Re: SSL Exploit: Mozilla family no better than the rest of the pack

2011-09-30 Thread Ray_Net 

Robert Kaiser wrote:

Ray_Net schrieb:

How to kill Java on my machine (win7) and/or when using IE(or SM)


On SM it should be as easy as going into the Add-ons Manager, select
Plugins, and deactivate it from there. No idea about Windows/IE as I
keep my hands off proprietary software as much as I can.


Thanks, i have verified - it's disabled.
And, i have found for IE9 -> 
http://windows7themes.net/how-to-disable-java-in-ie9.html

___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey

Re: SSL Exploit: Mozilla family no better than the rest of the pack

2011-09-30 Thread NoOp 
On 09/30/2011 07:17 AM, Robert Kaiser wrote:
> NoOp schrieb:
>> I'm not sure I fully understand (or probably ever will)...
>> 
>> {(CVE-2011-3389) Rizzo/Duong chosen plaintext attack on SSL/TLS 1.0
>> (facilitated by websockets -76)]
>> doesn't seem to indicate java, but instead nss as being the issue. So,
>> "to be clear": is it a java or nss issue?
> 
> Java uses its own TLS stack, which is vulnerable as described in the bug 
> on plugins (https://bugzilla.mozilla.org/show_bug.cgi?id=665814#c90 
> mentions that this has been split off into 
> https://bugzilla.mozilla.org/show_bug.cgi?id=688008), and Java allows 
> sockets to any site, which can trigger the attack, and Oracle has not 
> yet made any comments that they even intend to work on the problem.
> 
> The NSS stack is vulnerable in theory, but under our control, so we can 
> fix it, and will do so. To trigger the attack, HTTPS connection need to 
> be made in a certain way, though, and we have no code in Firefox or 
> SeaMonkey right now that does that. Websockets protocol -76 was a way to 
> trigger that, but we have not been implementing this protocol version 
> since Firefox 5 and SeaMonkey 2.2, we are now implementing a newer 
> protocol version of Websockets which cannot trigger that attack.
> 
> So, NSS is basically vulnerable, but we don't have any code that opens 
> network connections in a way that would actually allow the attack. We 
> still will fix NSS in future versions so that any change in how we're 
> doing connections will also not expose us to the attack. (Note that 
> Chrome is using NSS as well, and they're in the same situation as us 
> here and will ship probably exactly the same fix in the future.)
> 
> We can't fix Java, and Java applets are exploitable as things stand, so 
> our only possibility is to reduce/block usage of the vulnerable 
> versions, which are all we know about right now, and Oracle has not made 
> any commitment to fixing the problem in future versions.
> 
> I hope that explains the problem enough.
> 
> Robert Kaiser
> 
> 

It does indeed. Thanks for the details Robert.


___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey

Re: SSL Exploit: Mozilla family no better than the rest of the pack

2011-09-30 Thread Robert Kaiser 

NoOp schrieb:

I'm not sure I fully understand (or probably ever will)...

{(CVE-2011-3389) Rizzo/Duong chosen plaintext attack on SSL/TLS 1.0
(facilitated by websockets -76)]
doesn't seem to indicate java, but instead nss as being the issue. So,
"to be clear": is it a java or nss issue?


Java uses its own TLS stack, which is vulnerable as described in the bug 
on plugins (https://bugzilla.mozilla.org/show_bug.cgi?id=665814#c90 
mentions that this has been split off into 
https://bugzilla.mozilla.org/show_bug.cgi?id=688008), and Java allows 
sockets to any site, which can trigger the attack, and Oracle has not 
yet made any comments that they even intend to work on the problem.


The NSS stack is vulnerable in theory, but under our control, so we can 
fix it, and will do so. To trigger the attack, HTTPS connection need to 
be made in a certain way, though, and we have no code in Firefox or 
SeaMonkey right now that does that. Websockets protocol -76 was a way to 
trigger that, but we have not been implementing this protocol version 
since Firefox 5 and SeaMonkey 2.2, we are now implementing a newer 
protocol version of Websockets which cannot trigger that attack.


So, NSS is basically vulnerable, but we don't have any code that opens 
network connections in a way that would actually allow the attack. We 
still will fix NSS in future versions so that any change in how we're 
doing connections will also not expose us to the attack. (Note that 
Chrome is using NSS as well, and they're in the same situation as us 
here and will ship probably exactly the same fix in the future.)


We can't fix Java, and Java applets are exploitable as things stand, so 
our only possibility is to reduce/block usage of the vulnerable 
versions, which are all we know about right now, and Oracle has not made 
any commitment to fixing the problem in future versions.


I hope that explains the problem enough.

Robert Kaiser


--
Note that any statements of mine - no matter how passionate - are never 
meant to be offensive but very often as food for thought or possible 
arguments that we as a community should think about. And most of the 
time, I even appreciate irony and fun! :)

___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey

Re: SSL Exploit: Mozilla family no better than the rest of the pack

2011-09-30 Thread Robert Kaiser 

Ray_Net schrieb:

How to kill Java on my machine (win7) and/or when using IE(or SM)


On SM it should be as easy as going into the Add-ons Manager, select 
Plugins, and deactivate it from there. No idea about Windows/IE as I 
keep my hands off proprietary software as much as I can.


Robert Kaiser


--
Note that any statements of mine - no matter how passionate - are never 
meant to be offensive but very often as food for thought or possible 
arguments that we as a community should think about. And most of the 
time, I even appreciate irony and fun! :)

___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey

Re: SSL Exploit: Mozilla family no better than the rest of the pack

2011-09-30 Thread Ray_Net 

Robert Kaiser wrote:

NoOp schrieb:

Blocking all versions of Java on all versions of Firefox + SeaMonkey?


Yes.


Seriously?


Yes, as it's a security hazard and we don't know of any plans of Oracle
to fix it.


Are you referring to this:
https://bugzilla.mozilla.org/show_bug.cgi?id=689661
[Block Java Plugin due to security vulnerabilities (BEAST TLS and bug in
same-origin-policy)]


Yes.


Doing that kills sites that use java. Example:
http://myspeed.visualware.com/index.php


Yes.


Users can easily turn on/off java using prefbar.


Doesn't apply to the majority of users that don't even know what prefbar
is. Users will be able to turn it on again if they must, but it's a
security risk.



I agree with you, java is a bad open door for nasty things.
Nobody need unexpected program to run on their computer.

How to kill Java on my machine (win7) and/or when using IE(or SM)

___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey

Re: SSL Exploit: Mozilla family no better than the rest of the pack

2011-09-30 Thread Ray_Net 
THAT'S NOT an answer - PLEASE REFRAIN TO INSIST - YOU DID NOT FOLLOW THE 
ETIQUETTE WHEN NOT ANSWERING.


NoOp wrote:

On 09/29/2011 05:27 PM, d...@kd4e.com wrote:

In addition to HTML 5 supposedly displacing some of the needs for Java,
wasn't there a project of some sort that provided for an open-source
substitute for Java ... or was that just a silly dream?



I think that you've been reminded of this before, but if not I'll repeat:

http://www.mozilla.org/about/forums/etiquette.html

Top-posting vs bottom-posting.

 Some people like to put reply after the quoted text, some like it
the other way around, and still some prefer interspersed style. Debates
about which posting style is better have led to many flame wars in the
forums. To keep forum discussion friendly, please do interspersion with
trimming (see above for trimming rules). For a simple reply, this is
equivalent bottom-posting. So, remove extraneous material, and place
your comments in logical order, after the text you are commenting upon.
The only exceptions are the accessibility forums, which are top-posting.

...

Please refrain from 'Top-posting'. Thanks.


___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey

Re: SSL Exploit: Mozilla family no better than the rest of the pack

2011-09-30 Thread Lucas Levrel 

Le 29 septembre 2011, d...@kd4e.com a écrit :


In addition to HTML 5 supposedly displacing some of the needs for Java,
wasn't there a project of some sort that provided for an open-source
substitute for Java ... or was that just a silly dream?


There exists IcedTea (at least on Linux, which you are using). Not as good 
as the original, though (some applets won't work).


--
LL
___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey

Re: SSL Exploit: Mozilla family no better than the rest of the pack

2011-09-29 Thread NoOp 
On 09/29/2011 05:27 PM, d...@kd4e.com wrote:
> In addition to HTML 5 supposedly displacing some of the needs for Java,
> wasn't there a project of some sort that provided for an open-source
> substitute for Java ... or was that just a silly dream?
> 

I think that you've been reminded of this before, but if not I'll repeat:

http://www.mozilla.org/about/forums/etiquette.html

Top-posting vs bottom-posting.

Some people like to put reply after the quoted text, some like it
the other way around, and still some prefer interspersed style. Debates
about which posting style is better have led to many flame wars in the
forums. To keep forum discussion friendly, please do interspersion with
trimming (see above for trimming rules). For a simple reply, this is
equivalent bottom-posting. So, remove extraneous material, and place
your comments in logical order, after the text you are commenting upon.
The only exceptions are the accessibility forums, which are top-posting.

...

Please refrain from 'Top-posting'. Thanks.
___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey

Re: SSL Exploit: Mozilla family no better than the rest of the pack

2011-09-29 Thread NoOp 
On 09/29/2011 05:12 PM, Robert Kaiser wrote:
> NoOp schrieb:
>> Thanks for the clarification. Java goes off until either Mozilla and/or
>> Oracle fix _their_ issues.
> 
> To be clear, those issues are completely on Oracle's side, the Mozilla 
> code doesn't have an issue wrt Java, and the other major plugins are 
> safe as well as we found out. The Java plugin itself is the thing that 
> has the security issue, and a published one at that.
> 
> Robert Kaiser
> 
> 

I'm not sure I fully understand (or probably ever will)...

{(CVE-2011-3389) Rizzo/Duong chosen plaintext attack on SSL/TLS 1.0
(facilitated by websockets -76)]
doesn't seem to indicate java, but instead nss as being the issue. So,
"to be clear": is it a java or nss issue?



___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey

Re: SSL Exploit: Mozilla family no better than the rest of the pack

2011-09-29 Thread d...@kd4e.com 

In addition to HTML 5 supposedly displacing some of the needs for Java,
wasn't there a project of some sort that provided for an open-source
substitute for Java ... or was that just a silly dream?


Thanks for the clarification. Java goes off until either Mozilla and/or
Oracle fix _their_ issues.


To be clear, those issues are completely on Oracle's side, the Mozilla
code doesn't have an issue wrt Java, and the other major plugins are
safe as well as we found out. The Java plugin itself is the thing that
has the security issue, and a published one at that.

Robert Kaiser


--

Thanks! & 73, KD4E
David Colburn http://kd4e.com
Have an http://ultrafidian.com day
I don't google I SEARCH! http://yippy.com
Shop Freedom-Friendly http://kd4e.com/of.html
___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey

Re: SSL Exploit: Mozilla family no better than the rest of the pack

2011-09-29 Thread Robert Kaiser 

NoOp schrieb:

Thanks for the clarification. Java goes off until either Mozilla and/or
Oracle fix _their_ issues.


To be clear, those issues are completely on Oracle's side, the Mozilla 
code doesn't have an issue wrt Java, and the other major plugins are 
safe as well as we found out. The Java plugin itself is the thing that 
has the security issue, and a published one at that.


Robert Kaiser


--
Note that any statements of mine - no matter how passionate - are never 
meant to be offensive but very often as food for thought or possible 
arguments that we as a community should think about. And most of the 
time, I even appreciate irony and fun! :)

___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey

Re: SSL Exploit: Mozilla family no better than the rest of the pack

2011-09-29 Thread NoOp 
On 09/29/2011 03:50 PM, Robert Kaiser wrote:
> NoOp schrieb:
>> Blocking all versions of Java on all versions of Firefox + SeaMonkey?
> 
> Yes.
> 
>> Seriously?
> 
> Yes, as it's a security hazard and we don't know of any plans of Oracle 
> to fix it.
> 
>> Are you referring to this:
>> https://bugzilla.mozilla.org/show_bug.cgi?id=689661
>> [Block Java Plugin due to security vulnerabilities (BEAST TLS and bug in
>> same-origin-policy)]
> 
> Yes.
> 
>> Doing that kills sites that use java. Example:
>> http://myspeed.visualware.com/index.php
> 
> Yes.
> 
>> Users can easily turn on/off java using prefbar.
> 
> Doesn't apply to the majority of users that don't even know what prefbar 
> is. Users will be able to turn it on again if they must, but it's a 
> security risk.
...

Thanks for the clarification. Java goes off until either Mozilla and/or
Oracle fix _their_ issues. Might be a good idea to post a separate
thread/subject on this list informing users on how to easily disable
Java via other means outside of prefbar.

Tools|Add-ons Manager|Plugins|Java(TM)  Plug-in|Disable doesn't
seem to work on 2.4.1 (linux). Nor via about:config:
security.enable_java;false
I can *only* disable (checking via http://java.com) via prefbar.
I'll test in a 'test' profile to see if the results are different.

___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey

Re: SSL Exploit: Mozilla family no better than the rest of the pack

2011-09-29 Thread Robert Kaiser 

NoOp schrieb:

Blocking all versions of Java on all versions of Firefox + SeaMonkey?


Yes.


Seriously?


Yes, as it's a security hazard and we don't know of any plans of Oracle 
to fix it.



Are you referring to this:
https://bugzilla.mozilla.org/show_bug.cgi?id=689661
[Block Java Plugin due to security vulnerabilities (BEAST TLS and bug in
same-origin-policy)]


Yes.


Doing that kills sites that use java. Example:
http://myspeed.visualware.com/index.php


Yes.


Users can easily turn on/off java using prefbar.


Doesn't apply to the majority of users that don't even know what prefbar 
is. Users will be able to turn it on again if they must, but it's a 
security risk.



Robert Kaiser

--
Note that any statements of mine - no matter how passionate - are never 
meant to be offensive but very often as food for thought or possible 
arguments that we as a community should think about. And most of the 
time, I even appreciate irony and fun! :)

___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey

Re: SSL Exploit: Mozilla family no better than the rest of the pack

2011-09-29 Thread NoOp 
On 09/29/2011 07:44 AM, Robert Kaiser wrote:
> Paul B. Gallagher schrieb:
>> HACKERS BREAK SSL ENCRYPTION USED BY MILLIONS OF SITES
> 
> That doesn't sounds correct. Firefox itself is not affected at all when 
> WebSockets are turned off. And WebSockets are not used by millions of 
> sites. It looks like the Java plugins is affected though and we are 
> discussing blocking all versions of Java on all versions of Firefox.
> 
> The same should be true 1:1 for SeaMonkey.
> 
> Robert Kaiser
> 

Blocking all versions of Java on all versions of Firefox + SeaMonkey?
Seriously?

Are you referring to this:
https://bugzilla.mozilla.org/show_bug.cgi?id=689661
[Block Java Plugin due to security vulnerabilities (BEAST TLS and bug in
same-origin-policy)]

Doing that kills sites that use java. Example:
http://myspeed.visualware.com/index.php

Users can easily turn on/off java using prefbar.

Related (from that bug report):




Seems like dejavu:

[Mozilla blocks Firefox Java plugin]
"Discussions on Bugzilla show this is unrelated to a flaw in Java Web
Start affecting multiple browsers and patched by Oracle via an
out-of-sequence (emergency) update last week."

[Mozilla Block Java Deployment Toolkit]
___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey

Re: SSL Exploit: Mozilla family no better than the rest of the pack

2011-09-29 Thread Robert Kaiser 

Paul B. Gallagher schrieb:

HACKERS BREAK SSL ENCRYPTION USED BY MILLIONS OF SITES


That doesn't sounds correct. Firefox itself is not affected at all when 
WebSockets are turned off. And WebSockets are not used by millions of 
sites. It looks like the Java plugins is affected though and we are 
discussing blocking all versions of Java on all versions of Firefox.


The same should be true 1:1 for SeaMonkey.

Robert Kaiser

--
Note that any statements of mine - no matter how passionate - are never 
meant to be offensive but very often as food for thought or possible 
arguments that we as a community should think about. And most of the 
time, I even appreciate irony and fun! :)

___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey

Re: SSL Exploit: Mozilla family no better than the rest of the pack

2011-09-28 Thread sean nathan bean 

Paul B. Gallagher sent me the following::

HACKERS BREAK SSL ENCRYPTION USED BY MILLIONS OF SITES
==
Beware of BEAST decrypting secret PayPal cookies

By Dan Goodin in San Francisco
Posted in ID, 19th September 2011 21:10 GMT

Researchers have discovered a serious weakness in virtually all websites
protected by the secure sockets layer protocol that allows attackers to
silently decrypt data that's passing between a webserver and an end-user
browser.

The vulnerability resides in versions 1.0 and earlier of TLS, or
transport layer security, the successor to the secure sockets layer
technology that serves as the internet's foundation of trust. Although
versions 1.1 and 1.2 of TLS aren't susceptible, they remain almost
entirely unsupported in browsers and websites alike, making encrypted
transactions on PayPal, GMail, and just about every other website
vulnerable to eavesdropping by hackers who are able to control the
connection between the end user and the website he's visiting.

At the Ekoparty security conference in Buenos Aires later this week,
researchers Thai Duong and Juliano Rizzo plan to demonstrate
proof-of-concept code called BEAST, which is short for Browser Exploit
Against SSL/TLS. The stealthy piece of JavaScript works with a network
sniffer to decrypt encrypted cookies a targeted website uses to grant
access to restricted user accounts. The exploit works even against sites
that use HSTS, or HTTP Strict Transport Security, which prevents certain
pages from loading unless they're protected by SSL.

The demo will decrypt an authentication cookie used to access a PayPal
account, Duong said. Two days after this article was first published,
Google released a developer version of its Chrome browser designed to
thwart the attack.

...

Full article (Mozilla stuff on p. 2):




interesting...  even more interesting that i've received 2 phishing 
e'mails today... am hoping sp...@paypal.com is still the correct 
unhacked place to forward them...


sean



___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey

Re: SSL Exploit: Mozilla family no better than the rest of the pack

2011-09-23 Thread NoOp 
On 09/23/2011 11:00 AM, NoOp wrote:
> On 09/23/2011 04:19 AM, Justin Wood (Callek) wrote:
>> On 9/23/2011 5:36 AM, Paul B. Gallagher wrote:
>> ...
>>> Full article (Mozilla stuff on p. 2):
>>> 
>>>
>> 
>> ALSO
>> http://threatpost.com/en_us/blogs/new-attack-breaks-confidentiality-model-ssl-allows-theft-encrypted-cookies-091611
>> 
>> Lastly,
>> It is unclear at this point if the attack can be replicated in Firefox 
>> [Gecko] 7, which has the newer WebSocket protocol. We're working to get 
>> an answer from the bug reporters.
>> 
>> For further discussion on this threat, I suggest m.d.platform rather 
>> than the SeaMonkey list, since its not just a SeaMonkey Issue...
> 
> http://www.mozilla.org/about/forums/
> 
> I'm curious why you recommend:
> mozilla.dev.platform
> For people working on Mozilla-the-platform.
> 
>  rather than:
> 
> mozilla.dev.tech.crypto
> For discussions about cryptography, and cryptographic issues surrounding
> the Mozilla source code. See the PKI project for more info. (Moderated.)
> 
>   or
> 
> mozilla.dev.security
> Security issues such as specific security problems or ideas for making
> the code as a whole more secure can be discussed here. Cryptography,
> however, is not within this group's charter. (Moderated.)
> 
> Note: not disputing your recommendation; just trying to understand why
> when the others (security & crypto) seem closer to the issue.

And I reckon that the post from Nelson Bolyard on bug
pretty much settles that question:

https://bugzilla.mozilla.org/show_bug.cgi?id=480514
[Implement TLS 1.2 (RFC 5246)]

Nelson Bolyard (seldom reads bugmail) 2011-09-23 13:28:47 PDT

Read comment 32 before posting any new comment.

Bugzilla bugs are not a discussion forum.  This is NOT the place for
everyone to pile on with "I think this is important, too" comments.  The
place for those comments is the mozilla.dev.tech.crypto newsgroup.


Also referenced:
https://bugzilla.mozilla.org/show_bug.cgi?id=565047
[(RFC4346) Implement TLS 1.1 (RFC 4346)]

Followup set to: mozilla.support.seamonkey as this is where this thread
originated. However I suppose any additional technical posts regarding
SeaMonkey (meaning other than general media notice/info), per Nelson's
comments should actually be in mozilla.dev.tech.crypto.
___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey

Re: SSL Exploit: Mozilla family no better than the rest of the pack

2011-09-23 Thread NoOp 
On 09/23/2011 04:19 AM, Justin Wood (Callek) wrote:
> On 9/23/2011 5:36 AM, Paul B. Gallagher wrote:
> ...
>> Full article (Mozilla stuff on p. 2):
>> 
>>
> 
> ALSO
> http://threatpost.com/en_us/blogs/new-attack-breaks-confidentiality-model-ssl-allows-theft-encrypted-cookies-091611
> 
> Lastly,
> It is unclear at this point if the attack can be replicated in Firefox 
> [Gecko] 7, which has the newer WebSocket protocol. We're working to get 
> an answer from the bug reporters.
> 
> For further discussion on this threat, I suggest m.d.platform rather 
> than the SeaMonkey list, since its not just a SeaMonkey Issue...

http://www.mozilla.org/about/forums/

I'm curious why you recommend:
mozilla.dev.platform
For people working on Mozilla-the-platform.

 rather than:

mozilla.dev.tech.crypto
For discussions about cryptography, and cryptographic issues surrounding
the Mozilla source code. See the PKI project for more info. (Moderated.)

  or

mozilla.dev.security
Security issues such as specific security problems or ideas for making
the code as a whole more secure can be discussed here. Cryptography,
however, is not within this group's charter. (Moderated.)

Note: not disputing your recommendation; just trying to understand why
when the others (security & crypto) seem closer to the issue.
___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey

Re: SSL Exploit: Mozilla family no better than the rest of the pack

2011-09-23 Thread Jay Garcia 
On 23.09.2011 04:36, Paul B. Gallagher wrote:

 --- Original Message ---

> HACKERS BREAK SSL ENCRYPTION USED BY MILLIONS OF SITES
> ==
> Beware of BEAST decrypting secret PayPal cookies
> 
> By Dan Goodin in San Francisco
> Posted in ID, 19th September 2011 21:10 GMT
> 
> Researchers have discovered a serious weakness in virtually all websites
> protected by the secure sockets layer protocol that allows attackers to
> silently decrypt data that's passing between a webserver and an end-user
> browser.
> 
> The vulnerability resides in versions 1.0 and earlier of TLS, or
> transport layer security, the successor to the secure sockets layer
> technology that serves as the internet's foundation of trust. Although
> versions 1.1 and 1.2 of TLS aren't susceptible, they remain almost
> entirely unsupported in browsers and websites alike, making encrypted
> transactions on PayPal, GMail, and just about every other website
> vulnerable to eavesdropping by hackers who are able to control the
> connection between the end user and the website he's visiting.
> 
> At the Ekoparty security conference in Buenos Aires later this week,
> researchers Thai Duong and Juliano Rizzo plan to demonstrate
> proof-of-concept code called BEAST, which is short for Browser Exploit
> Against SSL/TLS. The stealthy piece of JavaScript works with a network
> sniffer to decrypt encrypted cookies a targeted website uses to grant
> access to restricted user accounts. The exploit works even against sites
> that use HSTS, or HTTP Strict Transport Security, which prevents certain
> pages from loading unless they're protected by SSL.
> 
> The demo will decrypt an authentication cookie used to access a PayPal
> account, Duong said. Two days after this article was first published,
> Google released a developer version of its Chrome browser designed to
> thwart the attack.
> 
> ...
> 
> Full article (Mozilla stuff on p. 2):
> 
> 

See bug https://bugzilla.mozilla.org/show_bug.cgi?id=480514

And an article from the ISC: http://www.dshield.org/diary.html?storyid=11629



-- 
*Jay Garcia - Netscape Champion*
www.ufaq.org
Netscape - Firefox - SeaMonkey - Thunderbird
___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey

Re: SSL Exploit: Mozilla family no better than the rest of the pack

2011-09-23 Thread Justin Wood (Callek) 

On 9/23/2011 5:36 AM, Paul B. Gallagher wrote:
...

Full article (Mozilla stuff on p. 2):




ALSO
http://threatpost.com/en_us/blogs/new-attack-breaks-confidentiality-model-ssl-allows-theft-encrypted-cookies-091611

Lastly,
It is unclear at this point if the attack can be replicated in Firefox 
[Gecko] 7, which has the newer WebSocket protocol. We're working to get 
an answer from the bug reporters.


For further discussion on this threat, I suggest m.d.platform rather 
than the SeaMonkey list, since its not just a SeaMonkey Issue...

___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey

SSL Exploit: Mozilla family no better than the rest of the pack

2011-09-23 Thread Paul B. Gallagher 

HACKERS BREAK SSL ENCRYPTION USED BY MILLIONS OF SITES
==
Beware of BEAST decrypting secret PayPal cookies

By Dan Goodin in San Francisco
Posted in ID, 19th September 2011 21:10 GMT

Researchers have discovered a serious weakness in virtually all websites 
protected by the secure sockets layer protocol that allows attackers to 
silently decrypt data that's passing between a webserver and an end-user 
browser.


The vulnerability resides in versions 1.0 and earlier of TLS, or 
transport layer security, the successor to the secure sockets layer 
technology that serves as the internet's foundation of trust. Although 
versions 1.1 and 1.2 of TLS aren't susceptible, they remain almost 
entirely unsupported in browsers and websites alike, making encrypted 
transactions on PayPal, GMail, and just about every other website 
vulnerable to eavesdropping by hackers who are able to control the 
connection between the end user and the website he's visiting.


At the Ekoparty security conference in Buenos Aires later this week, 
researchers Thai Duong and Juliano Rizzo plan to demonstrate 
proof-of-concept code called BEAST, which is short for Browser Exploit 
Against SSL/TLS. The stealthy piece of JavaScript works with a network 
sniffer to decrypt encrypted cookies a targeted website uses to grant 
access to restricted user accounts. The exploit works even against sites 
that use HSTS, or HTTP Strict Transport Security, which prevents certain 
pages from loading unless they're protected by SSL.


The demo will decrypt an authentication cookie used to access a PayPal 
account, Duong said. Two days after this article was first published, 
Google released a developer version of its Chrome browser designed to 
thwart the attack.


...

Full article (Mozilla stuff on p. 2):


--
War doesn't determine who's right, just who's left.
--
Paul B. Gallagher

___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey