<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>security on Oxymoronical</title>
    <link>https://www.oxymoronical.com/blog/tag/security/</link>
    <description>Recent content in security on Oxymoronical</description>
    <generator>Hugo</generator>
    <language>en-us</language>
    <lastBuildDate>Mon, 03 Sep 2007 23:49:14 +0000</lastBuildDate>
    <atom:link href="https://www.oxymoronical.com/blog/tag/security/feed/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Add-on Security Restrictions Landed</title>
      <link>https://www.oxymoronical.com/blog/2007/09/Add-on-Security-Restrictions-Landed/</link>
      <pubDate>Mon, 03 Sep 2007 23:49:14 +0000</pubDate>
      <guid>https://www.oxymoronical.com/blog/2007/09/Add-on-Security-Restrictions-Landed/</guid>
      <description>&lt;p&gt;I have just checked in &lt;a href=&#34;https://bugzilla.mozilla.org/show_bug.cgi?id=378216&#34; title=&#34;Disable insecure extension updates by default&#34;&gt;Bug 378216&lt;/a&gt;, and wanted to give a quick heads up on it.&lt;/p&gt;&#xA;&lt;p&gt;What this means is that we are now enforcing a security restriction on all add-ons. To be specific, if an add-on does not provide a secure method of auto-updating then by default Firefox will refuse to install the add-on. If you have add-ons already installed that are insecure in this way then they will be automatically disabled.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Practice what you Preach</title>
      <link>https://www.oxymoronical.com/blog/2007/08/Practice-what-you-Preach/</link>
      <pubDate>Sun, 19 Aug 2007 17:47:08 +0000</pubDate>
      <guid>https://www.oxymoronical.com/blog/2007/08/Practice-what-you-Preach/</guid>
      <description>&lt;p&gt;One of the main parts of my work for Mozilla at the moment is about &lt;a href=&#34;http://wiki.mozilla.org/User:Mossop:Fx-Docs:AddonUpdateSecurity&#34;&gt;securing add-on updates&lt;/a&gt;. The spec is now pretty near complete and the implementation is also pretty much complete so hopefully we can start pushing out the necessary tools to add-on authors real soon then land the work shortly after.&lt;/p&gt;&#xA;&lt;p&gt;Of course it wouldn’t be right for me to push this out without first making my own extensions comply with the new requirements. So today I am rolling out updates to all of them, mostly just changing the update url to an SSL one, though a couple of the extensions (&lt;a href=&#34;https://www.oxymoronical.com/web/firefox/nightly&#34;&gt;Nightly Tester Tools&lt;/a&gt; and &lt;a href=&#34;https://www.oxymoronical.com/web/firefox/FindBarRX&#34;&gt;/Find Bar/&lt;/a&gt;) have some additional updates.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Securing Add-on Updates</title>
      <link>https://www.oxymoronical.com/blog/2007/07/Securing-Add-on-Updates/</link>
      <pubDate>Sun, 01 Jul 2007 00:00:00 +0000</pubDate>
      <guid>https://www.oxymoronical.com/blog/2007/07/Securing-Add-on-Updates/</guid>
      <description>&lt;p&gt;Since the disclosure of potential vulnerabilities in the way Firefox (and other Mozilla applications) automatically update your add-ons we have been discussing how to tighten up the system in a way that is hopefully unnoticeable to users and not much extra work for add-on authors.&lt;/p&gt;&#xA;&lt;p&gt;After a process of listening to authors on the newsgroups, forums and by email we now have a &lt;a href=&#34;http://wiki.mozilla.org/User:Mossop:Fx-Docs:AddonUpdateSecurity&#34;&gt;rough proposal&lt;/a&gt; of what changes we are looking to make. There are still a few minor details to be ironed out of course. This is mainly of interest to add-on authors since there is an impact depending on how you host your updates. I’ve started threads on the &lt;a href=&#34;http://groups.google.com/group/mozilla.dev.extensions/browse_frm/thread/a29f213e165d8267/93a7917b0c1e63c3&#34;&gt;newsgroup&lt;/a&gt; and &lt;a href=&#34;http://forums.mozillazine.org/viewtopic.php?p=2927908&#34;&gt;forums&lt;/a&gt; so if you want to discuss the proposal there then that’d be good. I’d prefer it if you didn’t edit the main page of the wiki but feel free to stick small comments onto the discussion page.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Why would you want a decent password? It&#39;s only money!</title>
      <link>https://www.oxymoronical.com/blog/2007/06/why-would-you-want-a-decent-password-its-only-money/</link>
      <pubDate>Fri, 15 Jun 2007 22:22:41 +0000</pubDate>
      <guid>https://www.oxymoronical.com/blog/2007/06/why-would-you-want-a-decent-password-its-only-money/</guid>
      <description>&lt;p&gt;I guess it goes without saying that I’m fairly technically literate and as such I’m pretty well versed in both what makes a strong password and actually using them. I actually have a pair of passwords, one that I use for what I consider my more important logins (company accounts, servers and the like), and another that is for lesser services that if I lost or it got hacked then it wouldn’t be a major compromise of anything.&lt;/p&gt;</description>
    </item>
  </channel>
</rss>
