Firefox doesn't let web sites access your clipboard directly. Flash does. The Flash guys consider it a feature, while the Firefox guys consider it a security hole in Flash (or at least I do).
I bet the site is using Flash.
Does it count as MITM if the DNS hijacker does connect to the real site behind the scenes? If a shady wireless network operator connects to the real site behind the scenes?
Interesting argument about preferring to trust individuals rather than companies. I think most people have reason to encrypt communications with companies (e.g. online purchases) more often than they have reason to encrypt communications with other individuals, but I understand your position.
It's a lot easier for me to say "I own www.squarefree.com and my web site uses a DV cert" than it is for me to give you my server's certificate. The CAs trusted by Firefox are required to at least check for ownership of the domain. If you're paranoid enough to prefer to verify your friend's cert yourself, you're already putting a lot of effort into checking the cert, and Firefox's extra clicks (in the case that the cert you're verifying isn't also a DV cert trusted by Firefox) shouldn't be making your life much harder.
Firefox 2's software update feature will remain intact. Like Windows 98, it will usually get an answer of "no updates", perhaps with a "perhaps you'd like to update to Firefox 3?" message every 3 months or so. The only thing that's been turned off is updates to the phishing blacklist, and a stale blacklist isn't useful.
NoScript does have an anti-clickjacking feature, so I bet that's what you're seeing.
You're absolutely correct that encryption does not equal identification. I'm surprised you bring that up, since that's at the core of most arguments for Firefox's new certificate handling. I guess people who believe "https:" means "please give me encryption" prefer the lightest warnings for self-signed certs, while people who believe "https:" means "please give me encryption and authentication" expect at least DV certs. I'm in the latter camp, since I believe encryption without authentication isn't very helpful in a world full of MITM attackers.
Firefox 2 is software. The phishing blacklist is a service. Only the latter is being disabled, and there is no way to have an equivalent feature without a service.
There is no anti-clickjacking code in Firefox 3.0. What are you talking about?
(Self-signed certs, on the other hand... I think Firefox 3's handling is a huge improvement, but I understand why some people disagree.)
Firefox 3.1 has a slew of new options to tweak the address bar autocomplete behavior, mostly in about:config. Now is the time to try it out and file bugs if the tweaks don't meet your needs, because Firefox 2 isn't going to be a viable option for much longer.
I'm pretty sure it uses some kind of lightweight in-band authentication instead of SSL. But even if it used SSL, pings to a dead server would still needlessly waste bandwidth and expose SSL-handling code to potentially malicious data.
Did Windows 98 have any security features that involved constantly grabbing data from Microsoft servers? Because that's what we're talking about here.
(Windows 98 stopped getting security patches in 2006, just like Firefox 2 is about to stop getting security patches.)
I agree that "herd mentality" is not the same as censorship. But the point of the article is that "herd mentality" has many of the same effects as censorship, and therefore we should fight it for the same reasons we fight censorship.
Microsoft is currently blaming plugins (Flash, Java, QuickTime, etc.) for security problems. These typically come with your computer, and if you uninstall them, some sites stop working. On Windows, each one uses a different automatic update mechanism, each of which is confusing and/or evil in its own way, resulting in the majority of users having outdated plugins.
Firefox fans on Slashdot have blamed extensions (Adblock, Forecastfox, etc.) for memory leaks. Plenty of people use Firefox without extensions. Most extensions do not interact with data from web pages, so while they can cause memory leaks, they rarely cause security holes. When an extension does have a security hole, Blake Kaplan improves APIs to make similar holes less likely in the future.
I work for Mozilla, and I agree with Microsoft that plugin security holes are a major problem.
Yes, people generally do take good care of their iPhones. That's why Winnetka residents were outraged when an iPhone was left in a hot car for three hours.
It does, per spec. If the video element has a "controls" attribute, or scripting is disabled, the browser provides controls. Otherwise, the page is free to provide its own controls, and has all the necessary APIs to make a reasonable set of controls.
It will totally screw up the layout of any page linking to it if they haven't entered an explicit size for the tag.
That only really works against pages that use the HTML TABLE element for layout. Paragraph wrapping is normally not affected by the width of the page (e.g. due to a single long word or image elsewhere on the page), but tables cause it to be affected. To be fair, most forums use table layouts.
Shockwave is older than Flash.
I'm curious what you like better about Chrome's address bar suggestions. I use Mac, so I haven't really been able to play with Chrome.
Hulu and Youtube use Adobe Flash, not Adobe Shockwave. Shockwave is pretty rare on the Web nowadays, and has been nearly abandoned by Adobe (there was no Intel Mac version for the first few years of Intel Macs).
Knowing this won't change your experience that Chrome and Youtube don't play well together, of course ;)
FWIW, this isn't exactly a new idea. roc and I discussed it back in 2002.
I'm glad it's getting attention now, though. Any fix is likely to require changes to specs.
The ZDNet article is pretty vague, but I think it refers to the problem detailed in this message from Michal Zalewski:
"A malicious page in domain A may create an IFRAME pointing to an application in domain B, to which the user is currently authenticated with cookies. The top-level page may then cover portions of the IFRAME with other visual elements to seamlessly hide everything but a single UI button in domain B, such as 'delete all items', 'click to add Bob as a friend', etc. It may then provide own, misleading UI that implies that the button serves a different purpose and is a part of site A, inviting the user to click it."
Disabling JavaScript won't prevent the attack. It will break some mitigations, though!
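A defender-side check related to the framing attack quoted above, as an added example that is not part of the original comment: it classifies a response's framing policy from the standard `X-Frame-Options` and CSP `frame-ancestors` headers, which the browser enforces whether or not scripting is enabled. The function names and return labels are assumptions made for illustration.

```javascript
// Added example (not from the original comment). Function names and the
// return labels are constructed for illustration.

// Return the CSP frame-ancestors source list, or null if the directive is absent.
function parseFrameAncestors(csp) {
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0 && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// Classify who may embed the response in a frame:
// 'deny' | 'same-origin' | 'allowlist' | 'frameable'.
function framingPolicy(headers) {
  // HTTP header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value);
  }

  // An enforced frame-ancestors directive overrides X-Frame-Options.
  const sources = parseFrameAncestors(h['content-security-policy'] || '');
  if (sources !== null) {
    const onlyNone = sources.length === 1 && sources[0] === "'none'";
    // An empty source list matches no ancestor, so it is treated like 'none'.
    if (sources.length === 0 || onlyNone) return 'deny';
    if (sources.every((s) => s === "'self'")) return 'same-origin';
    const wide = ['*', 'http:', 'https:'];
    return sources.some((s) => wide.includes(s)) ? 'frameable' : 'allowlist';
  }

  // Fall back to X-Frame-Options. This check treats any value other than
  // DENY or SAMEORIGIN as giving no protection.
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return 'deny';
  if (xfo === 'SAMEORIGIN') return 'same-origin';
  return 'frameable';
}
```

A result of `frameable` on a page that performs state-changing actions for a cookie-authenticated user is the condition the quoted message describes.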
Slashdot + GMail plus a compile or two
I hope you're not using your web browser to compile C++ applications ;)
If the license is permissive (like the MIT license), Opera and IE can incorporate the new code just as easily as open-source browsers can. If the license is open-source but not especially permissive (like the GPL), Opera and IE can't use it, but neither can many other open-source projects.
As it happens, V8 is BSD, Tracemonkey is LGPL+MPL+GPL, and SquirrelFish is LGPL+BSD. I believe BSD and MPL are both permissive enough for use in Opera and IE.
That's not a sign that the benchmarks are useless. That's a sign that V8 has improved since the version that shipped with Chrome.
I agree that it shouldn't be necessary to make users wait during updates. The Google Toolbar for IE manages it somehow ;) See bugzilla.mozilla.org bug 307181.
Maybe Mozilla QA hasn't been able to find a regression window for your bug because they can't reproduce the bug themselves? You should be able to do it with nightlies from around that time (between Firefox 3 Beta 5 and Firefox 3 RC1?), which are still available.
Firefox 2 is going to stop getting security updates soon. It's already way behind on security fixes. You should file bug reports or do whatever is necessary to ensure that you will be able to use Firefox 3 (or Firefox 3.1) by December.