
New Firefox Version Fixes 8 Security Holes

Mozilla on Tuesday released updates to fix at least eight security vulnerabilities in its Firefox Web browser and related software. Five of the eight flaws received a "critical" label, Mozilla's highest severity rating, meaning that an attacker could exploit them to run code of his choosing on a machine running a vulnerable version of the software, with no action on the user's part beyond visiting a booby-trapped Web page.

Patches are available for both the 1.5.x and 2.x versions of Firefox (as 1.5.0.9 and 2.0.0.1, respectively), each of which should automatically alert you when the updates are ready for installation. Users also can install updates by clicking on "Help" and then "Check for Updates." Some of the same updates also are available for Mozilla's Thunderbird e-mail client and its SeaMonkey Internet suite.

Mozilla did not address one particular flaw that has received quite a bit of press over the past month: a weakness in Firefox's password manager, known as the "reverse cross-site request" (RCSR) attack, that could be exploited to steal a victim's stored user names and passwords. The password manager decides whether to fill in a saved login based only on the site that served the page, not on where the form will send the data. So a login form slipped into user-generated content on a site that does not filter it out (a profile page, for example) can carry the auto-filled user name and password off to a server the attacker controls.

Dan Veditz, a member of Mozilla's security team, said the team members thought they had a fix for the password manager flaw ready a week ago Friday, but later learned that it really didn't solve the problem. He said Mozilla currently plans to ship a fix for the problem in January.

"It made the password manager pretty unusable," Veditz said. "It required a format change to the password manager file to store additional information, and doing that ran the risk of losing peoples' passwords, so we were very uncomfortable rushing it in and decided to hold off a bit."

One final note: If you're using a version of Firefox prior to 1.5 (see "Help," "About Firefox" to view the version number), then it's time to install Firefox 2.0. Mozilla long ago stopped supporting or shipping patches for any Firefox versions that begin with 1.0.

By Brian Krebs |  December 20, 2006; 9:10 AM ET Latest Warnings , Misc. , New Patches , Safety Tips

Comments




How worried should a Firefox user be about this password manager issue? I love using Firefox; should something like this change my mind?

Posted by: Borch | December 20, 2006 10:26 AM

I looked it up and found a new version of Thunderbird, which I guess I have no automatic update for and had to manually install. It was just a slight update, but why doesn't Mozilla offer an auto update for Thunderbird?

Posted by: jselt | December 20, 2006 10:31 AM

Borch said:
"How worried should a firefox user be about this password manager issue?"

I guess the first, and obvious, observation is that it doesn't affect you at all if you don't use the Firefox password manager. (The settings for this are under "Edit / Preferences" on the "Security" tab.) I love Firefox, too, but I don't use the password manager; I wouldn't use one from another browser either, just because of the risk of this kind of thing. (My best friend says I have a nasty, suspicious mind. ;-)

An alternative for keeping passwords, which seems to be quite secure, and has the additional advantage of being usable with any application, is PasswordSafe, originally by Bruce Schneier. Here is his page on it, with links for downloading:

http://www.schneier.com/passsafe.html

It keeps passwords in a file encrypted with the Blowfish algorithm, and is quite easy to use: you cut and paste passwords where they are needed, without ever displaying them "in the clear". The clipboard is cleared securely when the PasswordSafe window is minimized. The main version is for Windows, but there is a forked version for Linux as well.

Posted by: Rich Gibbs | December 20, 2006 12:05 PM

All I can say is thank you for kicking these Firefox guys in the tush and getting them to fix their browser, although it's been over a month that this password mgr. vulnerability has been around.

Do you know anything about this PasswordSafe?

Posted by: SPENCER ADAMS | December 20, 2006 12:18 PM

My FF 2.x "Check for Updates" update didn't properly install, so I had to download and reinstall the whole browser.

No biggie. I just keep FF around as an emergency backup browser. IE7 is my default browser of choice.

Posted by: JohnJ | December 20, 2006 12:40 PM

I ran FF update and only got to 1.5.9. How do I get 2.0?

Posted by: JMJ | December 20, 2006 1:01 PM

Go to this page...
http://www.mozilla.com/en-US/

to download FF 2.0.

Posted by: SanV | December 20, 2006 1:33 PM

I use Netscape which "emulates" (I guess that's the right word) Firefox. Do I need to do any updating in Netscape??? Thanks.

Posted by: rpcv84 | December 20, 2006 2:20 PM

I noticed after loading the latest FF patches, some sites don't load up at all without a manual refresh: Amazon was the worst - I had to keep hitting F5 over & over until the page loaded; another was ESPN Insider.

Anyhow, another great password safe is KeePass: http://keepass.sourceforge.net/

Open sourced & based on Bruce's fundamentals.

Posted by: Victor | December 20, 2006 2:39 PM

I have tried installing Firefox 2.0 a few times, but every time I install Firefox 2.0 the browser becomes very slow. I end up going back to 1.5 and that works fine. Anyone else having this same issue? I would like to move to Firefox 2.0 but cannot do so until it runs like 1.5. Any suggestions on resolving this issue?

Posted by: ms2481 | December 20, 2006 3:59 PM

Calling the RCSR attack a "flaw" or a "bug" in Firefox is a bit of a stretch. For one thing, Safari users are equally affected, IE users are almost equally affected, and even Opera users are somewhat affected. (See my comments in the bug report to understand why.)

More importantly, there is no good browser-side UI fix. Browser password management is one of the Web's few good defenses against phishing. Making it significantly less convenient to log into all web sites in order to make it slightly harder to pull off RCSR attacks on sites that decide to allow password fields in user-generated content just doesn't make sense.

The issue only affects a small number of sites that do inadequate filtering. MySpace was the only vulnerable site I'm aware of, and they've already fixed the problem.

Regarding Jake's argument on lwn that "Website operators should certainly be doing better filtering, but the browser is the agent that the user has entrusted with their passwords", I'd like to point out that RCSR problems in web sites are much less common than XSS bugs. Users have "entrusted" web browsers with their sessions and cookies, but that doesn't mean the browser is at fault when a site has an XSS flaw. What makes RCSR different?

It's possible that the "check the action URL's host+port+protocol" solution would work. But I think it would break too many sites (immediately and over the years) to be worth it. Either way, it requires a lot more testing than we would have been able to pull off before Firefox 2.0.0.1, which we wanted to release quickly in order to get fixes for actual security holes to users.

Posted by: Jesse Ruderman | December 20, 2006 5:33 PM
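The following is an added example, not Mozilla's code and not code from any commenter here. It is a toy model of the autofill decision at the center of the RCSR issue described in the post and in the comment above: the weak policy fills a saved login whenever the page's origin matches, while the hardened policy also applies the "check the action URL's host+port+protocol" rule the comment mentions. The site name, the stored credentials, the two page scenarios and the function names are all made up for illustration; the hardened check is one way to model that rule, not Mozilla's eventual patch.

```javascript
// Added example (not Mozilla's code): a toy model of the password-manager
// autofill decision behind the RCSR ("reverse cross-site request") issue.
// Saved logins are keyed by the origin (scheme + host + port) of the page
// that showed the login form. The weak policy fills any password field on
// a page with a matching origin; the hardened policy also requires the
// form's action URL to resolve to that same origin, so a login form that an
// attacker plants in user-generated content cannot ship the auto-filled
// credentials to another host. Runs under Node.js (uses the WHATWG URL class).

// Constructed sample store; the site name and credentials are made up.
const STORE = [
  { origin: "https://www.example-social.net", username: "alice", password: "hunter2" },
];

// Origin of an absolute URL, e.g. "https://www.example-social.net".
// The URL class drops default ports, so ":443" on https normalises away.
function originOf(url) {
  return new URL(url).origin;
}

// Weak policy (the behaviour under discussion): look only at the page origin.
// The form action is ignored entirely.
function autofillWeak(store, pageUrl, formAction) {
  const pageOrigin = originOf(pageUrl);
  return store.find((c) => c.origin === pageOrigin) || null;
}

// Hardened policy (the "check the action URL's host+port+protocol" idea):
// resolve the form action relative to the page, as a browser would, and
// refuse to fill unless it lands on the page's own origin.
function autofillHardened(store, pageUrl, formAction) {
  const pageOrigin = originOf(pageUrl);
  const actionOrigin = new URL(formAction, pageUrl).origin;
  if (actionOrigin !== pageOrigin) return null;
  return store.find((c) => c.origin === pageOrigin) || null;
}

// Two constructed scenarios.
// 1. The site's own login form: a relative action on the login page.
const GENUINE = {
  pageUrl: "https://www.example-social.net/login",
  formAction: "/session",
};
// 2. A form embedded in a user profile by an attacker: same page origin,
//    but the action points at the attacker's collector.
const INJECTED = {
  pageUrl: "https://www.example-social.net/profile/mallory",
  formAction: "http://attacker.example/collect",
};

// Reports which policies would hand the saved password to the given form.
function whoFills(scenario) {
  return {
    weak: autofillWeak(STORE, scenario.pageUrl, scenario.formAction) !== null,
    hardened: autofillHardened(STORE, scenario.pageUrl, scenario.formAction) !== null,
  };
}

console.log("genuine form :", whoFills(GENUINE));   // { weak: true, hardened: true }
console.log("injected form:", whoFills(INJECTED));  // { weak: true, hardened: false }
```

The hardened check is deliberately strict: a form whose action names a non-default port, or a different scheme, on the same host is refused as well, which is exactly the compatibility cost the comment above raises for sites that legitimately post logins to a separate authentication host. The server-side half of the defense, which the example does not model, is the filtering of form and password fields out of user-generated content.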

jselt said:
"It was just a slight update, but why doesn't MOzilla offer an auto update for Thunderbird?"

Thunderbird does have a "Check for Updates" option in the "Help" menu. I checked a bit earlier, on a Win XP machine with Thunderbird 1.5.0.8, and it told me that 1.5.0.9 was available.

If you are running on Linux as an ordinary user (as you should be), and the executable is installed for system-wide use (in a system directory like /usr/local/bin), then "Check for Updates" will be greyed out, because you can't install the update anyway.

Posted by: Rich Gibbs | December 20, 2006 6:33 PM

RE: ms2481's problem of 2.0 being very slow compared with 1.5. Try going to:

http://www.mozilla.com/en-US/firefox/2.0/releasenotes/

Read the information under the "Troubleshooting" section. I'd recommend making a backup copy of your bookmarks file and storing that copy somewhere safe before trying anything. But hopefully following their advice of disabling any extensions or creating a new profile will resolve your problem. If you still have no luck, try looking for someone with a similar problem here:

http://forums.mozillazine.org/viewforum.php?f=38

If you can't find any helpful advice posted by someone else, try asking for help in a new discussion yourself. I hope you figure it out. :-) I found version 2.0 to be a really nice upgrade from 1.5.

Posted by: zoltar | December 20, 2006 8:00 PM

Roboform is a nice program for Windoze, that helps create and store online passwords.

Posted by: DOUGman | December 20, 2006 10:13 PM

I uninstalled Firefox 1.05 and then installed the new 2.0 - worked a treat.

Now using Firefox - IE7 is a pain and has upset my computer, it cuts me off the internet every time I go to favourites.

Posted by: BigVal | December 21, 2006 12:13 AM

@Borch

If you're still running Windows you obviously don't worry enough.

Posted by: Rick | December 21, 2006 9:53 AM

I downloaded the Linux version of Firefox 2.0.0.1 for my Linspire OS. Everything works fine except I cannot open Firefox outside the folder. If I move it to the desktop it will not work. The icon will not open anything unless it is inside the folder; same for Thunderbird.

Posted by: Ross McGee | December 21, 2006 10:26 AM

you dumb a$$ FF users..back to IE6 lol!!

Posted by: Ricky Bobby | December 21, 2006 12:13 PM

Ross McGee> The icon will not open any thing unless it is inside the folder, same for Thunderbird.

Ross, I'm not a Linspire user, but here's a suggestion: try making a desktop shortcut instead of moving the application itself; Mozilla apps expect to find various libraries and configuration files in the directory in which they're located. Instructions for making a desktop shortcut are here:

http://forum.linspire.com/viewtopic.php?p=134644

Posted by: antibozo | December 21, 2006 10:51 PM

I love FF but every time it automatically updates, my FF crashes and I have to uninstall and reinstall.

Except for this time I cannot even install the new 2.0.0.1; I get some f/n/c/b/ error message on the two Windows XP machines I use. My Mac with OS X installed the latest release for Mac fine.

Posted by: JC | January 2, 2007 1:27 PM

I don't care if FF fixes 20 flaws... it's still safer than IE, and I don't have to worry about ActiveX installing crap on my computer.

URL: myspace.com/Crack_that_firewall

Posted by: WinXpTK | January 4, 2007 1:46 PM



©  The Washington Post Company