Security issues such as specific security problems or ideas for making the code as a whole more secure can be discussed here

Gervase Markham | 11 Jan 2012 18:36

Picon

Re: Policy discussion list that is read-only for the public

Hi Ben,

On 11/01/12 17:07, Ben Bucksch wrote:
> The majority of discussions here on this list are policy discussions
> that are not specifically about bugs that are still embargoed, but
> either general "what should we do about this whole class of problems" or
> about security bugs that are already in the wild and we need to react to
> that. So, there is no inherent need to keep these discussions hidden.
> 
> For those discussions which do need to stay hidden from public view, we
> can keep this list. For all others, we could theoretically use
> mozilla.dev.security, but there's way too much noise there, so nobody of
> importance reads it. I tried posting there several times, and got
> practically no  relevant responses. 

There hasn't been a post in mozilla.dev.security since October; what do
you mean by "way too much noise"?

If our security community is not, on the whole, members of our public
security discussion forum, then that's a problem - but setting up
another forum is not necessarily the solution to it.

Perhaps people on s-g who are not members of m.d.s can say why they
aren't? Didn't know about it? Was once a member but it seemed off-topic?
Something else?

> The point would be that there is a public track record of our decisions
> and why we made them, but we avoid the noise.

I don't think discussions happen here solely for lack of a suitable

(Continue reading)

Ben Bucksch | 11 Jan 2012 18:07

Policy discussion list that is read-only for the public

Hey all,

dveditz <#dveditz> just said on IRC: "this is better as a mail 
conversation I think -- either mozilla.dev.security or security-group 
(depending on your taste for open-but-small-audience vs 
better-audience-but-hidden)"

This perfectly phrases and frames the problem. We're an open-source 
project and for me that also means openness in project structure, 
decision-making and leadership. Transparency.

The majority of discussions here on this list are policy discussions 
that are not specifically about bugs that are still embargoed, but 
either general "what should we do about this whole class of problems" or 
about security bugs that are already in the wild and we need to react to 
that. So, there is no inherent need to keep these discussions hidden.

For those discussions which do need to stay hidden from public view, we 
can keep this list. For all others, we could theoretically use 
mozilla.dev.security, but there's way too much noise there, so nobody of 
importance reads it. I tried posting there several times, and got 
practically no  relevant responses. I suggest:

Create a mailing-list that is moderated. Members of the security-group 
get automatically subscribed (but they can optionally unsubscribe 
themselves, if they really don't want it), and they can post without 
moderator approval. Everybody else can read it, and it has a newsgroup 
equivalent, but nobody can post from there.

The point would be that there is a public track record of our decisions

(Continue reading)

Kyle Hamilton | 12 Jan 2012 04:38

Picon

Re: Policy discussion list that is read-only for the public

On Wed, Jan 11, 2012 at 9:36 AM, Gervase Markham <gerv <at> mozilla.org> wrote:
> Mozilla needs a space in between "public" and "security group" (or
> "employees"). We've needed one for a long time; this is just another
> manifestation of the issue.

So how about representation of the users' interests within the "security group" or "employees" via an
elected or appointed position?

Right now, the security group (particularly the participants in the CABF from Mozilla) seems to be a place
where the end users, particularly the well-informed and strongly-motivated end users, have no voice at
all.  It seems to be a place where shadowy decisions are made in back-room deals by shady, non-elected characters.

Unfortunately, it also is the place where the end-users who want to do their own due diligence need to have
someone they can trust, but are stonewalled and stymied every time they try to effect any kind of change.

The "security group" and "employees" involved here are operating contrary to Mozilla's board-approved
principles.  Unless and until Mozilla shows that it has effective corporate governance and decision
auditing, it's getting no more of my donor dollars.  It's also getting my anti-Mozilla opinions slapped
everywhere.  (I live in Mountain View, 1.1 miles from the Castro Street headquarters.  Guess where much of
my oration is going to be?)  The security group's service to the Mozilla principles is a joke, it's a farce,
and Mozilla needs someone in that group who isn't going to just say "PKI me harder", who isn't so certain
that his or her vision of PKI is the only correct interpretation that he/she/they completely shut out any
and all attempts to change the PKI status quo with "RESOLVED INVAL
 ID", without any engagement in any kind of dialogue about why or how these attempts might actually have merit.

In other words, the employees need to have their ivory tower demolished.  Until that happens, no progress
toward actual user security can be made.

-Kyle H

(Continue reading)

Henri Sivonen | 12 Jan 2012 09:10

Picon

Picon

Is Mozilla actively working to introduce CAless TLS public key checking?

After reading about CA compromises again and again, I am wondering:

Is Mozilla actively working on a TLS public key checking system that
has real trust agility (not DNSsec!) and that doesn't require CAs to
work (but that can work in parallel with the CA system)?

Building Convergence into Firefox perhaps? (I'm aware that Convergence
doesn't work in captive portals and that business incentives that'd
result in a diverse high-availability network of notaries are
unclear.)

--

-- 
Henri Sivonen
hsivonen <at> iki.fi
http://hsivonen.iki.fi/

Daniel Veditz | 12 Jan 2012 17:10

Re: Policy discussion list that is read-only for the public

On 1/11/12 7:38 PM, Kyle Hamilton wrote:
> Right now, the security group (particularly the participants in
> the CABF from Mozilla)

There have been zero discussions about CABF stuff on the private
security-group mailing list. The only time I recall PKI-in-general
topics coming up is in the heat of dealing with recent CA compromises.

> seems to be a place where the end users, particularly the
> well-informed and strongly-motivated end users, have no voice at
> all.  It seems to be a place where shadowy decisions are made in
> back-room deals by shady, non-elected characters.

I think you're confusing this dev-security list with
dev-security-policy, which might have been better called
dev-tech-crypto-policy to emphasize it's relation with the crypto
group. This list covers pretty much everything BUT the crypto/PKI
policy.

> (I live in Mountain View, 1.1 miles from the Castro Street
> headquarters. Guess where much of my oration is going to be?)

We should have lunch then. Come on down! Mail in advance to
schedule, would be a bummer if you dropped in on a day I already had
something planned. If you're only interested in PKI-related security
issues we can make sure some of those folks are around, too. Some of
the Red Hat guys who work on NSS are just a couple blocks down from
Mozilla.

-Dan Veditz

(Continue reading)

Daniel Veditz | 12 Jan 2012 17:10

Re: Policy discussion list that is read-only for the public

On 1/11/12 7:38 PM, Kyle Hamilton wrote:
> Right now, the security group (particularly the participants in
> the CABF from Mozilla)

There have been zero discussions about CABF stuff on the private
security-group mailing list. The only time I recall PKI-in-general
topics coming up is in the heat of dealing with recent CA compromises.

> seems to be a place where the end users, particularly the
> well-informed and strongly-motivated end users, have no voice at
> all.  It seems to be a place where shadowy decisions are made in
> back-room deals by shady, non-elected characters.

I think you're confusing this dev-security list with
dev-security-policy, which might have been better called
dev-tech-crypto-policy to emphasize it's relation with the crypto
group. This list covers pretty much everything BUT the crypto/PKI
policy.

> (I live in Mountain View, 1.1 miles from the Castro Street
> headquarters. Guess where much of my oration is going to be?)

We should have lunch then. Come on down! Mail in advance to
schedule, would be a bummer if you dropped in on a day I already had
something planned. If you're only interested in PKI-related security
issues we can make sure some of those folks are around, too. Some of
the Red Hat guys who work on NSS are just a couple blocks down from
Mozilla.

-Dan Veditz

(Continue reading)

Daniel Veditz | 12 Jan 2012 20:24

Re: Is Mozilla actively working to introduce CAless TLS public key checking?

On 1/12/12 12:10 AM, Henri Sivonen wrote:
> Is Mozilla actively working on a TLS public key checking system that
> has real trust agility (not DNSsec!) and that doesn't require CAs to
> work (but that can work in parallel with the CA system)?

Not "actively", no. It's too early to determine if that's a fruitful
approach to build it into Firefox. We should, however, make some
changes so it's easier to develop experiments like Convergence.

-Dan Veditz

Kevin Chadwick | 24 Jan 2012 23:53

Picon

Please bring back JIT options in about:config for PAX/Grsecurity compatibility (Hardened Linux)

Currently the only web browser I've found that runs with grsecurity/pax
with all security features such as "PAX" Mprotect and RANDMMAP is Opera.

"http://pax.grsecurity.net/docs/mprotect.txt"
"http://en.wikibooks.org/wiki/Grsecurity/Appendix/PaX_Flags"

I care more about security than javascript speed but I don't wish to
spend the time or energy fixing and compiling firefox to work with a
secure linux kernel that avoids so many 0-day exploits.

I run firefox in a sandbox for the occasional time flash is required
and I am being pushed towards the closed source Opera for general use
by my businesses when I'd prefer to stick with firefox outside the
sandbox which I have been using since firebird.

A bug has been opened in the past but was mistaken for firefoxes
mprotect and incorrectly closed.

The problem is Just In Time execution which requires write and execute
at the same time which should be optional and not explicitly compiled
in. Users should atleast be able to allow RWX via paxctl, load up
firefox set methodjit and tracejit off in about:config and re-enable the
security (disable RWX).

It used to be possible

"http://hardenedgentoo.blogspot.com/2010/07/grsecurity-firefox-mprotect-and-you.html"

Then it got harder for firefox 4

(Continue reading)

Ian Melven | 25 Jan 2012 00:33

Re: Please bring back JIT options in about:config for PAX/Grsecurity compatibility (Hardened Linux)


Hi Kevin,

in a current FF 9 release I see the following prefs :

javascript.options.jitprofiling.chrome;true
javascript.options.jitprofiling.content;true
javascript.options.methodjit.chrome;true
javascript.options.methodjit.content;true
javascript.options.methodjit_always;false
javascript.options.tracejit.chrome;true
javascript.options.tracejit.content;true

does setting these options to false let Firefox run under PAX 
with RWX disabled ?

(also please note that there is no more tracejit in Firefox 10 and later)

thanks !
ian

----- Original Message -----
From: "Kevin Chadwick" <ma1l1ists <at> yahoo.co.uk>
To: dev-security <at> lists.mozilla.org
Sent: Tuesday, January 24, 2012 2:53:24 PM
Subject: Please bring back JIT options in about:config for PAX/Grsecurity	compatibility (Hardened Linux)

Currently the only web browser I've found that runs with grsecurity/pax
with all security features such as "PAX" Mprotect and RANDMMAP is Opera.

(Continue reading)

weizhong qiang | 25 Jan 2012 10:06

Picon

How can I output the uncrypted private key as part of p12

Hi all,
I find the method PK11_ExportPrivateKeyInfo is empty. Could you tell me how can I output the private key
(without encryption) as part of pkcs 12 file?

Best Regards,
Weizhong Qiang

Group

gmane.comp.mozilla.security.

Search Archive

Page

1 | 2

Articles in period: 13

January 2012

Language

Change language

Options

Current view: Threads only / Showing only 20 lines / Not hiding cited text.
Change to All messages, whole messages, or hide cited text.

Post a message
NNTP Newsgroup
Classic Gmane web interface
XML

XML

RSS Feed
List Information

About Gmane

Recent entries

Get the finished message of TLS handshake (14 May 2013)
It's time to remove plugin support from Firefox mobile (13 May 2013)
Removal of "Revocation Lists" feature (Options -> Advanced -> Revocati (11 May 2013)
It's time to remove plugin support from Firefox mobile (10 May 2013)
Removal of "Revocation Lists" feature (Options -> Advanced -> Revocati (1 May 2013)
OCSP Stapling w/ Delegated Signers (27 Apr 2013)
Safebrowsing (22 Apr 2013)
Orangfuzz – an experimental user interaction fuzzer for Firefox OS (17 Apr 2013)
Firefox behavior with CDPs and AIAs (12 Apr 2013)
Firefox behavior with CDPs and AIAs (11 Apr 2013)
Warnings about non-default certs in Private Browsing Mode? (7 Apr 2013)
Building NSS failed on both Ubuntu 12.04 and Linux Mint 14 (6 Apr 2013)
Content Type Dependencies (6 Apr 2013)
Calling function from nsIContentSecurityPolicy.idl (6 Apr 2013)
Proposal: tougher CA standards in "private browsing" mode. (4 Apr 2013)
Confusion about abstract strings (4 Apr 2013)
Case sensitivity in FF (4 Apr 2013)
Proposal: tougher CA standards in "private browsing" mode. (4 Apr 2013)
Biggest Fake Conference in Computer Science (3 Apr 2013)
Advanced Image Gallery DW Extension (1 Apr 2013)
kids nude, hidden cams on nude kids, little kids nude (31 Mar 2013)

Archives

7	May 2013
54	April 2013
26	March 2013
17	February 2013
14	January 2013
6	December 2012
19	November 2012
10	October 2012
7	September 2012
42	August 2012
25	July 2012
96	June 2012
35	May 2012
239	April 2012
332	March 2012
20	February 2012
13	January 2012
1	December 2011
4	October 2011
27	September 2011
14	August 2011
10	July 2011
12	June 2011
9	May 2011
37	April 2011
21	March 2011
6	February 2011
3	January 2011
26	December 2010
3	November 2010
3	October 2010
10	September 2010
9	August 2010
4	July 2010
22	June 2010
4	May 2010
11	April 2010
40	March 2010
50	February 2010
9	January 2010
15	December 2009
94	November 2009
122	October 2009
3	September 2009
42	August 2009
88	July 2009
16	June 2009
9	May 2009
54	April 2009
30	March 2009
36	February 2009
27	January 2009
40	December 2008
26	November 2008
13	October 2008
43	September 2008
27	August 2008
47	July 2008
60	June 2008
20	May 2008
23	April 2008
14	March 2008
25	February 2008
31	January 2008
13	December 2007
9	November 2007
8	October 2007
24	September 2007
17	August 2007
15	July 2007
14	June 2007
44	May 2007
41	April 2007
87	March 2007
266	February 2007
47	January 2007
11	December 2006
203	November 2006
20	October 2006
10	September 2006
23	August 2006
32	July 2006
8	June 2006
6	May 2006
4	April 2006
3	March 2006
7	January 2006
12	December 2005
11	November 2005
3	October 2005
8	September 2005
46	August 2005
18	July 2005
165	June 2005
205	May 2005
196	April 2005
312	March 2005
219	February 2005
21	January 2005
55	December 2004
15	November 2004
30	October 2004
35	September 2004
40	August 2004
54	July 2004
51	June 2004
29	May 2004
49	April 2004
42	March 2004
31	February 2004
34	January 2004
30	December 2003
91	November 2003
24	October 2003
40	September 2003
58	August 2003
30	July 2003
27	June 2003
29	May 2003
27	April 2003
25	March 2003
31	February 2003
18	January 2003
36	December 2002
46	November 2002
38	October 2002
37	September 2002
26	August 2002
28	July 2002
19	June 2002
37	May 2002
41	April 2002
1	February 2002

Design

Zawodny | Right Menu | Left Menu

Your Own Design

Paste the URL of your CSS below. Download CSS template