TGOS wrote:
You have as much info as needed. The entire NSS lib source code. Build a debug version of mozilla, and run it iun a debugger. You'll see EVERY function call, and all the data used/passed in the functions. If you really want to help, once you figure it out, write up a 1 or 2 page doc about the flow for other to use. You apperar to be the first to ask for it, but likely won't be the last. Do you have the spirit of OSS, or just want to leach off of it?On 21 Nov 2002 19:37:47 GMT [EMAIL PROTECTED] (Thomas Dodd) wrote in netscape.public.mozilla.security:You always have 2 choices here. 1) use the library, possibly statically linking it, or 2) rewrite the needed parts in you app.And I choose (2), because I can't link statically to a scripting
language that isn't even compiled. And that's why I was asking for as
much information as possible about the library Mozilla uses, because I
will have to re-write it from the scratch.
Since X has been prrted to most OSes, there aren't meant non X11 systems. I run commercial X servers in M$, andIf you want to use X11 drowing call, you need the X libs.But if I write a X11 app, it's designed right from the start to ONLY run
under X11 systems. Hence I'd never do anything that stupid if I know
right from the start code has to run on non X11 systems as well.
XFree86/cygwin is a fairly workable combination.
More to the subject, the mozilla developers, never intended the NSS code to be used on non mozilla systems. They included support for other methods to handle that, like smart cards. How long have you been involved with the mozilla project? It fells like you just found it and decided "this is what I want". Then you come along like you know all there is to know about what should be done. The project was announced widely, years ago. You should have joined then and helped shape the future development. You can still do that. Figure out the call stack. Write the code that does what you want. Post it as patches. Push for inclusion. Can it be done as an addon, like the UABar was?
Which it is! That's why I'm always strictly separating the *mandatory*Mozilla doesn't have and *OPTIONAL* GUI yet. The NSS lib and PSM code is optional though. I can remove those packages and still browse the web, ftp file, and read e-mail (just no SSL support). So write you own replacement for that code, that is cross platform, scriptable, and generaly does what you think it should.
CORE of the *optionally* GUI. If I want to support twenty of platforms,
I thought it makes sense to store WEB passwords into a WEB BROWSER,
after all that's the client that will need the passwords later on and
that's the client that can pre-fill the passwords for me (something
And mozilla does that. You are asking to do something else.
The hooks appear to be there. You just have to write the backend code to sotor the data in the way you want. There's not a lot of language neutral stuff out there. But it commiing. GTK/GNOME libs have C, C++, and Python bindings, probably more. So write a perl-NSS binding.external software will never be able to do). Hence it would be very programmer friendly if programmers can easily pull passwords out the database and move new ones into the database, no matter what language or platform they use.
It's not obfuscared. It's just part of a complicated system. Do you think that PKCS #(5. 7, 11, and 12) support is a bad thing? Do you think the ability to change the storage method is a bad thing?Mozilla stores them in the safest method it can.No. It just uses the most complicated way it can, but it's not anymore
secure than using a much simpler encryption method. Making things
complicated (obfuscating data) is not making them any more secure.
I agree here. And oncethe rest of the system is better, it will come. If you want it sooner, do it. Nobody will complain. The problem is, once you got the informatyion, instead of using it, you started critisizing the developers and the system. This is OSS, where talk is cheap, and CODE is the currency of choice.It wasn't designed to allow editing of that data.But it should, because users want to change their own data. Useres want
to move data from their profile on HD to a disk and then re-import them
from the disk after a HD crash or move them to another profile on a
different PC. Or to have two profiles and merge the passwords stored in
Likely not. And depending on you configuration, you could see the data with out the master password.Displaying that information on the screen is insecure.And this wasn't possible when I entered the password for the first time
Someone could see the screen/intercept the calls that draw the screen.
and that way added it to the database?
Sure it was. So what't the point of the statement?
In 90% of all cases we talk here about passwords that Mozilla later onThat not mozilla's fault. It warns you *BEFORE* it send data over an insecure connection, unless you tell it not to. If you are willing to send important info that way that's your problem. Personaly, I don't. SSL connections aren't hard to implement, if only for login use, so that data is not sent in the clear. Tell the webmaster to fix the site.
sends over a non-secure, non-SSL connection, so every network sniffer
would reveal them and even people not sitting in my local network would
see them by logging all IP packages on a router in between.
-Thomas
