Domain: mozilla.org
Stories and comments across the archive that link to mozilla.org.
Comments · 17,579
-
Re:Stupid?
-
Re:Hmmm..
On a similar note: This futz about "the password problem" is getting really, really old.
Firefox Password Hasher exists.
And for everything else you can just drop a similar program onto your cellphone, PDA or whatever gadget you carry around with you.
Yes, it's not "perfect" security but it's probably the best tradeoff between convenience and security that we'll see in a long while. It won't get much better as long as human brains are involved. -
Re:Not sure about one-touch...For Google Docs:
- Get the Google Docs:Download Greasemonkey script.
- Get DownThemAll! 1.0.3
- Profit!
For Google Calendar:
- Find your private iCal link in the settings
- Create a cron script to use wget and a timedate stamp.
or
- Install Conduit
- Set up a sync
For GMail:
- Use POP or IMAP
For Picassa:
- Install Picassa
or
- Install Conduit
- Set up a sync
For YouTube
- Install Conduit
- Set up a sync
-
Why no link to the project page itself?Is it really too much to ask that the story actually contains a link to the actual product?
Instead, you are given a link to a zdnet news story, which links to a blog, which contains the relevant link at the very bottom of the page.
At the very least, the zdnet news story was completely irrelevant.
-
Re:Webmaster?
I used to use the Read Easily Firefox extension, that adds a toolbar button and a hotkey (Ctrl-Z) to toggle styles on and off. Perfect for tiny fonts, bad colors, etc.
Now, Vimperator rendered many smaller extensions obsolete, I mapped the \ key to do it, with
:map \ :invnum<CR> -
Re:Seconded.
You appear to be confusing me with someone else.
You are correct, my mistake, there were two different people to who I replied in the same thread.
No, that's not an example.
Sorry my example was poorly worded, I meant the user in this case being the recipient, not the sender. The recipient received an encrypted mail (using his public key) that was unsigned. Must he disregard the content under all circumstances? Or could it possibly be that the encryption was meant to keep prying eyes from reading the content instead of serving another purpose? That was my point.
I agree in principle with all of your assertions.
If you agree with all of those assertions how can you call encryption without authentication useless? They are two different problems, and solving one problem is better than solving none. If you take a hard stance on this point because of another potential attack vector, then how is any solution ever good enough when there will always be another potential vulnerability? One of my points is that there is a line - there is always something that can be compromised that is out of your control, using a CA isn't a panacea.
Going back to your previous reply:You walk into a crowded, pitch black room and say "John, come over here; I want to tell you a secret."
Wouldn't it be more akin to calling John via cell phone (self cert SSL) instead of yelling out what you want to say for all to hear (plain text)? Sure, somebody (at the phone company) could re-route the call and maybe they could also mimick John's voice, and maybe they later call John and spoof your caller ID and mimick your voice and relay to him what you said, but if I'm not concerned with those things I'm still better off quietly calling John in the pitch black room instead of yelling it out for all to hear. I have prevented at least some people in the room from hearing what I have to say.
What's missing is how those assertions can lead you to conclude that Firefox should be more tolerant of self-signed certs than it is.
I'm glad we've cycled back to the original article. Let's talk about the recent versions of Firefox (Fx). Fx2 did in fact warn you of a self signed cert, to which a user could simply click OK. Fx3 now requires 3-4 clicks to do the same thing. That's just being in the way for no good reason - a warning message and maybe a colored URL bar would be fine. There was also a time during the Fx3 beta when it was not possible to bypass the dialog for self-signed certs AT ALL, thus rendering access to a self-signed cert site impossible. Fortunately the mozilla devs changed their minds on that one before the stable release. There is still, however, other cert errors that are not bypassable in Fx3 that were in Fx2. Here is one of them: https://bugzilla.mozilla.org/show_bug.cgi?id=312732. This one does have a "workaround" that is fairly difficult and requires some guessing. So Firefox is unnecessarily getting in the way for much SSL usage, going well past a simple warning dialog.
-
Re:Read Gruber's post too
Um, I think these many projects would LOVE to have someone do this for them, and would be very willing to implement any solid suggestions you might have. Firefox, for example, has this sort of thing going on already:
-
Mozilla, purveyors of corporate-marketing-koolaid
Mozilla, once a world of anti-corporate geeks, can only speak corporate-marketing-speak now. Have you seen Planet Mozilla lately? Where once there was lively open, even acrimonious, debate, now there is only harmonious agreement and talking points -- like sheep, all the bloggers repeat the talking points, and with that same fake corporate enthusiasm that causes Steve Ballmer to jump around the stage. What's the point of blogs? Just post the talking points once and save the bandwidth.
Allow me to excerpt from the
/. post above about the new browser:unveiled
... spectacular new ... bleeding-edge ... new ... encouraging ... contribute ... highly advanced ... collaborating ... spectacular ... like Google ... offbeatI can't wait!
-
new?
This seems like a rather old project. Am I wrong? http://www.mozilla.org/rdf/doc/aurora.html
-
Re:One QuestionMaybe because Mozilla publishes their motivation.
# We will not charge any fees to have a CA's certificate(s) distributed with our software products.
-
Re:no it does.
and they will add my ca just like that. is that it. what is the point of doing such stampede, if they are to add countless cas that are going to apply, then ?
I understand that perfect grammar, punctuation, and capitalization are not require to post on the Internet. Everyone makes mistakes. All I ask is that you at least put in a little effort.
With that said, no, the Mozilla CA approval process is not "just like that." See this page for more details. -
Re:addon to allow fast-add-exception of self signe
and here is the link... https://addons.mozilla.org/en-US/firefox/addon/6843
-
Link to BugZilla discussion
For lazy souls link to BugZilla bug 433422
Brief of discussion:
SecurityNazis: Self-signed SSL is untrusted!!!!
Admins and Users: Untrusted != invalid!!!
SecurityNazis: But self-signed SSL is really really untrusted!!!!
Admins and Users: Untrusted != invalid!!! We do not care!!!!
SecurityNazis: But we care!!!! Though we do not browse WWW - because it is untrusted.and so on. Not really informative on its own. Essentially, people who do only one thing with Web - exploit trivial bugs and claim credit for doing so, so called "security researchers" - against simple users who do only surf web - intranet and internet - argue with each other, constantly failing to find common ground. Because they, well, do not have one.
-
Bad Article
As mentioned on the Firehose comments page about this article (http://tech.slashdot.org/comments.pl?sid=634651&cid=24461415):
CAcert is working to be included by default in all Mozilla Foundation software. CAcert [cacert.org] is based on having certificates for everybody, not just for paying customers. They are already included in many current distro version of Firefox. There's no objection in the Mozilla Foundation to including certificate authorities like CAcert in Mozilla. Mozilla just needs to verify that they are secure - a process that takes a long time and doesn't cost any money - otherwise they could undermine the security of their users. Five minutes of research would have shown this.
For this problem to be solved, the most popular F/OSS browser(s) must accept self-signed certificates. If Mozilla is unwilling to change their policies, it would be worth the effort of trying to create a *more popular* fork with full SSL functionality.
This shows a lacking understanding of computer security practice. Self-signed certificates are something that 90% of users need to be wary of because if you allow them by default, phishing sites will use them to their advantage and steal data, and Mozilla will be blamed for it because they'd be the only one to not warn about self-signed certificates. This is why people are warned and this is why there's already and override procedure in place so if you're one of the 10% of the users impacted by it, you can work around it.
This article seems like an attempt to insert drama where recognized security professionals already have agreed that this is best practice. Wait until CAcert is in Mozilla, and if it gets special treatment by not being treated the same as all of the other CAs, then you'll have something.
If the purpose of the Firehose is to vet articles, it's not doing a good job.
-
Bad Article
As mentioned on the Firehose comments page about this article (http://tech.slashdot.org/comments.pl?sid=634651&cid=24461415):
CAcert is working to be included by default in all Mozilla Foundation software. CAcert [cacert.org] is based on having certificates for everybody, not just for paying customers. They are already included in many current distro version of Firefox. There's no objection in the Mozilla Foundation to including certificate authorities like CAcert in Mozilla. Mozilla just needs to verify that they are secure - a process that takes a long time and doesn't cost any money - otherwise they could undermine the security of their users. Five minutes of research would have shown this.
For this problem to be solved, the most popular F/OSS browser(s) must accept self-signed certificates. If Mozilla is unwilling to change their policies, it would be worth the effort of trying to create a *more popular* fork with full SSL functionality.
This shows a lacking understanding of computer security practice. Self-signed certificates are something that 90% of users need to be wary of because if you allow them by default, phishing sites will use them to their advantage and steal data, and Mozilla will be blamed for it because they'd be the only one to not warn about self-signed certificates. This is why people are warned and this is why there's already and override procedure in place so if you're one of the 10% of the users impacted by it, you can work around it.
This article seems like an attempt to insert drama where recognized security professionals already have agreed that this is best practice. Wait until CAcert is in Mozilla, and if it gets special treatment by not being treated the same as all of the other CAs, then you'll have something.
If the purpose of the Firehose is to vet articles, it's not doing a good job.
-
Re:this has been the case all along
Assuming that Apple has no problem with the GPL, then I suppose the Mac users of the world should submit feedback. Thunderbird users can leave feedback here. Hell, leave feedback for both. Widespread adoption of GPG can't hurt anyone.
And you're right, GPG doesn't encrypt headers. If we did encrypt headers, we'd have to find a replacement for SMTP⦠SMTPSEC? Given the popularity of DNSSEC compared to DNS, I don't see that happening.
-
WONTFIX
I guess you missed comment #35:
Since this bug effects only a small portion of Firefox users, proposing this as
WONTFIX.Perhaps interested parties can create an extension?
Robert Accettura wins that bug.
-
More fun Summit facts
Don't forget the other fun facts of the summit.
The ever-present bear menace: http://www.rumblingedge.com/2008/07/29/bear-with-me-while-you-sleep-at-whistler/.
The power in the hotel going out for half a day: https://bugzilla.mozilla.org/show_bug.cgi?id=448604#c88. -
It was a great summit, nevertheless
Even through the bear encounter, rock slide, power outage, and overnight bus trips to the airport, the organizers (especially Dan Portillo) made everything happen as smoothly as it could. Everyone had a great time, and (most) of the almost 400 attendees made their flights home. There was even a "Mozilla Camp" at the Vancouver airport where everyone was waiting for hours. Pictures of the summit are being aggregated on summit.mozilla.org. We all learned a lot and met lots of people, and overall the summit was a huge success.
-
Re:amount of content
Wikipedia could also use SVG animation overlays to make the playing experience and menu systems identicle to youtube's.
Opera and Safari already support SVG animation and here are windows,linux and mac builds for it in firefox. -
Re:YouTube
Youtube's business model (such as it is) revolves around keeping you coming back to their site to watch the videos
And Firefox relies on the power of customization to offer add ons such as Video Download Helper which allows you to download media on a page with two clicks. I find excellent for saving hard to find music videos on YouTube, reminds me what DVDs to look for when I visit my local independently owned record shop.
-
Firefox developers lost in Canada :-)
I am not sure whether Firefox 3.1 will ever be finished as most Firefox developers seem to be trapped without power in Canada...
:-) See: http://planet.mozilla.org/ -
Re:Random Crashes FTW
that bug was fixed today, the fix will be in tommorrow's trunk build
-
Re:SVG Animation
it is actually on-track for ff3.1
bug -> https://bugzilla.mozilla.org/show_bug.cgi?id=216462
latest ff3.1 status meeting (look for SMIL) -> http://wiki.mozilla.org/Firefox3.1/StatusMeetings/2008-07-22 -
Re:SVG Animation
it is actually on-track for ff3.1
bug -> https://bugzilla.mozilla.org/show_bug.cgi?id=216462
latest ff3.1 status meeting (look for SMIL) -> http://wiki.mozilla.org/Firefox3.1/StatusMeetings/2008-07-22 -
Re:Hmm, not sure about this
Well, perhaps, but the setting I'm referring to is mentioned on the discussion on the following Firefox bug report:-
https://bugzilla.mozilla.org/show_bug.cgi?id=407836 -
Re:Hmm, not sure about thisDigging deeper into TFA, I see that this ctrl-tab was someone's add-in that got included, because one of the developers ("user experience designer") liked it.
I can only say it is a real shame that no-one has noticed any of the mouse gesture add-ons and would like to incorporate mouse gestures and wheel-based tab switching natively.
Disclosure: my main browser is Opera. I do use Seamonkey and Firefox (as well as other browsers). I currently use Firegestures, and have used Optimoz and "All-in-one gestures" in the past.
-
Re:Hmm, not sure about thisDigging deeper into TFA, I see that this ctrl-tab was someone's add-in that got included, because one of the developers ("user experience designer") liked it.
I can only say it is a real shame that no-one has noticed any of the mouse gesture add-ons and would like to incorporate mouse gestures and wheel-based tab switching natively.
Disclosure: my main browser is Opera. I do use Seamonkey and Firefox (as well as other browsers). I currently use Firegestures, and have used Optimoz and "All-in-one gestures" in the past.
-
Re:Hmm, not sure about thisDigging deeper into TFA, I see that this ctrl-tab was someone's add-in that got included, because one of the developers ("user experience designer") liked it.
I can only say it is a real shame that no-one has noticed any of the mouse gesture add-ons and would like to incorporate mouse gestures and wheel-based tab switching natively.
Disclosure: my main browser is Opera. I do use Seamonkey and Firefox (as well as other browsers). I currently use Firegestures, and have used Optimoz and "All-in-one gestures" in the past.
-
Re:Well
Thank you!
(here's a link for you lazy bums: https://addons.mozilla.org/en-US/firefox/addon/2517)
-
Re:SVG Animation
SVG animation is available in Firefox using JavaScript or HTML. I suppose you mean SVG animation using SMIL? That's planned for Mozilla 2. I think some SMIL support is needed to pass Acid3, so I would suspect some SMIL support would be coming soon after Firefox 3.1 (in other words, next year).
-
Re:Awesome bar disable?
Old location bar brings back about 90% of the functionality of the 2.0 bar. I think most of what it does can be done through prefs, but it's a convenient way to make it just work.
-
Re:Resizable text fields?
That's bug 167951 and still has not been fixed (but it's really an enhancement, so I can understand the non-priority).
-
Re:Awesome bar disable?
I didn't use Firefox 2, so I don't know the exact functionality, but I don't think it takes much to get the "Awesome Bar" like people seem to want (matches only at the beginning of URL, no match on titles).
First install the Hide Unvisited extension. Next, set "browser.urlbar.search.chunkSize = 0" in about:config. Last, add the following to your "userChrome.css" file:
.autocomplete-richlistitem spacer,.autocomplete-richlistitemlabel{display:none} .ac-title description{font-size:11px!important} .autocomplete-richlistitem{border:none!important} .ac-title{margin:-4px 4px 0px 0px!important;display:none} .ac-url{margin:-19px 0px 0px 20px!important} .ac-url description{color:MenuText!important} .ac-url description[selected="true"]{color:White!important} -
Re:woohoo!
Sadly they still haven't fixed the Mac OS X copy and paste (with formatting) bug.
-
Re:Awesome bar disable?
First time I see anyone complaining about the Awesome Bar of Desire. Just stick to FF2 if that's what you want. Or switch to safari or opera, they're excellent browsers too. You can try https://addons.mozilla.org/es-ES/firefox/addon/7637 it's not quite what you want but might help.
-
Re:Resizable text fields?
-
Re:Awesome bar disable?
The nice thing about the old URL bar is that it allows you to go back to recently visited sites with only two mouse clicks. No typing required at all.
It would have been better if selecting a URL from the drop-down had actually moved it to the top of the list, so that the most recently visited entries would always be at the top, but for some reason (and despite many requests, just check the bugzilla), the FF gods decided that that feature, which Mozilla had had since time immemorial, should no longer exist. I guess this was when I started to get that creepy feeling that the FF architects no longer cared what actual users think, since they are so much smarter and will therefore do our thinking for us.
FWIW, I actually created and submitted a patch for the FF2 URL bar, but it was not accepted. Developers too busy with the Awesome Bar, I guess... So now, after first having seen the URL bar take an (admittedly small) turn for the worse in FF compared to Mozilla, now we have this monstrosity that shows tons of pages whose URL I never typed; instead of it being a convenient most-recently-selected list, it has become a search engine.
I don't object to improvements and new features, but why on Earth the FF architects feel this intense need to remove a popular feature is beyond me. Is it stupidity or arrogance or what? The comments here on /. also tend to be in the same vein: the Awesome Bar is better, if you don't like it there is something wrong with you -- obviously never having paid attention to the criticism that useful functionality was removed. Sheesh. -
Awesome bar disable:
https://addons.mozilla.org/en-US/firefox/addon/6227
Now hand in your geek badge and your PDA, you're on hardware lugging duty for the next 3 months.
-
Re:Awesome bar disable?
As far as I can tell, no.
This is assuming you're using "disable completely" to mean "FF2-like functionality". I dislike the Awesome Bar, but it's better than having no location bar dropdown at all (which, for some reason, is what people seem to recommend when I complain--maxRichResults is not what I want, and neither are the other about:config options).
-
Will it finally print selections again?
(Apparently not in Firefox 3 for some strange reason...)
And maybe even print full URLs ? -
woohoo!
it's only taken 6 years, but finally Firefox has the option to use the Mac OS X System specified proxy. here's hoping it actually works
-
Re:Google's information gathering techniques.
You need NoScript, it allows you to selectively enable JS on websites. It is simple, fast, and unobtrusive (although YMMV on the last). Default behavior is all scripts not explicitly enabled are disabled by default.
https://addons.mozilla.org/en-US/firefox/addon/722
http://noscript.net/ -
Re:Google's information gathering techniques.
If you refer to the "onmousedown" event, I think you get it wrong. It just informs google that you clicked on a link.
They use javascript instead of href so they can record the rank of the result you clicked on (it's a parameter of the javascript function). This would not be possible with href.
As I'm working on a FF extension which simulates search activities to protect privacy, I investigate the javascript code (to simulate click). ASFAIK, they do not record other events than clicks. I have made couple of captures, but let me know if I missed something. Furthermore, they do not obfuscate code, I think they just want to reduce the size of the code to reduce bandwidth consumption.
Anyway, if you worry about privacy, you might:
+ Block google cookies (google-analytics, safebrowsing, adsense, ...)
+ Use a query obfuscation tool (either the one I am working on or TrackMeNot) -
Re:Google's information gathering techniques.
If you refer to the "onmousedown" event, I think you get it wrong. It just informs google that you clicked on a link.
They use javascript instead of href so they can record the rank of the result you clicked on (it's a parameter of the javascript function). This would not be possible with href.
As I'm working on a FF extension which simulates search activities to protect privacy, I investigate the javascript code (to simulate click). ASFAIK, they do not record other events than clicks. I have made couple of captures, but let me know if I missed something. Furthermore, they do not obfuscate code, I think they just want to reduce the size of the code to reduce bandwidth consumption.
Anyway, if you worry about privacy, you might:
+ Block google cookies (google-analytics, safebrowsing, adsense, ...)
+ Use a query obfuscation tool (either the one I am working on or TrackMeNot) -
Re:Firefox 3?
-
Re:Firefox 3?
Don't know about your resolution issues, but about the Firefox thingy, check out Kde4 + Firefox3 0.10 Mozilla add-on.. It looks quite ok for me at least.
-
Re:So how does this solve anything in the real wor
Was there even a point to your tirade?
My comment was in reply to your sweeping generalization that “everyone” knew using eval() is just setting oneself up for failure. json2.js is proof that, with adequate attention given to security, eval() usage isn't a problem.
To the best of my knowledge, as of this writing, the only browser that supports native JSON is Firefox 3/Mozilla 1.9: http://developer.mozilla.org/en/docs/nsIJSON -- this still excludes most people, however.
The rest all require an external parser, such as Crockford's, which eval()s JSON code for everyone else. If you personally feel like writing a JSON parser based entirely on a combination of regex and String.substring()/String.indexOf(), for the sole purpose of avoiding evil eval(), be our guest.
-
Re:How long till..
Actually, If you go to the cached version of those pages, you can see all the answers. You can also just use the Googlebot's user agent via the User Agent Switcher.
-
Re:Homework
Just to follow up on it, I read through the thread and found that Foxconn linked to a page on Microsoft's site which supposedly explains ACPI compliance. Interestingly enough, that page refused to display on anything but IE.
The page does work in Firefox 3 if you use the User Agent Switcher extension to fool it into thinking you have IE (6 or 7).