David E. Ross wrote:
> On 7/9/2007 1:07 PM, Gervase Markham wrote:
>> Michael Vincent van Rantwijk, MultiZilla wrote:
>>> Hm, and where is this 15% coming from? Just another assumption?
>> It's a conservative estimate of the market share of Firefox.
>>
>> Gerv
>
> That implies the assumption that
On 7/9/2007 1:07 PM, Gervase Markham wrote:
> Michael Vincent van Rantwijk, MultiZilla wrote:
>> Hm, and where is this 15% coming from? Just another assumption?
>
> It's a conservative estimate of the market share of Firefox.
>
> Gerv
That implies the assumption that ALL Firefox users would the
Gervase Markham wrote:
> Michael Vincent van Rantwijk, MultiZilla wrote:
>> Note that we asked (per e-mail) the top 500 download sites, and most
>> of them prefer to wait and see what Link Fingerprinting is and can do
>> for them, because so far nobody really believes that it will do any
>> good
Gervase Markham wrote:
> Michael Vincent van Rantwijk, MultiZilla wrote:
>> Hm, and where is this 15% coming from? Just another assumption?
>
> It's a conservative estimate of the market share of Firefox.
Ah, so in some countries it will be even higher. That sounds promising.
Nils Maier wrote:
> Michael Vincent van Rantwijk, MultiZilla wrote:
>> Note that we asked (per e-mail) the top 500 download sites, and most of
>> them prefer to wait and see what Link Fingerprinting is and can do for
>> them, because so far nobody really believes that it will do any good for
>> t
Michael Vincent van Rantwijk, MultiZilla wrote:
> Hm, and where is this 15% coming from? Just another assumption?
It's a conservative estimate of the market share of Firefox.
Gerv
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https
Michael Vincent van Rantwijk, MultiZilla wrote:
> Note that we asked (per e-mail) the top 500 download sites, and most of
> them prefer to wait and see what Link Fingerprinting is and can do for
> them, because so far nobody really believes that it will do any good for
> them, but that it will a
Michael Vincent van Rantwijk, MultiZilla wrote:
> Note that we asked (per e-mail) the top 500 download sites, and most of
> them prefer to wait and see what Link Fingerprinting is and can do for
> them, because so far nobody really believes that it will do any good for
> them, but that it will ad
Gervase Markham wrote:
> Nelson B wrote:
>> One needs a trusted source AND a trusted channel to that source.
>
> Yes, although there's also a "herd immunity" feature, as I discuss below.
>
> At the moment, spotting things like the Wordpress download tarball
> trojan took quite a while, because s
On 7/2/2007 2:39 AM, Gervase Markham wrote [in part]:
> At the moment, spotting things like the Wordpress download tarball
> trojan took quite a while, because someone had to bother to check the
> code against the published MD5sum manually - and who does that? Maybe
> just you :-)
When an MD5 o
Nelson B wrote:
> One needs a trusted source AND a trusted channel to that source.
Yes, although there's also a "herd immunity" feature, as I discuss below.
At the moment, spotting things like the Wordpress download tarball
trojan took quite a while, because someone had to bother to check the
c
Gervase Markham wrote:
> Nelson B wrote:
>> Unless the page that contains that link is an https page, to substitute a
>> trojan, an attacker need only substitute his own URL for the original
>> page's URL while the page is in transit. A proxy server is a perfect
>> place to perform such an MITM at
Kyle Hamilton wrote:
> You could just as easily have a 'trusted source' by allowing the
> plug-in author to add their own 'updates to this plugin will come signed
> by *this* key' certificates to the other certificates' keystore.
[Note: This thread has morphed into a general discussion of Link
Finge
I must point something out here.
You could just as easily have a 'trusted source' by allowing the
plug-in author to add their own 'updates to this plugin will come signed
by *this* key' certificates to the other certificates' keystore.
This would minimize all of the problems of mozilla.org being att
On 6/24/2007 8:49 PM, Justin Dolske wrote [in part]:
> David E. Ross wrote [also in part]:
>> I much more favor providing both the target file and a separate file
>> containing the hash, as is done on the Mozilla FTP site.
>
> And how do you verify the contents of the hash file? Another hash file?
Justin Dolske wrote:
> David E. Ross wrote:
>
>
>> For example, a hash mismatch would cause the downloaded file to be
>> deleted. Also a misformed hash would block downloading. Both of these
>> create denial-of-service opportunities; all a hacker has to do is alter
>> the hash in the anchor (
Nelson B wrote:
> Unless the page that contains that link is an https page, to substitute a
> trojan, an attacker need only substitute his own URL for the original
> page's URL while the page is in transit. A proxy server is a perfect
> place to perform such an MITM attack. Http pages with login
David E. Ross wrote:
> The page also proposes some implementation details that are troublesome.
> For example, a hash mismatch would cause the downloaded file to be
> deleted. Also a misformed hash would block downloading. Both of these
> create denial-of-service opportunities; all a hacker has
David E. Ross wrote:
> For example, a hash mismatch would cause the downloaded file to be
> deleted. Also a misformed hash would block downloading. Both of these
> create denial-of-service opportunities; all a hacker has to do is alter
> the hash in the anchor (link) that would be used to initi
On 6/23/2007 2:31 PM, Nelson B wrote:
> Gerv, Your web page http://www.gerv.net/security/link-fingerprints/
> doesn't provide any obvious channel for feedback or public discussion
> of that proposal, that I can see. So, I'm using this channel.
>
> The page makes certain claims that I don't belie
Gerv, Your web page http://www.gerv.net/security/link-fingerprints/
doesn't provide any obvious channel for feedback or public discussion
of that proposal, that I can see. So, I'm using this channel.
The page makes certain claims that I don't believe. Here's one.
> To substitute a trojan, the
21 matches