gmane.comp.mozilla.security

Get the finished message of TLS handshake

Christian Koßmann — 2013-05-14T09:12:55

Hey,

I try to implement a prototype implementation of tls-unique (RFC 5929) in Firefox for a German research group. Therefore I need the finished message of the TLS handshake. After hours of research I found out that this is "most likely" not possible to get the finished message in a Firefox extension. But what about XPCOM components? Is it possible to create an XPCOM component that propagates such implementation details or do I really have to modify the source code of nss? Or is there any other way that I have overlooked?

I looking forward to your answer,
Christian Koßmann

It's time to remove plugin support from Firefox mobile

David Keeler — 2013-05-10T17:54:38

[bcc'd to many lists for wide visibility - discussion should probably be
on mobile.firefox.dev
(https://mail.mozilla.org/listinfo/mobile-firefox-dev )]

TL;DR: Now is a good time to remove plugin support from Firefox for Android.

Consider:
* We do not support plugins for Firefox OS and do not plan to
* The only plugin that most users care about is Flash. Adobe stopped
development for Flash on Android in November of 2011, which is a year
and a half ago[1].
* Popular sites that use plugins have native apps. This includes
YouTube, Netflix, Hulu, and so on. Other sites can follow suit or use
modern web technologies like HTML5. Addons are also an option.
* Plugins are a security hazard
* Plugins drain battery life and make Firefox seem slow

Let's be bold, let's protect our users, and let's move the web forward.

[1] http://blogs.adobe.com/conversations/2011/11/flash-focus.html

OCSP Stapling w/ Delegated Signers

Tom Ritter — 2013-04-27T17:37:42

I have what may be a well tread topic in the nuances of OCSP Stapling
- but after having it posed to me I realized I did not know the
answer.  Thus, I ask publicly in the hope that there is a simple
answer I can point to in the future.

If a CA uses a delegated signer for OCSP, and a website delivers an
OCSP Staple... How does the user (talking only to the website) get

 - The Delegated Signing Cert (which is presumably an Intermediate off
a Trust Root)
 - The revocation information for *that* Intermediate cert

thanks,
tom

Safebrowsing

fr0sty — 2013-04-22T15:53:32

Hi,
I have a few questions about the safebrowsing feature in Firefox.
Answering any of these questions would be extremely helpful.

    1. How does one clear the safebrowsing data?
    2. Does Firefox stop fetching safebrowsing data if the browser is
    inactive? The spec says the list is updated every 30 minutes, but
    doesn't say anything about user activity.
    3. The data itself is authenticated, but it is also served over HTTP,
    and the protocol supports requesting specific lists and segments. This
    might introduce the ability of websites to repeatedly block list
    segments in an attempt to create a "supercookie" in the client. This
    "supercookie" looks like it can persist for up to 6 hours (based on
    the retry behavior in
    https://wiki.mozilla.org/Phishing_Protection:_Design_Documentation#Client_Backoff
    <http://www.google.com/url?q=https%3A%2F%2Fwiki.mozilla.org%2FPhishing_Protection%3A_Design_Documentation%23Client_Backoff&sa=D&sntz=1&usg=AFQjCNER-Z-tD46-m2VihudZ4bBeqS9fpA>).

Orangfuzz – an experimental user interaction fuzzer for Firefox OS

Gary Kwong — 2013-04-17T20:27:30

(followups to: mozilla.dev.b2g please)

I recently released an experimental user interaction (touch) fuzzer for 
Firefox OS, known as orangfuzz[1]. It is based on the Orangutan 
framework[2] by wlach.

More details can be found in a Mozilla Security blogpost[3].

Currently it only works with a Unagi B2G test device - I tested on a 
Geeksphone Keon but the Orangutan framework wasn't working as expected 
there yet.

Some possible ideas/ways to move forward:

* Decide on a common prepopulate state - currently orangfuzz always 
starts off on the homescreen, but ideally should be started from a 
fixed  state of Firefox with a fixed number of apps in a common position 
  (e.g. from reset) b2gpopulate[4] might help with this.
* Run the generated scripts with the long-running harness script[5] on 
pandaboards running B2G and orangutan, possibly via mozpool.
* Find ways to detect crashes - should we monitor 
"/data/b2g/mozilla/Crash\ Reports" for new crashes?
* Find a way to detect assertions - monitor logcat?
* Impr

Firefox behavior with CDPs and AIAs

2013-04-11T19:25:17

I know that FF allows you to choose a CRL and it will check status against that CRL when it finds a cert issued by the CRL issuer. Does anyone know if FF uses the CDP in the cert or the cert's issuer name as a key to find the CRL?

The reason I ask is in regards to partitioned CRLs, where a CA could, for example, have one CRL for odd serial numbers and one for even. The CA would put the appropriate CDP in each cert, but would that confuse FF?

Same question about OCSP responses and AIA.

Does anyone know the answers for IE?

Building NSS failed on both Ubuntu 12.04 and Linux Mint 14

Brian Huang — 2013-04-06T16:18:43

I followed this instruction: https://developer.mozilla.org/en-US/docs/NSS/Building, trying to build NSS on both Ubuntu 12.04 and Linux Mint 14. All builds failed with the error:
secasn1.h:17:21: fatal error： plarena.h：no such file or directory

I tried to find the file:
$ find ../../../ -name plarena.h
../../../mozilla/nsprpub/lib/ds/plarena.h
../../../mozilla/dist/Linux3.2_x86_64_glibc_PTH_64_OPT.OBJ/include/plarena.h

What's wrong?

_______________________________________________
dev-security mailing list
dev-security< at >lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security

Content Type Dependencies

2013-04-06T00:26:32

Hi,

a comment in nsIContentPolicy.idl says

  /* When adding new content types, please update nsContentBlocker,
   * NS_CP_ContentTypeName, contentScurityPolicy.js, all nsIContentPolicy
   * implementations, and other things that are not listed here that are
   * related to nsIContentPolicy. */

My first thought was that it should be enough to look for all files that #include nsIContentPolicy.h und rebuild the specific subtrees, but when I looked a second time at the comment I realized that this can't be everything.

What do I have to do after adding a new content type? I'd need a complete list of all the files I have to update and I'd need to know if there're any other changes I have to make inside other files.

Regards,
Jeremy

Calling function from nsIContentSecurityPolicy.idl

2013-04-06T01:52:55

Hi,

I've declared a new function in nsIContentSecurityPolicy.idl:

  AString getMyString();


I call this function from nsScriptLoader::ProcessScriptElement:

  nsresult myRV = NS_OK;
  nsCOMPtr<nsIContentSecurityPolicy> myCSP;
  myRV = mDocument->NodePrincipal()->GetCsp(getter_AddRefs(myCSP));
  NS_ENSURE_SUCCESS(myRV, false);

  if (myCSP) {
    nsAutoString myString = myCSP->GetMyString();


When I try to compile this I get an error c2660 function does not take 0 arguments. This seems weird to me as my declaration doesn't expect an argument?

Regards,
Jeremy

Confusion about abstract strings

2013-04-04T17:10:11

Hello,

I'm a bit confused when it comes to abstract string classes, i.e. nsAString. The Mozilla internal string guide speaks of them as "historic", so I wondered that they are still expected as input value in nsDOMTokenList::Contains

In nsScriptLoader::ProcessScriptElement I want to do the following:

  nsCOMPtr<nsIContentSecurityPolicy> csp;

  nsAString& str1 = NS_LITERAL_STRING("string1");
  nsAString& str2 = csp->getMyStringValue();

  str1.Append(str2);

  // call Contains(str1) now, to check if the string "string1string2"
  // is a value of an element attribut

Explanation:

  - getMyStringValue() is supposed to be a JavaScript function written
    in contentSecurityPolicy.js and delivers a value from CSPRep, very
    smililar to what getAllowsEval does with _allowEval. The returned value
    is always a mixed string consisting of upper and lower case letters and
    numbers, e.g. "Abc123"

  - after the Append operation str1 should contain "string1string2"

Question 1: My above handling of this issu

Case sensitivity in FF

2013-04-04T15:25:39

Hi together,

this is just a minor question concerning case sensitivity. In nsScriptLoader.cpp I found the two function calls
 
  rv = csp->GetAllowsInlineScript(...); and csp->LogViolationDetails(...)

If I got this right, they refer to 

  logViolationDetails: function(...) and getAllowsInlineScript: function(...)

in contentSecurityPolicy.js

I wonder, why it is allowed here to write the function names differently. The functions in the js file start with lower case, while the cpp functions are uppercase.

Regards
Jeremy

Advanced Image Gallery DW Extension

Robert — 2013-04-01T12:17:27

Advanced Image Gallery DW Extension
    
 http://t.co/VFQOrtEVtr Prehistoric Slots 
 http://t.co/OfJtJ22YiH WTM Software Distribution 
 http://t.co/wQHdtCHzXV New Years Klondike Solitaire 
 http://t.co/jiFANvyS12 Carl's Classics 
 http://t.co/4WC8bX2J2P
Advanced Image Gallery DW Extension

Best way to read attributes in nsScriptLoader?

2013-03-27T12:00:44

Hi together,

I'm experimenting with the script-nonce idea to push CSP forward. While acquainting myself with the code and testing different approaches, I stumbled upon the question, if I could use the well known class attribute inside a <script> tag.

Here is what I'm trying to do:
In nsScriptLoader::ProcessRequest I wish to gain access to the values of the class attribute of the current script tag and analyse them. What would be the best/easiest way to do this?


Here is what I've thought on this:
- nsScriptLoader::ProcessRequest is called with the parameter aRequest, for which several methods, like GetScriptType are called inside the function. I understand, that aRequest stands for the <script> tag that is currently processed.

- aRequest is a pointer of the type nsScriptLoadRequest. So I looked up nsScriptLoadRequest, but none of the methods defined there enables me to read the class attribute.

- So I guessed I'd have to use a more general class and looked further for functions with promising names and

Warnings about non-default certs in Private Browsing Mode?

Gervase Markham — 2013-03-27T09:29:58

I wanted to raise a suggestion from John Nagle to the status of a new
thread. John suggested that, in Private Browsing Mode only, Firefox
should inform the user if they make a secure connection using a
certificate which is not one of the default set in NSS's root store.

The logic is that if a user is using PBM, they are unlikely to be
browsing their own intranet, or other location where the certificate
chains up to a manually-installed cert. Therefore, if one is being used,
they are likely to be being MITMed. They may have consented to this,
e.g. at a workplace - hence the suggestion that this is a prominent user
interface indicator, e.g. a non-dismissable infobar, rather than a
blocking page or red scary warning.

Do people think this makes any sense?

Gerv

shouldLoad( ) and shouldProcess( )

2013-03-18T16:14:50

Hello together,

I know that I can block external sources like images, scripts, styles etc. by checking their origin in shouldLoad() of nsIContentPolicy.

However, inline scripts are not "loaded" so this method doesn't apply. My questions are:

1.) Do I have to use shouldProcess() to check inline scripts?

2.) For what types is shouldProcess() used after all? Same as shouldLoad()? While shouldLoad() is quite clear I didn't fully understand the meaning of shouldProcess().


The intention behind these questions is that I want to send an identifier for some inline script tag via a new CSP rule, check if an existing inline script tag owns this identifier and allow its execution only in this case.

Best Regards,
Jeremy

Way of CSP code in FF

2013-03-16T12:53:26

Hello,

after reading through many lines of code to understand CSP implementation in FF I'm still a bit confused.

How exactly is the code flow when one opens a web site in FF that uses a CSP policy? I mean, I've checked files like contentSecurityPolicy.js, CSPUtils.jsm, nsIContentPolicy.h and several more, but I still don't get it right.

Do you know of any helpful documentation, scheme, comment or whatsoever that helps understanding better, how FF
- recognizes a CSP policy
- checks the policy values
- uses functionality to block certain elements (in detail)
- handles inline scripts?

I've read all the "theoretical" papers on W3C, Mozilla, etc. I could get my hands on, but in fact I've found very little that describes the FF implementation of CSP more detailled.

Any idea friends?

Best Regards,
Jeremy

NSS adds duplicate nick name for different certs

2013-02-21T14:32:42

Hello,

I am using NSS 3.12.6. I am trying to add different certs (with slightly) different nickname in my db using certutil. However I found, that certutil adds them with the same nick name. I have about 130 certificates in database and it is happening on at least 5 different certificates. What I am doing wrong?

certutil -d <PATH TO DB> -A -i 1-OCIO_0x46EACCEC.cer -n '1-OCIO_0x46EACCEC' -t "c,c,c"
Enter Password or Pin for "NSS FIPS 140-2 Certificate DB":
-bash-3.2$ certutil -L -d <PATH TO DB> | grep -i OCIO
1-OCIO_0x46EACCEC                                            c,c,c
-bash-3.2$ certutil -d <PATH TO DB> -A -i 1-OCIO_0x4A61D147.cer -n '1-OCIO_0x4A61D147' -t "c,c,c"
Enter Password or Pin for "NSS FIPS 140-2 Certificate DB":
-bash-3.2$ certutil -L -d <PATH TO DB> | grep -i OCIO
1-OCIO_0x46EACCEC                                            c,c,c
1-OCIO_0x46EACCEC                                            c,c,c

CSP and inline-scripting

2013-02-19T17:19:28

Hello,

I'm not sure, if this is the right place to ask. Please tell, if I should ask in another group.

I've started working on a modification of Content Security Policy. I've tried shouldLoad() in nsIContentPolicy to block script elements, that is TYPE_SCRIPT = 2. However, it seems that this method is only able to recognize external scripts loaded via <script src="...">. All inline scripts on a page are ignored.

My questions: Am I right about this? If yes, is there any other possibility to catch inline scripts?

Thanks for your comments.
Jeremy

Announcing Version 2.1 of Mozilla's CA Certificate Policy

Kathleen Wilson — 2013-02-16T01:00:46

Announcement:
https://blog.mozilla.org/security/2013/02/15/announcing-version-2-1-of-mozilla-ca-certificate-policy/

Mozilla CA Certificate Policy Version 2.1:
http://www.mozilla.org/projects/security/certs/policy/

About the new version:
https://wiki.mozilla.org/CA:CertificatePolicyV2.1

Discussions about this will be in the mozilla.dev.security.policy forum.

Kathleen

x-posting from dev-tech-crypto: web crypto APIs and resources

David Dahl — 2013-02-13T20:59:31

Hello Security Enthusiasts:

I just started a conversation on Web Crypto APIs (low-level, high-level) and the resources to implement in Gecko.

https://groups.google.com/forum/?fromgroups=#!topic/mozilla.dev.tech.crypto/rQeNHJsYKoM

Cheers,

David

Live InfoSec Hangouts with DEFCON, Toorcamp speakers etc

Henry Dalziel — 2013-02-12T23:18:18

Hi All - some security basics and live web shows in February you might be
interested in (live and recorded on same URL)

Live streaming: http://goo.gl/ZBhc4

How To Use Nmap
From SQL Injection to MIPS Overflows
Blind XSS
NFC/ RFID Hacking the Easy Way
Intro to Network Traffic Analysis
Sploitego
Network Anti-Reconnaissance
Off-Grid Communications with Android
Passive Bluetooth Monitoring in Scapy

All start times are at 12 EST.

Thanks Henry