MozillaZine

Firefox 0.9.3 coming...

Discussion of general topics about Mozilla Firefox
chengkhoon
 
Posts: 67
Joined: August 9th, 2003, 8:40 am
Location: Malaysia

Post Posted August 1st, 2004, 10:42 pm

The branch is created.. probably another security fix release...

Go go firefox!

logan

 
Posts: 3453
Joined: May 22nd, 2003, 3:51 pm
Location: NGC 2403

Post Posted August 1st, 2004, 10:44 pm

Not probably, it is for security bits and likely only security bits.

In the works: Mozilla 1.4.3, 1.7.2, and Firefox 0.9.3 (?).

So far, the following have been fixed:
http://bugzilla.mozilla.org/show_bug.cgi?id=249004
http://bugzilla.mozilla.org/show_bug.cgi?id=253121
http://bugzilla.mozilla.org/show_bug.cgi?id=250906

A recent issue was brought up with mastercard and a few other sites, but that's marked as WONTFIX:
http://bugzilla.mozilla.org/show_bug.cgi?id=252185

And the more recent (not really) xul "phishing" bit, which has no resolution:
http://bugzilla.mozilla.org/show_bug.cgi?id=22183

I don't know how long they want to wait for the releases of the aforementioned versions...

--edit--

Looks like there's more than just the security updates, check keywords for:
fixed1.7.3 (23 bugs so far): http://bugzilla.mozilla.org/buglist.cgi?product=Browser&keywords_type=allwords&keywords=fixed1.7.3&bug_status=RESOLVED&bug_status=VERIFIED&bug_status=CLOSED&resolution=FIXED
fixed1.4.3 (17): http://bugzilla.mozilla.org/buglist.cgi?product=Browser&keywords_type=allwords&keywords=fixed1.4.3&bug_status=RESOLVED&bug_status=VERIFIED&bug_status=CLOSED&resolution=FIXED

I've not seen any Firefox 0.9.3 keywords attached to these bugs.
Last edited by logan on August 2nd, 2004, 8:07 am, edited 4 times in total.

Knightley
 
Posts: 5
Joined: August 1st, 2004, 10:42 pm

Post Posted August 1st, 2004, 10:45 pm

I'm annoyed. Why can't they just get it right? Grr. Now I have to download the new version. It gets annoying.

lynchknot
 
Posts: 6253
Joined: November 4th, 2002, 7:36 pm

Post Posted August 1st, 2004, 10:46 pm

You should entitle this thread, "Firefox 0.9.3 is not out yet" - lol

Catfish_Man
 
Posts: 230
Joined: August 25th, 2003, 7:13 pm

Post Posted August 1st, 2004, 10:49 pm

Knightley wrote:I'm annoyed. Why can't they just get it right? Grr. Now I have to download the new version. It gets annoying.


No one ever gets software right. It's probably not possible, except in cases like the various Hello World programs, or maybe a simple command line calculator.

<edit>
Security is especially hard. I've heard of someone cracking a password via the following method:

A password field is displayed, and when a button is pressed the password is sent to the computer to be checked if it's correct. The computer checks each letter, and stops if that letter doesn't match the correct password. If all of them are correct, then the password is correct. Simple enough, right?

The hacker measured the amount of time it took the computer to decide each password he tested (via an automated method) was wrong. If it was wrong in the first letter, it would be almost instant since it only checked one letter. If it was wrong in the last letter, it would take a tiny bit longer. By using this method, he could work out the letters of the password one by one.

Obviously it could be fixed by having the computer check all the letters of the password, even if an early one was wrong. The tricky part is thinking of this before it's exploited.

Is this an urban myth? Probably (I have no idea). Does it demonstrate how difficult thinking about security in software is? I think so.
</edit>
Last edited by Catfish_Man on August 1st, 2004, 10:54 pm, edited 1 time in total.
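
The letter-by-letter check described in the post above, next to the "check all the letters" fix, as an added example that is not part of the original post. The sample password, guesses and function names are constructed for illustration, and the count of letters examined stands in for the elapsed time an observer would measure.

```python
import hmac

SECRET = "hunter2!"  # constructed sample password, not from the thread

def early_exit_equal(candidate, secret):
    """Check as described in the post: stop at the first wrong letter.
    Returns (match, letters_examined)."""
    if len(candidate) != len(secret):
        return False, 0
    examined = 0
    for a, b in zip(candidate, secret):
        examined += 1
        if a != b:
            return False, examined
    return True, examined

def full_scan_equal(candidate, secret):
    """Fix proposed in the post: look at every letter even after a mismatch."""
    c, s = candidate.encode(), secret.encode()
    diff = len(c) ^ len(s)          # a length difference also counts as a mismatch
    examined = 0
    for i in range(len(s)):
        examined += 1
        diff |= (c[i] if i < len(c) else 0) ^ s[i]
    return diff == 0, examined

def library_equal(candidate, secret):
    """What to call in real code: the standard library's constant-time compare."""
    return hmac.compare_digest(candidate.encode(), secret.encode())

def work_profile(check, guesses, secret=SECRET):
    """Letters examined per guess; a stand-in for the time an observer measures."""
    return [check(g, secret)[1] for g in guesses]

# Constructed guesses with 0, 2, 4, 7 and 8 correct leading letters.
GUESSES = ["xxxxxxxx", "huxxxxxx", "huntxxxx", "hunter2x", "hunter2!"]

if __name__ == "__main__":
    print("early exit:", work_profile(early_exit_equal, GUESSES))
    print("full scan: ", work_profile(full_scan_equal, GUESSES))
    print("library:   ", [library_equal(g, SECRET) for g in GUESSES])
```

With the early-exit check, the work done grows with the number of correct leading letters; with the full scan it is the same for every guess, so it no longer reveals how much of the guess was right.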

logan

 
Posts: 3453
Joined: May 22nd, 2003, 3:51 pm
Location: NGC 2403

Post Posted August 1st, 2004, 10:50 pm

Knightley wrote:I'm annoyed. Why can't they just get it right? Grr. Now I have to download the new version. It gets annoying.

Get what right? How do you expect them to foresee these problems? Deal with it.

Knightley
 
Posts: 5
Joined: August 1st, 2004, 10:42 pm

Post Posted August 1st, 2004, 10:53 pm

Logan, you don't have to be rude. I was just asking a question, heaven forbid if anyone asked questions.

xN8x

 
Posts: 311
Joined: July 12th, 2004, 9:41 pm
Location: Wisconsin

Post Posted August 1st, 2004, 10:55 pm

IE's track record for "getting it right" is marvelous *sarcasm* lol
Last edited by xN8x on August 1st, 2004, 10:59 pm, edited 2 times in total.

Knightley
 
Posts: 5
Joined: August 1st, 2004, 10:42 pm

Post Posted August 1st, 2004, 10:56 pm

At least they don't release a new version every month!

Catfish_Man
 
Posts: 230
Joined: August 25th, 2003, 7:13 pm

Post Posted August 1st, 2004, 10:59 pm

Knightley wrote:At least they don't release a new version every month!


I've seen several new IE "versions" (aka security patches) in one week before. Perhaps a patching system could cut the download size for updates down... (of course, some of the IE patches are bigger than Firefox, but that's not necessarily something wrong with the patching system)

steeler_fan

 
Posts: 1189
Joined: June 15th, 2003, 11:00 am
Location: Pixburgh

Post Posted August 1st, 2004, 11:00 pm

What's the branch name?

Ah, found it. FIREFOX_0_9_3_BRANCH.

Checkins

Better link, Checkins to 1.7.2 branch. This one shows the bug numbers, rather than just "merging changes".
Neil

rfrangioni77

 
Posts: 1510
Joined: January 5th, 2004, 1:48 am
Location: Bumdumbourge, near Totalslava

Post Posted August 2nd, 2004, 12:14 am

Knightley wrote:At least they don't release a new version every month!


No, you're right...they release new versions every four years or so.

Robert S.

 
Posts: 4399
Joined: April 24th, 2004, 3:04 am
Location: Bay Area, CA

Post Posted August 2nd, 2004, 12:20 am

They've released new versions? Oh that's right... the numbers changed.

gengish

 
Posts: 145
Joined: July 14th, 2004, 2:27 pm

Post Posted August 2nd, 2004, 2:00 am

Catfish_Man wrote:Is this an urban myth?


I guess so. I've never heard of a "time based" password cracking method. I mean, it would be a brute-force attack anyway, which means that you have to try each combination of letters, numbers and symbols until you pick the right one; the longer the password, the longer it takes to discover it.

DaCypher
 
Posts: 195
Joined: January 11th, 2004, 10:21 pm

Post Posted August 2nd, 2004, 2:27 am

Catfish_Man wrote:
Knightley wrote:I'm annoyed. Why can't they just get it right? Grr. Now I have to download the new version. It gets annoying.


No one ever gets software right. It's probably not possible, except in cases like the various Hello World programs, or maybe a simple command line calculator.

<edit>
Security is especially hard. I've heard of someone cracking a password via the following method:

A password field is displayed, and when a button is pressed the password is sent to the computer to be checked if it's correct. The computer checks each letter, and stops if that letter doesn't match the correct password. If all of them are correct, then the password is correct. Simple enough, right?

The hacker measured the amount of time it took the computer to decide each password he tested (via an automated method) was wrong. If it was wrong in the first letter, it would be almost instant since it only checked one letter. If it was wrong in the last letter, it would take a tiny bit longer. By using this method, he could work out the letters of the password one by one.

Obviously it could be fixed by having the computer check all the letters of the password, even if an early one was wrong. The tricky part is thinking of this before it's exploited.

Is this an urban myth? Probably (I have no idea). Does it demonstrate how difficult thinking about security in software is? I think so.
</edit>

I have never heard of a password authentication method that worked as you described. First off, given the network latencies there would be absolutely no way of someone being able to differentiate the time it took to compare 5 characters or 6 (this is such a speedy operation, you would have trouble timing this on the local machine). Second, just about any semi-intelligent site will use some form of encryption for their passwords. Just about every encryption algorithm that I know of uses the entire string to create the hashed value so that the encrypted version of "password" looks nothing like "passwor" (and therefore cannot do a single character comparison as described above).
