Christian Koßmann | 14 May 2013 11:12

Get the finished message of TLS handshake

Hey,

I am trying to implement a prototype implementation of tls-unique (RFC 5929) in Firefox for a German research
group. Therefore I need the Finished message of the TLS handshake. After hours of research I found out that
it is "most likely" not possible to get the Finished message in a Firefox extension. But what about XPCOM
components? Is it possible to create an XPCOM component that propagates such implementation details, or
do I really have to modify the source code of NSS? Or is there any other way that I have overlooked?

I am looking forward to your answer,
Christian Koßmann
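One thing the Finished message enables, shown here as an added example rather than code from the original post or the research prototype: binding an application-layer credential to the tls-unique value, so a proof captured on one TLS connection does not verify on another. It assumes a session token shared by client and server and uses constructed stand-ins for the Finished messages; in a real Python client the value would come from `ssl.SSLSocket.get_channel_binding("tls-unique")`.

```python
import hashlib
import hmac

# Channel-binding demo for tls-unique (RFC 5929 section 3): the binding value
# is the first TLS Finished message sent on the connection. In a Python client
# it is read with ssl.SSLSocket.get_channel_binding("tls-unique"); the values
# below are constructed stand-ins (12 bytes, the TLS 1.2 verify_data length)
# so that the example runs offline.
CLIENT_TO_SERVER_FINISHED = bytes.fromhex("0f1e2d3c4b5a69788796a5b4")  # honest connection
MITM_TO_SERVER_FINISHED = bytes.fromhex("a1b2c3d4e5f60718293a4b5c")    # interceptor's own connection


def bind_token(session_token: bytes, tls_unique: bytes) -> bytes:
    """Client side: derive a proof tied to both the session token and this
    connection's tls-unique value. The token itself is never put on the wire."""
    return hmac.new(session_token, b"tls-unique:" + tls_unique, hashlib.sha256).digest()


def verify_bound_token(session_token: bytes, proof: bytes, tls_unique: bytes) -> bool:
    """Server side: recompute the proof with the tls-unique value of the
    connection the proof actually arrived on, then compare in constant time."""
    expected = bind_token(session_token, tls_unique)
    return hmac.compare_digest(expected, proof)


def demo() -> tuple:
    """Returns (verifies on the honest connection, verifies when relayed)."""
    token = b"constructed-session-token-0001"  # constructed shared secret
    proof = bind_token(token, CLIENT_TO_SERVER_FINISHED)
    direct = verify_bound_token(token, proof, CLIENT_TO_SERVER_FINISHED)
    # A TLS-terminating interceptor that forwards the proof over its own
    # connection to the server presents a different Finished message, so the
    # server's recomputation does not match.
    relayed = verify_bound_token(token, proof, MITM_TO_SERVER_FINISHED)
    return direct, relayed


if __name__ == "__main__":
    print(demo())  # (True, False)
```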
Gervase Markham | 13 May 2013 15:06

Re: It's time to remove plugin support from Firefox mobile

On 10/05/13 18:54, David Keeler wrote:
> * The only plugin that most users care about is Flash. Adobe stopped
> development for Flash on Android in November of 2011, which is a year
> and a half ago[1].

.... and it's no longer available for new installations.

> * Popular sites that use plugins have native apps. This includes
> YouTube, Netflix, Hulu, and so on. Other sites can follow suit or use
> modern web technologies like HTML5. 

I think the first big question is: is driving people to using native
apps rather than Flash a win or a loss for us?

Clearly we'd prefer them to use HTML5 video, but they won't all do that.

The second big question is regard to user opinion. When we didn't have
Flash support we were regularly panned for it - even beyond the Flash
EOL announcement IIRC. Do we want to take the hit to our Market rating?

> Addons are also an option.

How are addons a serious option?

Gerv
Michael Ströder | 11 May 2013 13:15

Re: Removal of "Revocation Lists" feature (Options -> Advanced -> Revocation Lists)

Brian Smith wrote:
> I propose we remove the "Revocation Lists" feature (Options -> Advanced ->
> Revocation Lists). Are there any objections? If so, please explain your
> objection.

For privacy reasons many people switch off OCSP checking. And therefore I have
strong objections against everything which makes CRL checking less flexible.

Ciao, Michael.
David Keeler | 10 May 2013 19:54

It's time to remove plugin support from Firefox mobile

[bcc'd to many lists for wide visibility - discussion should probably be
on mobile.firefox.dev
(https://mail.mozilla.org/listinfo/mobile-firefox-dev)]

TL;DR: Now is a good time to remove plugin support from Firefox for Android.

Consider:
* We do not support plugins for Firefox OS and do not plan to
* The only plugin that most users care about is Flash. Adobe stopped
development for Flash on Android in November of 2011, which is a year
and a half ago[1].
* Popular sites that use plugins have native apps. This includes
YouTube, Netflix, Hulu, and so on. Other sites can follow suit or use
modern web technologies like HTML5. Addons are also an option.
* Plugins are a security hazard
* Plugins drain battery life and make Firefox seem slow

Let's be bold, let's protect our users, and let's move the web forward.

[1] http://blogs.adobe.com/conversations/2011/11/flash-focus.html
Jan Schejbal | 1 May 2013 23:48

Re: Removal of "Revocation Lists" feature (Options -> Advanced -> Revocation Lists)

Am 2013-04-30 23:28, schrieb Brian Smith:
> For all these reasons, I think it is time for this feature to go.

I just checked. In my list, I had two CRLs, one by OpenLimit, one by
CACert. The CACert one had autoupdate enabled and set to be done 1 day
before the nextUpdate date, a nextUpdate date in 2008, and no reported
update failures. Manually triggering the update did bring up a current
CRL. Therefore, I am not even sure if the feature works properly.

The only place where I could imagine this could be relevant are
enterprise setups where someone has rolled out their own CA, either for
https or for mail. Thus, I would suggest asking on the various
Enterprise Working Group mailing lists.

Kind regards,
Jan

-- 
Please avoid sending mails, use the group instead.
If you really need to send me an e-mail, mention "FROM NG"
in the subject line, otherwise my spam filter will delete your mail.
Sorry for the inconvenience, thank the spammers...
Tom Ritter | 27 Apr 2013 19:37

OCSP Stapling w/ Delegated Signers

I have what may be a well-trodden topic in the nuances of OCSP Stapling
- but after having it posed to me I realized I did not know the
answer. Thus, I ask publicly in the hope that there is a simple
answer I can point to in the future.

If a CA uses a delegated signer for OCSP, and a website delivers an
OCSP Staple... How does the user (talking only to the website) get

 - The Delegated Signing Cert (which is presumably an Intermediate off
a Trust Root)
 - The revocation information for *that* Intermediate cert

thanks,
tom
fr0sty | 22 Apr 2013 17:53

Safebrowsing

Hi,
I have a few questions about the safebrowsing feature in Firefox.
Answering any of these questions would be extremely helpful.

    1. How does one clear the safebrowsing data?
    2. Does Firefox stop fetching safebrowsing data if the browser is
    inactive? The spec says the list is updated every 30 minutes, but
    doesn't say anything about user activity.
    3. The data itself is authenticated, but it is also served over HTTP,
    and the protocol supports requesting specific lists and segments. This
    might introduce the ability of websites to repeatedly block list
    segments in an attempt to create a "supercookie" in the client. This
    "supercookie" looks like it can persist for up to 6 hours (based on
    the retry behavior in
    https://wiki.mozilla.org/Phishing_Protection:_Design_Documentation#Client_Backoff).
    Is there a way for websites to read this supercookie at will? If so,
    is there a way to prevent it/clear it?
    4. Clearing the list data might also cause an immediate re-download of
    all lists and segments. Does it?
    5. Say I needed to clear the MAC key. How do I do that? Does doing so
    invalidate the previous list data?

Again, any answers to these questions would be very helpful.

Thanks in advance,
cl34r


Gary Kwong | 17 Apr 2013 22:27

Orangfuzz – an experimental user interaction fuzzer for Firefox OS

(followups to: mozilla.dev.b2g please)

I recently released an experimental user interaction (touch) fuzzer for 
Firefox OS, known as orangfuzz[1]. It is based on the Orangutan 
framework[2] by wlach.

More details can be found in a Mozilla Security blogpost[3].

Currently it only works with a Unagi B2G test device - I tested on a 
Geeksphone Keon but the Orangutan framework wasn't working as expected 
there yet.

Some possible ideas/ways to move forward:

* Decide on a common prepopulate state - currently orangfuzz always 
starts off on the homescreen, but ideally should be started from a 
fixed state of Firefox with a fixed number of apps in a common position 
(e.g. from reset). b2gpopulate[4] might help with this.
* Run the generated scripts with the long-running harness script[5] on 
pandaboards running B2G and orangutan, possibly via mozpool.
* Find ways to detect crashes - should we monitor 
"/data/b2g/mozilla/Crash\ Reports" for new crashes?
* Find a way to detect assertions - monitor logcat?
* Improve the reliability of reproducing testcases by another person - 
what are factors involved in one person not reproducing the crash by 
running the script on another similar device?
* Come up with a way to reduce testcases generated by the fuzzer 
automatically, maybe using Lithium[6].
* Come up with an optimum number of steps (currently 10000) such that we 
   achieve a fair balance of simulating sufficient user actions, not 

r.andrews | 12 Apr 2013 02:16

Re: Firefox behavior with CDPs and AIAs

Thanks; I had already posted this to dev.tech.crypto...
r.andrews | 11 Apr 2013 21:25

Firefox behavior with CDPs and AIAs

I know that FF allows you to choose a CRL and it will check status against that CRL when it finds a cert issued by
the CRL issuer. Does anyone know if FF uses the CDP in the cert or the cert's issuer name as a key to find the CRL?

The reason I ask is in regards to partitioned CRLs, where a CA could, for example, have one CRL for odd serial
numbers and one for even. The CA would put the appropriate CDP in each cert, but would that confuse FF?

Same question about OCSP responses and AIA.

Does anyone know the answers for IE?
Michael Ströder | 7 Apr 2013 15:00

Re: Warnings about non-default certs in Private Browsing Mode?

Gervase Markham wrote:
> I wanted to raise a suggestion from John Nagle to the status of a new
> thread. John suggested that, in Private Browsing Mode only, Firefox
> should inform the user if they make a secure connection using a
> certificate which is not one of the default set in NSS's root store.
> 
> The logic is that if a user is using PBM, they are unlikely to be
> browsing their own intranet, or other location where the certificate
> chains up to a manually-installed cert. Therefore, if one is being used,
> they are likely to be being MITMed. They may have consented to this,
> e.g. at a workplace - hence the suggestion that this is a prominent user
> interface indicator, e.g. a non-dismissable infobar, rather than a
> blocking page or red scary warning.

Given the fact that there are so many CA certs pre-installed as "trusted"
issued by CAs with dubious reputation I'd rather vote for displaying a warning
to make the user explicitly accept a certain CA cert for a given DNS name once.

Ciao, Michael.
