Mele20
Premium
join:2001-06-05
Hilo, HI
| reply to BandHeight
Re: Firefox 3 honors Windows Security Zones...
said by BandHeight  :Well, the download / execute policy setting, though identified by MS as an IE setting in some of the GUIs where the policy can be changed, is actually a policy of the OS that was intended to be followed by other clients (email apps, browsers, etc.) that run on the system. Yes, Mozilla could have opted to not use that particular interface, but they seem to have their sights on business / office environments where admins expect the policy to be respected by installed software. I have no real problem with them respecting the settings, but they did not really provide an elegant solution for the user to ignore the policy when desired. Pointing the user to a GUI that associates the settings with an IE icon (as well as being mixed in with other policies that FF does not adhere to) so that the settings can be adjusted is very, very clumsy. Well, what will likely happen (per the usual progression) is that we'll be using FF 5 and you will, by then, have switched to FF 3. Why not just give your heart to it now instead of playing so hard to get all the time.  That article doesn't seem very relevant. It is talking about email attachments. Besides, IE has always been very unsafe as far as downloads go as you can RUN the download. In Fx you are REQUIRED to save to disk which is much safer. So, I don't see where Microsoft can get off telling Fx users how to handle downloads. That's just crap.
As for me embracing Fx3 "now"...damn good thing I have 1.5 on the host machine. Fx3 on my XP Pro SP2 virtual machine appears completely borked (although who knows it might work tomorrow). It can't load any pages...it tries and never finishes loading any site. Who knows what I did of the myriad of pref changes, etc. that borked it. I am just stunned at how much has to be changed in Fx3 to make it usable. I thought Fx2 had to have too many changes but it pales next to Fx3 and all the changes that must be made. Fx 1.5 is almost pefect right out of the box. I haven't booted my Vista virtual machine today so I don't know if Fx3 is ok on it or not. I booted up the virtual machine that has Fx2 and it loads pages just fine so it not some problem with VMWare rather something I did must have really messed Fx3 up and I've changed so much I'll probably never be able to figure out what is the culprit.
1.5 is worked so hard by me and I usually have 50 or more tabs open, have over 150 saved tab sessions, been using the same profile for a long time and yet it just keeps going and TBE Tree view works perfectly on it. The new TBE (that is split now into several extensions) on 3 has some problems and isn't like the old TBE. 1.5 uses Spellbound. That awful crap spell checker in 3 drives me nuts. I have it unchecked in options yet it still insists on checking the spelling. I hate it. I want Spellbound. I only see a need to upgrade some machine of mine to 3 because I am afraid my banks will stop supporting 1.5. They don't work with Opera and I hate to have to use IE6.
--
"The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason |
|
vicks
@anonymouse.org
| said by Mele20 : IE has always been very unsafe as far as downloads go as you can RUN the download. Since Windows XP SP2, when you run a file downloaded via IE6, the user receives a warning about it...
... Mozilla added this warning just a few days ago with Firefox 3 release. Mozilla is in late!!!! |
|
Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire
| said by vicks :... Mozilla added this warning just a few days ago with Firefox 3 release. Mozilla is in late!!!! are you sure? FF 3.0 first version you are using?
Cudni
--
"Mercifully, he hit him with the soft end of the pistol."
Help yourself so God can help you.
Microsoft MVP, 2006 - 2008 |
|
Mele20
Premium
join:2001-06-05
Hilo, HI
| reply to vicks
Yeah...that is Fx3 going backwards. In earlier versions you could not run it rather your ONLY choice was to download to disk in the obvious hope that the user would then scan it with their AV before running it. I suppose Fx3 changed it because the user's AV will be forced to scan it by Fx after downloading and before running. Of course, the user will just turn that off in preferences ...just as they ran it after downloading to disk in earlier versions without having their AV scan it.
You can lead a horse to water but you can't force it to drink. Same with people. I don't think any of this "forcing" should be happening. None of these things should be by default. (I recall all the brouhaha surrounding the decision some time ago to force download to disk and I was against it. I think folks should be able to choose to poison themselves if they want). There should be lots of options and then users should choose the ones they want because they are going to do that anyway. You cannot force security on users. That doesn't work. All you do is end up creating "hackers" or you lose market share as most people resent being forced to do something they don't like.
--
"The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason |
|
vicks
@anonymouse.org
| reply to Cudni
said by Cudni :are you sure? yes I'm sure. All downloads in Firefox 2 are NOT marked with an alternated data stream (Windows Security Zones), so when the user clicks on an exe saved by Firefox 2, no warning is received. This feature is just added only with Firefox 3.0. IE6 has this feature since WinXP SP2 Mozilla is in late!!!!!!!!!!!!!!!!!!!!!!! |
|
Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire | it is good to be sure, what happens when you click to download .exe in FF 2 ?
Cudni |
|
vicks
@anonymouse.org
| said by Cudni :it is good to be sure, what happens when you click to download .exe in FF 2 ? You didn't understand what is Windows Security Zone.
Try these steps:
1. download an exe with Firefox 2
2. save to disk
3. run it
result: when you run it, no warning is shown because the file has not marked by an alternate data stream
Since XP SP2, Internet Explorer 6 marks all downloaded files by an alternate data stream which tells it comes from Internet zone and so Windows shows this warning:
 |
|
BandHeight
join:2004-08-30
Portland, TX
| reply to Mele20
said by Mele20 :That article doesn't seem very relevant. It is talking about email attachments. Besides, IE has always been very unsafe as far as downloads go as you can RUN the download. In Fx you are REQUIRED to save to disk which is much safer. So, I don't see where Microsoft can get off telling Fx users how to handle downloads. That's just crap. Do you think I just made that up? That I dug through the MSDN and picked that article at random?
It is exactly relevant because that is the interface at the core of the issue being discussed.
MS did not tell FF users how to handle downloads. They provided a programming interface that the Mozilla team chose to use.
Please see this bug report where the idea to use IAttachmentExecute was initially introduced for FF 3, specifically Firefox 3 beta4 (see especially comments 8-15):
»https://bugzilla.mozilla.org/show_bug.cgi?id=408153
Also, for Cudni and the rest following the discussion about where this behavior originally appeared in Windows products and to get a glimpse at (some) of the original thinking on possibly using the IAE interface in FF (goes back to 2004):
»https://bugzilla.mozilla.org/show_bug.cgi?id=236771
said by Mele20 :As for me embracing Fx3 "now"...damn good thing I have 1.5 on the host machine. Fx3 on my XP Pro SP2 virtual machine appears completely borked ... Of course it is. I wouldn't have expected you to describe a successful user-experience.
But those of us who have it running perfectly on multiple OSes (even without the unbelievable amount of changes you claim must be made for it to be "usable"), we will just continue on. |
|
Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire
| reply to vicks
said by vicks :You didn't understand what is Windows Security Zone. Try these steps: 1. download an exe with Firefox 2 2. save to disk 3. run it result: when you run it, no warning is shown because the file has not marked by an alternate data stream I understood perfectly which is the part you missed
Cudni
--
"Mercifully, he hit him with the soft end of the pistol."
Help yourself so God can help you.
Microsoft MVP, 2006 - 2008 |
|
Mele20
Premium
join:2001-06-05
Hilo, HI
| reply to vicks
said by vicks :said by Cudni :it is good to be sure, what happens when you click to download .exe in FF 2 ? You didn't understand what is Windows Security Zone. Try these steps: 1. download an exe with Firefox 2 2. save to disk 3. run it result: when you run it, no warning is shown because the file has not marked by an alternate data stream Since XP SP2, Internet Explorer 6 marks all downloaded files by an alternate data stream which tells it comes from Internet zone and so Windows shows this warning: What about those of us who have a Shell extension that removes ALL Alternate Data Streams? I would never allow any ADS on any file. I immediately right click check any file I download for ADS and the extension removes the ADS. Viruses and other crap can hide in ADS. Why would Microsoft be so stupid as to use a known hiding place for malware to mark a file? UGH. (I don't know if the Shell extension works on Vista. I think I will try and see. I have downloaded almost nothing to Vista. I just grab from the network what I need).
--
"The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason |
|
Mele20
Premium
join:2001-06-05
Hilo, HI
1 edit | reply to BandHeight
Thank you for the link to the bug report. That was very interesting reading.
I still don't get it because there are no ADS on downloads from Fx3. I just downloaded Eicar, both the .exe and one of the zips, and saved them to my downloaded programs folder. Then I right click scanned them for ADS and they have none. I ran them both and Fx didn't popup any warning. I have no AV installed at the moment on this XP Pro guest machine so I was able to download the .exe one which ordinarily my AV would stop me before the download started. So, where are these ADS tags from Fx? They are not on any downloads. This Streams Shell Extension finds other ADS so I have no reason to think that Fx has somehow managed to hide the ADS from this extension. (I have not yet tried to install the extension on Vista. It may not work there). I suppose I can grab one of my myriad of programs (off my host...easy to do with XP...Vista is one huge headache for grabbing files on the network) that find ADS and run one of them in case Streams Shell Extension is somehow missing these. Ieven changed the settings in IE8 to allow unsafe downloads an Fx3 doesn't object to my running eicar.com or opening the eicar zip files. So, evidently, this feature is not working in Fx3.
Oh, btw, Fx3 works fine today on my guest XP machine. I'm on it now. It loaded all tabs very rapidly and blazes at Mozillazine forums. It loaded a preview of a post there so fast I was amazed and also posted it and then took me to the post incredibly fast. So, I have no idea what was wrong yesterday. I shut that machine down last night and booted it up again a little while ago. Maybe Windows needed restarting for some unclear reason. I'm going to use this machine now for awhile and see if, after a few hours, it happens again or not.
edit: I shut down IE with the risky setting still in place. Just now, I started IE8 again and got a gigantic warning telling me not to surf the internet with such a risky setting. So, why is Fx not reacting to that change? I don't think it is working on Fx unless Eicar files are exempted from the ADS?
--
"The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason |
|
Grail Knight
Who Dares Wins
Premium
join:2003-05-31 | Did that user.js spelling setting work for you? |
|
Mele20
Premium
join:2001-06-05
Hilo, HI | I haven't done it. I want the spell checker to stay turned off until I want it. I don't want to do without a spell checker entirely. So, I've been undecided about what to do. |
|
Mele20
Premium
join:2001-06-05
Hilo, HI
| I took the time just now to install Avira free on Fx3 on my virtual XP machine. I left the dangerous download setting for IE. I changed the setting for browser.download.manager.scanWhenDone back to true. Avira wouldn't let me play with Eicar at all..not even the zip ones. So, I instead downloaded a couple of applications and Fx never tried to start my AV, never tried to stop me from downloading because I have those unsafe settings for IE, never warned me about anything to do with the downloads. I checked them for ADS and there is no ADS tagging. I even tried opening the file directly from the download manager (instead of going to the containing folder as I ordinarily would so I could scan it) and Fx let it open directly and this was while IE has the bad settings enabled.
So, these features are not working for me at all.
Oh, so far Fx3 on the XP virtual machine is working fine...I still have no idea what was the matter last night.
--
"The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason |
|
BandHeight
join:2004-08-30
Portland, TX
1 edit | 
FF-Streams.png | 
IE7-DLDenied.png | 
FF-DLDenied.png |
said by Mele20 :So, these features are not working for me at all. Test 1
- OS: Win XP SP3
- Storage Filesystem: NTFS
- Policy Set To Medium (3)
I downloaded the FF 3 installation file from Mozilla using four different applications:
- IE7 SP3 - File saved as: Firefox Setup 3.0-DLIE.exe
- FF 3.0 - File saved as: Firefox Setup 3.0-DLFF.exe
- Opera 9.5 - File saved as: Firefox Setup 3.0-DLOP.exe
- GetRight 5.2d - File saved as: Firefox Setup 3.0-DLGR.exe
Results (image posted: FF-Streams.png)
- IE7 - Added ADS; execution prompts user
- FF 3.0 - Added ADS; execution prompts user
- Opera 9.5 - Did not add ADS; execution proceeds without prompt
- GetRight 5.2d - Did not add ADS; execution proceeds without prompt
Test 2
- OS: Win XP SP3
- Storage Filesystem: NTFS
- General Policy Set To Medium (3) But FF Download Site Added To Restricted Zone (High - Zone 4)
I downloaded the FF 3 installation file from Mozilla using two different applications:
- IE7 SP3 - File saved as: N/A
- FF 3.0 - File saved as: Firefox Setup 3.0-DLFF-Restricted.exe
Results (images posted - IE7-DLDenied.png and FF-DLDenied.png):
- IE7 SP3 - Clicking the download link immediately alerts user with messsage box, "Your current security settings do not allow this file to be downloaded".
- FF 3.0 - Clicking the download link presents "Save As ..." dialog and then launches the FF DL Manager after clicking "Save". However, the FF DL Manager halts the download, and the DL Manager listing shows the file name with the following message: "This download has been blocked by your Security Zone Policy -- mozilla.org".
By the way, the file and partial file are left on the file system; file size of each is zero bytes (that probably needs to be cleaned up automatically?). |
|
Mele20
Premium
join:2001-06-05
Hilo, HI
| I don't understand your point. YOU had to add the ADS to get Fx to react. Soo....?
Plus, I thought Fx reacted if you had INsecure settings on IE not secure settings. Why would Fx stop you if the IE settings are secure? It should stop you only if the IE settings are insecure.
--
"The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason |
|
Ctrl Alt Del
Premium
join:2002-02-18
| said by Mele20 :I don't understand your point. YOU had to add the ADS to get Fx to react. Soo....? Plus, I thought Fx reacted if you had INsecure settings on IE not secure settings. Why would Fx stop you if the IE settings are secure? It should stop you only if the IE settings are insecure. Firefox 3.0 for Windows now uses the same feature that Internet Explorer uses when you download a file from the internet. Firefox tags a downloaded file which then tells Windows to show the prompt. He did not add any ADS, that was Firefox that added the ADS.
--
less talk, more music |
|
BandHeight
join:2004-08-30
Portland, TX
4 edits | reply to Mele20
Prompt Recieved Upon Execution of Zone 3 Tagged File DL'd with IE 7 | 
Prompt Recieved Upon Execution of Zone 3 Tagged File DL'd with FF 3.0 |
said by BandHeight :Results (image posted: FF-Streams.png) - IE7 - Added ADS; execution prompts user - FF 3.0 - Added ADS; execution prompts user - Opera 9.5 - Did not add ADS; execution proceeds without prompt - GetRight 5.2d - Did not add ADS; execution proceeds without prompt said by Mele20 :I don't understand your point. YOU had to add the ADS to get Fx to react. Soo....? I know that might have been a little confusing, but c'mon ... why would I have even wasted my time with the previous post if I could only achieve those results by manually adding the ADS? Of course I didn't manually add the ADS ... the applications did (or didn't) as the case may have been. For example, when I downloaded the file with FF 3.0, the tags were automatically added based on my Policy because FF 3.0 recognizes and respects the Policy I have set (it uses the aforementioned IAttachmentExecute::CheckPolicy Method to do so) whereas Opera, for example, is Policy agnostic (thus, it does not add the Zone ADS tag).
said by Mele20 :Plus, I thought Fx reacted if you had INsecure settings on IE not secure settings. Why would Fx stop you if the IE settings are secure? It should stop you only if the IE settings are insecure. None of the applications that recognize Policy react opposite your set Policy. They honor / respect your Policy. If you want to be insecure, the applications respect that. If you want to be secure, they respect that, too. It is your choice which Policy you set (Zone 1, 2, 3 or 4) for specific activities ... so why would FF 3.0 try to do the opposite of what your Policy dictated it to do?
If you have a Policy for high security, it prompts the user or blocks the activity completely (Zone 3 or Zone 4, respectively). If the user chooses a less secure Policy (Zone 1 or 2), the prompting and blocking do not occur at all or are lessened.
I think you are fundamentally misunderstanding this topic.
EDIT:
By the way, once the downloaded file is tagged with a Zone 3 ADS per policy, FF is out of the picture. The prompt that a user gets when the file is executed is then received from the OS and it looks just like the prompt that a Zone 3 file downloaded by IE would look (see images in this post).
Of course, this does not apply for Zone 4 because no file is actually downloaded, so no ADS can be added and the file-blocked message comes immediately from the browser itself (thus the 2 different screen-shots in my previous post). |
|
Mele20
Premium
join:2001-06-05
Hilo, HI
| reply to Ctrl Alt Del
Auto quote isn't working.
I understand what Bandheight said. My reply is that it is not true that Fx3 is placing ADS on downloads. It is not doing for me. Therefore, this feature does not work. Bandheight has Service Pack 3 for XP. I have SP2. Maybe Service Pack 3 is required for this to work? If so, that is another good reason to not install SP3...getting too bossy.
--
"The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason |
|
BandHeight
join:2004-08-30
Portland, TX
2 edits | 
FF 3.0 Adds Zone Tags In Win XP SP 2 Just Like In SP 3 |
said by Mele20 :Auto quote isn't working. I just auto-quoted. It never ceases to amaze me how many things don't work for you.
said by Mele20 :I understand what Bandheight said. No comment.
said by Mele20 :My reply is that it is not true that Fx3 is placing ADS on downloads. Really?
said by Mele20 :It is not doing for me. Of course not.
Please understand saying that something is not true (which makes me what by extension?) just because it doesn't work for you is insulting to say the least. I did not fabricate the FF 3 functionality (nor did anyone else in this thread for that matter), and I did not fabricate the test results and screen-shots I posted here.
Edit:
And because I can (but shouldn't have), I tested Win XP SP2, and of course as I expected, the ADS tags were added by FF 3.0 just as they were in Win XP SP3. See image above. For the record, my SP 3 tests were on XP Pro (which I failed to mention), so the tests thus far seem to validate the same functionality in SP 2 and SP3 and Pro and Home versions. This is not surprising. |
|
