If you get owned due to browsing the Web using an ancient version of Firefox, you won't have the "choice" of not having your credit card stolen. The "loss of choice" associated with having a nag screen is nothing compared to that.
An embedded appliance between you and the internet *can* have a valid cert signed by an existing CA. Cisco gets an intermediate cert that's valid for signing *.homerouters.cisco.com certs, and your router gets one of those. You bookmark https://1bf5a32a.homerouters.cisco.com/ while connected with a physical ethernet cable. From then on, you know you're connecting to your own router rather than someone else's, and yet you never had to deal with a certificate warning.
There might be more to it, since expiry might make this more complicated. But I'm pretty sure one of the big router vendors is starting to do something like this.
This is a common suggestion, but I don't think it would work for https. If you want to create a new protocol called "httpe" that doesn't claim to provide authentication, it might be ok, but would still have the "false sense of security" problem.
It might not be that obvious. Maybe the ownage commands are followed by a bunch of noise, so they're scrolled off of the screen immediately. Or maybe the terminal window gets closed or appears to crash.
Or it could infect your user account with malware, send copies of your files to bad guys, steal your credit card numbers, add you to a botnet...
Running as non-root only makes it easier to recover from an infection. It doesn't prevent any of the bad things that can happen to you as a result of being owned.
But I fail to see how you can leverage this to gain privs.
1. Every 100ms, put some evil UNIX commands on the clipboard, surrounded by line breaks. I'm sure you can come up with a one-liner that compromises a user's system.
2. Hope someone will paste into a Terminal window while your evil page is open.
I paste into Terminal windows all the time. For example, I might copy an error message and then grep another file for the message. If there's an evil web page open while I do that, the paste will own me.
FWIW, there's a Firefox bug that lets sites hijack your 'primary' clipboard (the one that middle mouse clicks paste). See bug 265868. So you're not safe just by avoiding Ctrl+V yet.
As long as we have C and C++, memory protection features will be compiler options. But I do like the idea of browsers enforcing that plugins use the same memory protection features as the browser itself.
This presentation was how to get around features that try to prevent exploitation of memory safety bugs in applications. The intent of these features is that even if you find a buffer overflow in Notepad, you won't be able to do anything other than make Notepad crash.
These compiler and OS features try to disrupt the exploitation of memory safety bugs in various ways. Some work by detecting memory corruption (e.g. checking "stack cookies" before returning from a function that uses a string buffer). Others work by making it hard for an attacker to place shell code at a predictable memory address (e.g. DEP or ASLR).
The presenters demonstrated clever ways to get around many of these protections, but by showing how tricky it was to do so, they actually showed how effective the protections are against applications other than web browsers. To create memory that was both under their control and marked as executable, they had to take advantage of weird behavior of .NET controls (IE-only), Flash, and Java applets. The .NET control behavior looked like a bug Microsoft could fix without breaking any controls, since it involved lying about the .NET version a control was created for. The Flash behavior (a missing compiler flag) is already being fixed. The Java issue is that all Java memory is marked as executable; I don't know how hard that would be to fix, but I imagine most Slashdot users don't have to worry about this because they have already disabled Java applets.
I don't think this is devastating even to web browsers. I work on Firefox, and I know these protections haven't made us complacent about looking for and fixing memory safety bugs. Meanwhile, not all web browser security holes are memory safety bugs, so most browsers all have automatic update systems in place to ensure users receive new versions quickly.
(I attended the Black Hat presentation but did not read the full paper.)
I believe you can create new associations as needed (whenever Firefox encounters a new MIME type or protocol). They will then be listed in Preferences > Applications.
You can get a list of CSS properties supported by a browser by looking at document.defaultView.getComputedStyle(document.documentElement, null). Call .item() on it in a loop to see all of them, or compare .getPropertyValue(...) to null to see if a browser supports a specific one.
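The enumeration and feature test described in that comment, as an added example that is not from the original comment. It assumes a CSSStyleDeclaration-like object; FAKE_STYLE is a constructed stand-in so the code also runs outside a browser, and in a real page you would pass the result of document.defaultView.getComputedStyle(document.documentElement) instead.

```javascript
// Enumerate every property name the declaration exposes, using .item(i)
// in a loop as the comment describes (length and item() are CSSOM members).
function listSupportedCssProperties(style) {
  const names = [];
  for (let i = 0; i < style.length; i++) {
    names.push(style.item(i));
  }
  return names;
}

// Feature-test one property by name. Engines of the Firefox 3 era returned
// null for an unknown property; per the current CSSOM spec getPropertyValue()
// returns "" instead. A supported shorthand can also compute to "", so when the
// value is empty, fall back to the enumerated list, which is unambiguous.
function supportsCssProperty(style, name) {
  const value = style.getPropertyValue(name);
  if (value === null || value === "") {
    return listSupportedCssProperties(style).includes(name);
  }
  return true;
}

// Constructed stand-in for a computed CSSStyleDeclaration (assumption: only
// the three properties below are "supported"). item() returns "" out of range
// and getPropertyValue() returns "" for unknown names, mirroring the spec.
function makeFakeStyle(props) {
  const keys = Object.keys(props);
  return {
    length: keys.length,
    item: (i) => (i < keys.length ? keys[i] : ""),
    getPropertyValue: (name) =>
      Object.prototype.hasOwnProperty.call(props, name) ? props[name] : "",
  };
}

const FAKE_STYLE = makeFakeStyle({
  display: "block",
  color: "rgb(0, 0, 0)",
  hyphens: "manual",
});

// In a browser, run the same functions against the real computed style.
if (typeof document !== "undefined") {
  const real = document.defaultView.getComputedStyle(document.documentElement);
  console.log(listSupportedCssProperties(real).length, "properties exposed");
  console.log("hyphens supported:", supportsCssProperty(real, "hyphens"));
}
```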
Ahh. I think browsers tend to go for the greedy / line-by-line algorithm because it's fast and works well with incremental layout (e.g. if you receive the page from the server slowly). The speed argument may be less important since it can be argued that reading speed is more important than layout speed (cf the recent change to support kerning and ligatures). There are also internationalization issues with hyphenation. See Mozilla bug 67715.
Is entire-paragraph hyphenation always expected, or only expected for justified text?
Firefox had the progress bar working for uploads for a while, but then it broke. There is pretty much nobody working on Firefox's networking code, so minor bugs like that tend to pile up more so than in other components of Firefox :( If you know someone who enjoys working on C++ networking code, please send them our way!
How do I keep Linux from making me confirm that I want to run the script?
chmod u+x firefox, perhaps? I use Mac, so I'm not familiar with this UI. Sounds lame that the dialog doesn't give a way to make the decision permanent for the given file.
How will I replace the beta with the release version?
Firefox 3 Beta 5 came with Ubuntu 8, right? I imagine the OS software updater will do this for you within a few days; I'm pretty sure they didn't intend for Ubuntu 8 users to use Firefox 3 Beta 5 forever ;) The folks in #ubuntu-mozillateam on irc.freenode.net might know more.
Can I put the RC somewhere in the path so that it will be the launcher default rather than the beta, but without deleting the beta?
I don't use Linux (yet), so I don't know how to tweak these defaults. A Google search for something like 'ubuntu default browser' might give you an answer. (I haven't really figured out how to do this on Mac either.)
Aha, now I see what you're talking about. This is sort of intentional: if the *only* button you move to the bookmarks toolbar is the Home button, it looks better as an icon with text than as a button (at least on Mac). But if you move *all* your buttons there, it's strange for the Home button to be different from the others (although it still matches the appearance of bookmarks). Interesting problem.
It looks like this has already been filed as bug 414829 and has gathered 4 votes. I'm guessing the initial change was part of the bug 404109 experiment.
Maybe the Home button should only take on the "bookmark" appearance (icon with text) if it's adjacent to some bookmarks?
Is Firefox unresponsive when this problem occurs, or does it just fail to load other pages (from the same site or from other sites) quickly? If it's unresponsive, it might make sense to blame "lack of threading", but if it's just failing to load other pages quickly, it's probably a more specific problem with the networking code or the default max-connections settings.
How would a browser (or even a user) tell the difference between a hijack and another use of a self-signed cert?
Michael Scott, is that you?
Hopefully the Mozilla team will reconsider their position to make their software more open-source friendly.
The problem isn't Mozilla being "not open-source friendly". The problem is the other software you refer to not being Web-security friendly.
That's a post on Rob Sayre's blog, which happens to be hosted on blog.mozilla.com. That doesn't make it the official Mozilla word on the Acid3 test.
Yes, they still result in undefined behavior, per spec.
If it requires Java, it's not a web app.
What is an "h&j algorithm"?
Firefox 3 does support mixed SVG and XHTML. I think the other non-IE browsers do as well.
Crazy Browser is not a minimalist browser. It is an IE wrapper.