"Professional typists could have typed his example text in, what, a little over a minute?"
Well. I had to go back and correct myself at least once, but I was maxing out at about my top speed trying his text.
1222 characters in 2:35 ~ 95wpm personally.
Sounds like you're suggesting a professional could manage 244wpm.
I'm a bit skeptical.
NoScript can be configured as a blacklist. Just enable "Allow Scripts Globally" and it will permit any site that hasn't been explicitly blocked in the blacklist.
Well, the video is of a simulation, but further comments by readers do strengthen that hypothesis (pics and navteq post).
I suppose the spiral would be the spinning rocket spewing fuel and the blue would be exhaust from the initial launch glowing like a man-made aurora borealis?
http://translate.google.com/translate?js=y&prev=_t&hl=en&ie=UTF-8&layout=1&eotf=1&u=http%3A%2F%2Fwww.abcnyheter.no%2Fnode%2F101011&sl=no&tl=en
This newspaper has an EISCAT theory.
Maybe it was a combination of a rocket test w/ ionospheric heating.
Just a slightly different way of looking at it.
$ gksudo ls
(prompts)
$ gksudo ls
(if you have sudo set to a timer, no prompt)
So gksudo does come up in response to a failed attempt to escalate privileges. Otherwise it doesn't.
It is the wrapper that permits this.
From "TFA":
(and gosh, you and Mr. Anonymous Coward enjoy using "FAIL", don't you?)
====
Not that the picture is all rosy even when client certificates are not involved. Consider the attacker sending an HTTP request of his choosing, ending with the unterminated line "X-Swallow-This: ". That header will then swallow the real request sent by the real user, and will cause any headers from the real user (including, say, authentication cookies) to be appended to the evil request.
====
Well, as I see it...
If he is in the middle, he just has to force you to access a client certificate portion of the bank's website.
He can do this by inserting a fetch for that data into some other request that you perform.
And you don't even necessarily have to be doing any unencrypted browsing at the same time; due to the 2nd portion of the attack, it seems he can insert unencrypted headers which could do a redirect.
And of course if you *did* do any unencrypted browsing in another window, a JS payload could be used at that point to do the load of the client-cert-protected portion at his convenience.
According to TFA, I see no reason to believe your advice is in the least bit correct.
The injection is still bad even w/o the replay attack.
My actual reading of the PDF suggests this is a TLS protocol problem only.
Thus TLS1.0+ and SSLv3+
So. Unless you can tell me SSLv2 is vulnerable, using it still seems the best choice.
Reading up on it, it does seem to be TLS only which would suggest SSLv3+/TLS1.0+ only.
In the absence of any evidence to the contrary, SSLv2 is still the best solution, and I don't find your advice in the least bit comforting.
I had no certainty. I was simply taking the 3.0+ in the summary at face value.
However:
http://extendedsubset.com/Renegotiating_TLS.pdf
Says:
"including SSL v3 and previous"
So, I suppose that was simply inaccurate and I should have read thoroughly.
Now on to the second part of your comment. If any part of the banking website supports client certificates, for any reason, it seems a renegotiation can be trivially triggered by the attacker.
Anyway, the portion:
"Not that the picture is all rosy even when client certificates are not involved. Consider the attacker sending an HTTP request of his choosing, ending with the unterminated line "X-Swallow-This: ". That header will then swallow the real request sent by the real user, and will cause any headers from the real user (including, say, authentication cookies) to be appended to the evil request."
Is a pretty severe attack as well and I don't see any safety from that one.
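The quoted "X-Swallow-This:" passage describes HTTP concatenation semantics rather than a TLS flaw as such: the server sees the bytes sent before renegotiation and the bytes sent after it as one request stream. The following is an added illustration of that mechanism, not code from the thread or from the cited PDF; the request lines, host name and cookie value are constructed placeholders, and the `looks_spliced` check is this example's own heuristic, not a standard defence (the real fix is the secure renegotiation extension, RFC 5746, which binds a renegotiation to the prior handshake).

```python
import re

# Added example (not from the original thread): how an unterminated header
# line in an attacker-chosen prefix absorbs the victim's request line when a
# server treats pre- and post-renegotiation bytes as one HTTP stream.

CRLF = "\r\n"


def parse_request(raw: str):
    """Minimal HTTP/1.1 parser: returns (method, path, headers, body).

    Header names are lower-cased; a later duplicate header overwrites an
    earlier one, which is enough for this illustration.
    """
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


# Constructed sample: the attacker's prefix. The final header line is
# deliberately left WITHOUT its CRLF terminator.
ATTACKER_PREFIX = (
    "GET /attacker-chosen-path HTTP/1.1" + CRLF
    + "Host: bank.example" + CRLF
    + "X-Swallow-This: "
)

# Constructed sample: the victim's genuine request, sent after renegotiation.
VICTIM_REQUEST = (
    "GET /account/balance HTTP/1.1" + CRLF
    + "Host: bank.example" + CRLF
    + "Cookie: session=VICTIM_SESSION_COOKIE" + CRLF
    + CRLF
)


def spliced_view(prefix: str = ATTACKER_PREFIX, victim: str = VICTIM_REQUEST):
    """Parse the two fragments the way the server did: as one stream.

    The victim's request line becomes the value of X-Swallow-This, while the
    victim's Cookie header is attached to the attacker's request line.
    """
    return parse_request(prefix + victim)


# Heuristic belonging to this example only: a header whose value is itself a
# complete request line is a strong sign of a prefix-injected request.
REQUEST_LINE_IN_VALUE = re.compile(r"^[A-Z]{3,7} \S+ HTTP/1\.[01]$")


def looks_spliced(headers) -> bool:
    return any(REQUEST_LINE_IN_VALUE.match(v) for v in headers.values())


if __name__ == "__main__":
    method, path, headers, _ = spliced_view()
    print("server executes:", method, path)
    print("with cookie:", headers.get("cookie"))
    print("swallowed line:", headers.get("x-swallow-this"))
    print("looks spliced:", looks_spliced(headers))
```

Running it shows the server acting on `/attacker-chosen-path` while carrying the victim's session cookie, which is exactly why the post calls this the more severe half of the problem: no client certificate is involved, only the server's inability to tell the two senders apart.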
Not sure what this "most sites" is - all the banking sites I've checked so far (i.e. sites where SSL actually matters) worked fine w/ SSLv2 turned on and SSLv3 turned off.
So far the sites that force SSLv3 are far less crucial to me, like addons.mozilla.org.
The systemic problems in SSLv2 seem less-bad than this flaw in SSLv3.
I will take the truncation of encrypted messages or attempt to downgrade the protocol (which as noted Firefox restricts anyway so it won't have much effect) any day over a replay attack.
The removal of the renegotiation and fixing of the protocol are excellent in medium-to-long-term.
But as a user, right now, I'm using banks that *will* have that feature.
Reverting to SSLv2 is the only viable option apart from doing all my finances in person.
I'm interested in seeing what your non-terrible advice is.
Also. Toggling these flags does not require restarting Firefox.
Go to about:config
security.enable_ssl2 - set to true
security.enable_ssl3 - set to false
Some websites, such as addons.mozilla.org require SSLv3 - you might want to create a separate profile or temporarily enable SSLv3 on those sites.
I tested a few bank websites and PayPal. All accept SSLv2.
Also, Firefox disables 40/64 bit and similarly weak protocols, so the SSLv2 protocol downgrade is not really as much of a problem as the SSLv3 replay attack.
Same as Bugzilla does. Just use a timestamp or counter on the records so you can tell when an edit occurred while you were editing.
Then you can review the edit.
If you want, you can use XHR (maybe with a slow load response for performance depending on the number of users) to notify that an edit happened.
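As an added example of the counter-based scheme the comment describes (this is not Bugzilla's code, only an in-memory model of the pattern), each record carries a version number, a save must present the version it was loaded from, and a mismatch hands the current row back for review. The `changed_since` method is the piece a periodic XHR poll would call; the record ids and texts are constructed.

```python
# Added example (not from the original comment): mid-air collision detection
# with a per-record version counter. A dict stands in for the database.


class EditConflict(Exception):
    """Raised when the record changed after the editor loaded it."""

    def __init__(self, current):
        super().__init__("record changed since it was loaded")
        self.current = current  # the row now in the store, for the user to review


class RecordStore:
    def __init__(self):
        self._rows = {}  # id -> {"version": int, "text": str}

    def create(self, rid, text):
        self._rows[rid] = {"version": 1, "text": text}
        return dict(self._rows[rid])

    def load(self, rid):
        """The editor keeps the version it saw and sends it back on save."""
        return dict(self._rows[rid])

    def changed_since(self, rid, seen_version) -> bool:
        """What an XHR poll would ask: has anyone saved since I loaded?"""
        return self._rows[rid]["version"] != seen_version

    def save(self, rid, text, seen_version):
        """Compare-and-swap on the counter: only a writer whose seen_version
        still matches wins; the loser gets the intervening edit back."""
        row = self._rows[rid]
        if row["version"] != seen_version:
            raise EditConflict(dict(row))
        row["version"] += 1
        row["text"] = text
        return dict(row)


def demo():
    """Two editors load the same record; the second save is rejected."""
    store = RecordStore()
    store.create("bug-1", "Crash on startup")
    alice = store.load("bug-1")
    bob = store.load("bug-1")
    store.save("bug-1", "Crash on startup (only with plugin X)", alice["version"])
    try:
        store.save("bug-1", "Crash on startup, cannot reproduce", bob["version"])
    except EditConflict as conflict:
        return conflict.current  # Bob reviews Alice's edit before retrying
    return None


if __name__ == "__main__":
    print(demo())
```

A timestamp works the same way but can collide when two saves land within its resolution, which is why a monotonically increasing counter is the safer choice.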
Seems some use for it could be made in the future. Scrap, airtight or easily-sealable containers, storage bits for a manned Mars mission; surely something that doesn't require high reliability could be thought of.
And they could try boosting it cheaply using LAO or ProSEDS.
Might be a nice experiment.
Unless things have changed recently, you are using 32 bit flash.
But yes, it should work quite well.
I have no idea what optimisations Adobe has made in the native 64 bit linux plugin.
He's probably referring to:
https://bugzilla.mozilla.org/show_bug.cgi?id=469439
There was a simple workaround (LD_PRELOAD) but it has since been fixed.
That's 'cause a dog isn't that good at balancing on a toilet seat.
You can train a dog to use a lower area just fine though.
And there exist toilets with ramps specifically for dogs to make up for physical limitations.
Every time some study is trotted out showing dogs easily defeat cats at intelligence tests, whether it is problem solving, vocabulary or hell, obedience, some cat lover trots out.
"It isn't that my cat is stupid, it is just that it is too smart to do what it is told"
That same logic can be applied to a pet goldfish (which is actually reasonably trainable, maybe a bit less than a cat) or a pet rock.
And of course, oddly enough, despite the fact that cats like treats just fine and will try and convince us to part with them, they are far too "intelligent/aloof/insert-excuse-here" to do so when taking part in a test.
Look. There's nothing wrong with loving stupid animals. Trying to justify their stupidity by anthropomorphism is a little silly though.
You can.
Not sure since when.
At least GIMP 2.5/2.6.
Sweet. Now we just need it to draw on your eyeball.
And not blind you.
"Down inside the computer are three lasers - a red one, a green one, and a blue one. They are powerful enough to make a bright light but not powerful enough to burn through the back of your eyeball and broil your brain, fry your frontals, lase your lobes. As everyone learned in elementary school, these three colors of light can be combined, with different intensities, to produce any color that Hiro's eye is capable of seeing.
In this way, a narrow beam of any color can be shot out of the innards of the computer, up through that fisheye lens, in any direction. Through the use of electronic mirrors inside the computer, this beam is made to sweep back and forth across the lenses of Hiro's goggles, in much the same way as the electron beam in a television paints the inner surface of the eponymous Tube. The resulting image hangs in space in front of Hiro's view of Reality."
http://google.com/squared/search?q=pandas%2Cbears
seems to have determined that they are of the family Ursidae and class Mammalia w/ reasonable consensus.
Heh. I tried:
firefox, safari, internet explorer
And it returned "Opera"
Just firefox, safari failed oddly
I discovered after some experimenting that adding the terms *after* the grid was created seemed to work better.
For example first typing "firefox"
Then google chrome
Using their suggestion list seemed to help too.
Anyway, my eventual grid gave, for Operating System (using their autosuggest for OS):
Mozilla Firefox: Mac
Google Chrome: [no value]
Microsoft Internet Explorer: [no value]
Safari: [no value]
Konqueror: Linux
They did a bit better w/ publisher, abysmally w/ system requirements - sooo, yeah. Still not quite up to magical knowledge extraction.