Gervase Markham | 3 Mar 2009 00:14

Re: Work-around for Moxie Marlinspike's Blackhat attack

On 28/02/09 00:32, Jonas Sicking wrote:
> It'd be good to have a separate pref, network.IDN.blacklist_chars_extra,
> where users can add additional characters without having to worry about
> not receiving updates to the list we maintain.

If users have to add chars to this list manually, that's Really Bad - 
because most won't. What's easier - getting loads of users to modify 
this pref, or shipping an automatically-installed security update to all 
of them?

Gerv
Gervase Markham | 3 Mar 2009 00:13

Re: Return of i18n attacks with the help of wildcard certificates

On 27/02/09 14:48, Boris Zbarsky wrote:
> It's not clear to me that the person who added the list even knew the
> page existed.

Neil added the list, and he wrote the second half of the page. So there 
was mutual knowledge. The list isn't documented on the page because, 
strictly speaking, it's not relevant.

> It seems like the right thing to do is to make the "this is the hostname
> of the site" ui somehow more prominent. Or possibly "this is the tld+2
> of the site" or something. Some UI mockups would probably help more than
> anything else.

We just turned hostname display UI for SSL on, according to The Burning 
Edge...

Gerv
Jean-Marc Desperrier | 3 Mar 2009 15:30

Re: Return of i18n attacks with the help of wildcard certificates

Gervase Markham wrote:
> [...]
> We just turned hostname display UI for SSL on, according to The Burning
> Edge...

This is a nice change, I found out about it on the burning edge too :-)

But, and as the link Eddy just reported shows, the attack is far from 
being only for SSL.

I think we should reconsider the options available to make the domain 
name more visible for http connexions.
What about a white version of the hostname display for http sites ?
Eddy Nigg | 3 Mar 2009 16:07

Re: Return of i18n attacks with the help of wildcard certificates

On 03/03/2009 04:30 PM, Jean-Marc Desperrier:
> But, and as the link Eddy just reported shows, the attack is far from
> being only for SSL.
>
> I think we should reconsider the options available to make the domain
> name more visible for http connexions.
> What about a white version of the hostname display for http sites ?

YEAH!

-- 
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: startcom <at> startcom.org
Blog:   https://blog.startcom.org
Boris Zbarsky | 3 Mar 2009 16:51

Re: Return of i18n attacks with the help of wildcard certificates

Jean-Marc Desperrier wrote:
> But, and as the link Eddy just reported shows, the attack is far from 
> being only for SSL.
> 
> I think we should reconsider the options available to make the domain 
> name more visible for http connexions.
> What about a white version of the hostname display for http sites ?

Wait.  Why does the domain matter at all for non-SSL connections?  It's 
not like we have any guarantees against MITM here...

-Boris
Eddy Nigg | 3 Mar 2009 18:52

Re: Return of i18n attacks with the help of wildcard certificates

On 03/03/2009 05:51 PM, Boris Zbarsky:
> Jean-Marc Desperrier wrote:
>> But, and as the link Eddy just reported shows, the attack is far from
>> being only for SSL.
>>
>> I think we should reconsider the options available to make the domain
>> name more visible for http connexions.
>> What about a white version of the hostname display for http sites ?
>
> Wait. Why does the domain matter at all for non-SSL connections? It's
> not like we have any guarantees against MITM here...
>

If we train users to watch out for positive SSL indicators and warn 
before submitting any information I think this should not be necessary. 
However I could imagine a re-vamped UI where the actual domain name is 
more prominent and the real URL less important for the average user.

Something like this:

+----+-------------+
|    |             +-------------------------------------+
|SSL | DOMAIN.COM  |                  URL                |
|    |             +-------------------------------------+
+----+-------------+

The URL part might be only optional or hide and reappear on mouse-over.

-- 
Regards

Jean-Marc Desperrier | 3 Mar 2009 19:59

Re: Return of i18n attacks with the help of wildcard certificates

Boris Zbarsky wrote:
> Jean-Marc Desperrier wrote:
>> But, and as the link Eddy just reported shows, the attack is far from
>> being only for SSL.
>>
>> I think we should reconsider the options available to make the domain
>> name more visible for http connexions.
>> What about a white version of the hostname display for http sites ?
>
> Wait. Why does the domain matter at all for non-SSL connections? It's
> not like we have any guarantees against MITM here...

Well, we don't have the option to change the world, and in practice 
people just *do* send important login/password on http connections.

You do have a point though, maybe it's time to think if there's a way by 
which mozilla could push toward more use of https to protect sensitive data.
Boris Zbarsky | 3 Mar 2009 20:14

Re: Return of i18n attacks with the help of wildcard certificates

Jean-Marc Desperrier wrote:
> Well, we don't have the option to change the world, and in practice 
> people just *do* send important login/password on http connections.

But that's insecure no matter what we do with our UI, and we should NOT 
be doing anything that makes it look more secure.

-Boris
Florian Weimer | 4 Mar 2009 12:27

Re: Return of i18n attacks with the help of wildcard certificates

* Boris Zbarsky:

> Wait.  Why does the domain matter at all for non-SSL connections?
> It's not like we have any guarantees against MITM here...

Most users are not subject to MITM attacks, but they do receive all
kinds of URL lures.
Boris Zbarsky | 4 Mar 2009 14:36

Re: Return of i18n attacks with the help of wildcard certificates

Florian Weimer wrote:
> Most users are not subject to MITM attacks

This may or may not be true given the prevalence of wireless networks 
out there...  we've had a number of reports of in-the-wild MITM attacks 
by wireless network operators.

> but they do receive all kinds of URL lures.

Yes, most of these are trying to phish sites that are normally SSL, so 
we should be making it very easy to tell when a site is not SSL or 
doesn't have the expected hostname over SSL.  Making non-SSL sites look 
more like SSL ones even by similarly highlighting the hostname is asking 
for trouble.

-Boris
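Two ideas from this thread, the "extra" blacklist pref that is merged with the maintained list (Jonas/Gervase) and a hostname display that highlights the tld+2 part (Boris/Eddy), can be sketched together in one small model. This is an added example, not Firefox code: the blacklist contents, the script heuristic based on Unicode character names and the naive tld+2 split are all constructed assumptions, and the behaviour for unsafe labels (fall back to punycode) is the policy being illustrated, not the browser's actual one.

```python
import unicodedata

# Constructed sample list (illustrative only; NOT the value Firefox ships
# in network.IDN.blacklist_chars): characters that look like URL delimiters
# or are invisible, so a label containing one is never shown as Unicode.
BASE_BLACKLIST = frozenset({"\u2044", "\u2215", "\u200b", "\u2028"})


def effective_blacklist(extra=""):
    """Merge a hypothetical user-supplied 'extra' list with the base list.

    Models the separate-pref proposal: the user's additions extend the
    maintained list instead of replacing it, so updates still apply.
    """
    return BASE_BLACKLIST | frozenset(extra)


def script_of(ch):
    # Heuristic: first word of the Unicode name, e.g. "CYRILLIC" from
    # "CYRILLIC SMALL LETTER A". Not a real Unicode Script property lookup.
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return "UNKNOWN"


def label_is_safe(label, blacklist):
    """True if a decoded (Unicode) label may be displayed as-is."""
    if any(ch in blacklist for ch in label):
        return False
    # A label mixing letters from two scripts (Latin + Cyrillic being the
    # classic homograph shape) is shown as punycode instead.
    return len({script_of(ch) for ch in label if ch.isalpha()}) <= 1


def display_host(host, extra=""):
    """Return (text to show in the location bar, part to highlight)."""
    bl = effective_blacklist(extra)
    shown = []
    for label in host.split("."):
        if label.startswith("xn--"):
            label = label.encode("ascii").decode("idna")  # punycode -> Unicode
        if label.isascii() or label_is_safe(label, bl):
            shown.append(label)
        else:
            shown.append(label.encode("idna").decode("ascii"))  # back to xn--
    # "tld+2" highlight as floated in the thread; a simplification that
    # ignores the public suffix list (wrong for e.g. example.co.uk).
    return ".".join(shown), ".".join(shown[-2:])
```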
