Mozilla/Issues


This page discusses current problems and possible better configuration settings. Note that this is NOT Bugzilla, the formal method for fixing problems in Mozilla; problems should be addressed there first.

These items are under discussion:

The Random Profile Directory Issue

Mozilla uses ~/.mozilla/defaults/<random-8>.<random-3> to save its profile information. This has no real use but to more easily distinguish users.

To remove this “functionality”:

  • edit ~/.mozilla/appreg
  • change the directory string which refers to that random character profile directory.
    • Change it to default/ and delete the random junk after it.
  • Move all those files from the random junk directory into default/.
  • Remove the junk directory entirely.

Why would this random junk directory name exist in the first place? Why would it continue to exist after years of use? It can’t be unintentional.

Followup: Under Firebird 0.61, ~/.phoenix/appreg has been encoded. This could only have been done to intentionally void the above security resolution. I’m jumping off the boat.

I am not certain (I am a security newbie) but I think it might have something to do with a thing called sym-link following. If I understand correctly it goes something like this: someone guesses what the filename of a file is going to be, so they put their own there with a sym-link to a file they want to overwrite. Then when Mozilla writes to that file it follows the sym-link and overwrites something important. The higher the privilege level of Mozilla the worse the potential problem.
Again, I am a security newbie so this could all be complete crap. Do some research and then get back to us. — nw
While I understand what you describe, I don’t understand how this applies. — Sy

RESPONSE

> found a long-lived, intentional, anonymity hole, I’m bailing out!

Could you specify what this is? I can’t figure it out from Mozilla/Talk. I have submitted two articles to Mozillazine in the past, I can get this – if it is an anonymity hole – fixed. And/or submit it as a bug. I don’t think the Mozilla project has any motivation to allow bad code. — Webfork
The “random” profile directory allows users to be more easily distinguished, if abused by malicious code. IIRC I had reported this a long long time ago, and nothing came of it. I’ve been forgiving in that Mozilla does have a known habit of leaving old problems unsolved.. =/ This potential problem may not even be acted upon, but that doesn’t matter.. since this is now not just unresolved but escalated by the obfuscation of a kludge fix, I’ve lost faith. In my mind the encoding act labels the random profile directory as intentional. Even if the problem is fixed I’m too unhappy with the history of Mozilla to trust it now. — Sy

PROJECT RESPONSE

Here’s an explanation for the hole in Mozilla from one of the project guys: Alex Bishop.

> Possible anonymity hole in Mozilla?
>
> A friend pointed me to this possible hole in Mozilla’s code. I am not
> technical enough to decipher it but I wanted to submit it to you guys,
> fearing that this might be something Microsoft or Apple’s Safari
> project could point to and say “See? Mozilla isn’t that great.” Can I
> get some feedback on this?
>
> “The random profile directory” issue
> http://takedown.net/wiki/wiki.pl?Mozilla/Talk
>
> “The “random” profile directory allows users to be more easily
> distinguished, if abused by malicious code. I had reported this a long
> long time ago, and nothing came of it.”

Actually, the random ‘salting’ of the profile directory is intended to increase privacy and security, not reduce it. It essentially makes the location of profile files unpredictable, reducing the risk that a security flaw could allow an attacker to access user data.

See bug 56002 <http://bugzilla.mozilla.org/show-bug.cgi?id=56002> for more details.

Alex

Alex Bishop
alex at mozillazine dot org
http://www.mozillazine.org/


Thank you for your feedback, Alex. I will add my comments to bug 97180 <http://bugzilla.mozilla.org/show-bug.cgi?id=97180>.

Doing some more research, it appears that this is another case where my very adamant personal preferences diverge from those of the Mozilla developers. This is an issue which hasn’t been addressed in a couple of years and, in my mind, is merely a configuration option away from resolution. Depressing. — Sy

Forced Homepage Issue

  • Change the settings to set a user homepage
  • Move ~/.mozilla to a backup
  • Start phoenix (note the forced homepage)
  • Exit
  • Delete ~/.mozilla
  • Restore the old ~/.mozilla
  • Start phoenix
    • Note the forced homepage even though the user’s setting is somewhere else

Mozilla has the ability to force interaction with a website, ignoring the user’s preference.
