Comments on slight paranoia: A Remote Vulnerability in Firefox Extensions
Christopher Soghoian (http://www.blogger.com/profile/08950937382104783909)
Updated: 2024-01-24T20:01:37.600-05:00
19 comments

medyum (http://www.medyumca.com), 2010-05-21T02:26:57.741-04:00:
While any server can serve any certificate the update mechanism will reject any certificate that does not correctly identify the site. For instance, this includes having a certificate chain to a trusted root CA, and none of those CAs are going to give out a certificate for a Mozilla site to anyone except Mozilla.

saglikportali (http://saglikportali.net), 2010-02-11T00:46:23.116-05:00:
thank you very much.

ahmet maranki (http://www.ahmetmaranki.us), 2009-12-27T12:52:57.521-05:00:
Is it possible to 'push' an extension update onto users or does the MITM have to just wait and hope they try to self-update while connected to the evil network?..

işitme cihazı (http://www.digimer.com.tr), 2009-10-06T05:23:07.965-04:00:
thanks

siemens servisi (http://www.siemens-beyazesya-servisi.com), 2009-09-26T08:16:11.849-04:00:
I'm using Firefox, and I know that we must update our add-ons within a short time when an update is available.

video (http://www.kapgetir.org), 2009-09-15T12:09:44.066-04:00:
The browser will also check for updates periodically, assuming that the browser is left open for lengthy periods of time - however, these extensions will not be installed until FF restarts.

Medyum (http://www.medyumburak.com), 2009-08-21T05:46:49.562-04:00:
Is it possible to 'push' an extension update onto users or does the MITM have to just wait and hope they try to self-update while connected to the evil network?

estetik (http://www.estetikd.com), 2009-08-03T06:54:38.699-04:00:
thank you

medyum (http://www.medyum.gen.tr), 2009-07-14T06:01:20.790-04:00:
While any server can serve any certificate the update mechanism will reject any certificate that does not correctly identify the site. For instance, this includes having a certificate chain to a trusted root CA, and none of those CAs are going to give out a certificate for a Mozilla site to anyone except Mozilla.

ssk (http://www.sskbank.com/), 2009-04-23T16:05:00.000-04:00:
thanks.....

Anonymous, 2007-12-01T18:37:00.000-05:00:
Hey,

Anybody by any chance know what this error means when I open Firefox in OS X Leopard?

"Alert - please go to menu, tools,extensions and set valid values for email notifier, from its options"

Thanks,

Mark

Neil Rashbrook (https://www.blogger.com/profile/14217111205775776357), 2007-06-18T05:49:00.000-04:00:
While any server can serve any certificate the update mechanism will reject any certificate that does not correctly identify the site. For instance, this includes having a certificate chain to a trusted root CA, and none of those CAs are going to give out a certificate for a Mozilla site to anyone except Mozilla.

Anonymous, 2007-06-16T15:56:00.000-04:00:
"A DNS based man in the middle attack will not work against a SSL enabled webserver. This is because SSL certificates certify an association between a specific domain name and an ip address. An attempted man in the middle attack against a SSL enabled Firefox update server will result in the browser rejecting the connection to the masquerading update server, as the ip address in the SSL certificate, and the ip address returned by the DNS server will not match."

Total noob here, but if the request was redirected to another server wouldn't that server be able to also provide a certificate pointing to the incorrect ip?

Anonymous, 2007-06-04T13:01:00.000-04:00:
P.S. I might have found a possible solution here (https://bugzilla.mozilla.org/show_bug.cgi?id=367210):
Bug 367210 – when opening Firefox a pop up occurs requesting that you sign up for drivecleaner.

Solution: "I think this is because you allow sites to move and resize existing windows. When I uncheck this option (in Windows this is Tools > Options > Content > Enable JavaScript > Advanced) I don't see it anymore."

Anonymous, 2007-06-04T12:53:00.000-04:00:
Drivecleaner and related programs are not installed in my computer; however every now and then when I execute Firefox, the popup for drivecleaner appears. The only addons I've got are Greasemonkey, FireFTP, and Adblock Plus - none of these should be a problem. Each time this happens I check my computer to ensure nothing has been installed. I run all my antispyware programs (I've got four of them) and none detect drivecleaner or any related programs.

Todd Vierling (https://www.blogger.com/profile/02534664258657022180), 2007-05-31T14:06:00.000-04:00:
Google's extensions *internally* autoupdate (there's JS code in the extensions that forces update checks even if Firefox's automatic extension check is disabled). However, at least for Google Browser Sync, and Google Notebook, I've found that this too can be disabled.

In about:config, search for "extensions.google". Each one should have an ".autoupdate" boolean value -- which can be set to false. Changing this setting should not prevent *manual* update checks for Google's extensions, only the Google extension internal update mechanism.

Anonymous, 2007-05-30T16:38:00.000-04:00:
Firefox does not in fact check during startup. It does check approximately every 24 hours by default.

Christopher Soghoian (https://www.blogger.com/profile/08950937382104783909), 2007-05-30T06:23:00.000-04:00:
Firefox checks for updates to each installed extension every time the browser starts up.

Thus, while it is not possible to force a user's browser to check for an update - by crashing the browser (there are quite a few proof of concept malformed websites out there that'll crash Firefox), the attacker can essentially get the user to restart Firefox, and thus download new updates.

The browser will also check for updates periodically, assuming that the browser is left open for lengthy periods of time - however, these extensions will not be installed until FF restarts.

Anonymous, 2007-05-30T05:48:00.000-04:00:
Is it possible to 'push' an extension update onto users or does the MITM have to just wait and hope they try to self-update while connected to the evil network?