@the-edmeister: Thanks for the URL.
Security through obscurity, really? It is my opinion that hard or soft disabling this addon gives a false sense of security, while selectively enabling it so you can work on known sites for which you are the developer poses a minimal risk.
Citing the same document:
Disclosure of security vulnerabilities
"The security module owner, peers, and other members of the Mozilla security bug group will not be asked to sign formal nondisclosure agreements or other legal paperwork. However we do expect members of the group"
I am not part of that group. I am neither legally nor ethically nor morally bound to remain silent. The "super-secret" information is readily available on the internet within a matter of seconds.
"Please try not to keep bugs in the security-sensitive category for an unreasonably long amount of time."
3 years is unreasonably long in my opinion.
"Please try to be understanding and accommodating if a Mozilla distributor has a legitimate need to keep a bug in the security-sensitive category for some reasonable additional time period, e.g., to get a new release distributed to users."
Security through obscurity is not a legitimate need. 3 years is not a reasonable amount of time. There seems to be no plan on behalf of Oracle to address this, or it would have done so YEARS ago. As a result, a release does not seem likely in the foreseeable future.
"Changing this policy
This policy is not set in stone. It is our hope that any disputes that arise over membership, disclosure, or any other issue addressed by this policy can be resolved by consensus among the Mozilla security module owner, the module owner’s peers, and other security bug group members through discussions on the private security bug group mailing list."
On this issue, they can go on pretending they have the absolute control over information. It is pure denial.
This vulnerability has nothing to do with Mozilla. It can be exploited in dozens or hundreds of other ways. It is based on an inherent weakness of insecure networking protocols and laziness or ignorance of developers and international, billion dollar corporations that develop core software used to run billions of systems. Hiding the details of this one bug report is inconsequential, as a few seconds of searching gets you all the gory details.
Someone can use this exploit technique on you even if the JDK plugin is disabled. Even if you do not have JDK installed. Even if you do not use Mozilla Firefox. Maybe this policy is more appropriate to bugs that affect ONLY Mozilla software, but NOT for general industry problems. Oh well, this entire issue is just silly now. There's nothing more to say on this thread.
After a little searching, I found this posting, which seems to be the first encounter of this bug, and resolution?
There's a specific tool to "easily" allow someone to do these things to you, from other computers on your LAN. It is unclear to me if they need Administrator rights to run this tool, or if they must be in a specific proximity to your computer, i.e., your LAN or intranet or even the ISP? The most vulnerable, I think, would be corporate users (anyone with a large network, regardless of whether it is a university, non-profit, small business, or enterprise level, etc.).
What is clear from this tool's README file is that the vulnerability is not limited to Firefox or Oracle's JDK. In fact, almost every commonly installed application is vulnerable. Some of the more familiar names on the list include:
So the problem is much bigger than Firefox or Java JDK. It is in fact a common failure of developers to design a secure update process. As such, I think blocking JDK in Firefox is pretty pointless. It's like using a fire extinguisher on a cigarette in the middle of a forest fire, for fear of preventing a forest fire. Just because Firefox blocked this, there's probably still a dozen or more ways for this to occur on your computer.
It's a problem developers worldwide are too lazy or stupid to address. However, saying NO to developers in a high visibility app like Firefox is definitely a powerful way to raise awareness, and force another highly visible developer's hand (Oracle) to implement update verification mechanisms.
It's too bad that Mozilla simultaneously decided to unilaterally block the application and try to hide the bug. Like an ostrich burying its head in the sand. They missed the opportunity to raise awareness of a critical issue that is larger than either Firefox or Oracle combined. It's a software design practice that needs to be updated. That can only occur by raising awareness. What is even more unforgivable is that Oracle, even after being aware for almost 3 years now, has still failed to implement and push to release (not beta) a fix.
Hopefully this post is clear, removes confusion of the issue, and is not censored by Mozilla.
That is merely copy and pasted from the URL mentioned above.
On that page is a link to see a copy of the request to block filed in Bugzilla. However, the bug is forbidden to view by the general public, so there is no real explanation with proof available to anyone.
I think that only adds to the confusion. If there is a huge vulnerability, I think it should be demonstrated, explained clearly to the users (who in this case are likely developers who could understand such things), and they should decide for themselves if it's a use-case they need to be concerned with.
If they use this feature only on a local area network, or only on the intranet, to run a business, then automatically disrupting functionality by default may cause more problems than a use case which they will not likely encounter. Then perhaps the filtering of the vulnerability from external sources would simply be an exercise for their security administrators.
Thanks SilentMobius for an answer that works! One note: you can go to Tools -> Page Info -> Permissions; you do not need to click a lock on a secure site and then More Information. That just brings up the Page Info box on the Security tab. Hopefully Mozilla FF won't decide to remove "bad" things from that permission list entirely, to prevent enabling.
I have used Waterfox under Windows 7 for about the past 4 months with no problems. I have not detected any virus or malware of any kind. I believe it is a good-faith project that does what it says, nothing more.
The speed seems to be somewhat better. One of the main advantages is that if I have a few hundred tabs open (which I do more often than you'd imagine), the 64-bit browser can allocate the RAM, whereas the 32-bit browser cannot. In this condition, the 64-bit build suffers much less system slowdown (for a while), but eventually both will begin to bog down the system when a few dozen tabs are open and the browser is left running for a month or more. Occasional app restarts are still necessary due to severe memory leaks (regardless of build).
I notice absolutely no problems with any of my addons or plugins, which probably represents everything the average user could ever want.
There's little or no excuse to spread fear, uncertainty or doubt about using 64-bit Firefox, either compatibility or performance wise. If your plugins or addons are not listed, try it and see. They may work, have bugs, or not work; there is only one way to find out if it's right for you.
If you want to see performance differences objectively, without any political bias, do your own tests, with a stopwatch, or with software profilers that can give microsecond or nanosecond accuracy of the time it takes to perform certain functions like page renders. I would assume differences of about 5% or less would be fairly negligible.
Adobe Flash (64-bit),
Adobe Shockwave Flash (64-bit),
Java JDK and JRE (64-bit),
VLC Web plugin
Add-on Compatibility Reporter,
eQuake Alert (menu bug, always transparent, happens in 32-bit Firefox also),
Form History Control,
Jökulsárlón Download Manager,
Live HTTP Headers,
Preserve Download Modification Timestamp,
Tab Mix Plus,
UPromise Turbo Saver,
User Agent Switcher
There is a problem with "HP Smart Web Printing" addon, where by default it appears to be disabled with no option to enable it. It's a somewhat useless addon that is installed with the print driver without a choice. I can print just fine without the addon, even without the HP driver, as Windows 7 has a driver for my printer. But the HP driver does give a few extra controls at the OS level.
Edit 1: Lists of items, one per line, were collapsed to a paragraph, so I added commas.