General :  K-Meleon Web Browser Forum
General discussion about K-Meleon 
Browser Security Test
Date: February 24, 2009 12:43AM

It is the same stuff I tested my Gorilla 2 K-Meleon with

No Risk.......

http://bcheck.scanit.be/bcheck/


Your browser reports to be: "Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.8.1.1) Gecko/20061228 Firefox/3.0.6"
Browser name: Firefox
Version: 3.0.6
Platform: Solaris


* Passed Mozilla crashes with evidence of memory corruption - passed
* Passed Internet Explorer bait & switch race condition - passed
* Passed Mozilla crashes with evidence of memory corruption - passed
* Passed Internet Explorer createTextRange arbitrary code execution - passed
* Passed Windows MDAC ADODB ActiveX control invalid length - passed
* Passed Adobe Flash Player video file parsing integer overflow - passed
* Passed XMLDOM substringData() heap overflow - passed
* Passed Mozilla crashes with evidence of memory corruption (rv:1.8.1.5) - passed
* Passed Opera JavaScript invalid pointer arbitrary code execution - passed
* Passed Apple QuickTime MOV file JVTCompEncodeFrame heap overflow - passed
* Passed Mozilla code execution via QuickTime Media-link files - passed
* Passed Mozilla crashes with evidence of memory corruption (rv:1.8.1.8) - passed
* Passed Mozilla memory corruption vulnerabilities (rv:1.8.1.10) - passed
* Passed Mozilla crashes with evidence of memory corruption (rv:1.8.1.12) - passed
* Passed Apple QuickTime 'QTPlugin.ocx' ActiveX Control Multiple Buffer Overflows - passed
* Passed Window location property cross-domain scripting - passed
* Passed Mozilla Firefox MathML integer overflow - passed
* Passed Internet Explorer XML nested SPAN elements memory corruption - passed

Congratulations! The test has found no vulnerabilities in your browser!


Try it for yourself




Re: Browser Security Test
Posted by: Arrow
Date: February 24, 2009 04:05AM

IE7 and The WorldBrowser also pass all their tests :D

Quote

Mozilla crashes with evidence of memory corruption - passed
Internet Explorer bait & switch race condition - passed
Mozilla crashes with evidence of memory corruption - passed
Internet Explorer createTextRange arbitrary code execution - passed
Windows MDAC ADODB ActiveX control invalid length - passed
Adobe Flash Player video file parsing integer overflow - passed
XMLDOM substringData() heap overflow - passed
Mozilla crashes with evidence of memory corruption (rv:1.8.1.5) - passed
Opera JavaScript invalid pointer arbitrary code execution - passed
Apple QuickTime MOV file JVTCompEncodeFrame heap overflow - passed
Mozilla code execution via QuickTime Media-link files - passed
Mozilla crashes with evidence of memory corruption (rv:1.8.1.8) - passed
Mozilla memory corruption vulnerabilities (rv:1.8.1.10) - passed
Mozilla crashes with evidence of memory corruption (rv:1.8.1.12) - passed
Apple QuickTime 'QTPlugin.ocx' ActiveX Control Multiple Buffer Overflows - passed
Window location property cross-domain scripting - passed
Mozilla Firefox MathML integer overflow - passed
Internet Explorer XML nested SPAN elements memory corruption - passed
Congratulations! The test has found no vulnerabilities in your browser!

I think maybe we need to up the ante.

Re: Browser Security Test
Posted by: guenter
Date: February 24, 2009 04:15AM

It is more safe than official.

Try to reach the following pages that have something wrong with their security certificates:

https://www.mrtech.com/forums/index.php?action=printpage;topic=126.0 / mismatch
https://group.nctu.edu.tw / expired
https://oim.grid.iu.edu/gocticket/viewer?id=4873 / unknown

Reason for the behaviour: missing certificate menus, so the browser cannot ask you to OK.

Re: Browser Security Test
Posted by: disrupted
Date: February 24, 2009 05:06AM

guenter, i was wondering if the next km will use the same certificate error pages as ff gre 1.9, 1.9.1.. or will use the old dialogs of 1.8, i really hate those error pages and prefer the dialogs because they are far more informative..

i don't know why mozilla chose those dumb neterror pages over the proper dialogs.. but it could be something related with google.. since the 'get me out of here' button sends you directly to google



more and more i feel there are so many loose ends in gre 1.9+.. i don't care about the unstable tracemonkey speed gain. km 1.5.2 is perfection and i'm afraid 1.9 geckos will just make km less than perfect :mad:

i really hate to see anything changed in kmeleon just because it's tied to their gre

PETITION: please use same old proper error dialogs in next kmeleons

Re: Browser Security Test
Posted by: guenter
Date: February 24, 2009 07:29AM

Means that I have a problem - since I have not seen all of that dialog with 1.6.

Re: Browser Security Test
Posted by: guenter
Date: February 24, 2009 11:16AM

I want the FPox3/SeaMonkey2 toolkit page to signal what is wrong and that it can open the current accept dialog. I will try to find out how this can be done; if I fail, one with more XUL knowledge should try.

p.s. IMHO K-Meleon should remain a browser not become a baby pamper.

It is up to the user to make sure what is wrong!
Or accept because it's his Alma Mater or he comes from Google.

Re: Browser Security Test
Posted by: disrupted
Date: February 24, 2009 11:44AM

Quote
guenter

p.s. IMHO K-Meleon should remain a browser not become a baby pamper.

It is up to the user to make sure what is wrong!
Or accept because it's his Alma Mater or he comes from Google.

exactly! and those invalid cert pages can actually do more harm.. they contain vague information about what is wrong and, unlike a proper warning message/dialog, don't emphasise the seriousness of an invalid certificate.. instead of properly overriding your browser and halting all connections and surfing, it opens a nice page in a tab with an airport policeman telling you.. you'd better go to google.

Re: Browser Security Test
Posted by: disrupted(blocked)
Date: February 24, 2009 01:22PM

apparently this thing has been on for a while.. i have not been aware of it, living on the tiny kmeleon planet :)... although i did test out ff3 when it first came out but it was a very brief test and then trash

this thing first started (error page for certs) with ie7 and it appears ff3 copied them, apparently as you've mentioned it's a nanny thing.. you're naive and we will treat you as such.

first the error page.. no info
advise to go to google
or accept, you go through other steps until eventually you get the acceptance dialog displaying all proper info and view certificate

for some weird reason, i couldn't get to the other steps in my firebloat.. when i click "add exception" nothing happens so there's something wrong with it, could be due to not being installed and just extracted... but that doesn't make sense, i might have unwittingly deleted some chrome while porting it to km 1.6

i don't know if this will work in km.. the testing chrome doesn't show any buttons, maybe it's time to use those embedded warnings inside the exe.. i hope it's possible to trigger them from the mozillaclasswindow .. i think they are way better than xul warnings

related links:
http://blog.verwilst.be/2008/03/01/firefox-3-ssl-certificate-warnings-confusing/
http://blog.archive.jpsykes.com/178/firefoxs-invalid-security-certificate/index.html

this one is very interesting: (and not surprising)
https://bugs.launchpad.net/xulrunner/+bug/236610/+viewstatus
http://tech.slashdot.org/article.pl?sid=08/08/22/1139236
http://www.osnews.com/story/20230/Firefox_3_0_s_SSL_Certificate_Interface_Meets_Resistance

there's a more serious problem than dialog or webpage, from what i read.. this thing is so annoying to some that some are disabling it altogether with some setting in about:config or an extension
http://www.sslshopper.com/article-more-discussion-about-how-firefox-3-handles-ssl-certificates.html
http://forums.mozillazine.org/viewtopic.php?f=29&t=651994&start=0&st=0&sk=t&sd=a
http://www.neowin.net/forum/index.php?showtopic=704912

-currently using opera because forum won't let me in using kmeleon!! the irony

Re: Browser Security Test
Posted by: Yogi
Date: February 24, 2009 03:19PM

Mozilla becomes more and more intrusive pretending to protect the user, with dual-purpose features presented as user conveniences and benefits to data-miners, and encroaching on user control:

- Firefox 2 -

auto-download on adding bookmark >>
>>Microsummaries
This feature is not disclosed to users neither can it be turned off. (source

Firefox 2.0 may actually send and receive data over the internet as soon as it's started - even if the home page is blank or local, update features are turned off, anti-phishing feature is turned off, etc..>>
>> Why does FF 2.0 need DNS prior to any visible external reque

Re: Browser Security Test
Posted by: disrupted
Date: February 25, 2009 02:54AM

true yogi.. i noticed this 'calling home' thing with ff since 1.5.. and i watched it evolve with their next versions.

i always set ff to open blank page homepage and then fire a net monitor and watch it connect to 4 different servers.

it's not an update check thing either because i disable that and no matter what configs i change according to their forums it still connects without me asking.. firebird phoenix was their only browser that didn't do that..and maybe a few of their early beta releases do not have that ugly habit.

the first firefoxes only called mozilla.. since version 3 they connect to mozilla, and google(i assume for updating phishing list) and a couple of other servers i haven't bothered to trace them... but the point is..this is a browser, it shouldn't initiate a connection unless you tell it so. now that new gre has all loads of crap, especially the new certs thing.. i can only imagine what the devs will have to go through just to make it behave for kmeleon.. ff is becoming more and more painful with every release and every gre... the epiphany folks were right to migrate to webkit.

on slashdot, there's a guy that summed it best


Quote
anonymous coward
Before all the security fanatics start telling everyone to "just spend ten bucks on a cert"...

1. Embedded appliances (you know, the hundreds of millions of routers, firewalls, etc.) cannot use an authority cert. The choice is between self-signed and no encryption only, and Firefox is pushing manufacturers towards the less secure option.

2. Typically, you first encounter a self-signed cert in a secure context (for example, setting up such an appliance by plugging it directly into your PC and visiting the web interface). After that, all you care about is whether the cert changes. The whole man-in-the-middle thing is NOT a guaranteed problem with self-signed certs.

3. Real cert authorities are not the invulnerable swiss banks everyone thinks they are. They can and have issued certs when they shouldn't have. And that isn't just new certs; last week there was a story about a Firefox-trusted cert authority that issued a Microsoft live.com domain cert to someone. So those who think authority certs are secure are deluding themselves.

In the end, Firefox's current behavior does not promote security; it simply makes life hard and annoying for legitimate users.


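As an added Python example (not code from this thread, from K-Meleon or from Mozilla), the two checks this discussion turns on: classifying a peer certificate into the three failure modes guenter lists earlier (mismatch, expired, unknown issuer), using the dict layout Python's ssl.getpeercert() returns, and the trust-on-first-use pinning that the quoted Slashdot comment describes for self-signed appliance certificates. The root-store set, certificate values and DER bytes are constructed sample data, not real certificates.

```python
import hashlib
import ssl
import time

# Assumption: a stand-in for the browser's root store (real browsers ship hundreds of roots).
TRUSTED_ISSUER_CNS = {"Example Root CA"}

def sample_cert(cn, issuer_cn, not_before, not_after, sans):
    """Constructed certificate in the dict layout ssl.SSLSocket.getpeercert() returns."""
    return {"subject": ((("commonName", cn),),),
            "issuer": ((("commonName", issuer_cn),),),
            "notBefore": not_before, "notAfter": not_after,
            "subjectAltName": tuple(("DNS", s) for s in sans)}

def _issuer_cn(cert):
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def _name_matches(pattern, hostname):
    # Exact match, or a wildcard covering exactly one leading label (*.example.com).
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    return len(p) == len(h) and (p[0] == "*" or p[0] == h[0]) and p[1:] == h[1:]

def classify(cert, hostname, now=None):
    """Return 'mismatch', 'expired', 'unknown' (untrusted issuer) or 'ok' for a peer cert."""
    now = time.time() if now is None else now
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(_name_matches(n, hostname) for n in names):
        return "mismatch"  # certificate was issued for a different host name
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    if not start <= now <= end:
        return "expired"  # outside the validity window
    if _issuer_cn(cert) not in TRUSTED_ISSUER_CNS:
        return "unknown"  # self-signed, or signed by a CA outside the root store
    return "ok"

class PinStore:
    """Trust-on-first-use: remember the certificate seen on first contact, flag any change."""

    def __init__(self):
        self.pins = {}  # hostname -> SHA-256 of the DER-encoded certificate

    def check(self, hostname, der_bytes):
        fp = hashlib.sha256(der_bytes).hexdigest()
        known = self.pins.get(hostname)
        if known is None:
            self.pins[hostname] = fp  # first contact, e.g. appliance set-up over a direct link
            return "pinned"
        return "unchanged" if known == fp else "changed"  # changed: stop and investigate
```

The "unknown" verdict is exactly the case the Slashdot comment is about: for a self-signed appliance certificate the pin store, not the root store, is what detects a swapped certificate on later visits.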
Re: Browser Security Test
Posted by: disrupted
Date: February 25, 2009 03:15AM

johnathan nightingale is the "genius" behind the new dumb certs.. ironically since it's so obnoxious (and obviously due to pressure from lots of users), he wrote an extension to override it!
https://addons.mozilla.org/en-US/firefox/addon/6843
..and warns you it's a terrible idea.

it is a terrible idea johnathan.. but i'm not sure which is more terrible, this stupid and extremely risky extension or the original cert warnings he designed in the first place.

idiot.....

Re: Browser Security Test
Posted by: disrupted
Date: February 28, 2009 03:21PM
Re: Browser Security Test
Posted by: AirSpirit
Date: March 01, 2009 10:56AM

Good day!
http://www.info-svc.com/news/2008/12-12/
On this page you can view results of browsers' password manager tests. They're sad :(
Also there is a link to the test
http://www.info-svc.com/news/2008/12-12/pm-evaluator/
K-Meleon has many vulnerabilities too.
What do you think about it?

Re: Browser Security Test
Posted by: guenter
Date: March 01, 2009 07:36PM

Quote
AirSpirit
K-Meleon has many vulnerabilities too.

What do you think about it?

1.) K-Meleon would be as bad or good as Firefox :(
Seems to be state of the art. But is not really good.

2.) I start an extra session that uses Roboform when I go banking.
Lets hope that is sufficient.

Re: Browser Security Test
Posted by: ndebord
Date: March 01, 2009 09:15PM

Guenter,

You're using RoboForm with 1.5.2?

N

Re: Browser Security Test
Posted by: AirSpirit
Date: March 01, 2009 09:54PM

Quote
guenter
1.) K-Meleon would be as bad or good as Firefox :(
I used to think that K-Meleon uses its own password manager (because the password manager isn't a part of Gecko). Am I wrong?

Re: Browser Security Test
Posted by: guenter
Date: March 02, 2009 12:48AM

Quote
ndebord
Guenter,

You're using RoboForm with 1.5.2?

Yes, why should I not use Roboform with 1.5.2? I have used it since 1.0.x :D

IFF you want to use it: just install the 1.1.x version & delete the kmm.

Next create a session with two tabbed items.

1.) chrome://roboform/content/roboNavigatorOverlay.xul

2.) Bank at what's-de-mc-call it com.

Cave: never use 1.). You can leave it open, but do not surf with it.
I use a/the auto fill setting. After I initiated the sign in my Roboform pops up and is clicked to sign in.


BTW. Normally 1.) will load faster - if not, reopen session.
A local resource in chrome will load faster (mostly but not always).

The kmm currently does not work. I posted the how-to without kmm several times.


Quote
AirSpirit
I used to think that K-Meleon uses its own password manager (because the password manager isn't a part of Gecko). Am I wrong?

1.) You are absolutely right, Roboform is no part of Gecko.

2.) To explain. I use K-Meleon's manager to come here. And for many other things. But I use the free version of a dedicated password manager to do banking.


p.s. The Roboform Development Team says they do not support K-Meleon. :(

PPL here do. I use a clumsy hack & it works. :P




Re: Browser Security Test
Posted by: ndebord
Date: March 02, 2009 04:28PM

Guenter,

Thanks. I do vaguely remember yours (and Alain's) posts on Roboform and recall deciding to walk away from it until such time as their developers woke up and supported KM. Guess that will never come to pass. <sigh> So thanks for the tips. I've got it working now!!!

N

Re: Browser Security Test
Posted by: ndebord
Date: March 02, 2009 04:29PM

Guenter,

I've never liked letting any password manager handle my banking. I just type the info in each time. However, if there were a secure (really good encryption) password manager out there, I could be persuaded to change my ways. <g>

N

Re: Browser Security Test
Posted by: guenter
Date: March 02, 2009 10:51PM

Quote
ndebord
I just type the info in each time.

if there were a secure (really good encryption) password manager out there

1.) I do not like that - nowadays there are trojans that can intercept key input.


2.) No idea how good it is - but Roboform's master pass?

Re: Browser Security Test
Posted by: caktus
Date: March 04, 2009 03:39PM

It stopped at #10 telling me it could not continue the tests because I do not have QuickTime, which I have no intention of downloading let alone installing. Then later it informs me that I passed all 18 tests. I guess KM is smarter than the tests. :P

* Passed Mozilla crashes with evidence of memory corruption - passed
* Passed Internet Explorer bait & switch race condition - passed
* Passed Mozilla crashes with evidence of memory corruption - passed
* Passed Internet Explorer createTextRange arbitrary code execution - passed
* Passed Windows MDAC ADODB ActiveX control invalid length - passed
* Passed Adobe Flash Player video file parsing integer overflow - passed
* Passed XMLDOM substringData() heap overflow - passed
* Passed Mozilla crashes with evidence of memory corruption (rv:1.8.1.5) - passed
* Passed Opera JavaScript invalid pointer arbitrary code execution - passed
* Passed Apple QuickTime MOV file JVTCompEncodeFrame heap overflow - passed
* Passed Mozilla code execution via QuickTime Media-link files - passed
* Passed Mozilla crashes with evidence of memory corruption (rv:1.8.1.8) - passed
* Passed Mozilla memory corruption vulnerabilities (rv:1.8.1.10) - passed
* Passed Mozilla crashes with evidence of memory corruption (rv:1.8.1.12) - passed
* Passed Apple QuickTime 'QTPlugin.ocx' ActiveX Control Multiple Buffer Overflows - passed
* Passed Window location property cross-domain scripting - passed
* Passed Mozilla Firefox MathML integer overflow - passed
* Passed Internet Explorer XML nested SPAN elements memory corruption - passed

Charlie

~~If it ain't broke, why screw it up?~~


Re: Browser Security Test
Posted by: desga2
Date: April 26, 2009 04:23PM

Certificate errors in SeaMonkey 2.0a3 are similar to Firefox 3.1b3.
This is how these certificate errors show in K-Meleon 1.6 preview with SeaMonkey 2.0a3 chrome:
cert_invalid.jpg
expired_certificate.jpg
untrusted_issuer.jpg

K-Meleon in Spanish

Re: Browser Security Test
Posted by: disrupted
Date: April 26, 2009 04:56PM

Quote
desga2
Certificate errors in SeaMonkey 2.0a3 are similar to Firefox 3.1b3.
This is how these certificate errors show in K-Meleon 1.6 preview with SeaMonkey 2.0a3 chrome:
cert_invalid.jpg
expired_certificate.jpg
untrusted_issuer.jpg

think i'll stick to gecko 1.8, don't like nannies

