Slashdot Mirror


Mozilla Halts Rollout of Firefox 65 on Windows Platform After Antivirus Issue (zdnet.com)

Mozilla has halted the rollout of the v65 update to the Firefox browser on the Windows platform after learning about an issue with certain antivirus products. Users of Firefox 65, an update which was released last week, reported seeing "Your connection is not secure" error warnings when visiting popular sites. From a report: The issue mostly affected Firefox 65 users running AVG or Avast antivirus. The message appeared when users visited an HTTPS website and stated the 'Certificate is not trusted because the issuer is unknown' and that 'The server might not be sending the inappropriate intermediate certificates'.

The problem, reported on Mozilla's bug report page and first spotted by Techdows, is due to the HTTPS-filtering feature in Avast and AVG antivirus. Avast owns AVG. The bug prevented users from visiting any HTTPS site with Firefox 65. To limit the impact on users, Mozilla decided to temporarily halt all automatic updates on Windows. In the meantime, Avast, which owns AVG, released a new virus engine update that completely disabled Firefox HTTPS filtering in Avast and AVG products. HTTPS filtering remains enabled on other browsers.

112 comments

  1. Avats fault of doing MITM by aepervius · · Score: 5, Insightful

    Basically avast and co are doing a MITM attack to scan the content of https traffic :
    https://blog.avast.com/2015/05/25/explaining-avasts-https-scanning-feature/
    Why anybody would think that allowing an AV provider to scan all their traffic including bank traffic by extension, is more "secure" - is beyond me.

    --
    C. Sagan : A demon haunted world:
    http://www.amazon.com/gp/product/0345409469/
    visit randi.org
    1. Re:Avats fault of doing MITM by Anonymous Coward · · Score: 0

      but but viruses!

    2. Re: Avats fault of doing MITM by Anonymous Coward · · Score: 0

      B-b-but, everyone adopting HTTPS is making our firewall solution redundant!
      - Skeevy ass security software developers.

    3. Re:Avats fault of doing MITM by Anonymous Coward · · Score: 2, Insightful

      Basically avast and co are doing a MITM attack to scan the content of https traffic

      Last I checked, when one program deliberately breaks functionality of another program to accomplish its purpose, it was more correctly called malware or a virus.

    4. Re:Avats fault of doing MITM by Junta · · Score: 2

      To be fair, to the extent they can offer any protection against attack from javascript to browser they would have to pull this sort of trick. Replacing certificate with either a trusted or untrusted one so long as the CA private key is unique per endpoint and the software correctly validates before passing it on. It is of course ugly as hell, but at least not crazy bad in security.

      Of course, on the practical side I'd want to see some examples of them actually doing anything on that front. Compared to 'download and run executable', the browser security models are a lot more restrictive and I can't think of specific scenarios where 'anti-virus' steps in rather than site operators fixing their CORS rules or similar in the face of an attack. I suppose if you are not updating your web browsers there could be risks, but updating web browsers would be easy enough...

      --
      XML is like violence. If it doesn't solve the problem, use more.
    5. Re: Avats fault of doing MITM by Anonymous Coward · · Score: 0

      I don't think you understand what a firewall does.

    6. Re: Avats fault of doing MITM by jellomizer · · Score: 1

      The problem isn't what they are doing, but how they are implementing it.
      Is it a Man In the Middle Attack, or is it port forwarding?

      The biggest problem with IT Security, is a lot of the hacks and tricks have valid uses as well, and normally whenever such a hack has been shown to cause a greater problem, another tool in your toolbox is tossed out... Often without a good replacement.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    7. Re:Avats fault of doing MITM by Anonymous Coward · · Score: 1

      >Basically avast and co are doing a MITM attack

      That's kind of a dumb way to put it considering that antivirus products are ultimately MITM software intercepting syscalls, scanning disk and network io, etc in order to do its job. Presumably users want that to occur since they installed the antivirus software to begin with. If it wasn't for the fact that Mozilla maintains its own certificate store instead of just using the OS's (like every other non-Mozilla based browser on the market) then this problem would never have occurred.

    8. Re:Avats fault of doing MITM by thegarbz · · Score: 1

      Basically avast and co are doing a MITM attack to scan the content of https traffic :

      And so do many corporations. How anyone didn't see this coming is beyond me. There's legitimate reasons to MITM something providing you have trust in that man who is in the middle.

    9. Re: Avats fault of doing MITM by fahrbot-bot · · Score: 1

      normally whenever such a hack has been shown to cause a greater problem, another tool in your toolbox is tossed out... Often without a good replacement.

      I feel that way about politics -- hacks causing greater problems, no good replacements.

      --
      It must have been something you assimilated. . . .
    10. Re: Avats fault of doing MITM by Anonymous Coward · · Score: 0

      Why don't we ask Avast?

      The Avast WebShield must use a MITM approach in order to scan secure traffic, but the important difference is that the “middle man” we use is located in the same computer as the browser and uses the same connection.

      Oh right. So it is officially a MITM, but this is supposedly ok because the application that is hijacking your data stream is running on your own PC. And of course that data could never go astray once it's been hijacked.

    11. Re: Avats fault of doing MITM by Anonymous Coward · · Score: 0

      All antivirus software that realtime scans https streams do it the same way, not just AVG/Avast. In fact, it's not just antivirus software that uses this technique, but any network security software employed in the enterprise. This problem is just another example of Firefox making itself more unsuitable for deployment in large organizational networks.

    12. Re: Avats fault of doing MITM by AmiMoJo · · Score: 2

      They should implement it as a browser plug-in. Problem is that all the major browsers block their plug-ins now because local plug-in installation was widely abused. Now they only allow installation via the user clicking to accept within the browser itself, and apparently that's not a good enough user experience for AV companies.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    13. Re:Avats fault of doing MITM by mysidia · · Score: 1

      I was complaining about this in another thread just last week.

      It would sure be nice if these companies like Mozilla and Google would show a little more consideration for organizations, especially enterprises who are deploying their product, and stop making such high risk changes without considering the ramifications -- and testing appropriately in real-world environments.

      Historically; it seems like Microsoft was the only browser developer sensitive to issues managing the deployment and operation of their product in an enterprise setting --- where you can't just go updating web apps every 12 months or even more often for a browser API change, unfortunately it gets worse now that development of Edge's engine is being abandoned to switch to Chromium ---- threatening browser monoculture and proprietary "experience" features to start all over again - with Chrome as the offender now, in the same vein as MSIE6 was.

    14. Re: Avats fault of doing MITM by Bengie · · Score: 2

      HTTPS scanning and proxy is a known attack vector. HTTPS provides both encryption and authentication. MITM breaks authentication. Unfortunately, HTTP does not support signing content, only the outer stream can be signed.

    15. Re: Avats fault of doing MITM by 0ld_d0g · · Score: 2

      The software is already running in the kernel. If the software was malicious, you're already screwed. MITM doesn't make it worse IMO.

    16. Re:Avats fault of doing MITM by Teun · · Score: 1

      Corporations have an IT department and are in a much better position than private users to check and approve of browser updates, this does not need to take many days or even longer.
      Historically Microsoft products are the main target of viruses and other unwanted issues, abandoning this monoculture is one way to avoid being in the group of low hanging fruit for the scammers. Looking a little further back MS was the main instigator of non-standard browsers (IE6)
      Yet I'm not agreeing with MS to go Chromium.

      --
      "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
    17. Re:Avats fault of doing MITM by thegarbz · · Score: 1

      Corporations have an IT department and are in a much better position than private users to check and approve of browser updates, this does not need to take many days or even longer.

      You said approve. That isn't a solution. What we have here is an update that changed a functionality delivered in a take it or leave it approach without central management and declining it results in security gaps.

      Regardless of how competent your IT department is, the only way to win this game is not to play it with Mozilla.

    18. Re: Avats fault of doing MITM by scdeimos · · Score: 1

      Avast isn't part of the kernel. It's a user-space service taking advantage of networking hooks.

    19. Re: Avats fault of doing MITM by Darinbob · · Score: 1

      Man in the middle is not automatically bad, if you trust the man in the middle. If the third party called Microsoft did this then everyone would be happy, but because it's a different third party then it's bad. Even the kernel is a man in the middle here. How else do you scan the data between a browser and the internet without a man-in-the-middle? You could alter the browser, but assume that you can't.

    20. Re: Avats fault of doing MITM by Darinbob · · Score: 1

      Do browser plug-ins have this level of access?

    21. Re: Avats fault of doing MITM by 0ld_d0g · · Score: 1

      I was referring to their antivirus software in general. If the WebShield part isn't a kernel component, I stand corrected.

    22. Re: Avats fault of doing MITM by zaphirplane · · Score: 1

      Anti virus software intercepts file open, there is no mitigation to their control of your device

    23. Re: Avats fault of doing MITM by zaphirplane · · Score: 1

      I thought it's called a bug if it's not intended

  2. Feature, Not A Bug by Anonymous Coward · · Score: 0

    We recently had an article that Firefox was releasing a feature which blocked a page if the certificate it provided was different from a certificate a 3rd party received when visiting the same site. Sounds like it's working exactly as designed. Perhaps next time they shouldn't think they know better than the user. Perhaps they should ask if a new feature should become enabled when upgrading.

    This scenario should have been thought of before they developed the feature.

    1. Re:Feature, Not A Bug by Anonymous Coward · · Score: 0

      is working as intended, yes, but your final opinion is totally wrong. the problem is with the antivirus vendor and its feature, not firefox; and mozilla, in this case, is absolutely correct and does 'know better' than you do. mitm vector plugged. avast can fuck off with their snooping of every bit you transmit or receive via https.

    2. Re:Feature, Not A Bug by HarrySquatter · · Score: 1

      What is supposed to be the problem with Firefox? It seems they are doing exactly what they're supposed to which is flagging that shitty AV software is doing a man in the middle attack on your traffic

  3. Mozilla needs to take bugs seriously by xack · · Score: 2

    There are bugs that haven't been fixed for decades and they regularly WONTFIX many bugs. It's time Mozilla stops drinking the Chrome-aid and listen to its users for once. Until Mozilla does, use Waterfox or Pale Moon.

    1. Re:Mozilla needs to take bugs seriously by Anonymous Coward · · Score: 1

      Please think before you shill. Pale Moon and Waterfox also have Firefox's old bugs, and also haven't resolved them.

  4. Re:Avast's (and others) fault of doing MITM by Anonymous Coward · · Score: 2, Insightful

    I agree. If anything, Mozilla should not accept Avast's (and all others' - because there aren't a zillion ways to scan HTTPS traffic) fake MITM certificates, but change the error message explaining the user's choice, limited by the current state of technology: Either their AV provider gets cleartext access to all their HTTPS traffic, or their HTTPS traffic won't be scanned.

    Some sites could start using Mutual Authentication, with their own CA, since this will make the MITM fail. I've encountered this when working on electronic identity cards; when you authenticate both the client (using their eID) and the server (using a commercial CA), the latter fails, because the MITM does not have the user's private key and the client auth is part of the data signed in the server auth.

    We had to tell our citizens that they had to choose between securely authenticating and accessing their official (tax, etc..) data, and virus scanning. Because those are the limits of using an attack technique for user security.

    You can't have everyone using OpenBSD ;-)

  5. Inappropriate Certificates? by Anonymous Coward · · Score: 0


    'The server might not be sending the inappropriate intermediate certificates'.

    Please help me identify where I might obtain one of these inappropriate certificates and how I might not send one.

    The Slashdot excerpt cites that directly from TFM. Is that really the AVG error message? Where is Avast located? Russia? Who writes these error messages?

    And, yes, AVG is running a stinkin' Man-in-the-Middle attack. Talk about an exciting place to hoover up all important accounts, usernames, passwords, financial transactions, etc..

    1. Re:Inappropriate Certificates? by Junta · · Score: 1

      In that terminology, 'intermediate' does not refer to a MITM intermediate, but instead if your server cert is signed by a subordinate CA that is in turn signed by a really trusted authority. For example, Let's Encrypt certs at least at one point *required* that the servers offer up the full chain, since the server cert was not directly signed by any authority installed in the browsers.

      --
      XML is like violence. If it doesn't solve the problem, use more.
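
The chain building described in the comment above, together with the separate-trust-store point raised earlier in the thread, as an added Python example that is not part of the original thread. Certificates are reduced to subject/issuer names (no signature, date or extension checks), every name is constructed, and the premise that the filter's root sits in the OS store but not in the browser's own store is taken from the comments, not from Mozilla's bug report.

```python
"""Toy model of certificate path building against two trust stores.

Only name chaining is modelled: a certificate is a (subject, issuer) pair.
Signature verification, validity dates and extensions are left out on purpose.
All names below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str


def build_path(leaf, sent_intermediates, trust_store):
    """Return [leaf, ..., root] if the chain ends at a trusted root, else None.

    sent_intermediates: certificates delivered alongside the leaf in the handshake.
    trust_store: set of root subject names this client trusts.
    """
    by_subject = {c.subject: c for c in sent_intermediates}
    path, current, seen = [leaf], leaf, {leaf.subject}
    while True:
        if current.issuer in trust_store:
            # Roots are self-issued: subject == issuer.
            return path + [Cert(current.issuer, current.issuer)]
        nxt = by_subject.get(current.issuer)
        if nxt is None or nxt.subject in seen:
            # Issuer not supplied and not trusted (or a loop): "issuer is unknown".
            return None
        path.append(nxt)
        seen.add(nxt.subject)
        current = nxt


# Constructed public chain: root -> issuing CA -> site certificate.
PUBLIC_ROOT = "Example Public Root CA"
INTERMEDIATE = Cert("Example Issuing CA 1", PUBLIC_ROOT)
SITE_LEAF = Cert("www.example.test", INTERMEDIATE.subject)

# Hypothetical per-machine root used by a local HTTPS filter, and the
# replacement leaf it presents to the browser for the same host name.
FILTER_ROOT = "Local Web Filter Root (constructed)"
FILTERED_LEAF = Cert("www.example.test", FILTER_ROOT)

# Assumption from the thread: the filter's root is in the OS store,
# while the browser keeps its own store that does not contain it.
OS_STORE = {PUBLIC_ROOT, FILTER_ROOT}
BROWSER_STORE = {PUBLIC_ROOT}


def verdict(leaf, sent, store):
    return "ok" if build_path(leaf, sent, store) else "unknown issuer"


def scenarios():
    return {
        "direct, full chain sent": verdict(SITE_LEAF, [INTERMEDIATE], BROWSER_STORE),
        "direct, intermediate omitted": verdict(SITE_LEAF, [], BROWSER_STORE),
        "filtered, client uses OS store": verdict(FILTERED_LEAF, [], OS_STORE),
        "filtered, browser's own store": verdict(FILTERED_LEAF, [], BROWSER_STORE),
        "filtered, browser also trusts OS roots": verdict(
            FILTERED_LEAF, [], BROWSER_STORE | OS_STORE
        ),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:42s} {result}")
```

The two "unknown issuer" rows are different failures with the same message: one is a server that did not send its intermediate, the other is a re-issued leaf whose root the client does not trust.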
    2. Re:Inappropriate Certificates? by Anonymous Coward · · Score: 1

      That's not the quibble. Look at the word inappropriate in conjunction with "might not be sending". So is the message indicating that the server should send an inappropriate intermediate certificate for proper functionality?

    3. Re:Inappropriate Certificates? by Junta · · Score: 1

      Oh, whoops, yeah that is an... interesting phrasing...

      --
      XML is like violence. If it doesn't solve the problem, use more.
  6. Why use Avast? by sjbe · · Score: 3, Insightful

    Why anybody would think that allowing an AV provider to scan all their traffic including bank traffic by extension, is more "secure" - is beyond me.

    Perhaps someone knows more about Avast and AVG than I do but I fail to see any meaningful advantage in them over the built in security software in Windows. Like so much AV software they just seem to slow things down and gum up the works while providing little real protection in the process for a lot of money. What are they doing that anyone actually needs?

    1. Re:Why use Avast? by Anonymous Coward · · Score: 0

      Why go to In&Out when there's a McDonald's...

      Sometimes, one product is better than another.

    2. Re:Why use Avast? by AmiMoJo · · Score: 1

      In theory they can block dangerous downloads before they even hit your hard drive, block malicious Javascript, and block access to "bad" sites. They often have some kind of phishing detection for webmail built in too.

      All stuff you can get for free elsewhere, e.g. most browsers have site blocklists enabled by default, decent webmail will detect and at least warn about potential phishing etc. I'm sure the AV companies would claim that they do a better job and have more coverage, and I suppose to be fair they do offer an all-in-one simple solution for people who can't install uBlock Origin themselves.

      I get the impression that most of their sales are people who heard that it's a good idea to have AV software or who just paid up when the free McAfee trial pre-installed on their computer expired and wouldn't stop nagging them.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:Why use Avast? by drinkypoo · · Score: 1

      I agree. Avast absolutely beats my system down. And when AVG was new, it was good, but it started using up the whole system ages ago. I went back to just using the Mickeysoft stuff, which for some reason doesn't do that even though it seems to actually work pretty well according to independent tests.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re:Why use Avast? by hairyfeet · · Score: 1

      Because I have yet to see Windows "built in security software" do diddly damn shit when it comes to zero days and drive by malware on sites like Facebook? I use Avast for my customers that are FB junkies and believe me it helps a great deal as Windows defender has exactly ZERO fucks to give about malware on Facebook, it will happily ignore when a user clicks a link from a "friend" that takes them to a page filled with browser exploits, it will not care in the slightest.

      Windows Defender is fine for your smart users, the kind using Privacy Badger and ABP or Ublock Origin to filter malware via ads and who aren't likely to click on any links sent to them by friends that may have been compromised, but for Joe and Jane Average? Yeah you kinda need that extra layer that AV like Avast provides because Windows Defender just royally sucks balls when it comes to blocking browser based malware.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    5. Re: Why use Avast? by Anonymous Coward · · Score: 0

      You can tell by the way you use rude words you're a cool kid who knows all. Except you're not and clearly don't actually have freak experience with defender

    6. Re:Why use Avast? by Anonymous Coward · · Score: 0

      Perhaps someone knows more about Avast and AVG than I do but I fail to see any meaningful advantage in them over the built in security software in Windows.

      McAfee is my personal favorite AV to hate. Seriously I'm supposed to be doing dev work, and I look at the McAfee processes and there is more than a page of them.

      The question isn't whether more intrusive software can manage to catch more. It probably can, but you're also eating a continuous loss in productivity due to it being installed over a lighter solution that doesn't bog down your computer. Hell just the electric bill delta is probably way more than the McAfee licenses.

    7. Re:Why use Avast? by Darinbob · · Score: 1

      I went with Avast when I had a rootkit that the expensive anti-malware system I had failed to find. Avast found it quickly and it left my computer much more responsive than the big-name variant. I haven't seen any real slowdown since.

      I put it on my mother's computer because she's much more virus prone because she clicks on everything that promises to save her money or stop Hillary. And on her computer which is not as beefy it has a detectable slowdown, but the advantage is that it catches more things than the Windows defender appears to.

      I haven't run definitive tests, but there are other places that do independent testing and Defender sticks somewhere in the middle. Ie, av-comparatives.org.

  7. Bugs? by sjbe · · Score: 5, Insightful

    There are bugs that haven't been fixed for decades and they regularly WONTFIX many bugs.

    A lot of things that people think are bugs are really just design decisions they don't prefer. While Firefox is certainly not perfect I don't see any of the other browsers being meaningfully better about dealing with their faults.

    It's time Mozilla stops drinking the Chrome-aid and listen to its users for once.

    Has it occurred to you that maybe they are? Believe it or not, people have different opinions about what they want out of Firefox. Just because they don't agree with some vocal users doesn't mean they aren't listening to the others as well. If you don't like their choices you have other browsers that you can use and that's totally fine.

    Until Mozilla does, use Waterfox or Pale Moon.

    Yeah they don't really solve any problems for me and they create some new ones. If they work for you that's great.

    1. Re:Bugs? by fahrbot-bot · · Score: 1

      There are bugs that haven't been fixed for decades and they regularly WONTFIX many bugs.

      A lot of things that people think are bugs are really just design decisions they don't prefer. While Firefox is certainly not perfect I don't see any of the other browsers being meaningfully better about dealing with their faults.

      Exactly. For example, Firefox 65 dropped support for the preference "browser.urlbar.suggest.history.onlyTyped" -- only suggest URLs that were actually typed -- saying the behavior was "not-so-useful" (and, apparently, because their "typed implementation is a mess"), while *I* found it extremely useful.

      --
      It must have been something you assimilated. . . .
    2. Re:Bugs? by gustygolf · · Score: 2

      Has it occurred to you that maybe they are [listening to their users]? Believe it or not, people have different opinions about what they want out of Firefox.

      Mozilla's bugzilla installation has a feature where people can vote on bugs (i.e. express their interest in getting a bug fixed or feature implemented), and this feature of the bug tracker has been there for 15+ years.

      I can't remember the last time a bug with lots of votes was resolved.

      In fact, I can't remember the last time a bug that was filed by a non-developer got resolved.

      Here is a list of currently open bugs with at least 100 votes.

      (My memory might be playing tricks on me, but I remember there being many more votes on bugs. Thousands, at least. The current number one has 571 votes. Perhaps they did a user purge which wiped out votes? It would certainly explain why the list is dominated by WebExtensions bugs -- a recent feature.)

      --
      "Slow Down Cowboy! It's been 58 minutes since you last successfully posted a comment" -- slashdot, driving users away.
  8. Thank you Captain Obvious! by sjbe · · Score: 1

    Sometimes, one product is better than another.

    Now if you would only clarify under what circumstances a reasonable person might consider Avast or AVG to actually be the better option you would actually have answered the question that was asked.

  9. Re:creimer's phat booty makes you go HNNNNNNNG! by Anonymous Coward · · Score: 0

    Meanwhile, creimer is planning to take the Windows 10 exam before it retires on March 31, 2019.

  10. Antivirus by Anonymous Coward · · Score: 0

    Avast and AVG are two of the worst AV's I've used. I had a friend that has a Windows 10 laptop and Avast would just spontaneously wig out and cause Windows to come to a crawl. It took me forever to figure out what the problem was. I uninstalled and reinstalled it and everything was good. A month or two later the same thing happened. I just removed it and let the MS AV take over and it's been fine since then.
    AVG is a bit better in some ways but it's still a hog.
    Kaspersky has\had been pretty good but it can be a hog.
    Trend Micro is ok, it's kind of a hog.
    Symantec, unless it's changed, was a big hog.
    McAfee was a turd and a hog.

  11. Re:Avast's (and others) fault of doing MITM by Anonymous Coward · · Score: 0

    Can't you have a system where the browser can send the decrypted plaintext to the AV system if it wants it to be scanned before running it? Configure a setting to scan using .

    There shouldn't be a need to MITM attack the browser.

  12. 66b4 by p51d007 · · Score: 1

    I'm on the beta channel, had 65.0, but it updated to 66beta4 this morning.

  13. The server might not be sending the inappropriate by Anonymous Coward · · Score: 0

    Lol

  14. Re: creimer's phat booty makes you go HNNNNNNNG! by Anonymous Coward · · Score: 0

    chris ain't here man

  15. Re: No, I'm not "jealous of creimer", lol... apk by Anonymous Coward · · Score: 0, Informative

    If you were in good standing, your posts wouldn't be constantly getting deleted.

  16. Re:No, I'm not "jealous of creimer", lol... apk by Anonymous Coward · · Score: 0

    If you feel that way why don't you do your own video "busting on" this site? Unless of course you don't have the balls.

  17. sounds like ff was good by Anonymous Coward · · Score: 0

    if the description is correct, it sounds like ff did the right thing, not allowing hijacking... the issue is with the bad actors in this case...

  18. Re: LOL! You're the one MINUS BALLS... apk by Anonymous Coward · · Score: 0

    While you continue to post your bullshit anonymously...

  19. Re:I see you're "PhaNtaSiZiNg" again, lol... apk by Anonymous Coward · · Score: 0

    Texas De Brazil is the name you gave to creimer's asshole.

  20. Re: I see you're "PhaNtaSiZiNg" again, lol... apk by Anonymous Coward · · Score: 0

    I hope you get food poisoning.

  21. Re: LOL! You're the one MINUS BALLS... apk by Anonymous Coward · · Score: 0

    Apk does ID himself signing his posts. You don't unless you impersonate him which we all see and he refutes immediately when you aren't stalking him as you are now by unidentifiable anonymous. You post the bullshit.

  22. Re: LOL! You're the one MINUS BALLS... apk by Anonymous Coward · · Score: 0

    Why, then, are you hiding behind "unidentifiable anonymous" posts?

  23. Re: No, I'm not "jealous of creimer", lol... apk by Anonymous Coward · · Score: 0

    Whipslash defamed himself saying he could stop apk posting 2 years ago and failed defaming himself.

  24. IMPERSONATING me AGAIN? apk by Anonymous Coward · · Score: 0

    MacOS model's not done: Stop IMPERSONATING me lying & proof portfilter err's can't happen in my work https://news.slashdot.org/comm...

    U IMITATING me means ya WISH ya were me!

    * HILARIOUS you ADMIT you have a registered 'luser' account & yet you STALK me by UNIDENTIFIABLE anonymous too https://hardware.slashdot.org/... - YOU have ISSUES, lunatic!

    APK

    P.S.=> Hopefully, this 'sinks in' to your DULL BRAIN @ last, finally (for the 200th time now)... apk

    1. Re: IMPERSONATING me AGAIN? apk by Anonymous Coward · · Score: 0

      It would be funny as hell if gweihir was doing this to you. Reading that post certainly makes gweihir a likely candidate.

  25. Re: No, I'm not "jealous of creimer", lol... apk by Anonymous Coward · · Score: 0, Funny

    And here we have APK knowing he lost an argument, so he's not signing his posts, and pretending to not be APK.

  26. Re: LOL! You're the one MINUS BALLS... apk by Anonymous Coward · · Score: 0

    Why are you? Don't worry we know the answer. Apk has thoroughly intimidated you under all your sockpuppet accounts so many times you fear him. Don't pick fights you never win then.

  27. Re: LOL! You're the one MINUS BALLS... apk by Anonymous Coward · · Score: 0

    We all know you're APK's live-in butt buddy ex-marine boyfriend.

  28. Re: No, I'm not "jealous of creimer", lol... apk by Anonymous Coward · · Score: 0

    You pretend to be APK and he put you in your place for it as you tried to impersonate him https://news.slashdot.org/comm... proving you wish you were APK.

  29. You're DYING of MALNUTRITION, lol... apk by Anonymous Coward · · Score: 0

    See subject, as EATING YOUR WORDS isn't GOOD nutrition https://yro.slashdot.org/comme... & you don't seem to want to tell us all HOW THEY TASTE!

    * RoTfLmAo @ U!

    APK

    P.S.=> I'm sure you've grown RATHER ACCUSTOMED to that 'diet' of yours vs. me (lol) - the BITTER TASTE of SELF-DEFEAT vs. me as you EAT YOUR WORDS & your FOOT is in your BLOWHARD MOUTH ramming them back down your chicken-neck throat, lol - & you say "Ah, that FINE flavor - So TASTY!" hahahaha... apk

  30. Avast, Ye Mateys! by Anonymous Coward · · Score: 0

    All your secure packets belong to us. We would never do anything bad with them.

  31. Besides, my work blocks food poisoning... apk by Anonymous Coward · · Score: 0

    It's here! APK Hosts File Engine 1.0++ 64-bit for MacOS h t t p : / / a p k . i t - m a t e . c o . u k / A P K H o s t s F i l e E n g i n e F o r M a c O S . z i p

    Yields more security/speed/reliability/anonymity vs. any 1 solution (99% of threats use hostnames vs. IP address most firewalls use) more efficiently/FASTER + NATIVELY 4 less!

    Vs. "Bolt on 'MoAr' illogic-logic" slowing you hosts speed u up 2 ways: Adblocks + Hardcode fav. sites u spend most time @ vs. competition loaded w/ security bugs (DNS/AntiVir) + overheads slowing u (messagepass 'souled-out' to advertisers easily detected & blocked addons + firewall filtering drivers) & their complexity leads to exploitation!

    * ONLY 1 of its kind in GUI 4 MacOS!

    (Better vs. Windows model in speed/efficiency)

    APK

    P.S.=> Protects against ALL known & unknown vulnerabilities. Now supports port filters in hosts. My work is world-class & China copied it because they can't do better. I am God's gift to Slashdot... apk

  32. IMPERSONATING me YET AGAIN? apk by Anonymous Coward · · Score: 0

    MacOS model's not done: Stop IMPERSONATING me lying & proof portfilter err's can't happen in my work https://news.slashdot.org/comm...

    U IMITATING me means ya WISH ya were me! Imitation IS the sincerest form of FLATTERY you know...

    * HILARIOUS you ADMIT you have a registered 'luser' account & yet you STALK me by UNIDENTIFIABLE anonymous too https://hardware.slashdot.org/... - YOU have ISSUES, lunatic!

    APK

    P.S.=> Hopefully, this 'sinks in' to your DULL BRAIN @ last, finally (for the 200th time now)... apk

  33. IMPERSONATING me still yet AGAIN? apk by Anonymous Coward · · Score: 0

    MacOS model's not done: Stop IMPERSONATING me lying & proof portfilter err's can't happen in my work https://news.slashdot.org/comm...

    U IMITATING me means ya WISH ya were me! Imitation IS the sincerest form of FLATTERY you know...

    * HILARIOUS you ADMIT you have a registered 'luser' account & yet you STALK me by UNIDENTIFIABLE anonymous too https://hardware.slashdot.org/... - YOU have ISSUES...

    APK

    P.S.=> Hopefully, this 'sinks in' to your DULL BRAIN @ last, finally (for the 200th time now)... apk

  34. Re: "but, But, BUT - /. doesn't delete posts"... a by Anonymous Coward · · Score: 0

    See the subject of the post you replied to. Slashdot is known for boasting that they don't delete posts yet they do. Guess that's all you have as apk makes mincemeat of the downmoderation system reposting at will with no limits which makes mincemeat of you stalking him and downmodding him abusing the system just because he trashed you so easily and makes us all laugh at you.

  35. Are you such a chickenshit that you... by Anonymous Coward · · Score: 0

    Are you such a chickenshit that you have to pretend you're someone else, APK?

    1. Re:Are you such a chickenshit that you... by Anonymous Coward · · Score: 0

      At least you're not pretending you are the nobody you really are as you stalk apk by unidentifiable anonymous.

  36. Re:Avast's (and others) fault of doing MITM by 0ld_d0g · · Score: 1

    They probably want a general solution for all HTTPS traffic.

  37. Another Firefox 65 + Windows 10 bug by Anonymous Coward · · Score: 0

    Another thing I haven't found anywhere else with Firefox 65 on Windows 10 is that the outer window frame keeps disappearing, all by itself, continually.
    Leaving the window in an un-resizable state.
    Trying to search for this bug on their site is nigh impossible :(

    Thankfully a double-tap on F11 makes the frame reappear, but it is annoying to have to do it so often.

  38. Re:Avast's (and others) fault of doing MITM by Anonymous Coward · · Score: 0

    We had to tell our citizens that they had to choose between securely authenticating and accessing their official (tax, etc..) data, and virus scanning. Because those are the limits of using an attack technique for user security.

    One person's attack is another person's security. You're effectively telling the vast majority of them to completely disable their antivirus to access your site. Why? Because the vast majority of them won't know the difference between "disable for this site" and "disable system wide." Nor will they want to learn the difference because "appliance." If any of them suffer for it, you'd best hope they don't see your post here.

    Also, why should it be considered an "attack?" Because the site operator wasn't expecting the data they sent to be checked? Obviously the user expected it. So who is the attacker and who is the victim here? Who is guilty of foul play? Because from the user's perspective the antivirus installed on their machine is doing its job. So the attacker is clearly not the AV nor the user....

    We seem to have created a world in which data that is sent to others is somehow still believed to be under the protection of the sender, and that any access the sender disagrees with is an "attack." Hate to break it to the senders, but the laws of nature disagree with you. Once you hit that submit button, it's under the control of whoever receives it.

  39. WebP support from Firefox delayed again by Anonymous Coward · · Score: 0

    The CEO of Mozilla, Chris Beard, is quick to point out that Microsoft's move from Edge to a Chromium/Blink based browser is problematic. He claims that social, civic and individual empowerment perspective should have been considerations for the decision. Instead Microsoft decided on the technical merits that the rendering engine the most compatible with websites coded for Chrome is Chromium/Blink.

    What Chris Beard seems to miss when Mozilla exists to provide choice is that Microsoft is just doing the same thing Mozilla did to WebP. Advocates of WebP have pointed out that giving the JPEG committee so much power over the web's lossy image format has issues from a social, civic and individual empowerment perspective. Such advocates were shut down by Mozilla's Josh Aas, who indicated that WebP doesn't have enough of a *technical* advantage and nothing else seemed to matter to him.

    It wasn't until after Chrome, Opera and Microsoft Edge supported WebP that Mozilla finally decided they would be about "choice" that the other browsers already provided. And now it seems that "choice" will be delayed in being rolled out yet again. Because at the end of the day, Chris Beard just likes to hear himself talk and Mozilla really was never about being a leader in choice.

  40. Re:Avast's (and others) fault of doing MITM by Anonymous Coward · · Score: 1

    One person's attack is another person's security

    Which is fine, if they're the same person/org :-)

    You're effectively telling the vast majority of them to completely disable their antivirus to access your site. Why?

    Because we're requiring mutual SSL, with the client cert and privkey on the electronic ID chip, so that citizens don't get into each other's tax, pension etc.. files.

    When the antivirus impersonates the server, the SSL/TLS session will fail when mutual SSL is in use, because

    ---(from RFC 5246)---
    Certificate Verify
    [...]
                This message is used to provide explicit verification of a client
                certificate. [...] handshake_messages refers to all handshake messages sent or
                received, starting at client hello and up to, but not including,
                this message [...] This is the concatenation of all the
                Handshake structures (as defined in Section 7.4) exchanged thus
                far.
    ---cut here--
    https://tools.ietf.org/html/rfc5246#section-7.4.8

    Because it uses all handshake messages so far, the client and the server will calculate different versions, because the server will have a calculation involving its own REAL certificate/key and the client will calculate using the FAKE cert/key from the MITM.

    So the connection fails with a technically correct but terribly unhelpful message to the user.

    The solution is not to try and subvert a well-designed mechanism, and to implement a different scanning technique.
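The failure described in the comment above, as an added example that is not part of the original post: a client signs the hash of its handshake transcript and the server checks that signature against its own transcript. The message bodies, the SHA-256 choice, the toy textbook-RSA key standing in for the eID key, and all function names are assumptions made for illustration.

```python
import hashlib

# Handshake message types from RFC 5246 section 7.4
CLIENT_HELLO, SERVER_HELLO, CERTIFICATE = 1, 2, 11
CERTIFICATE_REQUEST, SERVER_HELLO_DONE, CLIENT_KEY_EXCHANGE = 13, 14, 16

# Toy textbook RSA key standing in for the key on the eID chip (assumption:
# no padding, tiny modulus, insecure; only here to make sign/verify concrete).
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def handshake(msg_type, body):
    """Frame a Handshake structure: 1-byte type, 3-byte length, body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def transcript(server_cert):
    """handshake_messages as one endpoint sees them, ClientHello up to but
    not including CertificateVerify. All bodies are constructed samples."""
    return b"".join([
        handshake(CLIENT_HELLO, b"constructed client random"),
        handshake(SERVER_HELLO, b"constructed server random"),
        handshake(CERTIFICATE, server_cert),
        handshake(CERTIFICATE_REQUEST, b"constructed government CA name"),
        handshake(SERVER_HELLO_DONE, b""),
        handshake(CERTIFICATE, b"constructed citizen eID certificate"),
        handshake(CLIENT_KEY_EXCHANGE, b"constructed key exchange"),
    ])

def digest(messages):
    return int.from_bytes(hashlib.sha256(messages).digest(), "big") % N

def certificate_verify(messages):
    """Client side: sign the hash of everything exchanged so far."""
    return pow(digest(messages), D, N)

def server_accepts(messages, signature):
    """Server side: check the signature against its own transcript."""
    return pow(signature, E, N) == digest(messages)

REAL_CERT = b"constructed certificate of the tax site"
FAKE_CERT = b"constructed certificate minted by the AV proxy"

def direct_connection():
    return server_accepts(transcript(REAL_CERT), certificate_verify(transcript(REAL_CERT)))

def intercepted_connection():
    # Best case for the proxy: every message relayed byte for byte except the
    # server certificate, and the client's signature forwarded unchanged.
    return server_accepts(transcript(REAL_CERT), certificate_verify(transcript(FAKE_CERT)))

if __name__ == "__main__":
    print("direct:", direct_connection(), "intercepted:", intercepted_connection())
```

The single substituted certificate is enough to make the server reject the signature, and the proxy cannot produce a fresh one because the private key never leaves the card.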

  41. Re:Avast's (and others) fault of doing MITM by Anonymous Coward · · Score: 0

    Also, why should it be considered an "attack?" Because the site operator wasn't expecting the data they sent to be checked? Obviously the user expected it. So who is the attacker and who is the victim here? Who is guilty of foul play? Because from the user's perspective the antivirus installed on their machine is doing its job. So the attacker is clearly not the AV nor the user....

    When the government goes through the trouble of maintaining a CA and rolling out electronic ID based on that CA, and tells the citizens that this secures (confidentiality, integrity) their transactions with the government applications, it cannot risk third party access to those same transactions, which would violate that social contract.

    Of course, this places the burden of ensuring that those sites remain clean squarely on the government. If that ever goes wrong, heads will roll and the press will have a field day ;-) But it's easily mitigated to a large extent, by requiring mutual SSL only on those critical apps, and not on most other stuff.

  42. Re:creimer's phat booty makes you go HNNNNNNNG! by Khyber · · Score: 0

    So, you willingly fucked Creimer?

    Even I can't scrape the bottom of that barrel. And I used to work in porn.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.

  43. This is great by Anonymous Coward · · Score: 0

    This is an awesome feature, I wonder if it will be possible to leave it on even after they "fix" (read: break) this scenario.

  44. "but, But, BUT - /. doesn't delete posts"... apk by Anonymous Coward · · Score: 0

    LMAO - see subject: If YOU were in "good standing" you'd STAND BEHIND YOUR WORDS & you don't.

    Says all that needs saying & what are you talking about? My posts are still here - you replied to them (by UNIDENTIFIABLE anonymous posts STALKING me as usual, lol).

    * Such "BRAVERY & COURAGE" on your part (not) & "STANDING BEHIND YOUR WORDS" (again, NOT, since you're a "WEEZIL", lol).

    APK

    P.S.=> Now, lol - you know you're the one PROJECTING your own issues onto me proving it, RoTfLmAo... apk

  45. I see you're "PhaNtaSiZiNg" again, lol... apk by Anonymous Coward · · Score: 0

    I see you're "PhaNtaSiZiNg" again, lol + PROJECTING your own "StRaNgE" desires too - please - have some dignity & keep it to yourself please.

    * LMAO!

    (Don't talk BALLS with anyone - you HAVE NO BALLS (hiding behind UNIDENTIFIABLE anonymous posts))

    APK

    P.S.=> Now it's time to go eat @ "Texas De Brazil" (iirc that's the name of a new restaurant I'm trying today) I think for lunch... apk

  46. No, I'm not "jealous of creimer", lol... apk by Anonymous Coward · · Score: 0

    See subject: I wouldn't even KNOW who he is IF you dolts wouldn't have "busted on him" nigh constantly & I truly suspect it's whipslash & his "henchman cronies" employees - why? Creimer DID do a video BUSTING on /. pretty bad (maybe even me w/ his "football jock" comment but that I'm not sure of, NOR do I care - I'm proud of having been an NCAA 1st string starter in Lacrosse (& I was BETTER @ football but left that game (I wouldn't use Steroids/HGH etc. & to become "pro", many guys do & I've seen the 'price' (early death)))!

    * So give up already w/ that madness & lunacy of yours!

    APK

    P.S.=> My standing on this site is JUST FINE (yours isn't - I knocked your ass down - you're laying on your back) & so also is my 'standing' here - standing strong, taking on + ANNIHILATING all your kind. puny "ne'er-do-well" Do-NOTHING trolls easily, using facts to do so (the 1 thing you fear other than ME - & it's obvious you FEAR me since you STALK me by UNIDENTIFIABLE anonymous posts & perhaps YOU are JEALOUS OF ME "Lil' Jowie" (lol) - you also IMPERSONATE me nigh constantly too proving YOU WISH YOU WERE ME)... apk

  47. LOL! You're the one MINUS BALLS... apk by Anonymous Coward · · Score: 0

    See subject: Seeing as how you STAND BEHIND YOUR WORDS (not) trolling me using UNIDENTIFIABLE anonymous to STALK me!

    * ... as to your 'point', such as it is?

    Why??

    I like /.!

    APK

    P.S.=> How IRONIC & droll + indicative of your LACK of intelligence on your part - telling me to "have balls" & YOU CLEARLY HAVE NONE, lol!... apk

  48. Take your own advice - that post's not I... apk by Anonymous Coward · · Score: 0

    Take your own advice: What u replied to's not I: I've no reason to bust creimer's balls & U HAVE NO BALLS in UNIDENTIFIABLE anonymous posts.

    APK

    P.S.=> Not even a "nice try" in "framing" me... apk

  49. Feature requests are not (necessarily) bugs by sjbe · · Score: 3, Insightful

    Mozilla's bugzilla installation has a feature where people can vote on bugs

    Nice but popular does not necessarily equal important. As Henry Ford once said, "if I asked my customers what they wanted they would say 'a faster horse'."

    I can't remember the last time a bug with lots of votes was resolved.

    There is some survivorship bias in play there. Bugs with lots of votes are necessarily the ones that don't get resolved. That doesn't necessarily mean they are the most important things to resolve and those will tend to be bugs that get resolved before they get a lot of votes. So you are going to tend to see items with a lot of votes be items that have some sort of following but not generally high priority problems.

    Furthermore most of the items on the list you linked to are not really bugs. They are feature requests. Nothing wrong with those but it's hardly surprising that many feature requests will tend to get ignored. A product cannot be all things to all people and remain useful.

    In fact, I can't remember the last time a bug that was filed by a non-developer got resolved.

    Presumably you can look this information up. Bear in mind that the VAST majority of non-developers do not and never will file bug reports. And just because someone does file a bug report does not make their opinion magically more important. Listening to customers involves far more than just watching the bug report list.

    1. Re:Feature requests are not (necessarily) bugs by Anonymous Coward · · Score: 0

      > In fact, I can't remember the last time a bug that was filed by a non-developer got resolved.

      Presumably you can look this information up. Bear in mind that the VAST majority of non-developers do not and never will file bug reports.

      Mozilla operates on a policy that you can't commit unless you have a bug number in the commit message. As such, developers have to open a bug for almost every commit they make. This will inflate any such number and pretty much makes it meaningless.

  50. IMPERSONATING me AGAIN? apk by Anonymous Coward · · Score: 0

    MacOS model's not done: Stop IMPERSONATING me lying & proof portfilter err's can't happen in my work https://news.slashdot.org/comm...

    U IMITATING me means ya WISH ya were me! Imitation IS the sincerest form of FLATTERY you know...

    * HILARIOUS you ADMIT you have a registered 'luser' account & yet you STALK me by UNIDENTIFIABLE anonymous too https://hardware.slashdot.org/... - YOU have ISSUES, lunatic!

    APK

    P.S.=> Hopefully, this 'sinks in' to your DULL BRAIN @ last, finally (for the 200th time now)... apk