BandHeight

join:2004-08-30

1 edit

1 recommendation

reply to Mele20

Re: Firefox 3 honors Windows Security Zones...

said by Mele20:

The important thing here is that the Attachment Manager in XP Pro SP2 doesn't work. I've read the Microsoft article and it doesn't work. I've checked group policy and under Administrative Templates: Attachment Manager it says:

But Windows does not mark the file attachments on my XP computer whether I use IE8 or Fx3.
I don't know what else to tell you or how many screen-shots have to be posted before you recognize that there must be something different about the way you have your computer set-up that is causing your particular issue. A blanket statement that it is "not working" in XP SP 2 cannot be made.

I'm not saying these apply to you, but here may be some possibilities as to the behavior you are seeing (or not seeing):

- The files are being saved to a non-NTFS partition.

- Changing any relevant OS settings may require you to close the browser and restart it for the changes to become effective (be sure all associated windows, e.g., the DL Manager window or Add-ons window, are also closed).

- As I found after testing, and as I mentioned here in response to HA Nut's question about how the AV scanner works (emphasis added here):

said by BandHeight:

It uses the IAttachmentExecute::CheckPolicy method that has been discussed in this thread (and falls back on IOfficeAntiVirus if IAttachmentExecute::CheckPolicy isn't available ... at least I think the fallback made it into the final version). If I've followed the bug reports correctly, IOfficeAntiVirus was the early go-to method, but was swapped in favor of IAttachmentExecute::CheckPolicy for various reasons later on.

I'm sure you asked about this without realizing that the Zone policy adherence and the anti-virus scanning functionality are tied together by virtue of the OS methods they utilize.
That has a lot of implications, but what it means in practice is that if you set the FF 3.0 About:Config setting, "browser.download.manager.scanWhenDone", to false no ADS tags will be written and no download scans will occur.

I cannot speak about IE 8, and anything it does in beta stage shouldn't be extrapolated to "XP SP 2" doesn't work. This is especially true since you still haven't been able to get other browsers to behave the way we have shown you they can behave on SP 2.

said by Mele20:

the policy would still be irrelevant and not work because I routinely remove all ADS from any downloaded file BEFORE I scan with my AV and before I execute it.
This is a personal choice. I respect it.

said by Mele20:

Your on access AV will scan it so what is the point of the Access Manager and what is Mozilla's point in trying to use it? It is absurd redundancy.
I don't find it necessary, either, on my system because I do run on-access monitors. However, I do recognize that some people may not run on-access scanners for any number of reasons, so I certainly cannot agree that it is "absurd", and it is only "redundant" for some people. Lots of download managers provide this functionality, albeit not through OS methods (usually via the user hard coding AV command lines into the DL manager's options). It's there if the user wishes to use it.

said by Mele20:

We already have several questions in the Avira forum about how awful it would be if Webguard scans the file, then the Fx3 Download Manager calls Avira to scan it again ...
I am not willing to make any generalized statements, but in my brief experience with testing (as I stated previously), Avira Free does not seem to be communicating with the OS in such a way that FF 3 or IE 7 can call it anyway. I do, however, know for a fact that the scanning feature is working in IE 7 and FF 3.0 because another malware product did work (specifically, Windows Defender).


HA Nut
Premium
join:2004-05-13
USA
reply to HA Nut
Thanks to all for the information to date. I have learned a great deal. When FF 3 was said to have hundreds (or was it thousands?) of changes over FF 2, they weren't kidding!

I found it interesting that FF 3 is using the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments ScanWithAntiVirus registry entry. Also interesting is that some well known/well thought of AV makers don't support the feature (two examples... BandHeight's Avira and my NOD32.) (In my own case, I'm not too concerned about it as I know that NOD32 runs an HTTP scanner and scans all downloaded files anyway.)

It was great to finally understand why Windows Defender found the Eicar test virus (when I have downloaded it in the past on PCs with Defender on them.) Normally, Defender signaled on system changes, not on file downloads.

OZO
Premium
join:2003-01-17
kudos:2
reply to BandHeight
said by BandHeight:

I think the misunderstanding is that Zone Policy is not an option or function of the browser (not IE or FF or any other browser). It is the function of the operating system.
No, it is not. It is not a function of the OS unless of course you think that IE is part of the OS. It's a function of a browser. It's the IE browser that has separate security settings for different web sites it visits, and it's IE that made up the 3 so-called zones (trusted web sites, common Internet sites, restricted sites). Other browsers may make different determinations regarding their security settings for different web sites.

It's not a function of the computer operating system to make those determinations. The computer's OS doesn't know web sites!! The fact that there are two programs (IE and WE) that have been developed by the same manufacturer that made the OS itself doesn't make it so.

- Any execution of a file marked with an ADS Zone 3 tag will cause a prompt to be issued by the operating system, not by the specific internet browser (e.g., FF or IE) nor by a specific file browser (WE, PowerDesk, etc.).
The prompt is issued by a program manager (Windows Explorer) and not by the OS. Try to execute a :Zone.Identifier marked file in e.g. a CMD window. And, BTW, you can easily replace WE by a different program manager (and the OS is still running, of course)...

You again misunderstand the roles of different parts of OS and OS itself. Some folks think that OS is a desktop they see and it's better when desktop icons are bigger and brighter... I hope you do not fall into that category.

Finally, why should FF 3.0 developers try to recreate the whole system over again as you seem to suggest?
Again, because it's not a function of OS to differentiate web sites(!) on different categories. And again, it's done not by the OS, but by its web browser IE (adding ADS to downloaded files) and by its program manager - WE (interpreting ADS when it's been asked to execute the file). Firefox is a different browser which brings a different perspective on security model of the Internet (which is good by itself). That's why I expect from FF its own handling of security, and not a simulation of some other programs (like IE and WE).

And finally, if FF "honors" security zones on IE, don't you think it should offer a way to configure those zones. Does it have plans to do so? I don't think so... Thus, is it the right direction to move for FF?
--
Keep it simple, it'll become complex by itself...


Ctrl Alt Del
Premium
join:2002-02-18
kudos:1
said by OZO:

No, it is not. It is not a function of the OS unless of course you think that IE is part of the OS. It's a function of a browser. It's the IE browser that has separate security settings for different web sites it visits, and it's IE that made up the 3 so-called zones (trusted web sites, common Internet sites, restricted sites). Other browsers may make different determinations regarding their security settings for different web sites.
IAttachmentExecute is exposed through the file shdocvw.dll (Source: »msdn.microsoft.com/en-us/library ··· 85).aspx )

Shdocvw.dll supplies the functionality associated with navigation, in-place linking, favorites and history management, and PICS support. This DLL also exposes interfaces to its host to allow it to be hosted separately as an ActiveX control. The Shdocvw.dll component is more frequently referred to as the WebBrowser Control. In-place linking refers to the ability to click a link in the HTML of the loaded document and to load a new HTML document in the same instance of the WebBrowser Control. If only Mshtml.dll is being hosted, a click on the link results in a new instance of the browser. (Source: »msdn.microsoft.com/en-us/library ··· 85).aspx )

However, IAttachmentExecute is not tied, in any way, to Internet Explorer. Internet Explorer makes use of IAttachmentExecute from a file that deals with HTML and hyperlinking. IExplore.exe is at the top level; it is a small application that is instantiated when Internet Explorer is loaded. This executable application uses Internet Explorer components to perform the navigation, history maintenance, favorites maintenance, HTML parsing and rendering, and so on, while it supplies the toolbar and frame for the stand-alone browser. IExplorer.exe directly hosts the Shdocvw.dll component. (Source: »msdn.microsoft.com/en-us/library ··· 85).aspx )

shdocvw.dll is a system shared component for anything that needs HTML or hyperlinking (which includes Outlook, the Help system). shdocvw.dll is not Internet Explorer. shdocvw.dll is one of many components that make up Internet Explorer. Saying that shdocvw.dll (component) is the same as Internet Explorer (application) is like saying Hydrogen (H, atom) is the same as Water (H2O, molecule). Thus, I say that IAttachmentExecute is a feature provided by the operating system in a resource that is currently used by the supplied web browser, email system, etc.

said by OZO:

The prompt is issued by a program manager (Windows Explorer) and not by the OS. Try to execute a :Zone.Identifier marked file in e.g. a CMD window. And, BTW, you can easily replace WE by a different program manager (and the OS is still running, of course)...
That is because it is the responsibility of the launcher (Windows Explorer) to make use of IAttachmentExecute. Old code or code that ignores this feature do not explicitly make use of the Prompt method. (Source: »msdn.microsoft.com/en-us/library ··· 85).aspx )

Microsoft probably didn't want every single executable to be put through IAttachmentExecute (which would be stupid, costly, and slow), so instead of putting in deep into the OS (kernel?), it's a higher level API that should be called before the OS runs the downloaded file.
--
less talk, more music

BandHeight

join:2004-08-30

2 edits
reply to OZO
said by OZO:

No, it is not. It is not a function of the OS unless of course you think that IE is part of the OS.
No. In this case, I am trying to make a distinction between IE and the rest of the components that ship as part of Windows. Here is how I tried to delineate for purposes of this discussion (for another topic, I may not have taken this tack):

- Apps installed on Windows that may interact with the zone policy and attachment policy, i.e., Internet Explorer, FireFox, OutlookExpress, Outlook, etc.

- The rest of the system ("the OS") including the kernel, the shell, user interface, etc.

The APIs that are available to IE with regard to zone policy and attachment policy are available to all installed applications via the Windows API.

The zone policy and attachment policy require at minimum two things:

1. a mechanism to tag files with zone information per policy
2. a mechanism to interpret the zone information and respond accordingly per policy

Item 1 is most logically taken care of by the client application that first acquires the file. However, that is not limited to Internet Explorer, and any application can use the API.

Item 2 happens outside the originating application, and furthermore, does not care how the files came to be tagged. More explicitly, this function does not care whether the tags came from IE, FF, or whether they were manually tagged.

For me, that suggests a system policy not an Internet Explorer-only policy. An expectation that all files on the system respond to my security settings in the same fashion regardless of which application downloaded them is not an unreasonable expectation. I believe that is why Mozilla chose to implement its features in FF 3.0.

said by OZO:

It's not a function of computer operating system to make those determinations. Computer's OS doesn't know web sites!!
But the API provided by Windows to determine the zones and tag the files is available to any application that wishes to use them. And components of the operating system do know zones because part of the whole security process is to tag the files so the zone can be known outside the application that originally acquired the file.

said by OZO:

The prompt is issued by a program manager (Windows Explorer) and not by the OS. Try to execute a :Zone.Identifier marked file in e.g. a CMD window. And, BTW, you can easily replace WE by a different program manager (and the OS is still running, of course)...
I agree with you that the zone stuff doesn't work from a command prompt, but that was originally pointed out to MS as a security flaw when SP 2 was first released. MS was evidently happy to have only the GUI respond to the policy. I have never argued that the implementation is absolutely secure; that is another topic.

said by OZO:

You again misunderstand the roles of different parts of OS and OS itself. Some folks think that OS is a desktop they see and it's better when desktop icons are bigger and brighter... I hope you do not fall into that category.
I'm not. I use Arch Linux as my primary system, and I am pretty careful about discussions involving various components. I don't think people generally view Windows XP components as so separable, but for this discussion (and for legal reasons - see US vs Microsoft), Internet Explorer is just a browser, separate and apart from the rest of the OS (per my above definition).

said by OZO:

Firefox is a different browser which brings a different perspective on security model of the Internet (which is good by itself). That's why I expect from FF its own handling of security, and not a simulation of some other programs (like IE and WE).
Mozilla did have a different perspective. It ignored the security model of the platform on which it was installed up until version 3 (if it was installed on a Windows PC). The developers likely felt that IT admins were ignoring FF in favor of IE because FF heretofore ignored the policy. Is that a correct assumption? I don't know. But it seems to me that what they have decided to do is not a simulation of the policy, it is an integration into the policy using the available APIs.

Edit:
Fixed paragraph alignment, spelling

OZO
Premium
join:2003-01-17
kudos:2
reply to Ctrl Alt Del
said by Ctrl Alt Del:

shdocvw.dll is a system shared component for anything that needs HTML or hyperlinking (which includes Outlook, the Help system). shdocvw.dll is not Internet Explorer. shdocvw.dll is one of many components that make up Internet Explorer. Saying that shdocvw.dll (component) is the same as Internet Explorer (application) is like saying Hydrogen (H, atom) is the same as Water (H2O, molecule). Thus, I say that IAttachmentExecute is a feature provided by the operating system in a resource that is currently used by the supplied web browser, email system, etc.
You've made a lot of efforts explaining what shdocvw.dll is and why it's not IE, but, at the same time, why it's an important component for an HTML browser.

Let me ask you a question - why FF doesn't use that important component then?

Isn't that because the security model of IE (based on mentioned component) is flaky (as many of users see it, I'm not one of them, BTW) and over-convoluted (as I see it) to the level that the user needs something different? If the reason to develop a new browser is not an offering of a new security model, then why do that at all? If the answer is "yes, it's not what we need", then why there is an urge to repeat the same security model in the FF.3?

Some browsers (e.g. Maxthon or MyIE) do benefit from that component (shdocvw.dll). Many web site developers will then say a big thanks for not developing and testing their sites for two different rendering engines used by IE and FF. I know they certainly will appreciate *that* simplification (there are other drawbacks though)... So, why do we need yet another browser (FF.3) that is based on the same security model as IE, but offering a different rendering engine (a headache for web developers and users, who suffer from various formattings of web pages in different browsers)?

P.S. Sorry, but this post looks more like a rant from my side leading away from the subject of the thread, so you may want not to answer the questions above...

--
Keep it simple, it'll become complex by itself...

OZO
Premium
join:2003-01-17
kudos:2

1 recommendation

reply to BandHeight
Again, if FF developers want to support security zones that come with IE, how will they manage those zones? Via IE?
--
Keep it simple, it'll become complex by itself...

BandHeight

join:2004-08-30
said by OZO:

Again, if FF developers want to support security zones that come with IE, how will they manage those zones? Via IE?
said by OZO with strike-through / emphasized correction by BandHeight:

Again, if FF developers want to support security zones that come with IE Windows and is made available to all applications through the Windows API, how will they manage those zones? Via IE?
I stated in my very first post (referring to the MozillaZine link that directs the user on how to change settings):

said by BandHeight:

Pointing the user to a GUI that associates the settings with an IE icon (as well as being mixed in with other policies that FF does not adhere to) so that the settings can be adjusted is very, very clumsy.
However, despite its drawbacks and upon further reflection, I think ultimately that there are so many different places to change related settings that adding to this with a separate FF interface may be more confusing than helpful in some cases. For example, a separate FF interface would give the illusion that its settings only affected FF, but integration with the system via the Windows APIs means that changing them in FF changes them for all applications that use the API. That, by the way, is at the heart of the argument that this is not an IE-only policy. Changing the settings, regardless of where they are set, impacts all applications that use the APIs.

Windows provides a number of generic and semi-generic places to change zone policy and related settings outside of Internet Explorer as well as directly through Internet Explorer:

- Internet Options GUI via the Control Panel
- Group Policy console
- Directly editing the registry
- Internet Options GUI via Internet Explorer menus

Using the Windows interfaces directly also reinforces that FF is integrating into the existing system rather than just recreating a different version of it.

I can definitely understand your point of view, and I believe that behind the scenes, there was an even more heated debate among the Mozilla team on how to proceed (or to even proceed at all) with this functionality.

Just as a final note (final ... hmm, I doubt it), I do think a Master ON / OFF switch in the About:Config interface that is not tied to the AV scanner or any other option would be very appropriate. Something along the lines of:

security.policy.honorWindows false

OZO
Premium
join:2003-01-17
kudos:2
What I'm trying to say is turning ON / OFF switch is just a tip of the iceberg for security zone configuration. It's considerably deeper than that. In this development if you said 'A', then you should say 'B' as well (if you know what I mean).

E.g. how is FF supposed to put a variety of web sites into different security zones (as a part of zone security management), or how do they even define them (zones) with security settings? Where is the dialog box that will be offered to FF users to change all (and there are plenty) security settings for different zones? Saying - open IE (or use Control Panel to run the "Internet Properties" dialog box, which is the same) and adjust those settings, I hope, is not an option here... And I agree with you that a separate FF interface may be more confusing than helpful in some cases.

That why I've said earlier - is it the right direction to move for FF? And I'm not positive that it is...

And finally, FF integrating into the existing system rather than just recreating a different version of it is not what I want to happen. We already have one web browser that some claim is an integrated part of the OS. I do not want to have yet another one with the same claim. A web browser should not be an integrated part of any OS. That's my strong opinion.
--
Keep it simple, it'll become complex by itself...

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:6
reply to BandHeight
I finally got it to work partially. (Not the AV scanning because Avira doesn't do that but I now see the ADS on the file).

I'm embarrassed to say that the problem was that I hardly ever open IE8 because it is soooo crippled (back button doesn't work, can't select part of auto quote here to delete, can't, can't, can't, ...about all IE8 can do unless you emulate IE7, which I don't want to do, is display a page and you can read the page but not do anything and not want to use the back button either). So, because I hardly ever open it, I was under the impression that I had changed the IE setting back to prompt. But evidently I had not as when I finally opened IE8 a few minutes ago, it wouldn't load my tabs and said I had unsafe settings and it was that one setting I had changed from prompt to disabled when I first read this thread. So, after putting it back to prompt, I tried Fx3 and downloaded an eicar zip file (with Avira Guard disabled so I could download it) and then I looked at the properties of the file and it shows an ADS tag. I ran the file so something is still not working right as I should have been stopped or warned at least right?

(Fx3 is acting nutty again and it continually loads this site and others but this site is the worst. I switched to my host computer with Fx 1.5 and this site loads just fine. IE8 is continually loading this site also on my guest machine).
--
"The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason

BandHeight

join:2004-08-30

1 recommendation

reply to OZO
said by OZO:

What I'm trying to say is turning ON / OFF switch is just a tip of the iceberg for security zone configuration. It's considerably deeper than that. In this development if you said 'A', then you should say 'B' as well (if you know what I mean).
Yes. It goes much deeper than that. My proposal concentrated on the ability to cleanly and clearly provide a means to turn off the functionality. Changing the value to "true", however, does get us back to the question of, "What interface do we use to change the settings?". For better or for worse, for now it is only available through the Windows interface.

said by OZO:

And finally, FF integrating into the existing system rather than just recreating a different version of it is not what I want to happen. We already have one web browser that some claim is an integrated part of the OS. I do not want to have yet another one with the same claim. A web browser should not be an integrated part of any OS. That's my strong opinion.
Nothing wrong with a strong opinion.

"Integration" brings some strongly negative connotations in the context of Internet Explorer. Integration that forces users into something they may not wish or that stifles fair trade and competition is the kind we don't want to see. On the other hand, integration can be good, integration has many different tiers from loose-integration to breaks-if-you-remove-it-integration, and all software that is installed on any platform has to "fit in", so to speak, on some level to even run.

A very simple and benign bit of integration, I think you will agree, is that FF 3.0 looks different in Windows versus its appearance in Linux, even going as far as foregoing the new style back-forward buttons in Linux so that it fits in better with the Linux environment (that, of course, is the Mozilla team's opinion).

Let's just say that integration is an integral (pun intended) part of computing. The good news in the case under discussion here is that the integration does not approach the level of integration (the really bad kind) usually implied when discussing IE and Windows.


Ctrl Alt Del
Premium
join:2002-02-18
kudos:1
reply to OZO
said by OZO:

You've made a lot of efforts explaining what shdocvw.dll is and why it's not IE, but, at the same time, why it's an important component for an HTML browser.

Let me ask you a question - why FF doesn't use that important component then?
Because Firefox uses its own HTML rendering engine: Gecko. Firefox is an entire web browser with no dependencies on external components. If Firefox used shdocvw.dll, then it could become another browser that is basically a new shell on top of the core from IE (Maxthon, MyIE).

This Wikipedia article does a good job at describing the IE architecture: »en.wikipedia.org/wiki/Internet_E ··· itecture

Files hosted by the Internet Explorer main executable, iexplore.exe:
- WinInet.dll: handles HTTP and FTP.
- URlMon.dll: handles MIME-type stuff.
- MSHTML.dll: contains the Trident rendering engine which is responsible for displaying the pages on-screen and handling the Document Object Model of the web pages.
- ShDocVw.dll: provides the navigation, local caching and history functionalities.
- BrowseUI.dll: responsible for the browser user interface, including the browser chrome, which houses all the menus and toolbars.

ShDocVw.dll also apparently contains the API for the Attachment Manager. I guess it made the most sense to stick a feature that deals with downloaded files in a DLL that is used by IE.

said by OZO:

Some browsers (e.g. Maxthon or MyIE) do benefit from that component (shdocvw.dll). Many web site developers will then say a big thanks for not developing and testing their sites for two different rendering engines used by IE and FF. I know they certainly will appreciate *that* simplification (there are other drawbacks though)... So, why we need yet another browser (FF.3) that is based on the same security model of IE, but offering a different rendering engine (a headache for web developers and users, who suffer from various formattings of web pages in different brothers)?
Because it's good to have choice? Yes, Firefox is a different web browser with its own rendering engine. But, that's why we have web standards. Some web browsers aren't as good as others, but aside from nuances, both give you a webpage with the important stuff in the right place.
--
less talk, more music

OZO
Premium
join:2003-01-17
kudos:2
reply to HA Nut
And here is one more issue which I think is very important and unfortunately was missed in this thread - and it's portability. I need a portable web browser that I may take with me to any place (with all my configuration settings, especially security settings) and run it there. I will never achieve this with IE (without its total sandboxing, which is quite difficult to obtain in an uncontrolled environment). If FF starts to rely on an uncontrolled environment, "honoring" its settings, I do not need such a browser and will go with Opera or something else. Sorry...

P.S. As you have probably noticed from all my posts (not only from this thread) - my main browser is IE. I use FF as a portable browser, to test compatibility issues and to visit sites that do not offer proper IE support (yes, there are some).
--
Keep it simple, it'll become complex by itself...

BandHeight

join:2004-08-30

3 edits
said by OZO:

And here is one more issue which I think is very important and unfortunately was missed in this thread - and it's portability. I need a portable web browser that I may take with me to any place (with all my configuration settings, especially security settings) and run it there. I will never achieve this with IE (without its total sandboxing, which is quite difficult to obtain in an uncontrolled environment). If FF starts to rely on an uncontrolled environment, "honoring" its settings, I do not need such a browser and will go with Opera or something else. Sorry...
We noticed it. But from a different angle.

What you say:
"I can't run my browser in this [potentially] unsafe environment because it will adopt that environment's settings."

What an IT admin might say:
"I don't want you to run your browser on my machine without adopting the environment's settings because your browser's settings may be unsafe. More importantly, your USB drive might be infected, blah blah..."

It's all about perspective, I suppose.

BUT ... does it matter anyway (from your perspective)? Let's see:

- FF is really only honoring policy in regard to downloads / attachments. This may not make FF 3.0 safer, but it certainly doesn't make it any less secure, especially since it heretofore ignored the policy anyway (meaning it operated in the equivalent of the zone policy's least restrictive zone).

- I don't really know how FF 3.0 would behave as a portable application. It may "know", even without modification, it's not installed on the host and therefore does not change its behavior to match the host machine's policy.

Beyond that, FF gets some modifications to it in order for it to be portable (e.g., it gets its disk cache disabled, among other things), so the same thing would apply in regard to zone policy.

To make this most effective, I still say that there should be a Master On / Off option. As it stands now, simply setting:

browser.download.manager.scanWhenDone false

is problematic:

- it turns off AV scanning, which is expected
- it impacts FF zone policy functionality, which is unexpected and even perhaps baffling unless you know that they share common APIs
- it impacts FF zone functionality, but only partially, e.g., it prevents ADS from being embedded in files, but it still honors the blocking of downloads from URLs in Zone 4 (at least per my testing).

Maybe there is already another option somewhere that does what I suggest, but I am unaware of it.

BandHeight

join:2004-08-30
reply to Mele20
said by Mele20:

I finally got it to work partially. (Not the AV scanning because Avira doesn't do that but I now see the ADS on the file).
Cool.

said by Mele20:

... and said I had unsafe settings and it was that one setting I had changed from prompt to disabled when I first read this thread. So, after putting it back to prompt ...
Hmm. Changing "Launching applications and unsafe files" to "Disabled" isn't unsafe (it's actually the "safest" setting) and shouldn't be issuing a warning in your GUI (e.g., "Your security settings put your computer at risk" should not show up). Setting "Launching applications and unsafe files" to "Enabled (not secure)", as the name may suggest, does cause the settings to be flagged as unsafe.

Anyway, yes, setting "Launching applications and unsafe files" to "Prompt (recommended)" is what you need for the test you are conducting.

said by Mele20:

... then I looked at the properties of the file and it shows an ADS tag. I ran the file so something is still not working right as I should have been stopped or warned at least right?
You should be getting the prompt after executing the file. Keep digging around. Something's still a little funky.

OZO
Premium
join:2003-01-17
kudos:2
reply to BandHeight
said by BandHeight:

What you say:
...
What an IT admin might say:
...
It's all about perspective, I suppose.
I agree. Then it comes to the browser developers' attitude (or their perspective). They may say - the IT admin is right, and therefore has all the rights, including whatever the IT admin wishes - "I want to know all your browsing history - past, present and future (saved links and autocompletes)", "I need to know all your passwords so that, in case you forget them, I'll help you...", etc.

It's done in IE (and that's the reason why I'm looking for a substitute). If it's FF future policy as well, then well... It's good for a corporate environment, but certainly not for a private user.

- FF is really only honoring policy in regard to downloads / attachments. This may not make FF 3.0 safer, but it certainly doesn't make it any less secure, especially since it heretofore ignored the policy anyway (meaning it operated in the equivalent of the zone policy's least restrictive zone).
Do you really mean Trusted zone (or zone #2)? Do they save ADS with ZoneID=2 line?

Beyond that, FF gets some modifications to it in order for it to be portable (e.g., it gets its disk cache disabled, among other things), so the same thing would apply in regard to zone policy.
Now, that's finally the right direction to move. I mean to make FF portable. But then forget about zone configuration, which is saved in the registry.
--
Keep it simple, it'll become complex by itself...


redxii
Premium,Mod
join:2001-02-26
Sherwood, MI
reply to HA Nut
That's funny, I thought I was using Firefox, not IE.

BandHeight

join:2004-08-30
reply to OZO
said by OZO:

Then it comes to the browser developers' attitude (or their perspective).
That is most important of all. So far, I'm still okay with FF, even with the new features (or regressions, again, depending on perspective). I've worked around things I don't like and embraced the things I do like.

I have no control over developers' direction and intentions for future versions of FF. There are some things I see currently as potentially troubling indications of the direction things are heading, but I'll react when appropriate (perhaps, as you say, by switching browsers).

said by OZO:

said by BandHeight:
- FF is really only honoring policy in regard to downloads / attachments. This may not make FF 3.0 safer, but it certainly doesn't make it any less secure, especially since it heretofore ignored the policy anyway (meaning it operated in the equivalent of the zone policy's least restrictive zone).
Do you really mean Trusted zone (or zone #2)? Do they save ADS with ZoneID=2 line?
Well, by least restrictive in this context, I could have meant any of the zones that have no impact on, or relevance to, file downloads or attachments. So, looking at the table of zones:


I could have been referring to anything below Zone 3.

And as far as I can tell, Zone 3 is the only identifier tagged onto files per policy as it is the only one that may require further action (e.g., prompting upon execution) once it is downloaded (see tangential note below).

said by OZO:

said by BandHeight:
Beyond that, FF gets some modifications to it in order for it to be portable (e.g., it gets its disk cache disabled, among other things), so the same thing would apply in regard to zone policy.
Now, that's finally the right direction to move :). I mean to make FF portable. But then forget about zone configuration, which is saved in the registry.
http://portableapps.com/
http://www.u3.com/

Note:

Minor points of interest:

- you can turn your list of Trusted Sites into Restricted Sites by setting "Launching applications and unsafe files" to "Disable" under the Trusted Sites tab

- you can turn your list of Restricted Sites into Trusted Sites by setting "Launching applications and unsafe files" to "Enable" under the Restricted Sites tab (this will get you a warning that "Your Security Settings Put Your Computer At Risk").
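The zone ids, the Zone 3 mark and the per-zone "Launching applications and unsafe files" setting discussed in this post can be checked without clicking through the GUI. The following is an added example, not code from the thread or from Mozilla: it parses the text of a Zone.Identifier stream (the ADS that carries the mark) and predicts what a given zone setting would do with the file. The stream bodies and the policy table are constructed; the script never reads a real NTFS stream (on Windows one can be read by opening `path + ":Zone.Identifier"`), and the registry action id 1806 with values 0/1/3 is the documented Enable/Prompt/Disable encoding of that setting.

```python
"""Parse Zone.Identifier stream text and predict the attachment-manager
outcome for a file under a given per-zone launch policy."""

import configparser
from typing import Dict, Optional

# URL security zone ids as written into Zone.Identifier by downloaders that
# use the attachment APIs; zone 3 and 4 are the ones that trigger prompts/blocks.
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}

# Values of the per-zone "Launching applications and unsafe files" setting
# as stored under Internet Settings\Zones\<id>\1806: 0 Enable, 1 Prompt, 3 Disable.
ENABLE, PROMPT, DISABLE = 0, 1, 3

# Constructed policy table (not Windows' defaults): one setting per zone id.
SAMPLE_POLICY: Dict[int, int] = {1: ENABLE, 2: ENABLE, 3: PROMPT, 4: DISABLE}


def make_zone_identifier(zone_id: int) -> str:
    """Build the stream body a downloader writes for a file from zone_id."""
    if zone_id not in ZONE_NAMES:
        raise ValueError(f"unknown zone id {zone_id}")
    return f"[ZoneTransfer]\r\nZoneId={zone_id}\r\n"


def parse_zone_identifier(stream_text: Optional[str]) -> Optional[int]:
    """Return the ZoneId from a Zone.Identifier stream body.

    None means the file carries no usable mark: no stream, no [ZoneTransfer]
    section, or a ZoneId that is not an integer.
    """
    if not stream_text:
        return None
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(stream_text.replace("\r\n", "\n"))
    except configparser.Error:
        return None
    if not parser.has_option("ZoneTransfer", "ZoneId"):
        return None
    try:
        return int(parser.get("ZoneTransfer", "ZoneId"))
    except ValueError:
        return None


def expected_action(zone_id: Optional[int], policy: Dict[int, int]) -> str:
    """Map a parsed zone id plus that zone's launch setting to run/prompt/block.

    An unmarked file (None) is treated as local and runs without a prompt.
    A zone missing from the policy table falls back to Prompt, the safe choice.
    This is also why setting Trusted Sites to Disable blocks, and Restricted
    Sites to Enable runs, exactly as observed in the post above.
    """
    if zone_id is None:
        return "run"
    setting = policy.get(zone_id, PROMPT)
    return {ENABLE: "run", PROMPT: "prompt", DISABLE: "block"}.get(setting, "prompt")


def audit_downloads(streams: Dict[str, Optional[str]],
                    policy: Dict[int, int]) -> Dict[str, str]:
    """Summarise an inventory of files and their Zone.Identifier contents.

    streams maps file name -> stream body (None when the file has no stream,
    e.g. after scanWhenDone was set to false or the file sits on a FAT volume).
    """
    report = {}
    for name, body in streams.items():
        zone = parse_zone_identifier(body)
        zone_name = "unmarked" if zone is None else ZONE_NAMES.get(zone, f"zone {zone}")
        report[name] = f"{zone_name}: {expected_action(zone, policy)}"
    return report


if __name__ == "__main__":
    # Constructed inventory standing in for the output of an ADS listing.
    inventory = {
        "setup.exe": make_zone_identifier(3),              # Internet download
        "tool.exe": make_zone_identifier(4),               # Restricted Sites download
        "intranet.msi": make_zone_identifier(1),           # Local Intranet download
        "notes.txt": None,                                 # no stream at all
        "odd.exe": "[ZoneTransfer]\r\nZoneId=three\r\n",   # malformed mark
    }
    for name, verdict in audit_downloads(inventory, SAMPLE_POLICY).items():
        print(f"{name:14} {verdict}")
```

The parser deliberately returns None for a malformed ZoneId rather than guessing, since a file whose mark cannot be read is indistinguishable from an unmarked one to the rest of the pipeline; if you want such files surfaced for review, treat None as "prompt" in `expected_action` instead.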

SUMware
Premium
join:2002-05-21
kudos:2
reply to BandHeight
said by BandHeight:

FF 3.0 looks different in Windows versus its appearance in Linux, even going as far as forgoing the new style back-forward buttons in Linux so that it fits in better with the Linux environment (that, of course, is the Mozilla team's opinion).
Mine, too. FF3 flows into Linux nicely on my shiny new openSUSE 11.0 IMO...

... and I'm so glad that, as a Linux user, I don't need to deal with any of the convoluted issues raised in this thread.

[but i don't think that the 'awesome bar' is]

BandHeight

join:2004-08-30

1 edit
said by SUMware:

... and I'm so glad that, as a Linux user, I don't need to deal with any of the convoluted issues raised in this thread.
Exactly.

said by SUMware:

[but i don't think that the 'awesome bar' is]

I don't know anybody who does (I guess maybe the mozilla team members that coded it). I'm as switched back to the old-style as can be accomplished with extensions and About:Config settings.

Edit:

I assumed you read all my posts, which is the wrong assumption, so I'll clarify here that my primary OS is Linux as well (Arch + Gnome or Openbox, though; haven't used SuSE since version 8.something and never installed OpenSuSE, so I don't know what FF 3.0 looks like in KDE if that is what you are using).

SUMware
Premium
join:2002-05-21
kudos:2

1 edit
said by BandHeight:

said by SUMware:

[but i don't think that the 'awesome bar' is]

I don't know anybody who does (I guess maybe the mozilla team members that coded it). I'm as switched back to the old-style as can be accomplished with extensions and About:Config settings.
Exactly.


sivran
Vive Vivaldi
Premium
join:2003-09-15
Irving, TX
kudos:1
said by SUMware:

said by BandHeight:

said by SUMware:

[but i don't think that the 'awesome bar' is]

I don't know anybody who does (I guess maybe the mozilla team members that coded it). I'm as switched back to the old-style as can be accomplished with extensions and About:Config settings.
Exactly.
Pssst. What is the awesome bar? I must not have noticed it when I tried FF3.
--
Think outside the fox...Seamonkey

BandHeight

join:2004-08-30
said by sivran:

Pssst. What is the awesome bar? I must not have noticed it when I tried FF3.
I'll bump the font so others can hear as well.

It's the term being applied to the location bar (I think it was referred to, perhaps unofficially, as the "almighty bar" during the beta phase ... now it's just "awesome").

There have been many complaints about the location bar in FF 3.0, some involving its appearance (without mods, it takes up a lot of real estate), some involving the search algorithm (it picks up a lot more results that some people don't want included), some involving the fact that it lists all URLs and not just the ones you manually type in, etc.

See here for some ways to get it back to the old-style as much as possible (the search algorithm is not modifiable, however):

»How to get yellow address bar with SSL in firefox 3


sivran
Vive Vivaldi
Premium
join:2003-09-15
Irving, TX
kudos:1
Oh, right. That thing. For some reason, I was thinking it was an actual toolbar or something. Opera 9.5 does the same thing. I find it useful on rare occasions but annoying most of the time. I'd want a way to quickly (read: not involving about:config) turn it on and off. Maybe even have it only behave that way if I typed words, rather than an address.

Thankfully my primary browser, SeaMonkey, doesn't bug me with such things.
--
Think outside the fox...Seamonkey

OZO
Premium
join:2003-01-17
kudos:2
said by sivran:

Thankfully my primary browser, SeaMonkey, doesn't bug me with such things.
I see your point.

I do not support the use of ADS at all. I think that by introducing those ADSs in SP2 m$ has actually opened Pandora's box. ADSs may be very easily misused. I hope we realize that, for example, under the Notepad.exe name a smart guy may hide folders and folders of any files (actually creating a whole new FS). And with the current state of public knowledge and tools to find and work with ADSs, it's obvious to me that it's a dangerous thing that is just waiting to show its ugly head...

I try to keep the number of ADSs on my NTFS at a minimum. I do not allow IE to create ADSs on my downloaded files. I know that I've downloaded them. And I do not need any reminder about that. There are probably a few files that currently have ADSs on my HD. And I watch them carefully.

That's why I think this tendency of Mozilla to embrace this move towards spreading ADSs is not the right thing for computer security. But, of course, they may not care...
--
Keep it simple, it'll become complex by itself...

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:6
reply to BandHeight
said by BandHeight:

Keep digging around. Something's still a little funky.

Avira is now invoked on Vista by Fx3 Download Manager. I watched it scanning (at least Download Manager showed my AV scanning so I assume it was scanning) during a download of a Microsoft Patch a little while ago. The patch is for IE8 which I also have on a machine with XP so I just now downloaded the patch on that machine. Avira was not invoked during the download by Fx3 Download Manager. I have the same settings for Firefox and IE on both versions of Windows.

There is a thread in the Avira forum where an Avira tech posted yesterday and said that the Fx3 problem was fixed (and was online) in regards to the Download Manager. He didn't elaborate so I still am puzzled as to why the scan is invoked on Vista but not XP.
--
"The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason


Herohtar

@sbcglobal.net
reply to HA Nut
You actually do not have to modify the Security Zones settings at all -- the browser.download.manager.scanWhenDone setting is responsible for adding the ADS. If you disable that, the zone information will no longer be added and you won't get the security warning.

More information can be found here: »blog.case.edu/bes7/2008/04/21/re ··· refox_30


HA Nut
Premium
join:2004-05-13
USA
reply to HA Nut
None of this discussion affects XP Home right? Since it doesn't support Group Policies?


jmorlan
Hmm... That's funny.
Premium,MVM
join:2001-02-05
Pacifica, CA
kudos:4
said by HA Nut:

None of this discussion affects XP Home right? Since it doesn't support Group Policies?
XP Home is affected. It's not Group Policies. It is about the security tab settings under "Internet Properties" accessible via Control Panel or IE. There are four zones; Internet, Local Intranet, Trusted Sites & Restricted Sites. FF3 now pays some attention to those security settings.
--
"All men are equal before fish." (Herbert Hoover)

BandHeight

join:2004-08-30
reply to Herohtar
said by Herohtar:

You actually do not have to modify the Security Zones settings at all -- the browser.download.manager.scanWhenDone setting is responsible for adding the ADS. If you disable that, the zone information will no longer be added and you won't get the security warning.

More information can be found here: »blog.case.edu/bes7/2008/04/21/re ··· refox_30
It works partially:

said by BandHeight:

To make this most effective, I still say that there should be a Master On / Off option. As it stands now, simply setting:

browser.download.manager.scanWhenDone false

is problematic:

- it turns off AV scanning, which is expected
- it impacts FF zone policy functionality, which is unexpected and even perhaps baffling unless you know that they share common APIs
- it impacts FF zone functionality, but only partially, e.g., it prevents ADS from being embedded in files, but it still honors the blocking of downloads from URLs in Zone 4 (at least per my testing).