Re: Getting people to click "Yes"

2005-03-16 Thread Daniel Veditz
That's nothing new, unfortunately. Sites were doing that back in the Netscape 4.x days for Java privilege request prompts. "You're going to get something that looks like [image]. It's normal, just click OK". Gervase Markham wrote: Here's one way to gently socially-engineer people to click "Yes"

Re: authenticationManager.clearAll()

2005-03-16 Thread Daniel Veditz
Henrik Gemal wrote: You can't call extensions from a client side javascript Well that's not entirely true. Interpreting the term "extension" broadly you can create a javascript component that adds methods and, for example, sticks them on the window object to be called willy-nilly. Dangerous, of c

Re: Some Non-Critical Secunia Advisories

2005-03-16 Thread CBFalconer
Ron Hunter wrote: > Allen Farley wrote: >> Nate wrote: >> ... snip ... >>> >>> ...and it occurs to me yet once again, that one big reason for the >>> proliferation of spam, spyware, viruses and on and on ad nauseam is >>> that the bad guys hardly ever suffer any punishment. It's like >>> burglars b

Re: about bug 286107 : Remember visited SSL details and warn when changes, like SSH

2005-03-16 Thread Ian G
Ram A M wrote: I think there is value in the concept but it has a major failing from a usability perspective that falls out of data center operational practices. How many webservers do you think a big bank has? Some folks use SSL accelerators in front of their web-server or app-server farm, some fo

Re: about bug 286107 : Remember visited SSL details and warn when changes, like SSH

2005-03-16 Thread Ram A M
I think there is value in the concept but it has a major failing from a usability perspective that falls out of data center operational practices. How many webservers do you think a big bank has? Some folks use SSL accelerators in front of their web-server or app-server farm, some folks have multip

Getting people to click "Yes"

2005-03-16 Thread Gervase Markham
Here's one way to gently socially-engineer people to click "Yes" on a security permissions dialog: http://www.errorguard.com/search-ie.html "Ignore the rest - it's the Yes button that's important"... Gerv

Re: Goals, Worldviews, Policies

2005-03-16 Thread J. Greenlees
Ian G wrote: Nelson just posted a bug comment, but I think the response and discussion of the points he raised are too broad for that bug, so I'll move them here, if nobody minds. I have two points to make here - the reality of the CA "trust" decision, and the goal. [EMAIL PROTECTED] wrote: https:/

Re: Some Non-Critical Secunia Advisories

2005-03-16 Thread Ron Hunter
Allen Farley wrote: Nate wrote: On Tue, 15 Mar 2005 10:51:26 -0500, Allen Farley <[EMAIL PROTECTED]> wrote: From the article: The weakness has been confirmed in version 1.0.1. Other versions may also be affected. I also tested the sample code with FF 1.0.1, and they are right. It's not unusual

Goals, Worldviews, Policies

2005-03-16 Thread Ian G
Nelson just posted a bug comment, but I think the response and discussion of the points he raised are too broad for that bug, so I'll move them here, if nobody minds. I have two points to make here - the reality of the CA "trust" decision, and the goal. [EMAIL PROTECTED] wrote: https://bugzilla.moz

Re: Some Non-Critical Secunia Advisories

2005-03-16 Thread Allen Farley
Nate wrote: On Tue, 15 Mar 2005 10:51:26 -0500, Allen Farley <[EMAIL PROTECTED]> wrote: From the article: The weakness has been confirmed in version 1.0.1. Other versions may also be affected. I also tested the sample code with FF 1.0.1, and they are right. It's not unusual for me to save a zip

Re: Strawman proposal for SSL UI changes

2005-03-16 Thread Frank Hecker
Peter Gutmann wrote: "Location bar is something more noticeable than yellow". Have you ever looked at the pastelly-white vs. pale-yellow location bar on a laptop LCD screen in bright room light or outdoors? The two are virtually indistinguishable. I've seen older laptops with either poor-to-begi

Re: Strawman proposal for SSL UI changes

2005-03-16 Thread J. Wren Hunt
HJ wrote: |> 2) Some important sites are not using SSL for their login pages - Yahoo |> apparently being one. | | | I have a Yahoo e-mail account, and that uses SSL for logins. | Are you talking about the free Yahoo webmail or paid Yahoo e-mail a

Re: javascript host information - how to protect one's privacy?

2005-03-16 Thread Christopher Jahn
»Q« <[EMAIL PROTECTED]> wrote in news:[EMAIL PROTECTED]: > Christopher Jahn <[EMAIL PROTECTED]> wrote in > : > >> CarlosRivera <[EMAIL PROTECTED]> wrote in >> news:[EMAIL PROTECTED]: >> >>> I have heard that web sites are using screen size (width, height) >>> and depth to

Re: authenticationManager.clearAll()

2005-03-16 Thread Henrik Gemal
You can't call extensions from a client side javascript Bob Chauvin ( Paix dehors ) wrote: Found posts from previous questions that answered my question. I wonder if I can call an extension from javascript? Such as... http://extensionroom.mozdev.org/more-info/clearhttpauth -- Henrik Gemal Mozilla E