I know security is hard, but...

Posted By: wkempf | Jul 10th @ 5:48 AM
page 1 of 1
Comments: 23 | Views: 745
#Jul 10th @ 5:48 AM
wkempf
wkempf

Wow.  Who thought this was a good idea?

http://weblogs.asp.net/fbouma/archive/2009/07/09/the-firefox-3-5-fiasco.aspx

Too many mistakes like that, and you'll see FireFox start to lose users faster than they gained them.

#Jul 10th @ 6:29 AM
LeoDavidson
LeoDavidson

It's definitely a performance issue and something they need to fix.

Is anyone saying it's a security issue, though? (Maybe it is... Writing a good random number generator is very hard.)

Firefox is definitely no exception to the rule that all the browsers have bugs & security issues. I'll still keep using it so long as it has more features than the others, though, unless things get really bad.

#Jul 10th @ 6:41 AM
wkempf
wkempf

No, it's not a security issue, but it's a performance issue created by a brain dead security implementation.

The fact that FF also loads ALL fonts on startup is stupid. If I hadn't developed on the FF platform for a couple of years, this stuff would shock me. I'm not shocked. Just glad I learned these lessons early and won't install FF on any of my machines now.

#Jul 10th @ 7:07 AM
wkempf
wkempf

The comments on that page are gold as well.

"Works for me!"

 "Must be your system!" - OK, that one is *sorta* true.

"Doesn't happen on Linux!"

"Must be a plugin!"

"User error!"

"Just clean out your temporary files!"

Really, these folks are idiots. The article clearly explains what the issue is, and yet they can't understand why that means it might not happen to them, why it's still a serious issue, and why it's a brain dead idea to begin with.

#Jul 10th @ 7:18 AM
Erisan
Erisan

Yes, they are idiots and stupid and what ever. We are lucky to have you here in C9.

#Jul 10th @ 7:24 AM
wkempf
wkempf

Cute.  Personal attack with no real "meat". What crawled up your craw?

#Jul 10th @ 7:30 AM
Erisan
Erisan

Ah sorry, I don't know you and I have nothing against you. Maybe your comments about other people are just too "direct" (hmmh, my English sucks, I don't think that the word "direct" is the right word here...) for my taste. No offense Smiley

And I agree with you. But I think that the comments are pretty common from fans whose product has problems.

#Jul 10th @ 7:35 AM
wkempf
wkempf

OK, point taken, but you can't really equate what I've said here with what the people are saying in comments there.

#Jul 10th @ 7:45 AM
Erisan
Erisan

Well, I must admit I have not even read the comments. They just have hard time to accepts the truth/pure facts, making out the excuses etc. even after the final line is passed. Firefox failed miserably this time/again and that's it. I'm sure their commants are silly but that's what being a fan (no matter of what) of some program causes.

#Jul 10th @ 10:01 AM
stevo_
stevo_
Human after all

if this was microsoft's mistake, the internet would light up with hordes of linux lovers telling people that ms is stealing their files..

#Jul 10th @ 10:50 AM
LeoDavidson
LeoDavidson

I've spotted Internet Explorer reading files out of the Internet Explorer cache folder as well! OMG!

#Jul 10th @ 10:53 AM
ManipUni
ManipUni
Proving QQ for 5 years!

1) Close Firefox
2) Browse to the Firefox profile folder e.g. C:\Users\<user>\AppData\Roaming\Mozilla\Firefox\Profiles\1d12oo15.default
3) Execute the following:
FOR %%G IN (*.sqlite) DO ( sqlite3 %%G "VACUUM" )

Now re-launch Firefox 3.5 and expect loading times to be anything as much as 50% faster.

PS - I read the link, and it is a bunch of QQ that I cannot reproduce.

#Jul 10th @ 10:57 AM
Bass
Bass
www.s​preadfirefox.c​om/5years/

I contend (although I don't understand this 100%) it's a security issue as well, if it's using a bunch of files in a tmp directory to calculate a seed, it would give viri the ability to set initial conditions. Hell they might as well have used srand(time(NULL)), it probably is safer Smiley

#Jul 10th @ 11:12 AM
PaoloM
PaoloM
Hypermediocrity

...it would give viri the ability...

it would give men the ability...? Expressionless

#Jul 10th @ 11:13 AM
LeoDavidson
LeoDavidson

From a quick skim of the NSS source, the temp files are not the only entropy source so it doesn't look like that's a problem:

http://mxr.mozilla.org/mozilla/source/security/nss/lib/freebl/win_rand.c#282

(That doesn't automatically mean it makes sense to use them, of course.)

 

#Jul 10th @ 11:22 AM
Bass
Bass
www.s​preadfirefox.c​om/5years/

size_t RNG_GetNoise(void *buf, size_t maxbuf)
{
memcpy(buf, '4', sizeof(char));
return sizeof(char);
}


would this work? Smiley

 

But seriously I think in Linux you can just read /dev/random, doesn't Windows have something similar?

#Jul 10th @ 11:43 AM
fknight
fknight

I think in Windows you could simply read the present state of your folder view setting for Control Panel or My Computer.  It seems random enough.

 

#Jul 10th @ 11:44 AM
blowdart
blowdart
Peek-a-boo

Yes it does. There are cryptographically secure random number generators in the OS and they have been there since Win2k. They can even use hardware randomizers if they're there.

Interestingly enough the code appears to know about them, CryptGenRandom is the main one.

#Jul 10th @ 12:01 PM
Bass
Bass
www.s​preadfirefox.c​om/5years/

Isn't there a function on the bottom of the file that is basically generating random numbers using Win32 calls? I would assume to fix this problem you just replace all calls from RNG_GetNoise to RNG_SystemRNG. But Mozilla probably knows something we don't.

#Jul 10th @ 9:34 PM
eileen123
eileen123

Nice concern has been added, needs no extra addition..

Eileen

 

 

#Jul 11th @ 12:54 AM
joechung
joechung

It was a lousy idea, no doubt.  I would expect Mozilla to fix that $!%@ in 3.5.1.

#Jul 17th @ 4:11 AM
LeoDavidson
LeoDavidson

It's fixed now in the 3.5.1 update. (Help -> Check for Updates to grab it without waiting for the automatic check.)

page 1 of 1
Comments: 23 | Views: 745
Microsoft Communities