
OZO
Premium
join:2003-01-17
kudos:2

reply to BandHeight

Re: Firefox 3 honors Windows Security Zones...

said by BandHeight:

I think the misunderstanding is that Zone Policy is not an option or function of the browser (not IE or FF or any other browser). It is the function of the operating system.
No, it is not. It is not a function of OS unless of course you think that IE is part of the OS. It's a function of a browser. It's IE browser, who has separated security settings for different web sites it's visiting, and it's IE, that made up 3 so called zones (trusted web sites, common Internet sites, restricted sites). Other browsers may do different determinations regarding their security settings for different web sites.

It's not a function of computer operating system to make those determinations. Computer's OS doesn't know web sites!! The fact that there are two programs (IE and WE) that have been developed by the same manufacturer that made the OS itself doesn't make it so.

- Any execution of a file marked with an ADS Zone 3 tag will cause a prompt to be issued by the operating system, not by the specific internet browser (e.g., FF or IE) nor by a specific file browser (WE, PowerDesk, etc.).
Prompt is issued by a program manager (Windows Explorer) and not by OS. Try to execute :Zone.Identifier marked file in e.g. CMD window. And, BTW, you can easily replace WE by a different program manager (and OS is still running, of course)...

You again misunderstand the roles of different parts of OS and OS itself. Some folks think that OS is a desktop they see and it's better when desktop icons are bigger and brighter... I hope you do not fall into that category.

Finally, why should FF 3.0 developers try to recreate the whole system over again as you seem to suggest?
Again, because it's not a function of OS to differentiate web sites(!) on different categories. And again, it's done not by the OS, but by its web browser IE (adding ADS to downloaded files) and by its program manager - WE (interpreting ADS when it's been asked to execute the file). Firefox is a different browser which brings a different perspective on security model of the Internet (which is good by itself). That's why I expect from FF its own handling of security, and not a simulation of some other programs (like IE and WE).

And finally, if FF "honors" security zones on IE, don't you think it should offer a way to configure those zones. Does it have plans to do so? I don't think so... Thus, is it the right direction to move for FF?
--
Keep it simple, it'll become complex by itself...


Ctrl Alt Del
Premium
join:2002-02-18

said by OZO:

No, it is not. It is not a function of OS unless of course you think that IE is part of the OS. It's a function of a browser. It's IE browser, who has separated security settings for different web sites it's visiting, and it's IE, that made up 3 so called zones (trusted web sites, common Internet sites, restricted sites). Other browsers may do different determinations regarding their security settings for different web sites.
IAttachmentExecute is exposed through the file shdocvw.dll (Source: »msdn.microsoft.com/en-us/library···85).aspx )

Shdocvw.dll supplies the functionality associated with navigation, in-place linking, favorites and history management, and PICS support. This DLL also exposes interfaces to its host to allow it to be hosted separately as an ActiveX control. The Shdocvw.dll component is more frequently referred to as the WebBrowser Control. In-place linking refers to the ability to click a link in the HTML of the loaded document and to load a new HTML document in the same instance of the WebBrowser Control. If only Mshtml.dll is being hosted, a click on the link results in a new instance of the browser. (Source: »msdn.microsoft.com/en-us/library···85).aspx )

However, IAttachmentExecute is not tied, in any way, to Internet Explorer. Internet Explorer makes use of IAttachmentExecute from a file that deals with HTML and hyperlinking. IExplore.exe is at the top level; it is a small application that is instantiated when Internet Explorer is loaded. This executable application uses Internet Explorer components to perform the navigation, history maintenance, favorites maintenance, HTML parsing and rendering, and so on, while it supplies the toolbar and frame for the stand-alone browser. IExplorer.exe directly hosts the Shdocvw.dll component. (Source: »msdn.microsoft.com/en-us/library···85).aspx )

shdocvw.dll is a system shared component for anything that needs HTML or hyperlinking (which includes Outlook, the Help system). shdocvw.dll is not Internet Explorer. shdocvw.dll is one of many components that make up Internet Explorer. Saying that shdocvw.dll (component) is the same as Internet Explorer (application) is like saying Hydrogen (H, atom) is the same as Water (H2O, molecule). Thus, I say that IAttachmentExecute is a feature provided by the operating system in a resource that is currently used by the supplied web browser, email system, etc.

said by OZO:

Prompt is issued by a program manager (Windows Explorer) and not by OS. Try to execute :Zone.Identifier marked file in e.g. CMD window. And, BTW, you can easily replace WE by a different program manager (and OS is still running, of course)...
That is because it is the responsibility of the launcher (Windows Explorer) to make use of IAttachmentExecute. Old code or code that ignores this feature do not explicitly make use of the Prompt method. (Source: »msdn.microsoft.com/en-us/library···85).aspx )

Microsoft probably didn't want every single executable to be put through IAttachmentExecute (which would be stupid, costly, and slow), so instead of putting it deep into the OS (kernel?), it's a higher level API that should be called before the OS runs the downloaded file.
--
less talk, more music

BandHeight

join:2004-08-30

2 edits

reply to OZO

said by OZO:

No, it is not. It is not a function of OS unless of course you think that IE is part of the OS.
No. In this case, I am trying to make a distinction between IE and the rest of the components that ship as part of Windows. Here is how I tried to delineate for purposes of this discussion (for another topic, I may not have taken this tack):

- Apps installed on Windows that may interact with the zone policy and attachment policy, i.e., Internet Explorer, FireFox, OutlookExpress, Outlook, etc.

- The rest of the system ("the OS") including the kernel, the shell, user interface, etc.

The APIs that are available to IE with regard to zone policy and attachment policy are available to all installed applications via the Windows API.

The zone policy and attachment policy require at minimum two things:

1. a mechanism to tag files with zone information per policy
2. a mechanism to interpret the zone information and respond accordingly per policy

Item 1 is most logically taken care of by the client application that first acquires the file. However, that is not limited to Internet Explorer, and any application can use the API.

Item 2 happens outside the originating application, and furthermore, does not care how the files came to be tagged. More explicitly, this function does not care whether the tags came from IE, FF, or whether they were manually tagged.

For me, that suggests a system policy not an Internet Explorer-only policy. An expectation that all files on the system respond to my security settings in the same fashion regardless of which application downloaded them is not an unreasonable expectation. I believe that is why Mozilla chose to implement its features in FF 3.0.

said by OZO:

It's not a function of computer operating system to make those determinations. Computer's OS doesn't know web sites!!
But the API provided by Windows to determine the zones and tag the files is available to any application that wishes to use them. And components of the operating system do know zones because part of the whole security process is to tag the files so the zone can be known outside the application that originally acquired the file.

said by OZO:

Prompt is issued by a program manager (Windows Explorer) and not by OS. Try to execute :Zone.Identifier marked file in e.g. CMD window. And, BTW, you can easily replace WE by a different program manager (and OS is still running, of course)...
I agree with you that the zone stuff doesn't work from a command prompt, but that was originally pointed out to MS as a security flaw when SP 2 was first released. MS was evidently happy to have only the GUI respond to the policy. I have never argued that the implementation is absolutely secure; that is another topic.

said by OZO:

You again misunderstand the roles of different parts of OS and OS itself. Some folks think that OS is a desktop they see and it's better when desktop icons are bigger and brighter... I hope you do not fall into that category.
I'm not. I use Arch Linux as my primary system, and I am pretty careful about discussions involving various components. I don't think people generally view Windows XP components as so separable, but for this discussion (and for legal reasons - see US vs Microsoft ), Internet Explorer is just a browser, separate and apart from the rest of the OS (per my above definition).

said by OZO:

Firefox is a different browser which brings a different perspective on security model of the Internet (which is good by itself). That's why I expect from FF its own handling of security, and not a simulation of some other programs (like IE and WE).
Mozilla did have a different perspective. It ignored the security model of the platform on which it was installed up until version 3 (if it was installed on a Windows PC). The developers likely felt that IT admins were ignoring FF in favor of IE because FF heretofore ignored the policy. Is that a correct assumption? I don't know. But it seems to me that what they have decided to do is not a simulation of the policy, it is an integration into the policy using the available APIs.

Edit:
Fixed paragraph alignment, spelling
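
The two mechanisms BandHeight lists in the post above (tagging a file with zone information, then interpreting the tag per policy), sketched in Python as an added example that is not part of any post in this thread and is not Windows' own code. The helper names, the sample policy table and the fall-back-to-prompt handling of a malformed tag are assumptions of the example; the `[ZoneTransfer]` / `ZoneId` stream format and the 1806 setting values are the real ones.

```python
import configparser
from typing import Optional

# URLZONE numbers that can appear as ZoneId in a Zone.Identifier stream.
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}

# Settings of URL action 1806, "Launching applications and unsafe files":
# 0 = Enabled (not secure), 1 = Prompt (recommended), 3 = Disabled.
ACTION_1806 = {0: "allow", 1: "prompt", 3: "block"}

# Constructed per-zone policy for this example. On a real system the values sit in
# ...\CurrentVersion\Internet Settings\Zones\<zone> under the value name "1806".
SAMPLE_POLICY = {0: 0, 1: 0, 2: 0, 3: 1, 4: 3}


def make_tag(zone_id: int) -> str:
    """Mechanism 1: the text a downloading application stores in the stream."""
    if zone_id not in ZONES:
        raise ValueError(f"unknown zone {zone_id}")
    return f"[ZoneTransfer]\r\nZoneId={zone_id}\r\n"


def parse_tag(text: str) -> Optional[int]:
    """Return the ZoneId found in stream text, or None if absent or malformed."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text.lstrip("\ufeff"))  # tolerate a leading BOM
        zone = int(parser["ZoneTransfer"]["ZoneId"].strip())
    except (configparser.Error, KeyError, ValueError):
        return None
    return zone if zone in ZONES else None


def read_tag(path: str) -> Optional[str]:
    """Read <path>:Zone.Identifier. Only returns text on Windows with NTFS."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8",
                  errors="replace") as fh:
            return fh.read()
    except OSError:
        return None  # no stream, or a file system without named streams


def launch_decision(tag_text: Optional[str], policy=SAMPLE_POLICY,
                    launcher_checks: bool = True) -> str:
    """Mechanism 2: what a launcher does with the tag before running the file."""
    if not launcher_checks:
        return "allow"   # launcher never reads the stream (the CMD case in the thread)
    if tag_text is None:
        return "allow"   # untagged file: nothing to interpret
    zone = parse_tag(tag_text)
    if zone is None:
        return "prompt"  # assumption of this example: unreadable tag falls back to a prompt
    return ACTION_1806.get(policy.get(zone, 1), "prompt")


if __name__ == "__main__":
    samples = {  # constructed stream contents
        "tagged Internet": make_tag(3),
        "tagged Restricted": make_tag(4),
        "extra fields": "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.test/a.zip\r\n",
        "no stream": None,
        "malformed": "ZoneId=3",
    }
    for name, text in samples.items():
        print(f"{name:18} checking launcher: {launch_decision(text):7} "
              f"non-checking launcher: {launch_decision(text, launcher_checks=False)}")
```

The decision depends only on the tag and the policy table, not on which application wrote the tag, and a launcher that skips the check allows everything regardless of either.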

OZO
Premium
join:2003-01-17
kudos:2

reply to Ctrl Alt Del

said by Ctrl Alt Del:

shdocvw.dll is a system shared component for anything that needs HTML or hyperlinking (which includes Outlook, the Help system). shdocvw.dll is not Internet Explorer. shdocvw.dll is one of many components that make up Internet Explorer. Saying that shdocvw.dll (component) is the same as Internet Explorer (application) is like saying Hydrogen (H, atom) is the same as Water (H2O, molecule). Thus, I say that IAttachmentExecute is a feature provided by the operating system in a resource that is currently used by the supplied web browser, email system, etc.
You've made a lot of efforts explaining what shdocvw.dll is and why it's not IE, but, at the same time, why it's an important component for an HTML browser.

Let me ask you a question - why FF doesn't use that important component then?

Isn't that because the security model of IE (based on mentioned component) is flaky (as many of users see it, I'm not one of them, BTW) and over-convoluted (as I see it) to the level that the user needs something different? If the reason to develop a new browser is not an offering of a new security model, then why do that at all? If the answer is "yes, it's not what we need", then why there is an urge to repeat the same security model in the FF.3?

Some browsers (e.g. Maxthon or MyIE) do benefit from that component (shdocvw.dll). Many web site developers will then say a big thanks for not developing and testing their sites for two different rendering engines used by IE and FF. I know they certainly will appreciate *that* simplification (there are other drawbacks though)... So, why we need yet another browser (FF.3) that is based on the same security model of IE, but offering a different rendering engine (a headache for web developers and users, who suffer from various formattings of web pages in different browsers)?

P.S. Sorry, but this post looks more like a rant from my side leading away from the subject of the thread, so you may want not to answer the questions above...

--
Keep it simple, it'll become complex by itself...

OZO
Premium
join:2003-01-17
kudos:2

reply to BandHeight
Again, if FF developers want to support security zones that come with IE, how will they manage those zones? Via IE?
--
Keep it simple, it'll become complex by itself...


BandHeight

join:2004-08-30

said by OZO:

Again, if FF developers want to support security zones that come with IE, how will they manage those zones? Via IE?
said by OZO with strike-through / emphasized correction by BandHeight:

Again, if FF developers want to support security zones that come with ~~IE~~ *Windows and is made available to all applications through the Windows API*, how will they manage those zones? Via IE?
I stated in my very first post (referring to the MozillaZine link that directs the user on how to change settings):

said by BandHeight:

Pointing the user to a GUI that associates the settings with an IE icon (as well as being mixed in with other policies that FF does not adhere to) so that the settings can be adjusted is very, very clumsy.
However, despite its drawbacks and upon further reflection, I think ultimately that there are so many different places to change related settings that adding to this with a separate FF interface may be more confusing than helpful in some cases. For example, a separate FF interface would give the illusion that its settings only affected FF, but integration with the system via the Windows APIs means that changing them in FF changes them for all applications that use the API. That by the way is at the heart of the argument that this is not an IE-only policy. Changing the settings, regardless of where they are set, impacts all applications that use the APIs.

Windows provides a number of generic and semi-generic places to change zone policy and related settings outside of Internet Explorer as well as directly through Internet Explorer:

- Internet Options GUI via the Control Panel
- Group Policy console
- Directly editing the registry
- Internet Options GUI via Internet Explorer menus

Using the Windows interfaces directly also reinforces that FF is integrating into the existing system rather than just recreating a different version of it.

I can definitely understand your point of view, and I believe that behind the scenes, there was an even more heated debate among the Mozilla team on how to proceed (or to even proceed at all) with this functionality.

Just as a final note (final ... hmm, I doubt it), I do think a Master ON / OFF switch in the About:Config interface that is not tied to the AV scanner or any other option would be very appropriate. Something along the lines of:

security.policy.honorWindows false

OZO
Premium
join:2003-01-17
kudos:2

What I'm trying to say is turning ON / OFF switch is just a tip of the iceberg for security zone configuration. It's considerably deeper than that. In this development if you said 'A', then you should say 'B' as well (if you know what I mean).

E.g. how is FF supposed to put variety of web sites into different security zones (as a part of zones security management) or how they even define them (zones) with security settings. Where is the dialog box that will be offered to FF users to change all (and there are plenty) security settings for different zones. Saying - open IE (or use Control Panel to run "Internet Properties" dialog box, which is the same) and adjust those settings, I hope, is not an option here... And I agree with you that a separate FF interface may be more confusing than helpful in some cases.

That's why I've said earlier - is it the right direction to move for FF? And I'm not positive that it is...

And finally, FF is integrating into the existing system rather than just recreating a different version of it is not what I want to happen. We already have one web browser that some claim is an integrated part of the OS. I do now want to have yet another one with the same claim. Web browser should not be an integrated part of any OS. That's my strong opinion.
--
Keep it simple, it'll become complex by itself...


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:4

reply to BandHeight

I finally got it to work partially. (Not the AV scanning because Avira doesn't do that but I now see the ADS on the file).

I'm embarrassed to say that the problem was that I hardly ever open IE8 because it is soooo crippled (back button doesn't work, can't select part of auto quote here to delete, can't, can't, can't, ...about all IE8 can do unless you emulate IE7, which I don't want to do, is display a page and you can read the page but not do anything and not want to use the back button either). So, because I hardly ever open it, I was under the impression that I had changed the IE setting back to prompt. But evidently I had not as when I finally opened IE8 a few minutes ago, it wouldn't load my tabs and said I had unsafe settings and it was that one setting I had changed from prompt to disabled when I first read this thread. So, after putting it back to prompt, I tried Fx3 and downloaded an eicar zip file (with Avira Guard disabled so I could download it) and then I looked at the properties of the file and it shows an ADS tag. I ran the file so something is still not working right as I should have been stopped or warned at least right?

(Fx3 is acting nutty again and it continually loads this site and others but this site is the worst. I switched to my host computer with Fx 1.5 and this site loads just fine. IE8 is continually loading this site also on my guest machine).
--
"The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason

BandHeight

join:2004-08-30

reply to OZO

said by OZO:

What I'm trying to say is turning ON / OFF switch is just a tip of the iceberg for security zone configuration. It's considerably deeper than that. In this development if you said 'A', then you should say 'B' as well (if you know what I mean).
Yes. It goes much deeper than that. My proposal concentrated on the ability to cleanly and clearly provide a means to turn off the functionality. Changing the value to "true", however, does get us back to the question of, "What interface do we use to change the settings?". For better or for worse, for now it is only available through the Windows interface.

said by OZO:

And finally, FF is integrating into the existing system rather than just recreating a different version of it is not what I want to happen. We already have one web browser that some claim is an integrated part of the OS. I do now want to have yet another one with the same claim. Web browser should not be an integrated part of any OS. That's my strong opinion.
Nothing wrong with a strong opinion.

"Integration" brings some strongly negative connotations in the context of Internet Explorer. Integration that forces users into something they may not wish or that stifles fair trade and competition is the kind we don't want to see. On the other hand, integration can be good, integration has many different tiers from loose-integration to breaks-if-you-remove-it-integration, and all software that is installed on any platform has to "fit in", so to speak, on some level to even run.

A very simple and benign bit of integration, I think you will agree, is that FF 3.0 looks different in Windows versus its appearance in Linux, even going as far as foregoing the new style back-forward buttons in Linux so that it fits in better with the Linux environment (that, of course is the Mozilla team's opinion).

Let's just say that integration is an integral (pun intended) part of computing. The good news in the case under discussion here is that the integration does not approach the level of integration (the really bad kind) usually implied when discussing IE and Windows.


Ctrl Alt Del
Premium
join:2002-02-18

reply to OZO

said by OZO:

You've made a lot of efforts explaining what shdocvw.dll is and why it's not IE, but, at the same time, why it's an important component for an HTML browser.

Let me ask you a question - why FF doesn't use that important component then?
Because Firefox uses its own HTML rendering engine: Gecko. Firefox is an entire web browser with no dependencies on external components. If Firefox used shdocvw.exe, then it could become another browser that is basically a new shell on top of the core from IE (Maxthon, MyIE).

This Wikipedia article does a good job at describing the IE architecture: »en.wikipedia.org/wiki/Internet_E···itecture

Files hosted by the Internet Explorer main executable, iexplore.exe:
- WinInet.dll: handles HTTP and FTP.
- URlMon.dll: handles MIME-type stuff.
- MSHTML.dll: contains the Trident rendering engine which is responsible for displaying the pages on-screen and handling the Document Object Model of the web pages.
- ShDocVw.dll: provides the navigation, local caching and history functionalities.
- BrowseUI.dll: responsible for the browser user interface, including the browser chrome, which houses all the menus and toolbars.

ShDocVw.dll also apparently contains the API for the Attachment Manager. I guess it made the most sense to stick a feature that deals with downloaded files in a DLL that is used by IE.

said by OZO:

Some browsers (e.g. Maxthon or MyIE) do benefit from that component (shdocvw.dll). Many web site developers will then say a big thanks for not developing and testing their sites for two different rendering engines used by IE and FF. I know they certainly will appreciate *that* simplification (there are other drawbacks though)... So, why we need yet another browser (FF.3) that is based on the same security model of IE, but offering a different rendering engine (a headache for web developers and users, who suffer from various formattings of web pages in different browsers)?
Because it's good to have choice? Yes, Firefox is a different web browser with its own rendering engine. But, that's why we have web standards. Some web browsers aren't as good as others, but aside from nuances, both give you a webpage with the important stuff in the right place.
--
less talk, more music

BandHeight

join:2004-08-30

reply to Mele20

said by Mele20:

I finally got it to work partially. (Not the AV scanning because Avira doesn't do that but I now see the ADS on the file).
Cool.

said by Mele20:

... and said I had unsafe settings and it was that one setting I had changed from prompt to disabled when I first read this thread. So, after putting it back to prompt ...
Hmm. Changing "Launching applications and unsafe files" to "Disabled" isn't unsafe (it's actually the "safest" setting) and shouldn't be issuing a warning in your GUI (e.g., "Your security settings put your computer at risk" should not show up). Setting "Launching applications and unsafe files" to "Enabled (not secure)", as the name may suggest, does cause the settings to be flagged as unsafe.

Anyway, yes, setting "Launching applications and unsafe files" to "Prompt (recommended)" is what you need for the test you are conducting.

said by Mele20:

... then I looked at the properties of the file and it shows an ADS tag. I ran the file so something is still not working right as I should have been stopped or warned at least right?
You should be getting the prompt after executing the file. Keep digging around. Something's still a little funky.

SUMware
Premium
join:2002-05-21
kudos:2

reply to BandHeight

said by BandHeight:

FF 3.0 looks different in Windows versus its appearance in Linux, even going as far as foregoing the new style back-forward buttons in Linux so that it fits in better with the Linux environment (that, of course is the Mozilla team's opinion).
Mine, too. FF3 flows into Linux nicely on my shiny new openSUSE 11.0 IMO...

... and I'm so glad that, as a Linux user, I don't need to deal with any of the convoluted issues raised in this thread.

[but i don't think that the 'awesome bar' is]

BandHeight

join:2004-08-30

1 edit

said by SUMware:

... and I'm so glad that, as a Linux user, I don't need to deal with any of the convoluted issues raised in this thread.
Exactly.

said by SUMware:

[but i don't think that the 'awesome bar' is]

I don't know anybody who does (I guess maybe the mozilla team members that coded it). I'm as switched back to the old-style as can be accomplished with extensions and About:Config settings.

Edit:

I assumed you read all my posts, which is the wrong assumption, so I'll clarify here that my primary OS is Linux as well (Arch + Gnome or Openbox, though; haven't used SuSE since version 8.something and never installed OpenSuSE, so I don't know what FF 3.0 looks like in KDE if that is what you are using).

SUMware
Premium
join:2002-05-21
kudos:2

1 edit

said by BandHeight:

said by SUMware:

[but i don't think that the 'awesome bar' is]

I don't know anybody who does (I guess maybe the mozilla team members that coded it). I'm as switched back to the old-style as can be accomplished with extensions and About:Config settings.
Exactly.


sivran
Back to Opera again
Premium
join:2003-09-15
Arlington, TX
kudos:1
Reviews:
·RoadRunner Cable

said by SUMware:

said by BandHeight:

said by SUMware:

[but i don't think that the 'awesome bar' is]

I don't know anybody who does (I guess maybe the mozilla team members that coded it). I'm as switched back to the old-style as can be accomplished with extensions and About:Config settings.
Exactly.
Pssst. What is the awesome bar? I must not have noticed it when I tried FF3.
--
Think outside the fox...Seamonkey

BandHeight

join:2004-08-30

said by sivran:

Pssst. What is the awesome bar? I must not have noticed it when I tried FF3.
I'll bump the font so others can hear as well.

It's the term being applied to the location bar (I think it was referred to, perhaps unofficially, as the "almighty bar" during the beta phase ... now it's just "awesome").

There have been many complaints about the location bar in FF 3.0, some involving its appearance (without mods, it takes up a lot of real estate), some involving the search algorithm (it picks up a lot more results that some people don't want included), some involving the fact that it lists all URLs and not just the ones you manually type in, etc.

See here for some ways to get it back to the old-style as much as possible (the search algorithm is not modifiable, however):

»How to get yellow address bar with SSL in firefox 3


sivran
Back to Opera again
Premium
join:2003-09-15
Arlington, TX
kudos:1
Reviews:
·RoadRunner Cable

Oh, right. That thing. For some reason, I was thinking it was an actual toolbar or something. Opera 9.5 does the same thing. I find it useful on rare occasions but annoying most of the time. I'd want a way to quickly (read: not involving about:config) turn it on and off. Maybe even have it only behave that way if I typed words, rather than an address.

Thankfully my primary browser, SeaMonkey, doesn't bug me with such things.
--
Think outside the fox...Seamonkey


OZO
Premium
join:2003-01-17
kudos:2

said by sivran:

Thankfully my primary browser, SeaMonkey, doesn't bug me with such things.
I see your point.

I do not support the use of ADS at all. I think with introducing those ADS's in SP2 m$ has actually opened Pandora's box. ADS's may be very easily misused. I hope we realize that, for example, under the Notepad.exe name a smart guy may hide folders and folders of any files (creating actually a whole new FS). And with current state of public knowledge and tools to find and work with ADS's - it's obvious to me that it's a dangerous thing that just waits to show its ugly head...

I try to keep amount of ADS's on my NTFS at minimum level. I do not allow IE to create ADS's on my downloaded files. I know, that I've downloaded them. And I do not need any reminder about that. There are probably a few files that currently have ADS's on my HD. And I watch it carefully.

That's why I think this tendency of Mozilla to embrace this move towards spreading ADS's is not the right thing for computer security. But, of course, they may not care...
--
Keep it simple, it'll become complex by itself...

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:4

reply to BandHeight

said by BandHeight:

Keep digging around. Something's still a little funky.

Avira is now invoked on Vista by Fx3 Download Manager. I watched it scanning (at least Download Manager showed my AV scanning so I assume it was scanning) during a download of a Microsoft Patch a little while ago. The patch is for IE8 which I also have on a machine with XP so I just now downloaded the patch on that machine. Avira was not invoked during the download by Fx3 Download Manager. I have the same settings for Firefox and IE on both versions of Windows.

There is a thread in the Avira forum where an Avira tech posted yesterday and said that the Fx3 problem was fixed (and was online) in regards to the Download Manager. He didn't elaborate so I still am puzzled as to why the scan is invoked on Vista but not XP.
--
"The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason

BandHeight

join:2004-08-30

said by Mele20:

There is a thread in the Avira forum where an Avira tech posted yesterday and said that the Fx3 problem was fixed (and was online) in regards to the Download Manager. He didn't elaborate so I still am puzzled as to why the scan is invoked on Vista but not XP.
Thank you for the info. I'll check up on it.

over 12.5 years online! © 1999-2012 dslreports.com.