
>>
>> http://www.info-svc.com/news/2008/12-12/
>> [Google Chrome Receives Lowest Password Security Score]
>>   http://www.info-svc.com/news/2008/12-12/pm-evaluator/
>> [Password Manager Evaluator v2.0]
>>
>> If I get some time later I'll try it with SM 1.1.14 and 2.0a3pre to see
>> what the results are.
>>
>> 
>
> 1.1.14:
> Report
> Test Performed                          Result
> Action Authority Checked on Retrieval   FAILED
> Action Authority Checked on Save        FAILED
> Action Authority Raises Warnings        FAILED
> Action Path Checked on Retrieval        FAILED
> Action Path Checked on Save             FAILED
> Action Scheme Checked on Retrieval      FAILED
> Action Scheme Checked on Save           FAILED
> Action Scheme Raises Warnings           FAILED
> Action Scheme Prevented if Unsafe       FAILED
> Autocomplete=Off Prevents Form Fills    FAILED
> Invisiblility Prevents Form Fills       PASSED
> Method Checked on Retrieval             FAILED
> Method Raises Warnings                  FAILED
> Multiple Paths Per User Per Authority   FAILED
> Multiple Ports Per User Per Host        FAILED
> Multi. Schemes Per User Per Authority   FAILED
> Page Path Checked on Retrieval          FAILED
> Random Name Attr. Prevents Form Fills   PASSED
> User Required for PW Retrieval          FAILED
> User Required for PW Save               FAILED
> Valid URIs Don't Break Anything         PASSED
>
> I reckon I'll run the test again to make sure that I did everything
> correct.
>   
To ALL: There is a question that comes to my mind, as I see a SM 1.1.14
is mentioned, but cannot find that anywhere. Is there really a version
1.1.14 or is that a typo? :-[

-- 
Old Sarge-John Boyle


Re: Concerning Firefox and presumably SeaMonkey security

2008-12-15 Thread NoOp
On 12/15/2008 02:58 PM, NoOp wrote:
> On 12/13/2008 08:34 PM, Justin Wood (Callek) wrote:
> 
>> Of note to everyone here is that Mozilla (SeaMonkey, Firefox etc.) 
>> report EVERY security bug once fixed and what it was. Some companies 
>> like IE, Apple, and possibly even Google (for chrome -- no data), if a 
>> security bug is only ever found and reported internally, they won't make 
>> it even known that it _ever_ existed. Where we do and fix it anyway. It 
>> is a very open community, therefore the potential for others to 
>> accurately gauge what bugs are fixed on our side is high, whereas on 
>> Microsoft or Apple's side is relatively low.
>> 
> 
> Agree.
> 
> Along these lines, this might be of interest to try with SeaMonkey...
> 
> http://www.info-svc.com/news/2008/12-12/
> [Google Chrome Receives Lowest Password Security Score]
>   http://www.info-svc.com/news/2008/12-12/pm-evaluator/
> [Password Manager Evaluator v2.0]
> 
> If I get some time later I'll try it with SM 1.1.14 and 2.0a3pre to see
> what the results are.
> 

1.1.14:
Report
Test Performed                          Result
Action Authority Checked on Retrieval   FAILED
Action Authority Checked on Save        FAILED
Action Authority Raises Warnings        FAILED
Action Path Checked on Retrieval        FAILED
Action Path Checked on Save             FAILED
Action Scheme Checked on Retrieval      FAILED
Action Scheme Checked on Save           FAILED
Action Scheme Raises Warnings           FAILED
Action Scheme Prevented if Unsafe       FAILED
Autocomplete=Off Prevents Form Fills    FAILED
Invisiblility Prevents Form Fills       PASSED
Method Checked on Retrieval             FAILED
Method Raises Warnings                  FAILED
Multiple Paths Per User Per Authority   FAILED
Multiple Ports Per User Per Host        FAILED
Multi. Schemes Per User Per Authority   FAILED
Page Path Checked on Retrieval          FAILED
Random Name Attr. Prevents Form Fills   PASSED
User Required for PW Retrieval          FAILED
User Required for PW Save               FAILED
Valid URIs Don't Break Anything         PASSED

I reckon I'll run the test again to make sure that I did everything
correct.


Re: Concerning Firefox and presumably SeaMonkey security

2008-12-15 Thread NoOp
On 12/13/2008 08:34 PM, Justin Wood (Callek) wrote:

> Of note to everyone here is that Mozilla (SeaMonkey, Firefox etc.) 
> report EVERY security bug once fixed and what it was. Some companies 
> like IE, Apple, and possibly even Google (for chrome -- no data), if a 
> security bug is only ever found and reported internally, they won't make 
> it even known that it _ever_ existed. Where we do and fix it anyway. It 
> is a very open community, therefore the potential for others to 
> accurately gauge what bugs are fixed on our side is high, whereas on 
> Microsoft or Apple's side is relatively low.
> 

Agree.

Along these lines, this might be of interest to try with SeaMonkey...

http://www.info-svc.com/news/2008/12-12/
[Google Chrome Receives Lowest Password Security Score]
  http://www.info-svc.com/news/2008/12-12/pm-evaluator/
[Password Manager Evaluator v2.0]

If I get some time later I'll try it with SM 1.1.14 and 2.0a3pre to see
what the results are.



Re: Concerning Firefox and presumably SeaMonkey security

2008-12-15 Thread Robert Kaiser

Rostyslaw Lewyckyj wrote:
> Robert Kaiser wrote:
>> Rostyslaw Lewyckyj wrote:
>>> Mozilla's Firefox web browser versions 2 and 3 top the list with 40
>>> reported flaws.
>>
>> The real interesting part is how many users out there (absolute or
>> percentage) are using products with unfixed security flaws? How many
>> days of having no fix for a known security vulnerability did the
>> different products have?
>> It's not important how many different flaws there were in any given
>> product,
>
> Come again?? Not important how many flaws made it past all internal
> quality controls and presumably beta testing into a released version
> of the product?

There is no "internal" in open source. Everything is public. The open
community is the testing and quality control, be it in testing or in
code reviews. Every single line of the code is out there for everyone to
look at, user, developer, white hat or black hat. And that's why we
don't hide minor flaws that probably cannot be exploited, as companies
with closed source like to do. We label everything we find in our own
development that has been in a release as security relevant and publish
at least a minor severity advisory once we release the updates that fix
this flaw. Most of the issues you'll see in Mozilla software are
actually first published by us, and together with a version that
actually contains the fixes, and together with the source code that
fixes it. How many others do things that way? You just cannot compare
apples with oranges, sorry.

> Non organizational users, i.e. without centralized upgrade,
> are unlikely to upgrade promptly. Heck, even centers with
> dedicated computer administration, are often behind on versions
> and fixes.

So, what you're saying basically means that anyone using centralized
upgrades voluntarily is insecure. Well, if they like being insecure, why
do we care about their security at all?


Robert Kaiser


Re: Concerning Firefox and presumably SeaMonkey security

2008-12-14 Thread Rostyslaw Lewyckyj

Robert Kaiser wrote:
> Rostyslaw Lewyckyj wrote:
>> Mozilla's Firefox web browser versions 2 and 3 top the list with 40
>> reported flaws.
>
> The real interesting part is how many users out there (absolute or
> percentage) are using products with unfixed security flaws? How many
> days of having no fix for a known security vulnerability did the
> different products have?
> It's not important how many different flaws there were in any given
> product,

Come again?? Not important how many flaws made it past all internal
quality controls and presumably beta testing into a released version
of the product?
The number of found flaws, bugs, in a product release is an often
used measure used to estimate the number of still hidden bugs.
Sure it's commendable that a bug fix is prompt, but is no substitute
to the bug never getting past design, and internal quality control
into the released version.
Which do you consider preferable: a bug fix, version upgrade a day;
or more careful internal quality control before a version release,
so that bug fix version upgrades to the public are needed
infrequently.

> the importance is how much likely are users to be harmed, i.e.
> severity of the flaws and getting the fix out to users.

Non organizational users, i.e. without centralized upgrade,
are unlikely to upgrade promptly. Heck, even centers with
dedicated computer administration, are often behind on versions
and fixes.

> Justin also has some very valid points there as well.
>
> Robert Kaiser

--
Rostyk


Re: Concerning Firefox and presumably SeaMonkey security

2008-12-14 Thread Robert Kaiser

Rostyslaw Lewyckyj wrote:
> Mozilla's Firefox web browser versions 2 and 3 top the list with 40
> reported flaws.

The real interesting part is how many users out there (absolute or
percentage) are using products with unfixed security flaws? How many
days of having no fix for a known security vulnerability did the
different products have?
It's not important how many different flaws there were in any given
product, the importance is how much likely are users to be harmed, i.e.
severity of the flaws and getting the fix out to users.

Justin also has some very valid points there as well.

Robert Kaiser


Re: Concerning Firefox and presumably SeaMonkey security

2008-12-13 Thread »Q«
In ,
Rostyslaw Lewyckyj  wrote:

> Taken from
> *
> SANS NewsBites  December 12, 2008  Vol. 10, Num. 97
> *
>   --Firefox Tops List of Most Known Vulnerabilities in Applications
> (December 11, 2008)
> Whitelisting company Bit9 has compiled statistics on the applications
> with the most security vulnerabilities reported over the last year.
> Mozilla's Firefox web browser versions 2 and 3 top the list with 40
> reported flaws.  Adobe Acrobat versions 8.1.1 and 8.1.2 follow with 31
> reported flaws.  Windows Live (MSN) Messenger versions 4.7 and 5.1
> came in third with 19 flaws.  Fourth and fifth place were taken by
> Apple iTunes versions 3.2 and 3.1.2 and Skype version 3.5.0.248,
> respectively.
> http://www.vnunet.com/vnunet/news/2232492/firefox-tops-app-vulnerability
> http://www.bit9.com/news-events/press-release-details.php?id=102

The vnunet.com article is highly misleading.  The Bit9 press release is
aimed only at enterprise. It explicitly rules out applications for which
updates can be applied via Microsoft's enterprise tools such as SMS and
WSUS.  IT departments are concerned about apps they can't control
directly very well and which users may install but not update to get
the needed patches.  The autoupdate mechanism of Firefox (and SeaMonkey
2, right?) should mitigate that a great deal, but no mention is made of
it.

Probably Bit9 should have ruled out Firefox also, since it actually is
possible for IT to manage the updates if they use FrontMotion's
product, .

-- 
»Q«
 Kleeneness is next to Gödelness.



Re: Concerning Firefox and presumably SeaMonkey security

2008-12-13 Thread Justin Wood (Callek)

On 12/13/2008 10:47 PM, Rostyslaw Lewyckyj wrote:
> Taken from
> *
> SANS NewsBites December 12, 2008 Vol. 10, Num. 97
> *
> --Firefox Tops List of Most Known Vulnerabilities in Applications
> (December 11, 2008)
> Whitelisting company Bit9 has compiled statistics on the applications
> with the most security vulnerabilities reported over the last year.
> Mozilla's Firefox web browser versions 2 and 3 top the list with 40
> reported flaws. Adobe Acrobat versions 8.1.1 and 8.1.2 follow with 31
> reported flaws. Windows Live (MSN) Messenger versions 4.7 and 5.1 came
> in third with 19 flaws. Fourth and fifth place were taken by Apple
> iTunes versions 3.2 and 3.1.2 and Skype version 3.5.0.248, respectively.
> http://www.vnunet.com/vnunet/news/2232492/firefox-tops-app-vulnerability
> http://www.bit9.com/news-events/press-release-details.php?id=102

What really matters is time to fix said flaws, how aggressive the
problems are, and time from "report" to "fix in users' hands" aka: How
much of a vulnerability it is in the wild.

Firefox (and SeaMonkey) has a very good track record with all of the
above.  Though as far as getting updates in users' hands, Firefox is
slightly better than SeaMonkey (due to auto-update) though SeaMonkey is
not that far behind either.


There are many many more people, much more qualified than me, who have 
explained this in vivid detail as well.


Of note to everyone here is that Mozilla (SeaMonkey, Firefox etc.) 
report EVERY security bug once fixed and what it was. Some companies 
like IE, Apple, and possibly even Google (for chrome -- no data), if a 
security bug is only ever found and reported internally, they won't make 
it even known that it _ever_ existed. Where we do and fix it anyway. It 
is a very open community, therefore the potential for others to 
accurately gauge what bugs are fixed on our side is high, whereas on 
Microsoft or Apple's side is relatively low.


--
~Justin Wood (Callek)