
therube

join:2004-11-11
Randallstown, MD
reply to antdude

Re: Mozilla Firefox 23 Will Block Mixed SSL Content



mip1949

@184.63.248.x
reply to StuartMW
said by StuartMW:

said by therube:

...they are wanting to make the change because it is the correct way to do things.

Of course. But as I alluded to above after a certain time things become "industry standards".

For example take Windows. It was always Microsoft's intention to have developers store applications, but not data, in

C:\Program Files\MyApp

The idea was for data to be saved in the %APPDATA% folder. However how many developers did that?

I sometimes still see applications that want to place their stuff under the root folder

C:\MyApp\Data

Why? Because some developers are lazy and/or ignorant and just want things to work.

The same applies to web developers and end-users.

As a developer, it's not laziness, it's a matter of choice. Some apps like the one I wrote cannot be restricted by MS or permissions because the app does not use the registry and I do not want it to. I want and need users to be able to copy the folder and its files and use it anywhere, any time, because of the nature of the app and its purpose. Besides, who is MS to tell us what to do? They should provide a secure, "secure os" and that should be as far as they go. They should not force developers to store apps and files where they think they should be stored. What are we, prisoners of MS? We have our own ideas and as long as our apps run as they should then what's the big deal? Additionally it leaves another security hole since the whole world knows where "program files" are kept. Dumb!

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to praetoralpha
said by praetoralpha:

People who are far more knowledgeable on SSL certificates than anyone on this forum are in charge of maintaining certificates that come with browsers and OSes. If you keep up to date and disabled any of them, you likely deserve all the nagging you have coming to you.

You are ignorant in this regard. It has nothing to do with "maintaining" certificates. It has to do with the CEO of Comodo and the crap he has pulled in the past regarding Comodo/comodo related certs and continues to pull. Mozilla itself told all users back in Dec 2008 to UNtrust Comodo/comodo related certs. Go read Dec 24 2008 email from Eddy Nigg to mozilla.dev.tech.crypto newsgroup and read all the discussion through around the end of January 2009 or the first link below has a link to the news group discussion.

The links below are a VERY TINY FEW to help you understand the issues. There are a lot more recent threads here and other security forums, blogs, websites about the severe issues with Comodo and Comodo related certs. Wilders Security has a lot of threads on Comodo also.

»REMOVE Comodo Certificates from FireFox, Opera!!!

»Comodo Continues to Damage It's Reputation

»Comodo continues to issue certificates to known Malware

If you regularly had read the mozilla.dev.tech.crypto news group since at least Dec 2008 you would have a much better understanding of the issues involved and the POLITICS regarding the browsers, the certificate issuers and what a complete mess it all is and how probably impossible it will continue to be to fix the mess. Mozilla blew its best chance because it lost its resolve back in late Dec 2008 to do what it wanted to do, knew was the right thing, but got scared. Mozilla could have cut the head off Comodo at that time. Now, it is too late and the situation now is similar to the mess we call Congress where lots of talk occurs but almost nothing of importance happens. CA/Browser forum is an attempt by the two sides (browser makers and certificate issuers) to come together and work together to solve some of these very serious problems. But it has taken forever for this group to even come up with bylaws that can be agreed on. At one point, a couple of years ago, Mozilla was inches from leaving the group yet again they proved to not have the backbone to do the right thing.

--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5

1 edit
reply to therube
That test page won't stop loading on Fx 17 ESR.

How is that a test anyway? The page loads as HTTP. So, how is this a test of mixed content on an HTTPS page?

Curiosity

join:2001-10-01
Dawson Creek, BC
reply to evoxllx
said by evoxllx:

All other major browsers already block mixed scripting from loading, both IE and Chrome do it.

Safari does not block mixed content pages. I just loaded one with it. I know it is mixed content because Firefox labels it as such.

Curiosity

join:2001-10-01
Dawson Creek, BC

1 recommendation

reply to Blackbird
said by Blackbird:

Opera's been doing this for quite some time now, and from the chronic and vehement complaining I've noted on Opera's forums, Firefox will probably be in for a rough ride in the user-complaint department. In Opera's case, the behavior can't (yet) be over-ridden with a user setting, though it appears Firefox will enforce it via a setting that might be alterable.

What Opera does is use an icon in the identity box that indicates that the site is not secure. It does not block it, at least the version I am still using does not.

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
When you first go there
After you click on OK
This is what the latest version of Opera 12.15 does.

Who would pay any attention to that gray ball before the beginning of the address? I have no idea what that gray ball is for. (I think someone said it signifies the world...really? Nah...it is a gray ball). I thought it ridiculous when Opera decided to do away with the site favicon on the address bar. Stupid move. Just as stupid as stopping the bolding of the ENTIRE ADDRESS so you could easily see if it was HTTP or HTTPS.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


therube

join:2004-11-11
Randallstown, MD
Reviews:
·Comcast
·Verizon Online DSL
reply to Mele20
> How is that a test anyway? The page loads as HTTP.
> So, how is this a test of mixed content on an HTTPS page?

The page, »people.mozilla.org/* is an https page.
That particular page loads content from an http page.

It is a case of mixed content.

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
Sorry, that makes no sense. If HTTPS then it should load as such for the test. It should NOT load the non-https content. That is a pitiful "test".
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3
Reviews:
·Frontier Communi..
reply to Curiosity
said by Curiosity:

said by Blackbird:

Opera's been doing this for quite some time now, and from the chronic and vehement complaining I've noted on Opera's forums, Firefox will probably be in for a rough ride in the user-complaint department. In Opera's case, the behavior can't (yet) be over-ridden with a user setting, though it appears Firefox will enforce it via a setting that might be alterable.

What Opera does is use an icon in the identity box that indicates that the site is not secure. It does not block it, at least the version I am still using does not.

You are right, and I stand corrected. What I had in mind is the warning message that pops up in Opera to block the sending of information from an https page to a non-http site. That is also a potential security issue that could leak data, but is a fairly common practice on websites (especially certain online game sites). In the case of simple mixed content (https and http) on a single https site, Opera indeed does just give the gray "ghost" globe in the address bar to replace the normal blue one.
--
“The American Republic will endure until the day Congress discovers that it can bribe the public with the public's money.” A. de Tocqueville


DrDrew
That others may surf
Premium
join:2009-01-28
SoCal
kudos:16

1 edit
reply to Mele20
said by Mele20:

Sorry, that makes no sense. If HTTPS then it should load as such for the test. It should NOT load the non-https content. That is a pitiful "test".

That's exactly what it's testing. Will your browser load non-HTTPS content when the parent page is HTTPS?

The page is
httpS://people.mozilla.com/~tvyas/mixedcontent.html

The script the HTTPS page calls is
http://people.mozilla.com/~tvyas/script.js


IF it loads mixed content like yours does, the page will show as HTTPS (it does in your screenshot), it will load the HTTP javascript that does the formula 5+4, and display the answer in a window (it does in your screenshot).

If it does not LOAD mixed content, then the page should look blank even with javascript turned on.

My Safari 6.0.3 and Fx 20 browsers do load mixed content. My Fx 23.0a1 browser does NOT.
--
Two is one, one is none. If it's important, back it up... Sometimes 99.999% availability isn't even good enough.
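The check that test page exercises, as an added example that is not part of the original post: given an HTTPS page, list the subresources it pulls over plain HTTP and label each as active (scripts, frames, stylesheets) or passive (images, media), the distinction browsers use when deciding what to block. The function names, the tag lists and the `example.test` URLs are assumptions made for illustration; the sample HTML is constructed and nothing is fetched.

```javascript
// Added example (not from the thread): find mixed content on an HTTPS page.
// Simplified regex scan of start tags; a real checker would use an HTML parser.
const ACTIVE = new Set(['script', 'iframe', 'object', 'embed']);
const PASSIVE = new Set(['img', 'audio', 'video', 'source']);

// Return the quoted value of attribute `name`, or null (ignores data-src etc.).
function attr(attrs, name) {
  const re = new RegExp('(?:^|\\s)' + name + '\\s*=\\s*["\']([^"\']*)["\']', 'i');
  const m = re.exec(attrs);
  return m ? m[1] : null;
}

function findMixedContent(pageUrl, html) {
  const page = new URL(pageUrl);
  if (page.protocol !== 'https:') return []; // only HTTPS pages can be "mixed"
  const findings = [];
  for (const [, rawTag, attrs] of html.matchAll(/<([a-z][a-z0-9]*)\b([^>]*)>/gi)) {
    const tag = rawTag.toLowerCase();
    let ref = null;
    let kind = null;
    if (ACTIVE.has(tag)) {
      ref = attr(attrs, tag === 'object' ? 'data' : 'src');
      kind = 'active';
    } else if (PASSIVE.has(tag)) {
      ref = attr(attrs, 'src');
      kind = 'passive';
    } else if (tag === 'link' && /stylesheet/i.test(attr(attrs, 'rel') || '')) {
      ref = attr(attrs, 'href');
      kind = 'active';
    }
    if (!ref) continue;
    let url;
    try { url = new URL(ref, page); } catch { continue; }
    // Relative and protocol-relative references inherit https: from the page.
    if (url.protocol === 'http:') findings.push({ tag, kind, url: url.href });
  }
  return findings;
}

// Constructed sample modeled on the test page described above.
const SAMPLE_PAGE = 'https://people.mozilla.com/~tvyas/mixedcontent.html';
const SAMPLE_HTML = `
<head>
<script src="http://people.mozilla.com/~tvyas/script.js"></script>
<script src="//cdn.example.test/lib.js"></script>
<link rel="stylesheet" href="style.css">
</head><body>
<img src="http://images.example.test/logo.png">
<a href="http://example.test/">plain link, not a subresource</a>
</body>`;

for (const f of findMixedContent(SAMPLE_PAGE, SAMPLE_HTML)) {
  console.log(`${f.kind.padEnd(7)} <${f.tag}> ${f.url}`);
}
```

The protocol-relative script and the relative stylesheet resolve to https and are not reported; the plain `<a>` link is navigation, not a subresource.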


Dude111
An Awesome Dude
Premium
join:2003-08-04
USA
kudos:12
reply to Mele20

 

quote:
Sorry, that makes no sense. If HTTPS then it should load as such for the test. It should NOT load the non-https content. That is a pitiful "test".
Well the page you're going to is HTTPS honey..... The test image is on an HTTP link which is what causes our browsers to alert us of the stuff that ISN'T SECURE on the page!


therube

join:2004-11-11
Randallstown, MD
Reviews:
·Comcast
·Verizon Online DSL

1 edit
reply to antdude

Re: Mozilla Firefox 23 Will Block Mixed SSL Content

SeaMonkey 20

FF 23
IE 10
Just some shots of what things look like, presently.

Edit: Sorry about that. The SeaMonkey caption should read, "2.20".

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
SeaMonkey 20? There won't be such an animal for MANY YEARS. Current SeaMonkey version is 2.17.

Current SeaMonkey handles this better than any other browser (it's just sad that the few Fx extensions I really want are not ported to SeaMonkey...hence I use Fx mostly).

SeaMonkey colors the usual GOLD (correct color) lock in the status bar bright red on a page with mixed content and hovering over the open RED lock warns you about unauthenticated content.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
United State
kudos:4
Reviews:
·Time Warner Cable

1 recommendation

said by Mele20:

SeaMonkey 20? There won't be such an animal for MANY YEARS. Current SeaMonkey version is 2.17...

2.17.1 as of this morning. See »www.seamonkey-project.org/releas···/changes ...
--
Ant @ AQFL.net and AntFarm.ma.cx. Please do not IM/e-mail me for technical support. Use this forum or better, »community.norton.com ! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer.


Raphion

join:2000-10-14
Samsara
Reviews:
·Verizon FiOS
reply to intok
said by intok:

said by StuartMW:

And given Mozilla's habit of releasing a major version (which they aren't anyway--Mozilla just likes big numbers) every 6 weeks or so this is only about 4 months away. So how many websites will this break? I can hear the bitchin' now.

I hear this all the time about Firefox, but never hear it about Chrome.

It's an update that brings new features to the public on a non glacial time scale. If you don't like it go back to IE6.

Updates aren't coming any more often than they ever did. It's just now, instead of going from version 20.1 to 20.2 etc, they go by whole numbers. It used to be that the first number incremented for major revisions, the number after the first dot incremented for minor revisions, and numbers after a second dot incremented for bug fixes and such.

Now they're incrementing the first number for any kind of revision, which simply makes it look like they're making progress faster to people that don't know any better. It's just an advertising thing, nothing to do with getting updates out faster.


therube

join:2004-11-11
Randallstown, MD
reply to antdude
Edit: Sorry about that. The SeaMonkey caption should read, "2.20" (Nightly).


chachazz
Premium
join:2003-12-14
kudos:9
Reviews:
·TELUS

1 recommendation

reply to antdude
said by antdude:

said by Mele20:

SeaMonkey 20? There won't be such an animal for MANY YEARS. Current SeaMonkey version is 2.17...

2.17.1 as of this morning. See »www.seamonkey-project.org/releas···/changes ...

... therube posted it in the Mozilla forum - »[Seamonkey] SeaMonkey 2.17.1 Released


antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
United State
kudos:4
Reviews:
·Time Warner Cable
said by chachazz:

said by antdude:

said by Mele20:

SeaMonkey 20? There won't be such an animal for MANY YEARS. Current SeaMonkey version is 2.17...

2.17.1 as of this morning. See »www.seamonkey-project.org/releas···/changes ...

... therube posted it in the Mozilla forum - »[Seamonkey] SeaMonkey 2.17.1 Released

Yeah, but TheRube didn't post in this forum thread.
--
Ant @ AQFL.net and AntFarm.ma.cx. Please do not IM/e-mail me for technical support. Use this forum or better, »community.norton.com ! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer.

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5

1 recommendation

said by antdude:

Yeah, but TheRube didn't post in this forum thread.

Yeah, I found out from you here. Otherwise, I'd still have SM 2.17 not 2.17.1. So, THANKS!
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
United State
kudos:4
Reviews:
·Time Warner Cable
said by Mele20:

said by antdude:

Yeah, but TheRube didn't post in this forum thread.

Yeah, I found out from you here. Otherwise, I'd still have SM 2.17 not 2.17.1. So, THANKS!

Well, SM would have upgraded or let you know about it automatically.
--
Ant @ AQFL.net and AntFarm.ma.cx. Please do not IM/e-mail me for technical support. Use this forum or better, »community.norton.com ! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer.

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
No, it would not. I would not use any browser that did not allow me to turn off automatic checking for updates much less automatically update. UGH! My extensions are not even allowed to check automatically for updates.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
United State
kudos:4
Reviews:
·Time Warner Cable
said by Mele20:

No, it would not. I would not use any browser that did not allow me to turn off automatic checking for updates much less automatically update. UGH! My extensions are not even allowed to check automatically for updates.

Same here. I hate these autoupdaters. I want to review before downloading and installing!
--
Ant @ AQFL.net and AntFarm.ma.cx. Please do not IM/e-mail me for technical support. Use this forum or better, »community.norton.com ! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer.


La Luna
RIP Lisa
Premium
join:2001-07-12
Warwick, NY
kudos:3

1 recommendation

I don't allow auto UPDATING, but I do like being notified an update is available. I'll take it from there.


antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
United State
kudos:4
Reviews:
·Time Warner Cable
said by La Luna:

I don't allow auto UPDATING, but I do like being notified an update is available. I'll take it from there.

Ditto, but if I already know the schedule in advance, e-mails, etc. Then, I don't need it. Sometimes, I don't want software to phone home (disabled or blocked).
--
Ant @ AQFL.net and AntFarm.ma.cx. Please do not IM/e-mail me for technical support. Use this forum or better, »community.norton.com ! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer.

OZO
Premium
join:2003-01-17
kudos:2

1 recommendation

+1

I always turn off any auto-update features. No program is allowed to make outbound connections from my computers without my explicit permission. Then I don't need any anti-whatever programs running on my computers all the time too. And the result of this policy is - computers run faster and more secure...
--
Keep it simple, it'll become complex by itself...


therube

join:2004-11-11
Randallstown, MD
quote:
No program is allowed to make outbound connections from my computers without my explicit permission.
And how do you enforce that?

OZO
Premium
join:2003-01-17
kudos:2

1 recommendation

Very easily - using local outbound firewall.


therube

join:2004-11-11
Randallstown, MD


Ah, OK.
Just wanted to make sure that outbound firewall was not included in the definition of "anti-whatever programs".


Dude111
An Awesome Dude
Premium
join:2003-08-04
USA
kudos:12
reply to antdude

 

FIREFOX 23 WILL FORCE THE USE OF JAVASCRIPT!!

»www.i-programmer.info/news/86-br···ory.html



YOU CANNOT DISABLE IT!!!!!!!!



Who is going to use this piece of crap??