Discussion in 'other software & services' started by JRViejo, Mar 18, 2014.
I do NOT like the changes they have made to the Search box.
If like me you don't like the new Search UI, instructions here to return it to the old one.
FYI. Mozilla Firefox, Portable Edition 36.0 (web browser) Released, courtesy of PortableApps.com.
Finally, addons can now show the used TLS version on an HTTPS site.
Well, in my case it says this:
"The procedure entry point GetLogicalProcessorInformation could not be located in the dynamic link library KERNEL32.dll.", Windows XP Professional Service pack 3.
Can you say which addons show TLS version?
At least the current Cipherfox can already do it, it looks like Calomel needs to be updated first.
You need to go in Cipherfox options and add the $PROTOCOL string, for example:
Firefox ESR 31.5.0 released.
Download Firefox Extended Support Release in your language.
Security Advisories for Firefox ESR.
Also, Mozilla Firefox ESR, Portable Edition 31.5.0 (web browser) Released, courtesy of PortableApps.com.
CWS, this guy solved a somewhat similar issue with Firefox after installing SP3. Since you are using SP3, perhaps your computer is missing a file or an update for Firefox 36 to work on that computer.
You could go back in versions using Firefox Extended Support Release and see what happens next time it updates. This might work for you. FWIW, Firefox 36 works fine in my XP. I haven't upgraded in W7 yet.
Firefox 36.0 requests a firewall exception which has not been seen previously.
There is no reason why your Browser should require a permanent pinhole in the Windows Firewall.
I have alerted Mozilla via Twitter and am waiting to hear back. The emphasis here is that Mozilla have not come clean with what they were delivering to us by way of changes made to this new version.
I view this as a serious privacy and security breach as millions of users use Firefox as a primary web Browser.
Interesting, I did not get this pop-up when installing the FF 37 beta version.
I tried several registry tricks; what I did is that I created some tricks where instead of Service Pack 3 I put it back to Service Pack 2. Now I did manage to update to MF (MF = Mozilla Firefox) 36, and it worked for a short time, until the connection to the internet broke. It's a funny thing that my other web browsers like Google Chrome and Internet Explorer were connecting just fine, but Firefox 36 could not!
So this is directly Firefox's problem. I even checked my Windows files with System File Checker; everything was fine and no file was missing. This is Mozilla's own fault, and I truly hope they will solve this.
Before that there have never been problems with updates, so my conclusion is this is directly Firefox's fault, not mine. It's not my error here, it's Firefox's error.
In the end I had to go back to version 35.0.1, where everything worked just fine.
Bug or not?
Thanks for the details. I changed the cipher string and cert entries to match your screenshot and CipherFox now shows the TLS version.
I see that you unchecked the "show Builtin Object Token Certificate Authorities in chain" option and checked "disabled RC4 cipher". Why is that preferable? When I disabled the RC4 cipher I got a popup saying it could make me vulnerable to the "Beast attack"...?
By the way, I was going to contact the calomel.org folks, but they have an obscure contact routine. This is from their contact instructions:
"run the following shell code and send your email to the result"
echo 'rznvy1gb:email@example.com' | tr '1?a-z%#' ' .n-za-m'
I don't remember unchecking "show Builtin Object Token Certificate Authorities in chain", perhaps it was default unchecked in the version I installed in the past. When you click on the cipher details it shows the certificate details, if this is checked it also shows details of other certificates in the chain.
The BEAST attack is an attack against a vulnerability in CBC mode ciphers (such as 3DES and AES, but not AES-GCM). Since RC4 is not a CBC mode cipher, it was not vulnerable and was advised as a quick fix back then. Most major browsers have implemented 1/n-1 record splitting as a workaround for BEAST, and TLS 1.1 and higher are not even vulnerable to BEAST, so it is not much of a problem anymore. RC4 was already cryptographically weaker than 3DES and AES, and attacks have become more practical over the past years, so it is being phased out. Since this version, Firefox is also trying to minimize RC4 usage:
"No longer accept insecure RC4 ciphers whenever possible" and SSL Labs server test limits servers to a B rating if they offer RC4.
IETF - Prohibiting RC4 Cipher Suites
I'm not sure how to solve Calomel's contact routine. I thought it might be easier to submit an addon review to AMO, but their most recent response there is from 2011.
EDIT: Got someone to solve their email address for me. If you want it, please PM me so they won't be spammed.
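The BEAST and RC4 reasoning in the post above can be turned into a small check over the protocol and cipher suite that an add-on reports per connection. This is an added example, not part of the thread or of any add-on's code; it assumes IANA-style suite names, and the function names, finding labels and hosts are constructed for illustration.

```python
# Added example: audit negotiated TLS parameters using the reasoning above.
# Assumption: suite names are IANA-style (TLS_..._WITH_...); labels are ours.

# Protocols whose CBC records chain from a predictable IV (BEAST applies).
PREDICTABLE_IV_PROTOCOLS = {"SSLv3", "TLSv1.0"}

def classify(protocol, suite):
    """Return the set of findings for one (protocol, cipher suite) pair."""
    parts = suite.upper().split("_")
    findings = set()
    if "RC4" in parts:
        # Stream cipher: not affected by BEAST, but weak and being phased out.
        findings.add("rc4")
    if "CBC" in parts and protocol in PREDICTABLE_IV_PROTOCOLS:
        # Relies on the client's 1/n-1 record split to blunt BEAST.
        findings.add("beast-cbc")
    return findings

def split_1_n_minus_1(plaintext):
    """1/n-1 record splitting: first byte alone, the rest in a second record."""
    if len(plaintext) <= 1:
        return [plaintext]
    return [plaintext[:1], plaintext[1:]]

def audit(connections):
    """Map each host to its sorted findings; hosts with none are omitted."""
    report = {}
    for host, protocol, suite in connections:
        findings = classify(protocol, suite)
        if findings:
            report[host] = sorted(findings)
    return report

# Constructed sample data (placeholder hosts, not real observations).
SAMPLE = [
    ("a.example", "TLSv1.0", "TLS_RSA_WITH_RC4_128_SHA"),
    ("b.example", "TLSv1.0", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"),
    ("c.example", "TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"),
    ("d.example", "TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
]

if __name__ == "__main__":
    for host, findings in audit(SAMPLE).items():
        print(host, findings)
```

The same CBC suite is flagged under TLS 1.0 but not under TLS 1.2, which is the distinction the post draws; the GCM suite raises nothing.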
I had this with 1 user this morning but I have not seen it on any other machines. I guess we'll see how this plays out.
Many are reporting the Firewall breach but no one from Mozilla has responded in a way users can understand. More as I know more.
Going back as far as last August, the Mozilla devs are openly discussing this issue in the bug reports ronjor links to above and here:
ronjor's links from above:
It sounds like the firewall pop up after installation is necessary for Firefox's new video chat feature, Hello, to work (which stands to reason, a chat client couldn't work without it).
It used to be that the firewall rules were created during Firefox setup/install, while the installer had been given administrator privileges. But that changed and now Firefox is asking permission at first startup after install. So one could argue Firefox is being more transparent about what privileges it needs, although, if I'm understanding correctly, it sounds like this change was more inadvertent than deliberate. In any case, Firefox is not doing anything it didn't already do. Presumably Skype and any other chat clients also have similar privileges, you just don't notice because the firewall rules are created when you install the program and grant the installer administrative privileges.
I don't think Mozilla is doing anything nefarious or under cloak of darkness. Heck for closed source programs (IE, Skype), you'd never even see the bug reports openly discussed by devs in public.
Yes, Calomel has updated the SSL Validator extension to show TLS version as part of the score.
It gets better; the folks at Calomel said:
"In Firefox 37 Developer tools we are getting a new security panel
which also shows HSTS and Public Key Pinning status.
We should be able to get the addon to display the same information"
Victek, you can also read about this here: Post. It's pretty good.
I have installed Mozilla Firefox ESR 31.5.0 on my Windows XP Professional Service Pack 3, everything was installed correctly, and Mozilla Firefox ESR 31.5.0 is opening and running just fine, correctly as it should!
Mozilla Firefox 36.0 has that problem with kernel32.dll, that says it is missing but that's not true, because I checked 6 times already, it's a bug with Mozilla Firefox 36.0.
I wonder if Mozilla Firefox ESR 31.5.0 also has sandbox, like Mozilla Firefox 36.0 does?