Re: Loading http:// from file://

2010-12-20 Thread Nelson Bolyard
hen the http content tries to reference file:// content, which fails. -- /Nelson Bolyard ___ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security

Re: Who is using NSS in their projects?

2010-03-06 Thread Nelson Bolyard
On 2010-03-02 10:06 PST, davidwboswell wrote: > I maintain a list of applications that use Mozilla technologies in > their projects and wanted to add more examples of projects that use > NSS. > > http://www.mozilla.org/projects/mozilla-based.html There are lots of applications that use NSS but u

Re: Who is using NSS in their projects?

2010-03-06 Thread Nelson Bolyard
On 2010-03-03 10:58 PST, Shailendra Jain wrote: > Is this source of information about Linux planning to integrate NSS as > main security features available somewhere on the web or in Linux doc? RedHat is doing this for RedHat Linux. I'm sure you will find info on RedHat's web site. I don't kno

Re: FF3 ssl_error_internal_error_alert with SSL cert issued from known CA

2009-12-21 Thread Nelson Bolyard
On 2009-12-20 19:16 PST, Simon723 wrote: > I have a web application running on Tomcat5 (installed on a RHLE OS). I > have installed a Network Solutions issued SSL cert in my keystore. While > my application can be accessed fine with IE, Safari, and FF2. FF3 will > keep reporting "ssl_error_inter

Re: security.OCSP.require in Firefox

2009-10-13 Thread Nelson Bolyard
Daniel Veditz wrote: > On 10/13/09 10:12 AM, Eddy Nigg wrote: >> #B is important because we are already month after the alleged bug >> happened, plenty of time to get the act together. I think this warrants >> some actions, a review and renewed confirmation of compliance might be a >> good thing

Re: *** stack smashing detected ***: /usr/lib64/firefox/firefox-bin terminated

2009-08-21 Thread Nelson Bolyard
On 2009-08-08 19:20 PDT, Justin Mattock wrote: > I'm having a heck of a time trying to fix this: > (I open firefox, go to hulu, watch a movie, about thirty seconds > in firefox exits and this appears) flashblock is your friend

Re: cert_override.txt format

2009-08-12 Thread Nelson Bolyard
On 2009-08-10 15:32 PDT, Sid Stamm wrote: > http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/src/nsCertOverrideService.cpp#259 > > This is a bit of NSS that reads the cert_override.txt file It's not NSS. If it was NSS, you would see /nss/ in the path name above. It's PSM, and

Re: cert_override.txt format

2009-08-07 Thread Nelson Bolyard
On 2009-08-07 16:26 PDT, Nelson Bolyard wrote: > On 2009-08-07 11:29 PDT, Aditya Ivaturi wrote: >> If my question doesn't belong in this group, please let me know which >> one I should post in, thanks. >> >> We use Selenium for web testing automation. And one of

Re: cert_override.txt format

2009-08-07 Thread Nelson Bolyard
On 2009-08-07 11:29 PDT, Aditya Ivaturi wrote: > If my question doesn't belong in this group, please let me know which > one I should post in, thanks. > > We use Selenium for web testing automation. And one of the biggest > problems we face with Selenium is handling of self signed certificates > (
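The three cert_override.txt messages above concern the same problem: a test profile (here driven by Selenium) that must accept a self-signed server certificate without the exception dialog. The following is an added example, not code from the thread, from PSM or from NSS. It assumes the record layout read by the nsCertOverrideService.cpp file linked in the thread (host:port, hash OID, fingerprint, override bits, dbkey, separated by tabs), that PSM writes the SHA-256 OID string shown, and that the dbkey is the base64 of two zero words, the serial and issuer lengths, the serial and the issuer DER. All three are assumptions to verify against the Firefox version you target; the certificate bytes are constructed.

```python
"""Build and parse cert_override.txt records for a Firefox test profile.

Added example, not PSM's code.  Record layout, OID string and dbkey
encoding are assumptions; check them against your Firefox version.
"""
import base64
import hashlib
import struct

# Assumed layout of one record (from nsCertOverrideService.cpp, 2009 era):
#   host:port <TAB> hash-OID <TAB> fingerprint <TAB> override-bits <TAB> dbkey
HEADER = ("# PSM Certificate Override Settings file\n"
          "# This is a generated file!  Do not edit.\n")
SHA256_OID = "OID.2.16.840.1.101.3.4.2.1"   # assumed: OID string PSM writes for SHA-256
OVERRIDE_BITS = {"M": "hostname mismatch",
                 "U": "untrusted issuer (e.g. self-signed)",
                 "T": "outside validity period"}


def fingerprint(cert_der):
    """Colon-separated upper-case SHA-256 fingerprint of the DER certificate."""
    hexdigest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def dbkey(serial, issuer_der):
    """Assumed NSS dbkey: 0, 0, len(serial), len(issuer) as big-endian 32-bit
    words, then the serial bytes and issuer DER, base64-encoded."""
    raw = struct.pack(">IIII", 0, 0, len(serial), len(issuer_der)) + serial + issuer_der
    return base64.b64encode(raw).decode("ascii")


def override_record(host, port, cert_der, bits, serial, issuer_der):
    """One cert_override.txt line; only the bits actually needed should be set,
    an over-broad override (e.g. 'MUT' for everything) defeats the check."""
    for b in bits:
        if b not in OVERRIDE_BITS:
            raise ValueError("unknown override bit %r" % b)
    return "\t".join(["%s:%d" % (host, port), SHA256_OID, fingerprint(cert_der),
                      bits, dbkey(serial, issuer_der)])


def parse_override_file(text):
    """Parse the file back into dicts; rejects records with the wrong field count."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 5:
            raise ValueError("malformed record: %r" % line)
        hostport, oid, fp, bits, key = fields
        host, _, port = hostport.rpartition(":")
        records.append({"host": host, "port": int(port), "oid": oid,
                        "fingerprint": fp, "bits": bits, "dbkey": key})
    return records


def write_override_file(path, records):
    with open(path, "w") as fh:
        fh.write(HEADER)
        for rec in records:
            fh.write(rec + "\n")


if __name__ == "__main__":
    # Constructed stand-in for a self-signed test server's DER certificate.
    CERT_DER = b"constructed-not-a-real-certificate"
    rec = override_record("localhost", 4444, CERT_DER, "MU", b"\x01", b"\x30\x00")
    print(HEADER + rec)
    print(parse_override_file(HEADER + rec + "\n"))
```

Point the test profile's cert_override.txt at the fingerprint of the exact certificate the test server presents; the override is keyed on host:port plus fingerprint, so rotating the test certificate requires regenerating the record.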

Re: Shared security Db in FF-3.5?

2009-07-13 Thread Nelson Bolyard
On 2009-07-06 02:17 PDT, Jean-Marc Desperrier wrote: > Nelson Bolyard wrote: >> By default, it is still the old single-process cert8 and key3 DBs, >> as before. >> >> However, FF 3.5 has the code to support shared-access cert9 and key4 DBs, >> based on sqlite3. Yo

Re: Shared security Db in FF-3.5?

2009-07-05 Thread Nelson Bolyard
On 2009-07-03 01:43 PDT, Andrei Korostelev wrote: > Does Firefox 3.5 already support multi-process shared security > database or it is still single-process? By default, it is still the old single-process cert8 and key3 DBs, as before. However, FF 3.5 has the code to support shared-access cert9

Re: installing my own certificate to xulrunner certificate database

2009-05-18 Thread Nelson Bolyard
Alexander Zazhigin wrote, On 2009-05-16 13:01: > Hi, > > I have an application built on xulrunner. On first run xulrunner creates a > certificate database in the profile. I need my own certificate > preinstalled there (my certificate's purpose is for xulrunner addons > trust). Can I modify xulrunne
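The two "Shared security Db" replies above and the xulrunner question here both come down to the same practical step: find out which NSS database format a profile uses (legacy cert8.db/key3.db or the sqlite-backed cert9.db/key4.db) and run certutil against it with the right prefix. The following is an added example, not code from the thread or from NSS. It uses only certutil options that exist (-A, -d with the sql:/dbm: prefix, -n, -t, -a, -i) and NSS's three-field trust string (SSL, S/MIME, object signing; the third field is what an add-on signing CA needs); the nickname, certificate path and the fake profile directories are constructed for illustration.

```python
"""Detect a profile's NSS database format and build the certutil command that
preinstalls a CA certificate in it.  Added example, not NSS's own code.
"""
import os
import shutil
import subprocess
import tempfile

SQLITE_FILES = ("cert9.db", "key4.db")   # shared-access, sqlite3-backed DBs
LEGACY_FILES = ("cert8.db", "key3.db")   # single-process Berkeley DB files

# certutil trust flags: three comma-separated fields for SSL, S/MIME and
# object signing (add-on/JAR).  'C' marks a trusted CA for that use.
_TRUST_FIELD = {"ssl": 0, "email": 1, "objsign": 2}


def detect_db_type(profile_dir):
    """'sql' if the cert9/key4 pair exists, 'dbm' for cert8/key3, else None.
    When both pairs exist the sqlite pair wins here; which one the application
    actually opens depends on how it initialises NSS (e.g. NSS_DEFAULT_DB_TYPE)."""
    def present(files):
        return all(os.path.exists(os.path.join(profile_dir, f)) for f in files)
    if present(SQLITE_FILES):
        return "sql"
    if present(LEGACY_FILES):
        return "dbm"
    return None


def trust_flags(purposes):
    """Map purposes such as {'ssl', 'objsign'} to a certutil trust string like 'C,,C'."""
    fields = ["", "", ""]
    for p in purposes:
        if p not in _TRUST_FIELD:
            raise ValueError("unknown purpose %r" % p)
        fields[_TRUST_FIELD[p]] = "C"
    return ",".join(fields)


def certutil_add_ca(profile_dir, nickname, cert_pem_path, purposes, db_type=None):
    """argv for: certutil -A -d <type>:<dir> -n <nick> -t <flags> -a -i <pem>"""
    db_type = db_type or detect_db_type(profile_dir)
    if db_type is None:
        raise FileNotFoundError("no NSS database found in %s" % profile_dir)
    return ["certutil", "-A", "-d", "%s:%s" % (db_type, profile_dir),
            "-n", nickname, "-t", trust_flags(purposes), "-a", "-i", cert_pem_path]


def install_ca(profile_dir, nickname, cert_pem_path, purposes):
    """Run certutil if it is on PATH; returns (argv, ran)."""
    argv = certutil_add_ca(profile_dir, nickname, cert_pem_path, purposes)
    if shutil.which("certutil") is None:
        return argv, False
    subprocess.run(argv, check=True)
    return argv, True


def make_fake_profile(db_type):
    """Constructed profile directory containing only the (empty) DB files,
    enough for detect_db_type() to be exercised offline."""
    d = tempfile.mkdtemp(prefix="nssprofile-")
    for f in {"sql": SQLITE_FILES, "dbm": LEGACY_FILES}.get(db_type, ()):
        open(os.path.join(d, f), "wb").close()
    return d


if __name__ == "__main__":
    profile = make_fake_profile("sql")
    # Hypothetical nickname and path; the object-signing field is the one an
    # add-on trust CA needs, so only that field is set.
    argv, ran = install_ca(profile, "My Add-on Signing CA", "/tmp/addon-ca.pem", ["objsign"])
    print(" ".join(argv), "(ran)" if ran else "(certutil not found, not run)")
```

Give the CA only the trust field it needs: an add-on signing root installed with "C,," would also be trusted for every TLS server certificate it issues, which is a much bigger grant than the question asks for.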

Re: Return of i18n attacks with the help of wildcard certificates

2009-02-20 Thread Nelson Bolyard
Jean-Marc Desperrier wrote, On 2009-02-20 07:55: > Eddy Nigg wrote: >> On 02/19/2009 03:30 PM, Jean-Marc Desperrier: >>> Moxie Marlinspike in Black Hat has just demonstrated a very serious i18n >>> attack using a *.ijjk.cn certificate. >>> http://www.blackhat.com/presentations/bh-dc-09/Marlinspike/

Re: RSA Keygen problem

2009-01-21 Thread Nelson Bolyard
Jean-Daniel wrote to mozilla.dev.security on 2009-01-20 10:42 PST: > Hello, I'm trying to generate a keypair using nss, but I encounter some > issues. My key generation can take up to 30 seconds on a recent machine > (Core 2 Duo 2.2 Ghz) (most generations take less than 10 seconds, and > sometimes le

Re: Firefox extensions updated over plain HTTP (not HTTPS)

2009-01-04 Thread Nelson Bolyard
Alexander Konovalenko wrote, On 2009-01-04 14:18: > I noticed that some addons.mozilla.org extensions were updated over > plain HTTP, not over HTTPS. My Firefox 3.0 had found a new version of > the NoScript extension and fetched it from some https:// URI on > addons.mozilla.org. But that URI redire

Re: Bad Record Mac

2008-12-21 Thread Nelson Bolyard
Roy Donaldson wrote, On 2008-12-19 12:27 PST: > I'm trying to create a FIPS 140-2 compliant SSL connection using the Sun > JSSE (SunPKCS11) and NSS. I suppose you mean a FIPS compliant TLS connection. TLS is SSL version 3.1 (or newer). FIPS 140 compliance requires the use of TLS. Crypto quest

Re: NSS Binaries

2008-12-14 Thread Nelson Bolyard
Roy Donaldson wrote, On 2008-12-11 11:00: > I'm sure the answer is somewhere out there, but I can't seem to find it no > matter where I look. > > Are there binary distributions of NSS (specifically, the slightly older > versions that are FIPS 140-2 certified) for download, or do I need to > compil

Re: PR_Sleep question,help!

2008-09-26 Thread Nelson Bolyard
Note: cross posted to mozilla.dev.tech.nspr. Follow up messages are directed there. lixiangfeng wrote, On 2008-09-26 01:39: > Hi, I wrote a program using mozilla nss. > > My process will scan some variable for an expected value. When the variable > equals some value, my process will do something. So, I

Re: "TLS, if available" in Thunderbird

2008-09-22 Thread Nelson Bolyard
Stefanos Harhalakis wrote, On 2008-09-19 22:50: > I believe that kmail's approach works better (?) in this case w.r.t. the > end-user. It doesn't alter its behaviour at run-time but it has a 'check what > server supports' button. This way, the auto-detection is performed once > (during configur

Re: "TLS, if available" in Thunderbird

2008-09-17 Thread Nelson Bolyard
Ben Bucksch wrote, On 2008-09-17 13:55: > Thunderbird currently has the SSL options: "Never" (plain), "TLS, if > available", "TLS" (always), and "SSL" (always), for incoming IMAP/POP3 > and outgoing SMTP servers (with slightly different UI wording). TLS is > basically SSL version 3. Damn! Thos
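Both "TLS, if available" messages above turn on what that setting actually does when the server's answer cannot be trusted, and on the kmail alternative of probing once at configuration time. The following is an added example, not Thunderbird's or kmail's code. It models the SMTP EHLO exchange only: the two server responses are constructed, the "stripped" one being what a downgrading man-in-the-middle forwards after deleting the STARTTLS capability line.

```python
"""What 'TLS, if available' decides when the EHLO response is stripped.

Added example, not Thunderbird's code.  Server responses are constructed.
"""

# Constructed EHLO reply from an honest server (RFC 5321 multi-line form:
# '250-' continuation lines, '250 ' on the last line).
HONEST_EHLO = [
    "250-mail.example.test Hello client.example.test",
    "250-SIZE 35882577",
    "250-STARTTLS",
    "250-AUTH PLAIN LOGIN",
    "250 HELP",
]
# Constructed: the same reply as forwarded by a MITM that removes STARTTLS.
STRIPPED_EHLO = [line for line in HONEST_EHLO if not line.endswith("STARTTLS")]


class DowngradeDetected(Exception):
    """Raised when policy demands TLS and the server (or a MITM) offers none."""


def ehlo_capabilities(lines):
    """Return the set of EHLO keywords; the first line is the greeting."""
    caps = set()
    for i, line in enumerate(lines):
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            raise ValueError("not an EHLO success reply: %r" % line)
        body = line[4:].strip()
        if i > 0 and body:
            caps.add(body.split()[0].upper())
        if line[3] == " ":
            break
    else:
        raise ValueError("multi-line reply not terminated")
    return caps


def negotiate(policy, ehlo_lines):
    """Decide the connection security for one session.

    'never'        -> plaintext
    'always'       -> STARTTLS, fail closed if it is not offered
    'if_available' -> STARTTLS if offered, otherwise silently plaintext
    """
    caps = ehlo_capabilities(ehlo_lines)
    if policy == "never":
        return "plaintext"
    if policy == "always":
        if "STARTTLS" not in caps:
            raise DowngradeDetected("STARTTLS required but not offered")
        return "starttls"
    if policy == "if_available":
        return "starttls" if "STARTTLS" in caps else "plaintext"
    raise ValueError("unknown policy %r" % policy)


def policy_from_probe(ehlo_lines):
    """kmail-style: probe the server once when the account is configured and
    pin the answer, so a later stripped reply trips 'always' instead of
    quietly falling back."""
    return "always" if "STARTTLS" in ehlo_capabilities(ehlo_lines) else "never"


if __name__ == "__main__":
    for policy in ("if_available", "always"):
        for name, reply in (("honest", HONEST_EHLO), ("stripped", STRIPPED_EHLO)):
            try:
                print(policy, name, "->", negotiate(policy, reply))
            except DowngradeDetected as e:
                print(policy, name, "-> refused:", e)
    pinned = policy_from_probe(HONEST_EHLO)
    print("probe once, then:", pinned)
```

The run-time auto-detection branch cannot distinguish "this server never had TLS" from "someone removed it from this reply"; only a pinned decision (configured once, or set to "always") turns the second case into a failure the user sees.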

Re: Add own algorithm to NSS

2008-09-03 Thread Nelson Bolyard
bezuglyi wrote, On 2008-09-03 02:32 PDT: > I want to add my own cipher algorithm to NSS library, like gost engine > in openssl, is it possible? > If yes can anyone explain the procedure You'll find more people who can help with this in the dev-tech-crypto mailing list, which is also the mozilla.

Re: signed scripts and security changes in 2.0.0.15?

2008-08-14 Thread Nelson Bolyard
Jonas Sicking wrote, On 2008-08-13 10:32: > Nelson Bolyard wrote: >> Jonas Sicking wrote, On 2008-08-11 20:33: >> >>> I would strongly recommend against using signed files at all. It's >>> something that we want to get rid of since the security model is so po

Re: signed scripts and security changes in 2.0.0.15?

2008-08-12 Thread Nelson Bolyard
Jonas Sicking wrote, On 2008-08-11 20:33: > I would strongly recommend against using signed files at all. It's > something that we want to get rid of since the security model is so poor. Jonas, please enlighten us with an explanation of that claim.

Re: EV issues with redirects...

2008-07-06 Thread Nelson Bolyard
Several thoughts about the paypal spoof site that uses a redirector from the real paypal site. 1. I didn't ever see any EV or even non-EV SSL UI chrome indicators at the same time as the spoof site was displayed, so I don't see this as a failure of UI for SSL or EV. But I was using FF3 with a ver

Re: Including all root certs in FF3

2008-03-05 Thread Nelson Bolyard
Rick Andrews wrote on 2008-03-04 16:36 PST: > Where can I find a list of features included in FF3? Does it include > support for SHA-256 and ECC? The cryptographic algorithms and TLS cipher suites supported in FF3 will be the same as in present versions of FF2, with the following additional cipher

Re: error code 12205

2008-02-27 Thread Nelson Bolyard
Boris Zbarsky wrote, On 2008-02-26 21:32 PST: > Vladi Rocha wrote: >> Hi developers. I am trying to avoid the popup when you >> remove a token PKCS11 while an operation was in >> progress. > > You probably want mozilla.dev.tech.crypto for this question... Unfortunately, this is a PSM question, no

Re: Extract of CA certificates

2008-02-10 Thread Nelson Bolyard
Gervase Markham wrote, On 2008-02-09 02:35: > Eddy Nigg (StartCom Ltd.) wrote: >> Since sometimes there are some licensing concerns with the certdata.txt >> file, I wanted to know exactly what one is allowed to do. If for example >> by merely extracting the CA certificates with a tool like >> ht

Re: Problem using NSS signtool with NSS release 3.11 onwards

2007-12-12 Thread Nelson Bolyard
Peter, The NSS crowd hangs out in mozilla.dev.tech.crypto. I'm cross posting this there. Please follow up there. [EMAIL PROTECTED] wrote, On 2007-12-10 17:18: > I am having problems using signtool with any version of NSS from 3.11 > onwards and I wanted to make sure I wasn't missing anything obv

Re: Accepting certificates

2007-08-31 Thread Nelson Bolyard
Stefanos, If you're really worried about students being MITM attacked, then you might ask why the University has so many https sites using invalid certs which necessitate the users getting this dialog in the first place. Don't worry, in FF3, this dialog will go away completely.

Re: PKCS#11 SMARTCARD key-generation code examples

2007-06-04 Thread Nelson Bolyard
Atha wrote: > Hello to community > We have an open PKI that uses IE + smartcards. Now we want to offer to > our users the same functionality with Mozilla/Firefox. Does someone have > any ideas how to start? And if so, are there any code examples for key > generation in smartcards? > I know about pkcs

Re: EV Draft Review & Discussion

2007-05-08 Thread Nelson Bolyard
Gervase Markham wrote: > Eddy Nigg (StartCom Ltd.) wrote: >> The fact that connections to expired certificates are allowed by most if >> not all browser vendors contributes to this problem, if this certificate >> is removed from the CRL...than it's just an expired certificate which >> was once vali

Re: VeriSign Class 3 Secure Server CA?

2007-03-24 Thread Nelson Bolyard
Throughout the lifetime of mozilla browsers, there have been innumerable web sites that worked with IE but not mozilla, because those web sites' content depended on IE behavior, and were not testing with any browser other than IE. Countless users have whined to mozilla with messages saying (in eff

Re: VeriSign Class 3 Secure Server CA?

2007-03-24 Thread Nelson Bolyard
Eddy Nigg (StartCom Ltd.) wrote: > Nelson Bolyard wrote: >> Yes, there is a standard for certs that allows (but does not require) >> "relying parties" to go search on the internet for missing >> intermediate CA certs. > Do you have the quote from the correspo

Re: VeriSign Class 3 Secure Server CA?

2007-03-23 Thread Nelson Bolyard
Melelina wrote: > The cert is issued to www.microsoft.ipsos.com by Verisign. Or it appears to be. > I want to use Fx at Microsoft sites and I am very tired of Fx problems with > Microsoft certs But you haven't yet shown any evidence of FF having a problem with a Microsoft site. The site you

Re: What SSL does and doesn't do.

2007-03-02 Thread Nelson Bolyard
Alaric, You didn't start a new thread. Your message was still a reply to another message and so is reckoned to be part of that other thread. As for your claims, this is getting silly. In your lab setup, you are the rightful owner of the servers, and you are the attacker. If you, as the rightfu

Re: Registerfly

2007-03-02 Thread Nelson Bolyard
Gervase Markham wrote: > Nelson Bolyard wrote: >> Is FlySSL acting as a "Registration Authority" (RA) for Geotrust/Comodo? > > I don't think so; but how would I tell? Is the only way to tell by > asking Geotrust and Comodo? That probably the best way. > Or

Re: Proposal for Mozilla CA policy extension

2007-03-01 Thread Nelson Bolyard
Alaric Dailey wrote: > Boris Zbarsky wrote: >> Alaric Dailey wrote: >>> Sure even if we don't steal the cert, most users don't read error >>> boxes so you could redirect them and use a fake cert. That's an application program UI design flaw, and is not in any way a flaw in SSL. SSL detects the er

Re: Practical steps question for multi-level proposal

2007-03-01 Thread Nelson Bolyard
Eddy Nigg (StartCom Ltd.) wrote: > Perhaps this is somewhat premature, but I nevertheless would like to > suggest a path for implementation and practical steps for implementation > of the multi-level proposal we put forward. Actually what I want to > know, how this could and would be implemented an

Re: Registerfly

2007-03-01 Thread Nelson Bolyard
Gervase Markham wrote: > Duane wrote: >> Shouldn't Geotrust/Comodo's CPS cover all these kinds of questions? If >> not they are in breach and they should have direct obligations to >> Mozilla etc... > > Geotrust's documents are here: > http://www.geotrust.com/resources/repository/legal.asp > > I

Re: Proposal for Mozilla CA policy extension

2007-03-01 Thread Nelson Bolyard
Alaric Dailey wrote: > Gervase Markham wrote: >> Alaric Dailey wrote: >>> Actually many of them were, they were simply ignored by CAs and >>> developers that were more interested in making money selling snake >>> oil than doing things right. For example SSL for identification is >>> worthless with

Re: Proposal for Mozilla CA policy extension

2007-03-01 Thread Nelson Bolyard
Alaric Dailey wrote: > SSL for identification is worthless without DNS being secured, and > no-one on any list wants to talk about that. There's the first error. The security of SSL does *NOT* depend on DNS. Never has. SSL detects DNS errors rather than being vulnerable to them. >>> Be
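The claim in this reply, that SSL detects DNS errors rather than being vulnerable to them, rests on the client checking the server certificate's names against the host name the user asked for, not against whatever address DNS returned. The following is an added example, not code from the thread, modelling only that name check: the IP addresses are RFC 5737 documentation addresses, the DNS tables and certificate name lists are constructed, and the chain check (trusted issuer, validity, revocation) is assumed to pass so that the name binding is the only thing being tested.

```python
"""Why a poisoned DNS answer yields a certificate error, not a silent compromise.

Added example, not from the thread.  Topology and certificates are constructed.
"""

# Constructed servers: the legitimate host and an attacker's machine that
# holds a validly issued certificate for a name the attacker really owns.
SERVERS = {
    "203.0.113.5":  {"cert_names": ["www.example.test", "example.test"]},
    "198.51.100.9": {"cert_names": ["attacker.example.net"]},
}
DNS_HONEST = {"www.example.test": "203.0.113.5"}
DNS_POISONED = {"www.example.test": "198.51.100.9"}   # attacker controls the answer


def _match(pattern, host):
    """RFC 6125-style comparison: exact match, or a wildcard that is the whole
    leftmost label and matches exactly one label."""
    if "*" not in pattern:
        return pattern == host
    p, h = pattern.split("."), host.split(".")
    # leftmost whole-label wildcard only, no wildcard elsewhere, and never a
    # bare '*.<suffix>' that would cover every name under a public suffix
    if p[0] != "*" or any("*" in label for label in p[1:]) or len(p) < 3:
        return False
    return len(p) == len(h) and p[1:] == h[1:]


def match_hostname(cert_names, host):
    """True if any name in the certificate matches the requested host."""
    host = host.lower().rstrip(".")
    return any(_match(name.lower().rstrip("."), host) for name in cert_names)


def connect(dns, host):
    """Resolve host through the given DNS table, 'connect' to the answer and
    check the presented certificate against the name the user typed.
    Returns ('ok' | 'name_mismatch', ip).  The chain check is assumed to pass."""
    ip = dns[host]
    names = SERVERS[ip]["cert_names"]
    if not match_hostname(names, host):
        return ("name_mismatch", ip)
    return ("ok", ip)


if __name__ == "__main__":
    print("honest DNS  :", connect(DNS_HONEST, "www.example.test"))
    print("poisoned DNS:", connect(DNS_POISONED, "www.example.test"))
    print("*.example.test vs a.b.example.test:",
          match_hostname(["*.example.test"], "a.b.example.test"))
```

The attacker in the poisoned case presents a perfectly valid certificate, just not one for the name requested; a browser that turns that mismatch into a dismissable dialog has a UI problem, which is the separate point Nelson makes about application design.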

Re: Proposal for Mozilla CA policy extension

2007-02-28 Thread Nelson Bolyard
Eddy Nigg (StartCom Ltd.) wrote: > Johnathan Nightingale <[EMAIL PROTECTED]> wrote: >> Imagine that we found a way to clearly present to the user: >> >> + Your connection is encrypted >> + The site's identity has been verified >> + You've been here many times before >> + This site is trusted by (yo

Re: Proposal for Mozilla CA policy extension

2007-02-25 Thread Nelson Bolyard
[EMAIL PROTECTED] wrote: > There's been some criticism here regarding standards that impose high > requirements for financial viability of a CA as well as costly audit > regimes. > > But those requirements do play a role. Witness the ongoing meltdown > of the ICANN registrar registerfly.com, whic

Re: Proposal for Mozilla CA policy extension

2007-02-25 Thread Nelson Bolyard
Eddy Nigg (StartCom Ltd.) wrote: > Nelson Bolyard wrote: >> So, as I read it, geotrust is not saying that they didn't verify the >> information about the name and address of registerfly in any way. >> They're saying that registerfly could have provided additional &g

Re: Proposal for Mozilla CA policy extension

2007-02-25 Thread Nelson Bolyard
Gervase Markham wrote: > - Mozilla writes loads of code to detect each different type of CA > certificate and make sure that NSS knows what level it corresponds to > (or are we doing that bit by asking the CAs to include new OIDs?) You wrote that in the present tense (or is it present progressive

Re: Proposal for Mozilla CA policy extension

2007-02-25 Thread Nelson Bolyard
Gervase Markham wrote: > Ben Bucksch wrote: >> Actually, not even that is necessary. Classes each have their own root >> cert, so we can simply match root certs to level in our software, >> using a list that is just as hardcoded as our root certs, and matches >> the assigned levels. > > That assum

Re: Proposal for Mozilla CA policy extension

2007-02-24 Thread Nelson Bolyard
[EMAIL PROTECTED] wrote: > They are a Geotrust reseller, but also have issued hundreds of ssl > from their own FlySSL CA: http://www.registerfly.com/ssl/ > > They have no CPS or other documentation posted - just the statement > "The following information has been self-reported by the entity to >

Re: extended privileges prompt

2006-10-13 Thread Nelson Bolyard
Mitchi wrote: > When a signed script is trying to obtain extended privileges, mozilla > prompts a window asking to permit or deny them. > It happens the same with every script (even not trusted ones) when you > turn on signed.applets.codebase_principal_support. > > On the prompt window there's a c