Firefox 3 honors Windows Security Zones...

BandHeight

join:2004-08-30
Portland, TX

reply to Mele20
Re: Firefox 3 honors Windows Security Zones...

said by Mele20:

There is a thread in the Avira forum where an Avira tech posted yesterday and said that the Fx3 problem was fixed (and was online) in regards to the Download Manager. He didn't elaborate so I still am puzzled as to why the scan is invoked on Vista but not XP.
Thank you for the info. I'll check up on it.

BandHeight

join:2004-08-30
Portland, TX

reply to Herohtar
said by Herohtar:

You actually do not have to modify the Security Zones settings at all -- the browser.download.manager.scanWhenDone setting is responsible for adding the ADS. If you disable that, the zone information will no longer be added and you won't get the security warning.

More information can be found here: »blog.case.edu/bes7/2008/04/21/re···refox_30
It works partially:

said by BandHeight:

To make this most effective, I still say that there should be a Master On / Off option. As it stands now, simply setting:

browser.download.manager.scanWhenDone false

is problematic:

- it turns off AV scanning, which is expected
- it impacts FF zone policy functionality, which is unexpected and even perhaps baffling unless you know that they share common APIs
- it impacts FF zone functionality, but only partially, e.g., it prevents ADS from being embedded in files, but it still honors the blocking of downloads from URLs in Zone 4 (at least per my testing).


jmorlan
Hmm... That's funny.
Premium
join:2001-02-05
Pacifica, CA
·Pacific Bell - SBC

reply to HA Nut
said by HA Nut:

None of this discussion affects XP Home right? Since it doesn't support Group Policies?
XP Home is affected. It's not Group Policies. It is about the security tab settings under "Internet Properties" accessible via Control Panel or IE. There are four zones; Internet, Local Intranet, Trusted Sites & Restricted Sites. FF3 now pays some attention to those security settings.
--
"All men are equal before fish." (Herbert Hoover)


HA Nut
Premium
join:2004-05-13
USA
reply to HA Nut
None of this discussion affects XP Home right? Since it doesn't support Group Policies?


Herohtar

@sbcglobal.net

reply to HA Nut
You actually do not have to modify the Security Zones settings at all -- the browser.download.manager.scanWhenDone setting is responsible for adding the ADS. If you disable that, the zone information will no longer be added and you won't get the security warning.

More information can be found here: »blog.case.edu/bes7/2008/04/21/re···refox_30

Mele20
Premium
join:2001-06-05
Hilo, HI

reply to BandHeight
said by BandHeight:

Keep digging around. Something's still a little funky.

Avira is now invoked on Vista by Fx3 Download Manager. I watched it scanning (at least Download Manager showed my AV scanning so I assume it was scanning) during a download of a Microsoft Patch a little while ago. The patch is for IE8 which I also have on a machine with XP so I just now downloaded the patch on that machine. Avira was not invoked during the download by Fx3 Download Manager. I have the same settings for Firefox and IE on both versions of Windows.

There is a thread in the Avira forum where an Avira tech posted yesterday and said that the Fx3 problem was fixed (and was online) in regards to the Download Manager. He didn't elaborate so I still am puzzled as to why the scan is invoked on Vista but not XP.
--
"The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason

OZO
Premium
join:2003-01-17

reply to sivran
said by sivran:

Thankfully my primary browser, SeaMonkey, doesn't bug me with such things.
I see your point.

I do not support the use of ADS at all. I think with introducing those ADS's in SP2 m$ has actually opened Pandora's box. ADS's may be very easily misused. I hope we realize that, for example, under the Notepad.exe name a smart guy may hide folders and folders of any files (creating actually a whole new FS). And with the current state of public knowledge and tools to find and work with ADS's - it's obvious to me that it's a dangerous thing that just waits to show its ugly head...

I try to keep amount of ADS's on my NTFS at minimum level. I do not allow IE to create ADS's on my downloaded files. I know, that I've downloaded them. And I do not need any reminder about that. There are probably a few files that currently have ADS's on my HD. And I watch it carefully.

That's why I think this tendency of Mozilla to embrace this move towards spreading ADS's is not the right thing for computer security. But, of course, they may not care...
--
Keep it simple, it'll become complex by itself...


sivran
Long Live The Suite
Premium
join:2003-09-15
Arlington, TX
clubs:
·RoadRunner Cable

reply to BandHeight
Oh, right. That thing. For some reason, I was thinking it was an actual toolbar or something. Opera 9.5 does the same thing. I find it useful on rare occasions but annoying most of the time. I'd want a way to quickly (read: not involving about:config) turn it on and off. Maybe even have it only behave that way if I typed words, rather than an address.

Thankfully my primary browser, SeaMonkey, doesn't bug me with such things.
--
Think outside the fox...Seamonkey

BandHeight

join:2004-08-30
Portland, TX

reply to sivran
said by sivran:

Pssst. What is the awesome bar? I must not have noticed it when I tried FF3.
I'll bump the font so others can hear as well.

It's the term being applied to the location bar (I think it was referred to, perhaps unofficially, as the "almighty bar" during the beta phase ... now it's just "awesome").

There have been many complaints about the location bar in FF 3.0, some involving its appearance (without mods, it takes up a lot of real estate), some involving the search algorithm (it picks up a lot more results that some people don't want included), some involving the fact that it lists all URLs and not just the ones you manually type in, etc.

See here for some ways to get it back to the old-style as much as possible (the search algorithm is not modifiable, however):

»How to get yellow address bar with SSL in firefox 3


sivran
Long Live The Suite
Premium
join:2003-09-15
Arlington, TX
clubs:
·RoadRunner Cable

reply to SUMware
said by SUMware:

said by BandHeight:

said by SUMware:

[but i don't think that the 'awesome bar' is]

I don't know anybody who does (I guess maybe the mozilla team members that coded it). I'm as switched back to the old-style as can be accomplished with extensions and About:Config settings.
Exactly.
Pssst. What is the awesome bar? I must not have noticed it when I tried FF3.
--
Think outside the fox...Seamonkey

SUMware
Premium
join:2002-05-21


1 edit
reply to BandHeight
said by BandHeight:

said by SUMware:

[but i don't think that the 'awesome bar' is]

I don't know anybody who does (I guess maybe the mozilla team members that coded it). I'm as switched back to the old-style as can be accomplished with extensions and About:Config settings.
Exactly.

BandHeight

join:2004-08-30
Portland, TX


1 edit
reply to SUMware
said by SUMware:

... and I'm so glad that, as a Linux user, I don't need to deal with any of the convoluted issues raised in this thread.
Exactly.

said by SUMware:

[but i don't think that the 'awesome bar' is]

I don't know anybody who does (I guess maybe the mozilla team members that coded it). I'm as switched back to the old-style as can be accomplished with extensions and About:Config settings.

Edit:

I assumed you read all my posts, which is the wrong assumption, so I'll clarify here that my primary OS is Linux as well (Arch + Gnome or Openbox, though; haven't used SuSE since version 8.something and never installed OpenSuSE, so I don't know what FF 3.0 looks like in KDE if that is what you are using).

SUMware
Premium
join:2002-05-21

reply to BandHeight
said by BandHeight:

FF 3.0 looks different in Windows versus its appearance in Linux, even going as far as foregoing the new style back-forward buttons in Linux so that it fits in better with the Linux environment (that, of course, is the Mozilla team's opinion).
Mine, too. FF3 flows into Linux nicely on my shiny new openSUSE 11.0 IMO...

... and I'm so glad that, as a Linux user, I don't need to deal with any of the convoluted issues raised in this thread.

[but i don't think that the 'awesome bar' is]

BandHeight

join:2004-08-30
Portland, TX

reply to OZO
said by OZO:

Then it comes to browsers' developers' attitude (or their perspective).
That is most important of all. So far, I'm still okay with FF, even with the new features (or regressions, again, depending on perspective). I've worked around things I don't like and embraced the things I do like.

I have no control over developers' direction and intentions for future versions of FF. There are some things I see currently as potentially troubling indications of the direction things are heading, but I'll react when appropriate (perhaps, as you say, by switching browsers).

said by OZO:

said by BandHeight:
- FF is really only honoring policy in regard to downloads / attachments. This may not make FF 3.0 safer, but it certainly doesn't make it any less secure, especially since it heretofore ignored the policy anyway (meaning it operated in the equivalent of the zone policy's least restrictive zone).
Do you really mean Trusted zone (or zone #2)? Do they save ADS with a ZoneID=2 line?
Well, by least restrictive in this context, I could have meant any of the zones that have no impact on, or relevance to, file downloads or attachments. So, looking at the table of zones:


I could have been referring to anything below Zone 3.

And as far as I can tell, Zone 3 is the only identifier tagged onto files per policy as it is the only one that may require further action (e.g., prompting upon execution) once it is downloaded (see tangential note below).

said by OZO:

said by BandHeight:
Beyond that, FF gets some modifications to it in order for it to be portable (e.g., it gets its disk cache disabled, among other things), so the same thing would apply in regard to zone policy.
Now, that's finally the right direction to move :). I mean to make FF portable. But then forget about zone configuration which is saved in registry.
»portableapps.com/
»www.u3.com/

Note:

Minor points of interest:

- you can turn your list of Trusted Sites into Restricted Sites by setting "Launching applications and unsafe files" to "Disable" under the Trusted Sites tab

- you can turn your list of Restricted Sites into Trusted Sites by setting "Launching applications and unsafe files" to "Enable" under the Restricted Sites tab (this will get you a warning that "Your Security Settings Put Your Computer At Risk").


redxii
too big to fail
Premium,Mod
join:2001-02-26
Texas
reply to HA Nut
That's funny, I thought I was using Firefox, not IE.

OZO
Premium
join:2003-01-17

reply to BandHeight
said by BandHeight:

What you say:
...
What an IT admin might say:
...
It's all about perspective, I suppose.
I agree. Then it comes to browsers' developers' attitude (or their perspective). They may say - IT admin is right, and therefore has all the rights, including whatever an IT admin wishes - "I want to know all your browsing history - past, present and future (saved links and autocompletes)", "I need to know all your passwords so that in case you forget them I'll help you...", etc.

It's done in IE (and that's the reason why I'm looking for a substitute). If it's FF future policy as well, then well... It's good for a corporate environment, but certainly not for a private user.

said by BandHeight:

- FF is really only honoring policy in regard to downloads / attachments. This may not make FF 3.0 safer, but it certainly doesn't make it any less secure, especially since it heretofore ignored the policy anyway (meaning it operated in the equivalent of the zone policy's least restrictive zone).
Do you really mean Trusted zone (or zone #2)? Do they save ADS with a ZoneID=2 line?

said by BandHeight:

Beyond that, FF gets some modifications to it in order for it to be portable (e.g., it gets its disk cache disabled, among other things), so the same thing would apply in regard to zone policy.
Now, that's finally the right direction to move :). I mean to make FF portable. But then forget about zone configuration which is saved in the registry.
--
Keep it simple, it'll become complex by itself...

BandHeight

join:2004-08-30
Portland, TX

reply to Mele20
said by Mele20:

I finally got it to work partially. (Not the AV scanning because Avira doesn't do that but I now see the ADS on the file).
Cool.

said by Mele20:

... and said I had unsafe settings and it was that one setting I had changed from prompt to disabled when I first read this thread. So, after putting it back to prompt ...
Hmm. Changing "Launching applications and unsafe files" to "Disabled" isn't unsafe (it's actually the "safest" setting) and shouldn't be issuing a warning in your GUI (e.g., "Your security settings put your computer at risk" should not show up). Setting "Launching applications and unsafe files" to "Enabled (not secure)", as the name may suggest, does cause the settings to be flagged as unsafe.

Anyway, yes, setting "Launching applications and unsafe files" to "Prompt (recommended)" is what you need for the test you are conducting.

said by Mele20:

... then I looked at the properties of the file and it shows an ADS tag. I ran the file so something is still not working right as I should have been stopped or warned at least right?
You should be getting the prompt after executing the file. Keep digging around. Something's still a little funky.

BandHeight

join:2004-08-30
Portland, TX


3 edits
reply to OZO
said by OZO:

And here is one more issue which I think is very important and unfortunately was missed in this thread - and it's portability. I need a portable web browser that I may take with me to any place (with all my configuration settings, especially security settings) and run it there. I will never achieve this with IE (without its total sandboxing, which is quite difficult to obtain in an uncontrolled environment). If FF starts to relay on uncontrolled environment, "honoring" its settings, I do not need such browser and will go with Opera or something else. Sorry...
We noticed it. But from a different angle.

What you say:
"I can't run my browser in this [potentially] unsafe environment because it will adopt that environment's settings."

What an IT admin might say:
"I don't want you to run your browser on my machine without adopting the environment's settings because your browser's settings may be unsafe. More importantly, your USB drive might be infected, blah blah..."

It's all about perspective, I suppose.

BUT ... does it matter anyway (from your perspective)? Let's see:

- FF is really only honoring policy in regard to downloads / attachments. This may not make FF 3.0 safer, but it certainly doesn't make it any less secure, especially since it heretofore ignored the policy anyway (meaning it operated in the equivalent of the zone policy's least restrictive zone).

- I don't really know how FF 3.0 would behave as a portable application. It may "know", even without modification, it's not installed on the host and therefore does not change its behavior to match the host machine's policy.

Beyond that, FF gets some modifications to it in order for it to be portable (e.g., it gets its disk cache disabled, among other things), so the same thing would apply in regard to zone policy.

To make this most effective, I still say that there should be a Master On / Off option. As it stands now, simply setting:

browser.download.manager.scanWhenDone false

is problematic:

- it turns off AV scanning, which is expected
- it impacts FF zone policy functionality, which is unexpected and even perhaps baffling unless you know that they share common APIs
- it impacts FF zone functionality, but only partially, e.g., it prevents ADS from being embedded in files, but it still honors the blocking of downloads from URLs in Zone 4 (at least per my testing).

Maybe there is already another option somewhere that does what I suggest, but I am unaware of it.
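For anyone who wants to see what the download manager actually left on a file rather than guessing from the security-warning prompt, here is an added example (written for this thread, not code from Mozilla or from any poster) that parses the text of the Zone.Identifier alternate data stream and maps its ZoneId to the Windows zone. The stream name, the [ZoneTransfer] section and the zone numbers are well-known Windows Attachment Manager conventions; the sample stream content is constructed.

```python
# Added example (not from the thread or from Mozilla): parse the Zone.Identifier
# alternate data stream that the download manager, via the Windows Attachment
# Manager API, tags onto downloaded files, and report which zone it records.
import os
from typing import Optional

# Well-known Windows URLZONE numbers and their Internet Properties names.
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}


def parse_zone_identifier(stream_text: str) -> dict:
    """Parse the INI-style text of a Zone.Identifier stream.

    Returns {'zone_id': int or None, plus any other keys under [ZoneTransfer]}.
    Malformed input yields zone_id None instead of raising, so a scan over
    many files keeps going."""
    result = {"zone_id": None}
    in_section = False
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key.lower() == "zoneid":
            try:
                result["zone_id"] = int(value)
            except ValueError:
                result["zone_id"] = None
        else:
            result[key] = value
    return result


def describe(zone_id: Optional[int]) -> str:
    """Verdict line: Internet (3) and Restricted (4) are the zones whose
    Attachment Manager policy can require action when the file is run."""
    if zone_id is None:
        return "no zone tag (stream missing, unreadable, or ADS writing disabled)"
    name = ZONE_NAMES.get(zone_id, "unknown zone")
    return f"ZoneId={zone_id} ({name}); unsafe-file handling applies: {zone_id >= 3}"


def read_zone_identifier(path: str) -> Optional[str]:
    """On NTFS the stream is opened as '<file>:Zone.Identifier'. Returns None
    on non-Windows hosts or when the file carries no such stream."""
    if os.name != "nt":
        return None
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8") as fh:
            return fh.read()
    except OSError:
        return None


# Constructed sample: the tag a file fetched from the Internet zone receives.
SAMPLE_STREAM = "[ZoneTransfer]\r\nZoneId=3\r\n"
```

On a Windows host, `describe(parse_zone_identifier(read_zone_identifier(path) or "")["zone_id"])` gives the verdict for a real download; with scanWhenDone set to false the stream is absent and the function reports no tag.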

OZO
Premium
join:2003-01-17

reply to HA Nut
And here is one more issue which I think is very important and unfortunately was missed in this thread - and it's portability. I need a portable web browser that I may take with me to any place (with all my configuration settings, especially security settings) and run it there. I will never achieve this with IE (without its total sandboxing, which is quite difficult to obtain in an uncontrolled environment). If FF starts to rely on an uncontrolled environment, "honoring" its settings, I do not need such a browser and will go with Opera or something else. Sorry...

P.S. As you have probably noticed from all my posts (not only from this thread) - my main browser is IE. I use FF as a portable browser, to test compatibility issues and to visit sites that do not offer proper IE support (yes, there are some).
--
Keep it simple, it'll become complex by itself...


Ctrl Alt Del
Premium
join:2002-02-18

reply to OZO
said by OZO:

You've made a lot of efforts explaining what shdocvw.dll is and why it's not IE, but, at the same time, why it's an important component for an HTML browser.

Let me ask you a question - why FF doesn't use that important component then?
Because Firefox uses its own HTML rendering engine: Gecko. Firefox is an entire web browser with no dependencies on external components. If Firefox used shdocvw.exe, then it could become another browser that is basically a new shell on top of the core from IE (Maxthon, MyIE).

This Wikipedia article does a good job at describing the IE architecture: »en.wikipedia.org/wiki/Internet_E···itecture

Files hosted by the Internet Explorer main executable, iexplore.exe:
- WinInet.dll: handles HTTP and FTP.
- URlMon.dll: handles MIME-type stuff.
- MSHTML.dll: contains the Trident rendering engine which is responsible for displaying the pages on-screen and handling the Document Object Model of the web pages.
- ShDocVw.dll: provides the navigation, local caching and history functionalities.
- BrowseUI.dll: responsible for the browser user interface, including the browser chrome, which houses all the menus and toolbars.

ShDocVw.dll also apparently contains the API for the Attachment Manager. I guess it made the most sense to stick a feature that deals with downloaded files in a DLL that is used by IE.

said by OZO:

Some browsers (e.g. Maxthon or MyIE) do benefit from that component (shdocvw.dll). Many web site developers will then say a big thanks for not developing and testing their sites for two different rendering engines used by IE and FF. I know they certainly will appreciate *that* simplification (there are other drawbacks though)... So, why do we need yet another browser (FF.3) that is based on the same security model as IE, but offering a different rendering engine (a headache for web developers and users, who suffer from various formattings of web pages in different browsers)?
Because it's good to have choice? Yes, Firefox is a different web browser with its own rendering engine. But, that's why we have web standards. Some web browsers aren't as good as others, but aside from nuances, both give you a webpage with the important stuff in the right place.
--
less talk, more music
© 1999-2009 dslreports.com.