Security issues such as specific security problems or ideas for making the code as a whole more secure can be discussed here

Milko Krachounov | 7 Jan 2010 16:20

This Message is Untrusted

You have asked your mail client to open this email message, but we can't 
confirm that its contents are friendly and polite.

Normally, within a mailing list message, the sender would use kind words to 
prove that he is peaceful and loyal. However, this message contained tons of 
bitter words directed at the addressees, so the good intentions of the sender 
couldn't be verified.

What Should I Do?
If you usually read messages on this mailing list without problems, this error 
could mean that someone just got very angry at you because some of your latest 
moronic decisions, and you shouldn't continue.

[Get me out of here!]

Technical Details
The mailing message contained 89 mild curse words, 17 strong curse words, and 
4 curse words exceeding the threshold of pain.

(Error code: sec_error_too_many_cursewords)

I Understand the Risks
If you understand what's going on, you can tell the mailing system to start 
trusting the sender by performing a short five-minute exorcism. You should do 
this for every message. *Even if you trust the sender, this error could mean 
that he still wants to insult you, attack you, nuke you from orbit or force 
you to listen to Rick Astley.*

Don't do this unless you know for certain that the sender doesn't have a 
reason to come down rudely upon you.

(Continue reading)

alex daloo | 7 Jan 2010 21:03

Fx FTL

Firefox 3.5.7 .... year 2010... mozilla still not able to get ICA
certs... good job mozilla. i told my company the solution (use IE).

just my 2 cents.

good job  <at>  eddy from startcom

Kathleen Wilson | 15 Jan 2010 19:45

Picon

Date to disable/remove remaining MD2/MD5 roots from NSS

I have started a discussion in mozilla.dev.security.policy with subject 
“Date to disable/remove remaining MD2/MD5 roots from NSS”.

If this is of interest to you, please refer to and contribute to that 
discussion thread.

Kathleen

Timothy D. Morgan | 26 Jan 2010 21:57

Paper: Weaning the Web off of Session Cookies

Hello,

I would like to bring your attention to a paper I published today:
  http://www.vsecurity.com/download/papers/WeaningTheWebOffOfSessionCookies.pdf

It includes a few minor security problems with HTTP authentication
dialog boxes and password managers in several browsers.

More importantly, it makes an argument for a few small changes to
browser behavior and/or standards.  I would hope that Mozilla
developers could take a look and provide any feedback.  I'm
particularly interested in opinions on the suggested 401 response
behavior change.  I have submitted this information to other browser
vendors as well.

thanks!
tim

Daniel Veditz | 27 Jan 2010 17:19

Re: Paper: Weaning the Web off of Session Cookies

On 1/26/10 12:57 PM, Timothy D. Morgan wrote:
> I would like to bring your attention to a paper I published today:
>   http://www.vsecurity.com/download/papers/WeaningTheWebOffOfSessionCookies.pdf
> 
> It includes a few minor security problems with HTTP authentication
> dialog boxes and password managers in several browsers.

This is an area Mozilla has been interested in. You should talk to our
"Mozilla Labs" folks who have been working on Identity in the browser.
They are coming at it from a different angle but there's a lot of
overlap between the problems you and they are trying to solve.

http://www.azarask.in/blog/post/identity-in-the-browser-firefox/
http://mozillalabs.com/blog/2009/05/identity-in-the-browser/

I have a quibble with your section on HTTPOnly cookies. By mentioning
only IE by name when you follow with "other browsers have been slow to
adopt this feature" people will naturally assume that includes Firefox,
the only other browser with significant marketshare. Firefox has
supported HTTPOnly since 2007. Although perhaps "slow" compared to when
Microsoft invented the feature that's pretty irrelevant for a paper
written three years later when nearly all Firefox users will have
support for it.

Continuing that quote with "and continue to have difficulties fully
enforcing this rule in light of newer features (such as AJAX
requests/responses)" people will again assume Firefox, when Firefox was
the first to get this right and in fact IE is one of the browsers with
difficulties. You don't have to take my word for it, this is right in
the OWASP chart linked to from your paper and in the "[16]" link from

(Continue reading)

Timothy D. Morgan | 27 Jan 2010 21:20

Re: Paper: Weaning the Web off of Session Cookies

Hi Daniel,

Thanks for taking the time to read through it.

> This is an area Mozilla has been interested in. You should talk to our
> "Mozilla Labs" folks who have been working on Identity in the browser.
> They are coming at it from a different angle but there's a lot of
> overlap between the problems you and they are trying to solve.
> 
> http://www.azarask.in/blog/post/identity-in-the-browser-firefox/
> http://mozillalabs.com/blog/2009/05/identity-in-the-browser/

Cool, there are some great UI ideas there.  I particularly like the
examples that eliminate favicons. 

I would think that moving toward HTTP authentication schemes, such as
digest, would make it much easier to automate a good identity manager.
Would you agree?

> I have a quibble with your section on HTTPOnly cookies. By mentioning
> only IE by name when you follow with "other browsers have been slow to
> adopt this feature" people will naturally assume that includes Firefox,
> the only other browser with significant marketshare. Firefox has
> supported HTTPOnly since 2007. Although perhaps "slow" compared to when
> Microsoft invented the feature that's pretty irrelevant for a paper
> written three years later when nearly all Firefox users will have
> support for it.
>
> Continuing that quote with "and continue to have difficulties fully
> enforcing this rule in light of newer features (such as AJAX

(Continue reading)

Daniel Veditz | 28 Jan 2010 08:47

Re: Paper: Weaning the Web off of Session Cookies

On 1/27/10 12:20 PM, Timothy D. Morgan wrote:
> Cool, there are some great UI ideas there.  I particularly like the
> examples that eliminate favicons. 
> 
> I would think that moving toward HTTP authentication schemes, such as
> digest, would make it much easier to automate a good identity manager.
> Would you agree?

We can't control what web sites do, but if we make the experience nicer
more sites may be encouraged to use things like HTTP Auth. Personally
I'd like to see client certs used for auth but we really have a lot of
work to do to make that a pleasant experience for anyone.

> Another thought I had on performing logouts, which is not presented in
> the paper, is that if the XMLHttpRequest W3C standard is finalized and
> fully adopted by browsers as is, then one might be able to use
> JavaScript to clear credentials

As someone who regularly disables JavaScript I'd hate to see client auth
require it.

>> You must be the Tim who started the "Past proposals for HTTP Auth
>> Logout" thread and if so you're already involved in the right place for
>> that.
> 
> Heh, you did your homework.  Yes, I did start that thread. 

No creepy stalking involved, honest  I remembered the topic came up
on the httpbis mailing list recently so I went to see if they had
reached any kind of consensus in the group.

(Continue reading)

Chris Hills | 30 Jan 2010 08:33

Re: Paper: Weaning the Web off of Session Cookies

On 28/01/2010 07:47, Daniel Veditz wrote:
> We can't control what web sites do, but if we make the experience nicer
> more sites may be encouraged to use things like HTTP Auth. Personally
> I'd like to see client certs used for auth but we really have a lot of
> work to do to make that a pleasant experience for anyone.

This is why I try to use OpenID where possible, since my provider
supports certificate login, which removes the necessity from the web
site to support it (as long as it supports OpenID of course).

Timothy D. Morgan | 31 Jan 2010 19:12

Re: Paper: Weaning the Web off of Session Cookies

> This is why I try to use OpenID where possible, since my provider
> supports certificate login, which removes the necessity from the web
> site to support it (as long as it supports OpenID of course).

That's handy, but doesn't that mean the website you're accessing will
still use cookies once you're authenticated?

tim

Group

gmane.comp.mozilla.security.

Search Archive

Page

1

Articles in period: 9

January 2010

Language

Change language

Options

Current view: Threads only / Showing only 20 lines / Not hiding cited text.
Change to All messages, whole messages, or hide cited text.

Post a message
NNTP Newsgroup
Classic Gmane web interface
XML

XML

RSS Feed
List Information

About Gmane

Recent entries

Get the finished message of TLS handshake (14 May 2013)
It's time to remove plugin support from Firefox mobile (13 May 2013)
Removal of "Revocation Lists" feature (Options -> Advanced -> Revocati (11 May 2013)
It's time to remove plugin support from Firefox mobile (10 May 2013)
Removal of "Revocation Lists" feature (Options -> Advanced -> Revocati (1 May 2013)
OCSP Stapling w/ Delegated Signers (27 Apr 2013)
Safebrowsing (22 Apr 2013)
Orangfuzz – an experimental user interaction fuzzer for Firefox OS (17 Apr 2013)
Firefox behavior with CDPs and AIAs (12 Apr 2013)
Firefox behavior with CDPs and AIAs (11 Apr 2013)
Warnings about non-default certs in Private Browsing Mode? (7 Apr 2013)
Building NSS failed on both Ubuntu 12.04 and Linux Mint 14 (6 Apr 2013)
Content Type Dependencies (6 Apr 2013)
Calling function from nsIContentSecurityPolicy.idl (6 Apr 2013)
Proposal: tougher CA standards in "private browsing" mode. (4 Apr 2013)
Confusion about abstract strings (4 Apr 2013)
Case sensitivity in FF (4 Apr 2013)
Proposal: tougher CA standards in "private browsing" mode. (4 Apr 2013)
Biggest Fake Conference in Computer Science (3 Apr 2013)
Advanced Image Gallery DW Extension (1 Apr 2013)
kids nude, hidden cams on nude kids, little kids nude (31 Mar 2013)

Archives

7	May 2013
54	April 2013
26	March 2013
17	February 2013
14	January 2013
6	December 2012
19	November 2012
10	October 2012
7	September 2012
42	August 2012
25	July 2012
96	June 2012
35	May 2012
239	April 2012
332	March 2012
20	February 2012
13	January 2012
1	December 2011
4	October 2011
27	September 2011
14	August 2011
10	July 2011
12	June 2011
9	May 2011
37	April 2011
21	March 2011
6	February 2011
3	January 2011
26	December 2010
3	November 2010
3	October 2010
10	September 2010
9	August 2010
4	July 2010
22	June 2010
4	May 2010
11	April 2010
40	March 2010
50	February 2010
9	January 2010
15	December 2009
94	November 2009
122	October 2009
3	September 2009
42	August 2009
88	July 2009
16	June 2009
9	May 2009
54	April 2009
30	March 2009
36	February 2009
27	January 2009
40	December 2008
26	November 2008
13	October 2008
43	September 2008
27	August 2008
47	July 2008
60	June 2008
20	May 2008
23	April 2008
14	March 2008
25	February 2008
31	January 2008
13	December 2007
9	November 2007
8	October 2007
24	September 2007
17	August 2007
15	July 2007
14	June 2007
44	May 2007
41	April 2007
87	March 2007
266	February 2007
47	January 2007
11	December 2006
203	November 2006
20	October 2006
10	September 2006
23	August 2006
32	July 2006
8	June 2006
6	May 2006
4	April 2006
3	March 2006
7	January 2006
12	December 2005
11	November 2005
3	October 2005
8	September 2005
46	August 2005
18	July 2005
165	June 2005
205	May 2005
196	April 2005
312	March 2005
219	February 2005
21	January 2005
55	December 2004
15	November 2004
30	October 2004
35	September 2004
40	August 2004
54	July 2004
51	June 2004
29	May 2004
49	April 2004
42	March 2004
31	February 2004
34	January 2004
30	December 2003
91	November 2003
24	October 2003
40	September 2003
58	August 2003
30	July 2003
27	June 2003
29	May 2003
27	April 2003
25	March 2003
31	February 2003
18	January 2003
36	December 2002
46	November 2002
38	October 2002
37	September 2002
26	August 2002
28	July 2002
19	June 2002
37	May 2002
41	April 2002
1	February 2002

Design

Zawodny | Right Menu | Left Menu

Your Own Design

Paste the URL of your CSS below. Download CSS template