Firefox 0.9.3 coming...

chengkhoon
Posts: 67
Joined: August 9th, 2003, 8:40 am
Location: Malaysia

Post by chengkhoon »

The branch is created.. probably another security fix release...

Go go firefox!
logan
Posts: 3453
Joined: May 22nd, 2003, 3:51 pm
Location: NGC 2403

Post by logan »

Not probably, it is for security bits and likely only security bits.

In the works: Mozilla 1.4.3, 1.7.2, and Firefox 0.9.3 (?).

So far, the following have been fixed:
http://bugzilla.mozilla.org/show_bug.cgi?id=249004
http://bugzilla.mozilla.org/show_bug.cgi?id=253121
http://bugzilla.mozilla.org/show_bug.cgi?id=250906

A recent issue was brought up with MasterCard and a few other sites, but that's marked as WONTFIX:
http://bugzilla.mozilla.org/show_bug.cgi?id=252185

And the more recent (not really) XUL "phishing" bit, which has no resolution:
http://bugzilla.mozilla.org/show_bug.cgi?id=22183

I don't know how long they want to wait for the releases of the aforementioned versions...

--edit--

Looks like there's more than just the security updates, check keywords for:
fixed1.7.3 (23 bugs so far): http://bugzilla.mozilla.org/buglist.cgi?product=Browser&keywords_type=allwords&keywords=fixed1.7.3&bug_status=RESOLVED&bug_status=VERIFIED&bug_status=CLOSED&resolution=FIXED
fixed1.4.3 (17): http://bugzilla.mozilla.org/buglist.cgi?product=Browser&keywords_type=allwords&keywords=fixed1.4.3&bug_status=RESOLVED&bug_status=VERIFIED&bug_status=CLOSED&resolution=FIXED

I've not seen any Firefox 0.9.3 keywords attached to these bugs.
Last edited by logan on August 2nd, 2004, 8:07 am, edited 4 times in total.
Knightley
Posts: 5
Joined: August 1st, 2004, 10:42 pm

Post by Knightley »

I'm annoyed. Why can't they just get it right? Grr. Now I have to download the new version. It gets annoying.
lynchknot
Posts: 6253
Joined: November 4th, 2002, 7:36 pm

Post by lynchknot »

You should entitle this thread, "Firefox 0.9.3 is not out yet" - lol
Catfish_Man
Posts: 230
Joined: August 25th, 2003, 7:13 pm

Post by Catfish_Man »

Knightley wrote: I'm annoyed. Why can't they just get it right? Grr. Now I have to download the new version. It gets annoying.


No one ever gets software right. It's probably not possible, except in cases like the various Hello World programs, or maybe a simple command line calculator.

<edit>
Security is especially hard. I've heard of someone cracking a password via the following method:

A password field is displayed, and when a button is pressed the password is sent to the computer to be checked if it's correct. The computer checks each letter, and stops if that letter doesn't match the correct password. If all of them are correct, then the password is correct. Simple enough, right?

The hacker measured the amount of time it took the computer to decide each password he tested (via an automated method) was wrong. If it was wrong in the first letter, it would be almost instant since it only checked one letter. If it was wrong in the last letter, it would take a tiny bit longer. By using this method, he could work out the letters of the password one by one.

Obviously it could be fixed by having the computer check all the letters of the password, even if an early one was wrong. The tricky part is thinking of this before it's exploited.

Is this an urban myth? Probably (I have no idea). Does it demonstrate how difficult thinking about security in software is? I think so.
</edit>
Last edited by Catfish_Man on August 1st, 2004, 10:54 pm, edited 1 time in total.
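The check described in the post above and the fix it proposes, side by side, as an added example that is not part of the original thread. The function names, the sample secret and the `steps` counter (a deterministic stand-in for elapsed time) are constructed for illustration.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Character comparisons performed by the last check. It stands in for
   elapsed time so the difference can be observed without a stopwatch. */
static size_t steps;

/* The check as described: stop at the first letter that does not match. */
int check_early_exit(const char *guess, const char *secret) {
    size_t n = strlen(secret);
    steps = 0;
    if (strlen(guess) != n) return 0;
    for (size_t i = 0; i < n; i++) {
        steps++;
        if (guess[i] != secret[i]) return 0; /* work done depends on the secret */
    }
    return 1;
}

/* The proposed fix: look at every letter and accumulate the differences,
   so the amount of work is the same wherever the first mismatch is. */
int check_fixed_work(const char *guess, const char *secret) {
    size_t n = strlen(secret);
    unsigned char diff = 0;
    steps = 0;
    if (strlen(guess) != n) return 0; /* length is still revealed; comparing
                                         fixed-length hashes avoids that too */
    for (size_t i = 0; i < n; i++) {
        steps++;
        diff |= (unsigned char)(guess[i] ^ secret[i]); /* no early return */
    }
    return diff == 0;
}

size_t steps_early(const char *g, const char *s) { check_early_exit(g, s); return steps; }
size_t steps_fixed(const char *g, const char *s) { check_fixed_work(g, s); return steps; }

int main(void) {
    const char *secret = "hunter2"; /* constructed sample value */
    const char *guesses[] = { "xunter2", "huntex2", "hunter2" };
    for (int i = 0; i < 3; i++)
        printf("%s  early-exit=%zu  fixed-work=%zu\n", guesses[i],
               steps_early(guesses[i], secret), steps_fixed(guesses[i], secret));
    return 0;
}
```
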
logan
Posts: 3453
Joined: May 22nd, 2003, 3:51 pm
Location: NGC 2403

Post by logan »

Knightley wrote: I'm annoyed. Why can't they just get it right? Grr. Now I have to download the new version. It gets annoying.

Get what right? How do you expect them to foresee these problems? Deal with it.
Knightley
Posts: 5
Joined: August 1st, 2004, 10:42 pm

Post by Knightley »

Logan, you don't have to be rude. I was just asking a question, heaven forbid if anyone asked questions.
xN8x
Posts: 311
Joined: July 12th, 2004, 9:41 pm
Location: Wisconsin

Post by xN8x »

IE's track record for "getting it right" is marvelous *sarcasm* lol
Last edited by xN8x on August 1st, 2004, 10:59 pm, edited 2 times in total.
Knightley
Posts: 5
Joined: August 1st, 2004, 10:42 pm

Post by Knightley »

At least they don't release a new version every month!
Catfish_Man
Posts: 230
Joined: August 25th, 2003, 7:13 pm

Post by Catfish_Man »

Knightley wrote: At least they don't release a new version every month!


I've seen several new IE "versions" (aka security patches) in one week before. Perhaps a patching system could cut the download size for updates down... (of course, some of the IE patches are bigger than Firefox, but that's not necessarily something wrong with the patching system)
steeler_fan
Posts: 1189
Joined: June 15th, 2003, 11:00 am
Location: Pixburgh

Post by steeler_fan »

What's the branch name?

Ah, found it. FIREFOX_0_9_3_BRANCH.

Checkins

Better link, Checkins to 1.7.2 branch. This one shows the bug numbers, rather than just "merging changes".
Neil
rfrangioni77
Posts: 1510
Joined: January 5th, 2004, 1:48 am
Location: Bumdumbourge, near Totalslava

Post by rfrangioni77 »

Knightley wrote: At least they don't release a new version every month!


No, you're right...they release new versions every four years or so.
Robert S.
Posts: 4399
Joined: April 24th, 2004, 3:04 am
Location: Bay Area, CA

Post by Robert S. »

They've released new versions? Oh that's right... the numbers changed.
gengish
Posts: 145
Joined: July 14th, 2004, 2:27 pm

Post by gengish »

Catfish_Man wrote: Is this an urban myth?


I guess so. I've never heard of a "time based" password cracking method. I mean, it would be a brute-force attack anyway, which means that you have to try each combination of letters, numbers and symbols until you pick the right one; the longer the password, the longer it takes to discover it.
DaCypher
Posts: 198
Joined: January 11th, 2004, 10:21 pm

Post by DaCypher »

Catfish_Man wrote:
Knightley wrote: I'm annoyed. Why can't they just get it right? Grr. Now I have to download the new version. It gets annoying.


No one ever gets software right. It's probably not possible, except in cases like the various Hello World programs, or maybe a simple command line calculator.

<edit>
Security is especially hard. I've heard of someone cracking a password via the following method:

A password field is displayed, and when a button is pressed the password is sent to the computer to be checked if it's correct. The computer checks each letter, and stops if that letter doesn't match the correct password. If all of them are correct, then the password is correct. Simple enough, right?

The hacker measured the amount of time it took the computer to decide each password he tested (via an automated method) was wrong. If it was wrong in the first letter, it would be almost instant since it only checked one letter. If it was wrong in the last letter, it would take a tiny bit longer. By using this method, he could work out the letters of the password one by one.

Obviously it could be fixed by having the computer check all the letters of the password, even if an early one was wrong. The tricky part is thinking of this before it's exploited.

Is this an urban myth? Probably (I have no idea). Does it demonstrate how difficult thinking about security in software is? I think so.
</edit>

I have never heard of a password authentication method that worked as you described. First off, given the network latencies there would be absolutely no way of someone being able to differentiate the time it took to compare 5 characters or 6 (this is such a speedy operation, you would have trouble timing this on the local machine). Second, just about any semi-intelligent site will use some form of encryption for their passwords. Just about every encryption algorithm that I know of uses the entire string to create the hashed value so that the encrypted version of "password" looks nothing like "passwor" (and therefore cannot do a single character comparison as described above).