J. Greenlees wrote:
> the issuing of certs needs to be re-examined, and some sort of viable
> system worked out to protect end users from fraudulent use.
> far beyond the scope of any one development team, though maybe getting
> security teams from most development groups to work together on a san
Ian G wrote:
Ka-Ping Yee wrote:
It's an assumption of Gervase's current anti-phishing proposal that
everything starts with SSL. Indeed, sites really should have no
business slinging around passwords and credit card numbers in
cleartext -- it's pretty irresponsible. Here are a few thoughts
on how
Ian G wrote:
> This is what we are getting at. Real people have
> real risks. Geeks fantasize about being the target
> of NSA surveillance, but that's not the Mozilla
> target audience.
The biggest issue I have with some of the suggestions for improvement is
are they really an improvement worth
Anthony G. Atkielski wrote:
Ian G writes:
But, in practice, it would be more secure these days
to show the password in the clear all the time, as
there is nobody peeking over the shoulder most of
the time in today's computing ...
Because today, they can be sitting in a van outside, monitori
Ian G writes:
> But, in practice, it would be more secure these days
> to show the password in the clear all the time, as
> there is nobody peeking over the shoulder most of
> the time in today's computing ...
Because today, they can be sitting in a van outside, monitoring the RF
emanations of th
HJ wrote:
I have a working concept that might be used for VanillaZilla, but I
don't know if this is what you need/like:
Here's a screenshot of MultiZilla's BIM (Browser Info Message)
displayed when a new SSL protected site, without SSL Hash key, has
been detected:
http://multizilla.mozdev.org/s
Ka-Ping Yee wrote:
On Wed, 23 Feb 2005, Ian G wrote:
Ka-Ping Yee wrote:
2. Currently, typing in password fields shows a bunch of stars to
give the impression that what you type is secret. Well, if we
are really serious about the necessity of SSL for keeping passwords
secret, then wh
On Wed, 23 Feb 2005, Ian G wrote:
> Ka-Ping Yee wrote:
> >2. Currently, typing in password fields shows a bunch of stars to
> >give the impression that what you type is secret. Well, if we
> >are really serious about the necessity of SSL for keeping passwords
> >secret, then why shoul
Ka-Ping Yee wrote:
It's an assumption of Gervase's current anti-phishing proposal that
everything starts with SSL. Indeed, sites really should have no
business slinging around passwords and credit card numbers in
cleartext -- it's pretty irresponsible. Here are a few thoughts
on how we might enco
Gervase Markham writes:
> It's also our responsibility - in that, if there's a hole in the Java
> plugin, depending on the severity we might decide to have Firefox refuse
> to run with vulnerable versions.
It should be possible to configure Firefox either way; nothing should be
wired in.
> But f
HJ wrote:
HJ wrote:
J. Greenlees wrote:
HJ wrote:
Duane wrote:
HJ wrote:
Having trouble reading the text, try this one:
http://multizilla.mozdev.org/screenshots/features/spoofing/new-ssl-site-bimsheet.jpg
any thoughts on the problem of sites using multiple private
keys/certificates over multip
It's an assumption of Gervase's current anti-phishing proposal that
everything starts with SSL. Indeed, sites really should have no
business slinging around passwords and credit card numbers in
cleartext -- it's pretty irresponsible. Here are a few thoughts
on how we might encourage the use of SS
CarlosRivera writes:
> If the data in one process can't access the data in another process,
> then that provides more protection.
The utility of that from a security standpoint depends entirely on what
type of access is allowed or disallowed, and how the processes are used,
and who owns them, an
hi Ping,
I have a different perspective on the Shmoo thing, below.
Ka-Ping Yee wrote:
When i asked "what happened", i meant that i'd like to know the story
of how IDN support got added to Firefox in the first place. (Sorry i
wasn't so clear.) Were security folks aware that it was being added?
Did
I had a look at Gervase's recent suggestion of a general approach
to the phishing problem for Firefox [1]. I definitely like the
philosophy proposed there:
It's my view that users should have to do the minimum work
possible to protect themselves.
[...]
Anything we can do to reduce
HJ wrote:
J. Greenlees wrote:
HJ wrote:
Duane wrote:
HJ wrote:
Having trouble reading the text, try this one:
http://multizilla.mozdev.org/screenshots/features/spoofing/new-ssl-site-bimsheet.jpg
any thoughts on the problem of sites using multiple private
keys/certificates over multiple domains f
J. Greenlees wrote:
HJ wrote:
Duane wrote:
HJ wrote:
Having trouble reading the text, try this one:
http://multizilla.mozdev.org/screenshots/features/spoofing/new-ssl-site-bimsheet.jpg
any thoughts on the problem of sites using multiple private
keys/certificates over multiple domains for the sam
Jean-Marc Desperrier wrote:
> Yee, what you see as a list is primarily a newsgroup
> 'netscape.public.mozilla.security' on which it's easy to get all the old
> messages, and it would be very useful that you read all those related to
> this problem.
Thank you. Yes, i understand that the mozilla-se
HJ wrote:
Duane wrote:
HJ wrote:
Having trouble reading the text, try this one:
http://multizilla.mozdev.org/screenshots/features/spoofing/new-ssl-site-bimsheet.jpg
any thoughts on the problem of sites using multiple private
keys/certificates over multiple domains for the same hostname?
Each
HJ wrote:
> Each certificate/security change will trigger a new BIM(Sheet) so that
> should not be a problem, but I don't have an example to verify this, do
> you have one for me?
I'm theorising about the possibility of it, for example large
installations using clusters while it possibly isn't go
Duane wrote:
HJ wrote:
Having trouble reading the text, try this one:
http://multizilla.mozdev.org/screenshots/features/spoofing/new-ssl-site-bimsheet.jpg
any thoughts on the problem of sites using multiple private
keys/certificates over multiple domains for the same hostname?
Each certificate/s
HJ wrote:
> Having trouble reading the text, try this one:
> http://multizilla.mozdev.org/screenshots/features/spoofing/new-ssl-site-bimsheet.jpg
any thoughts on the problem of sites using multiple private
keys/certificates over multiple domains for the same hostname?
--
Best regards,
Duane
Note that MultiZilla's BIM Sheets are displayed just like
View/Toolbars/Customize in Mozilla Firefox, sort of a drop down window.
Also note that this is my own 'work in progress concept' from the days
before (January 15th to be exact) Gerv blogged about something like this :-)
/HJ
Nelson B wrote:
HJ wrote:
Do you visit SSL protected sites with an International Domain Name?
If that's a Yes, can you please add/e-mail the URL?
Darn, I just need one for testing :-(
Does https://www.xn--theshmogroup-bgk.com/ satisfy your need?
No, but thanks anyway.
I have a working concept that might be used for VanillaZilla, but I
don't know if this is what you need/like:
Here's a screenshot of MultiZilla's BIM (Browser Info Message) displayed
when a new SSL protected site, without SSL Hash key, has been detected:
http://multizilla.mozdev.org/screenshots/
Ka-Ping Yee wrote:
I came to this list after hearing about the widely publicized IDN
spoofing attack on Firefox. [...]
So, what happened?
Yee, what you see as a list is primarily a newsgroup
'netscape.public.mozilla.security' on which it's easy to get all the old
messages, and it would be very us
That is fairly similar. My suggestion is more in one's face (good or
bad). One doesn't accidentally travel to that site without adding it to
one's personal white list.
Gervase Markham wrote:
CarlosRivera wrote:
Everybody's 20 sites is easy to deal with. It's just like the cookie
dialog, add it, r
If the data in one process can't access the data in another process,
then that provides more protection.
I know that linux has some interesting ways to create a process, I am
specifically talking about not sharing the data. The more classic
process creation that one normally expects.
Anthony