Jean-Marc Desperrier wrote:
Daniel Veditz wrote:
not true, there is a version of the ByteVerify Java attack that affects
Sun's JRE 1.4.2_05 and older -- and Firefox users can be infected.
Dan, what do you refer to exactly ?
Secunia refers to Trojan.ByteVerify only as the trojan that exploits
Jean-Marc Desperrier wrote:
Fabrizio Marana wrote:
It's just that in the last week I've been infected twice with the
Java/ByteVerify Trojan/virus...
No, you have not been infected. You accessed a page that contained this
IE only trojan, the trojan got stored in the disk cache, so your
Alfred Amazon wrote:
According to http://www.mozilla.org/projects/security/components/jssec.html
To ensure security, the basic assumption of the JavaScript signed
script security model is that mixed scripts on an HTML page operate as
if they were all signed by the intersection of the principals
Peter Gutmann wrote:
Having fifty different URL bars all displaying the organisation
as NO LIABILITY ACCEPTED (which Verisign were using as an OU at
one point) probably won't engender much consumer trust in this measure
It might, in fact, engender an appropriate amount of (dis)trust were
users to
Henrik Gemal wrote:
You cant call extensions from a client side javascript
Well that's not entirely true. Interpreting the term extension broadly
you can create a javascript component that adds methods and, for
example, sticks them on the window object to be called willy-nilly.
Dangerous, of
That's nothing new, unfortunately. Sites were doing that back in the
Netscape 4.x days for Java privilege request prompts. You're going to
get something that looks like [image]. It's normal, just click OK.
Gervase Markham wrote:
Here's one way to gently socially-engineer people to click Yes on
Warmbold, Bo wrote:
New to firefox but having trouble with something - Our district uses
PHP as our web development software firefox doesn't support using Ctrl-v
to paste things in. There is a fix on the website involving the user.js
file. I have done this and firefox has copied the new
Anthony G. Atkielski wrote:
Michael Lefevre writes:
If you don't trust the Flash plugin, then don't have it installed.
Firefox never asked me about Flash when I installed it, and I can't find
a plugin anywhere that I can deinstall. It just appeared.
Firefox does not install flash. If flash is not
Eugene Prokopiev wrote:
Hi,
Can I logout from page with basic authentication and enter
username/password again without restarting Mozilla? Can I do it with
JavaScript?
Since you mention Mozilla rather than Firefox, under the Tools menu
you will find a Password Manager submenu with a Log Out
remove wrote:
I am a brand new user of Mozilla Firefox. I accidentally deleted all my
passwords from Firefox,(Tools, Options, Clear all information stored
while browsing), which had been automatically transferred from
Netscape 7.1, during installation of Firefox. I still have Netscape on
my
Jean-Marc Desperrier wrote:
I'm convinced this would work better than the current site white list
mechanism.
My opinion is that white-list forces to take a bad compromise between :
- allowing a small number of list, which will result in major bandwidth
problems for those sites, and
Greg wrote:
I noticed that the following flaw in GDI+ affects many products:
http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx
Of course MS does not list any third party products. Anyone know
whether Mozilla (specifically FireFox) is affected, in what version
it's fixed,
Aaron Leventhal wrote:
http://www.us-cert.gov/cas/techalerts/TA04-261A.html
Is Mozilla 1.8a3 patched?
1.8a3 is (mostly) not patched: it was released (built?) on August 13 and the
earliest fix listed on the known-vulnerabilities page is August 16
You will get more help on Netscape user support newsgroups (try
snews://secnews.netscape.com), this group is for discussion of Mozilla
security issues.
Sounds like you could do that with two profiles, adding -P profilename
arguments to the command line. That trivially solves a and c, though if
Erlend Furuset Jensen wrote:
If the former, did your passwords somehow get switched from encrypted to
obscured in the password manager preferences? If they aren't encrypted
then the master password is not needed.
I've tried clearing the password list and entering the passwords from
scratch.
Erlend Furuset Jensen wrote:
I've recently discovered that Mozilla doesn't ask for my master password
when I access my saved passwords. This is a problem when I check e-mail
and browse websites that require a log-in.
Until recently, Mozilla allways asked for my master password the first
Christian Paminger wrote:
I'm using Mozilla 1.7.2 and want to use Drag and Drop in my remote
Application. I don't want to use signed code.
user_pref(signed.applets.codebase_principal_support, true);
doesn't seem to work.
What errors do you get in the javascript console? Have you tried using the
This is bug http://bugzilla.mozilla.org/show_bug.cgi?id=115174
Horrible that it hasn't been fixed yet.
-Dan Veditz
Felix Miata wrote:
In a generic sense, this has happened to me before. Today in 1.7rc2 was
different than I remember before. When trying to save the thank you for
placing your
Probably better covered in the .netlib group
Jim Mulvey wrote:
Hello,
I'm trying to get the negiotiateauth feature in the Mozilla 1.7 Beta
browser (on Red Hat 9) to authenticate to an IIS server. The Red Hat
server is using Kerberos-Workstation-1.3.3 (the latest) to
authenticate to the
Troels Jakobsen wrote:
Situation 1 is infeasible, since it requires all ordinary users to
obtain a certificate to use as signature. The procedure of obtaining
the certificate is non-trivial, costs money, and can't be automated,
since the CA (cert. authority) guarantees the identity of the
The .db files are where the Netscape program stores and manages certs
locally, it's not any kind of a standard format. The .p12 file you got is a
standard format, you just need to import the cert into Netscape. It's been
ages since I've used Netscape 4.x and I don't remember where the import
James Graham wrote:
The fundamental difference between exe files and xpinstall files is
that, from a user point of view, xpinstall is only a mechanism for
installing stuff into the browser.
Then we need to change the impression: XPInstall is a general purpose
install engine, originally
Ben Bucksch wrote:
Daniel Veditz wrote:
site level filtering ... we're still arguing
Where?
Ben and I, in person. Actually the argument's pretty much over, there's not
much point in doing the work if the default (which 99% don't change) is to
work the same way as today
Robert Mohr wrote:
mrhappy wrote:
It would be really good if there was a default setting of silent ignore for xpi's
It's not the default and never will be, but you can set
'xpinstall.enabled' to false in about:config.
It is not now the default, but never say never--we may very well be
Jean-Marc Desperrier wrote:
Daniel Veditz wrote:
(I'm serious, by the way: we're most likely turning off XPInstall by default
for most sites for Firefox 1.0)
It does make more sense to sign XP package.
Site-level restriction is a problem for load repartition (isn't mozdev
strongly
For NSS-related issues you should try the n.p.m.crypto newsgroup.
___
Mozilla-security mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-security
Heiko Adams wrote:
I (personally) think that the best protection against those things is to
_use_ your *eye's* and your *brain*. But unfortunedly it seems that too
many people don't have at least the last one :-(
AFAIK are Mozilla and FireFox displaying a warning before installation
of
David wrote:
James Graham escribió:
Obviously, it would be good if Mozilla products had some sort of
protections for users who don't appreciate the dangers of extensions
Workaround: Go to Edit...Preferences...Advanced...Software Installation
and uncheck Enable Software Installation.
Ben Bucksch wrote:
That's not fair. I wanted to issue warnings, but need the allowance of
the security group, esp. its former owner, which I practically never
got. I tried, IIRC, but ended up thinking that it's futile.
Let's forget about the AOL-burdened past. I--and the Mozilla Foundation,
Ben Bucksch wrote:
I forgot:
* There are currently 36 fixed, hidden bugs. Some of them fixed a
year ago.
I will be updating the vulnerabilities page (and unhiding bugs) for the 1.7
release, I'll make sure to check the ancient ones too.
* A query for the formerly hidden, now
Ben Bucksch wrote:
The policy isn't working.
...
[...] can we use full disclosure now?
I don't think you've demonstrated problems with the policy but rather that
we have to do a better job implementing it. A *much* better job.
* Public security bug lists [...]
per policy only
TGOS wrote:
On Tue, 05 Nov 2002 21:04:03 +0100 Boris Stanislavski [EMAIL PROTECTED]
No, they can reply to it right now and if they don't want, they only
harm the Mozilla project, as then I will not write that app or write it
for another browser instead and stop using Mozilla at all and
Jasper wrote:
I was running Netscape Communicator. No other internet
program was running at that time.
You were running at least the software that connects you to the internet.
Communicator itself does not do that and won't browse the web unless those
lower level services are running.
I
Morten Gulbrandsen wrote:
as url I try this one:
https://nettsvar.lanekassen.no/nettsvar/
as mozilla reply I get
alert
https is not a registered protocol
ok
How can I solve this problem ?
Did you install the Personal Security Manager that provides the encryption
services used to
Mitchell Stoltz wrote:
Do you like the names of the mailing lists,
[EMAIL PROTECTED] and [EMAIL PROTECTED]?
Should we use shorter names? I wanted to make it very clear what each
one is for.
The discussion group doesn't need to be as clear, the people who need to
know about it will
35 matches
Mail list logo