Domain: mozilla.org
Stories and comments across the archive that link to mozilla.org.
Comments · 17,579
-
Re:Use Firefox 1.0.3
oldversion.com
If you're going to download old Mozilla software, at least download it from Mozilla's FTP site where all versions are archived.
http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/ -
Re:Oh...
The problem is that cross-domain cookie setting, and resource requests are a core functionality in web browsers... Not just for advertising, but simply a working site that loads remote resources.
So is JavaScript, but I still browse with NoScript on by default and selectively enable when I want JavaScript. Along those lines, I also use RequestPolicy to block cross-domain requests by default, and selectively enable pages that need it. This works "fine" for a surprising number of sites (I put "fine" in quotes because the experience is quite different than standard browsing: in many ways better, but in some ways worse).
-
Re:Layers on layers on layers
It is about targeting the low end, but then again don't underestimate what you can do with emscripten and asm.js.
That's a great argument for javascript and webgl - which we already have on Android and iOS - but still doesn't suggest why Firefox OS is a good idea for anybody.
-
Use Firefox? Get Self Destructing Cookies add-on
It lets the sites set their cookies, waits a few seconds (or until tab is closed), then nukes 'em. There's a whitelist for sites you actually use.
https://addons.mozilla.org/En-us/firefox/addon/self-destructing-cookies/
I like this solution because you don't have to wait for Ghostery to add support for an advertiser, or an updated filter definition for adblock. EVERYTHING gets nuked, except the sites you care enough about to whitelist. It's a better default cookie policy.
-
Re:Layers on layers on layers
So given that HTML apps can already run on any modern smartphone I still fail to see what the appeal of Firefox OS is supposed to be unless it's about just targeting the really low end.
It is about targeting the low end, but then again don't underestimate what you can do with emscripten and asm.js.
-
area :target selector example for map pan and zoom
-
Radio :checked selectors example for tabs etc.
-
Re:I hope it will become available in europe
Google doesn't negatively influence Mozilla in any way, though.
you just continue to trust that, mozilla exists at the whim of google thanks to their confidential agreement, it's utter stupidity to ignorantly trust that they are just acting in your best interests. would you be equally happy if microsoft signed a confidential agreement to fund mozilla?
Competing in the mobile market won't suddenly cut funding. Let's not pretend otherwise.
yeah let's not pretend google is a corporation existing to make money...oh wait! so don't be so naive.
-
Re:don't want to see ads I pay for at all
Perhaps if you are running Firefox you should consider this https://addons.mozilla.org/En-us/firefox/addon/smartvideo-for-youtube-mytube/. It gives greater control of video stopping them from automatically running.
-
Now exacerbated by Firefox v20 ESC key disabling
Mozilla in their 'wisdom' decided to disable the ESC key that a lot of people used to stop animated gifs running https://bugzilla.mozilla.org/show_bug.cgi?id=614304/. It also stopped the page loading - dead in its tracks - which I personally loved. However some Mozilla devs didn't like it (as scripts etc may not be loaded properly). So they've now taken control away from the annoyed user who is going to cop entire page loads of crap.
-
Re:What's Actually Wrong With DRM...?
Firstly: Firefox's license is GPL compliant. And before that switch it was tri-licensed under both GPL and LGPL and Mozilla's license. I consider Firefox to be a browser worth its name. [citation]
Secondly: If I have a keyfile in my possession and the software to decode it is open source it wouldn't take much work to write a compliant keyfile reader that spits out a decrypted stream. It is not possible to have an open source DRM scheme without also a system of signed binaries for every OS that wants to access the DRM system. The owner of the machine has to be locked out in some manner because if the computer knows how to decrypt the stream then the computer can decrypt the stream.
-
Re:Bias
Programming this in JS is entirely non-trivial, because the language doesn't provide the necessary features to prevent side-channel and time attacks.
The proper features to prevent against these is making sure your wires are coated and injecting random delays into code execution. You can certainly randomly delay js code. And the language can get damn near assembly performance: https://blog.mozilla.org/luke/2013/03/21/asm-js-in-firefox-nightly/
Exactly. A tin-foil hat discussion.
You are the one who brought up side channel and timing attacks on AES, which are used to snoop info from the stream *as an onlooker*, someone outside the AES connection. Do you really think people are going to be snooping random internet connection streams and trying to decrypt them so that they can get free videos? That is a FAR more ridiculous tin foil argument than mine. Furthermore, the person who is decrypting the DRM stream is someone who has full access to the operating system, browser, and crypto library source code. If they want to alter the linux scheduler to make timing attacks easier, recompile the browser so the returned decrypted stream is sent to a file, or just rewrite the cryptographic decoders to dump the decoded streams to files, they can do so trivially.
And if you decide to make this DRM start requiring hardware decryption, well, it will just not catch on, and will recreate the problems of flash and random devices not working. Not to mention that there are already ways to decrypt hdcp streams anyway.
So really, what the hell is the point of all this? -
Re:There is no Dana, only XUL
For anyone unaware, they were quite aware of the Ghostbusters reference. The XML namespace is:
http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul
which of course links to:
There is no data.
There is only XUL! -
Mozilla supports the Internet Civil Rights Bill in
Brazil. So this kind of action is a natural extension of that.
-
Re:Google hates privacy
Don't forget Googlesharing
https://addons.mozilla.org/nl/firefox/addon/googlesharing/
GoogleSharing is a system that mixes the requests of many different users together, such that Google is not capable of telling what is coming from whom. GoogleSharing aims to do a few very specific things:
-
Re:Google hates privacy
Took me under 5 seconds to put "firefox prevent google tracking" into my google toolbar and that brings up:
https://addons.mozilla.org/en-us/firefox/addon/remove-google-tracking/
https://addons.mozilla.org/en-us/firefox/addon/gdc/
and a hella comprehensive guide for thick tin-foil hats:
http://www.leavegooglebehind.com/how-tos/how-to-build-a-firefox-privacy-arsenal/
-
Re:Not google?
You lose the multiple passwords, which is the real security benefit. This is the claimed benefit. And it is successful.
Low hanging fruit right there:
https://blog.mozilla.org/beyond-the-code/2013/04/09/persona-beta2/
Persona: more privacy, better security while making developers and users happy!
More security is not THE claimed benefit, it is only A claimed benefit.
That's not the first time you under-represented the claims:
It's not about increasing privacy. It's about increasing security by killing extra passwords.
This entire sub-thread which I started is not about increasing security, despite your constant efforts to muddy the waters.
-
Re:Not google?
Come on, don't try to put words in my mouth. It is MY OBJECTION and I don't care that it is based on email. OK? What I am objecting to is the fact that it uses a unique ID across multiple websites. THAT IS THE OBJECTION.
I'm not putting words into your mouth, I'm saying nothing has changed. How many websites don't track your email address? And how many people change their email address across websites? If you change the email, then you have no change in your privacy level. If you don't, then your privacy stays the same too. Nothing changes.
It improves upon those systems in one way, the authentication source never knows where the person signed into.
That is a benefit so small as to be meaningless. If anything this makes the situation worse because instead of just one company tracking you across all those logins now you have a unique id that any tracker can key off.
If you are so worried about being tracked, it should be important. BrowserID stops one company from tracking you across every website you log in to just by having you use their service. Of course if companies compare notes, then yes they can track your email address. But that is no different than before, and no different with OpenID.
The fact BrowserID standardized on it doesn't reduce privacy for most people,
However it does not significantly INCREASE privacy for most people either. So what is the point?
It's not about increasing privacy. It's about increasing security by killing extra passwords. That is its goal. It is about a decentralized single sign on. And BrowserID is working on that goal quite well.
No, only some of the credentials are temporary. The private keys used to sign those temporary credentials are permanent. My point is not about leaving them behind for someone else to misuse, my point is that those private keys are not there to begin with. You can't sit down at someone else's browser and just use it to log in because those private keys used to sign the credential are only stored back on your own computer.
According to this overview, that is not true. There are keys generated and used, but they are only valid for up to 24 hours (mentioned inside the above document). So yes you can just sit down at a computer and login to your favourite site, the computer will just generate a new key pair. It can even destroy the key pair once you are done, ensuring no one else can steal your identity.
And yes the private key can be re-used, but the public key is what expires and that is the signed component that matters. Thus after 24 hours, it doesn't matter that you have the private key.
-
Re: This just in...
Mozilla is a not for profit.
Don't be so sure. Mozilla is the pipeline... Why else would Google 'value' them so much?
Hyman Roth always makes money for his partners. -
Re:Great Britain
Aren't firefox extensions open-source code, by requirement, (also in order to be hosted by Mozilla)? A search engine took me to this page, and this seems to be the case. https://developer.mozilla.org/en-US/docs/XUL/School_tutorial/The_Essentials_of_an_Extension
Okay, the same extension is in the Chrome store too, but from what I gather, in terms of being safe from malware, the chrome store offers no really-certain safety. It seems like a hack on the reporting mechanisms that otherwise shutdown service. Or, maybe my firefox is now mining bitcoins. But hey, at least it runs on Linux.
-
Re:So what did they take away now?
The sad thing is that that isn't even the reason. The original code used nsIWebNavigation's STOP_ALL constant, which stops XHRs as you said. If they'd changed the flag to STOP_CONTENT, it would stop image animation without stopping XHRs.
As far as I can tell from the bug, there are two problems with this functionality: one is that, if Firefox had it, people might trigger it accidentally when using Esc to close dialogs in (some tiny number of) webpages, and two is that nobody will use it anyway because nobody is intelligent enough to use their keyboard to do anything, so let's just remove it. (These seem contradictory to me, but what do I know?)
You might be interested in this extension instead, which fixes it the right way by default, and without requiring you to change to an awkward key combination.
-
Re:Stick to standards?
meant to say:
Unless you're talking about IE < 9, yes there is: https://developer.mozilla.org/en-US/docs/HTML/Element/audio -
Re:In other words...
In other news today, Samsung have very clearly said NO to this new browser direction of Google's. They're going for a different new project with Mozilla. And given that they are about the only successful Android OEM, that's going to be interesting.
-
Re:So what did they take away now?
Sadly and unbelievably, it is. The alleged reason is that "some sites" use ESC to close dialogs and if the key is not captured will stop further XHTMLReq network transfers.
Now you are forced to install an extension to get that functionality back pressing SHIFT-ESC.
FF is getting worse removing nice long features on every new version. It's sad.
-
Re:Download Manager
Version 0.9.6.3 (released 2008) through 0.9.7.2 (released 2010) was under the MPL: https://addons.mozilla.org/en-US/firefox/addon/download-statusbar/license/0.9.7.2
The licence for versions prior to that isn't documented on the Addons site.
-
Re:So what did they take away now?
They took away the javascript "for each" statement without even throwing a miserable warning in the previous versions to alert people.
The error console in the previous FF 19.0.2 didn't complain at all about the now deprecated "for each" code, but hey, let's break a lot of code instead of allowing people to fix it beforehand. Very nice of them.
:( -
Re:Terrible.
Please don't disable updates, then you won't get security patches. A better solution is to use the Firefox Extended Support Release. It's feature-frozen but gets the security fixes.
-
Re:For Per-Window, Should be Per-Site
Try the Self-Destructing Cookies add-on.
-
Re:And that index is disturbing...
I think it has to do with the following bug: https://bugzilla.mozilla.org/show_bug.cgi?id=847627 The list of downloads at the downloads windows and the list of downloads at the history (History menu / CTRL+SHIFT+H) was separated. The second list was always accessible through the History menu. I did know about it and I didn't think it's a bug.
-
Re:Download Manager
I don't understand why Mozilla never just worked with the author of Download Statusbar to integrate it. That extension has been one of the most popular addons since it was released in 2004. In fact, the addons site shows it is currently the 7th most-used plugin with 1,930,345 current users.
The license of Download Statusbar isn't compatible with Firefox's license. From the add-on page:
https://addons.mozilla.org/en-US/firefox/addon/download-statusbar/license/0.9.10
Source Code License
Custom License
Copyright 2011 Enzymatic Software, LLC. All Rights Reserved.
-
Download Manager
I don't understand why Mozilla never just worked with the author of Download Statusbar to integrate it. That extension has been one of the most popular addons since it was released in 2004. In fact, the addons site shows it is currently the 7th most-used plugin with 1,930,345 current users.
-
Re:Usually a fan of the April 1 jokes
Oh, come on.
-
Re:Loving the ROT-13!
At least something my silly FF extension is still good for - April fool jokes.
-
Re:What happened?
The built-in ROT13 feature was causing the author of Leet Key to complain about Mozilla choking his source of fame. Therefore, they had to remove it.
-
Re:64-bit gives better security
> WebGL gives any website in the world nearly direct access to exploit bugs in GPU drivers, significantly increasing the attack surface of the browser.
You are stating overblown past issues with zero evidence about future possible ones.
Exactly _how_ many bugs and exploits in WebGL have there been? Aside from _THREE_ issues about:
1. CORS / Cross-domain textures (fixed),
2. GPU VRAM reading using as WebGL texture (OSX only!), and
3. DoS
I am not aware of any other code "exploiting bugs in the GPU drivers". Frankly, this is not primarily a GPU driver's issues but an OS and Browser issue. The fact that VRAM is not cleared when a WebGL program starts up is the bug, not unfettered access. This is like complaining a program can be run as 'admin/root' and read the memory of ALL processes. I say "like", because there is no concept of separate memory spaces on the GPU's VRAM.
Of course the bigger problem is why the browsers don't pass the Khronos security conformance tests. I am not sure what the _current_ status of modern browsers are.
Anytime "exploits" are mentioned the year/month should be included so we can gauge if we are discussing issues already fixed or relatively new ones.
References:
* http://www.contextis.co.uk/research/blog/webgl-new-dimension-browser-exploitation/
* http://www.contextis.co.uk/research/blog/webgl-more-webgl-security-flaws/
* https://hacks.mozilla.org/2011/06/cross-domain-webgl-textures-disabled-in-firefox-5/ -
WTF? Link now goes to takedown notice?
https://wiki.mozilla.org/Legal/Infringement_Notices/3_June_2011
So, that's it then...
-
Re:WHY?!?
Why? Because you're in a browser right now and it's the most popular software platform ever.
Where's the controller/joystick API for the web browser?
https://wiki.mozilla.org/GamepadAPI
WebGL is just VRML version 2.
No it isn't.
We have too many layers of cruft/abstraction layers/API's to deal with.
WebGL sends shader programs to the GPU which executes them. There isn't a layer underneath it.
A properly designed "world browser" that actually starts in the 3D environment and perhaps renders flat 2D web pages as such would make a lot more sense instead of trying to shoehorn 3D into a 2D "web page"
People had no interest in such world browsers, several companies including Microsoft offered them in the 90s and they all died. Microsoft's 1997 technology was called Chrome (yes, really), and they promised "Chromeffects would turn a web browser into a rippling, 3D space with audio and video playback".
Meanwhile people do like 3D games, they do love running things in their browser, and the fullscreen API lets the game canvas go fullscreen. Enjoy your lawn.
-
Doom Mozilla and DMCA Notice
"this is to notify you of activity occurring on the Mozilla site listed below which infringes on the exclusive intellectual property rights of Id Software LLC
.. The copyrighted work at issue is .. DOOM
The link below offers an unauthorized derivation or version of Id Software's DOOM game". link -
Re:Hmmm
So they've also invented IETab for IE too now.
-
I only use 1 IE-specific conditional.
<!--[if lte IE 9]>We have detected that you are using Microsoft Internet Explorer which may be running the plugin called StealYourCreditCardInformation.virus.B. That plugin tends to break the layout you see on our site because our site is very secure and that plugin can not operate on our site. If things look broken, we suggest you uninstall that plugin, or use a good web-browser like Google Chrome, Mozilla Firefox, or Opera.<![endif]-->
That goes on the top of the page. I then go out of my way to make use of all CSS that triggers IE-specific bugs.
-
Re:Good
We don't have the actual headers of the request he used. But we know he didn't just construct a URL. We know that he constructed a request pretending to be (spoofing) a request from an iPad. So he set up the User Agent to claim to be from a particular iPad app (not the same as pretending to be a generic browser). And he set up a request for a particular iPad identity. Which would typically be in the body of a request, not the URL. He may have spoofed other elements, but as I say we don't have the actual request in question.
So users of the User Agent Switcher are hackers now? None of this amounts to any type of authentication or authorization, so it's impossible for any reasonable person to say his access was unauthorized.
But you did it in the knowledge that you could have navigated there using the intended links.
How am I supposed to know whether a URI has links to it or not? Why is the presence of a link (which could be created by third parties) more important than the actual security settings of the web server?
Just because something isn't protected by locks or other security measures doesn't mean it's OK for you to steal it.
Again, the internet operates on an assumption of default allow. The only way I know whether I am allowed to access a resource is to try and see if it is available.
-
Re:Easy Method
-
Re:Firefox
So where's the iOS version of firefox? Or firefox for the Kindle?
Talk to the boys in cupertino about FF for iOS. Cupertino doesn't allow other browsers than webkit. What we've got here is failure to communicate. Some companies you just can't reach. So you get what we had here last week, which is the way Apple users want it...well, they get it. I don't like it any more than you might.
As for kindle, you can download FF for kindle from the ftp here: http://ftp.mozilla.org/pub/mozilla.org/mobile/releases/15.0/android/multi/fennec-15.0.multi.android-arm.apk It used to be available from the amazon store but the Mozilla team pulled it because Amazon modified the apk! I think it only works on Kindle fire HD. -
Help Get TLS Support in More Browsers
TLS 1.1 support is enabled by default in Chrome. Read about that here.
If you want TLS 1.2 in chrome, please star this bug.
As for Firefox, TLS 1.1 and 1.2 support are still not ready. If you want to help, vote for this bug, this bug, this bug, and this bug.
The bugs to get TLS 1.2 support into Firefox are this one and this one.
Both Opera and IE support TLS 1.1 and 1.2. If you want to see this in Firefox and Chrome, vote for the bugs above. But, please don't comment on the bugs. That won't help. -