The diary and photos of Chris Beach. I'm into windsurfing, coding, badminton, drawing and composing music using computers and synths.

comment on journal entry: the fundamental security flaw in Mozilla browsers

  • Recreating in IE
    You can create a similar thing in HTML, and have it work for Internet Explorer. They have only addressed this in SP2: blogs.msdn [Marcus] [reply]
    • So, in IE you can spoof the padlock icon in the status bar, complete with fake certification UI? I don't think so!
      [Chris Beach] [reply]
      • Yes, of course you could; well, at least until SP2 was released. SP1 went some way to prevent this as well. You could spoof the status bar in a chromeless window, icon included and use it to pop-up the spoofed certification in another window.
        [Marcus] [reply]
        • You simply could never do this in IE
          You are probably thinking of a similar technique as described here:

          http://www.siteexperts.com/tips/techniques/ts05/page1.asp

          However, you fail to see that this would never recreate the real look and feel of the user's browser as it would have to be "hard-coded" in images and javascript etc. Experienced users would instantly know it was fake.

          With the huge bug in Mozilla, one is allowed to use all the core components of the browser, even assuming the user's current theme. It's a ghastly situation because not even an experienced user would be able to spot the spoof until it was too late.

          You need to understand that the Firefox browser is written in XUL, and will execute remote XUL from any website without so much as a flicker of warning. This has been the case for FIVE years. Such a hapless lack of foresight leaves me with no faith in Mozilla browsers. [Chris Beach] [reply]
          • Spoofing the IE UI in HTML
            Yep, spoofing the IE UI in HTML requires external resources for the status bar and certificate dialog, but that's no big deal as there's no reason to spoof anything else (apart from the location); IE can provide the rest.

            I've had a quick go at it and, without actually going through the bother of creating a full certificate dialog, I was able to create a rather dangerous page using a normal pop-up window, an i-frame and a fake status bar containing a lock icon that opens a modal window on double-click. Easy. Now, how many years has IE had that problem? How many years will IE have that problem on non-XP platforms? [Marcus] [reply]
            • No worse than Firefox
              IE changes are propagated out via Windows Update. There has never been an automatic patching system built into Mozilla. Several of my friends are using Firefox versions that are way out-of-date. Therefore, relatively speaking, more Mozilla users will be left with this dreadful security hole.

              ...particularly as Mozilla prefer to keep bugs like this "confidential." (They did for 5 years with the fundamental and critical XUL issue.)

              Not even an experienced user can spot the Firefox spoof because it uses the native Firefox windowing system (including the user's current theme!). Your approach to spoofing IE is much more "hacky." [Chris Beach] [reply]