mozilla :: #firefox

17 Mar 2017
00:34eightfoldcan i make a backup of the settings for a certain app without installing something like titanium?
00:34eightfoldi'd like to export my firefox mobile configuration/extensions etc before reinstalling android
01:39delta67hi, all. recently when using firefox I find a bunch of websites give warnings saying "connection not encrypted", and among which I've checked several sites their certs and found they are still valid, and I have their root certs installed. What can be the cause of this problem?
01:48delta67is any encryption algorithm recently deprecated? I'm not sure if that would be the cause.
03:16globCaspy7: regarding firebot - a channel op can /invite it into the channel
03:16globCaspy7: it _should_ remain in channel, however there's times when that hasn't happened
03:17globif the irc connection drops, and it's rejected from joining the channel when it reconnects it'll give up on the channel
03:17globi have a nasty hack that has a list of channels that are persistent; it periodically checks if it's in those channels and joins if it isn't
03:18Caspy7ah, I see
03:18Caspy7Thanks for the reply
03:23Caspy7glob: sorry, just to clarify, they need only to do: /invite firebot
03:23Caspy7cool cool, thx
03:24globif it falls out of the channel let me know and i'll add the channel to the perm list
03:24Caspy7glob: heh, looks like the issue at the moment is the channel has no op
03:24globCaspy7: if it doesn't join, they should pm me. firebot is pushing up against server limits
03:24globCaspy7: ok, what's the channel? i fix this now :)
03:25Caspy7glob: #flow
03:25Caspy7and thanks
03:33Caspy7thanks a bunch
03:33globthat reminds me i have to fix the karma module
03:35Caspy7well, you probably know which issue is my biggest annoyance
03:44globCaspy7: autokick on large pastes?
03:44Caspy7glob: if you mean auto-permaban, then yes :)
03:45globCaspy7: should i ping you every time it saves us from a spammer?
03:45Caspy7it's not as much the kick. I don't want it completely removed
03:45Caspy7just think the policy needs fixed
03:46globCaspy7: i agree, but my hands are tied :(
03:47DaggerI haven't seen it trigger for an actual spammer in a while
03:47Caspy7yeah, does trigger much more for the innocent
03:47Daggerit could do with allowing one more line, or a slightly smaller window or something (letting people spam the channel accidentally isn't much better than deliberately)
03:48Daggeralthough in the accidental case a temporary ban would make a lot more sense than permaban+kick...
03:50Caspy7which apparently is the rub here in terms of the change
03:50Daggerglob: what's tying your hands? it's a channel mode, you should just be able to set it
03:51globDagger: i'm still waiting for the irc admins to install the required module
03:51* glob going hunting for the bug
03:52DaggerI'm talking about the +f mode that we're already using
03:57glob(sorry, have to do some work - a service just died)
04:52bowhy does firefox let any web page hijack default keyboard shortcuts for core behavior? e.g. any page can block refreshing the page (ctrl+r), selecting the url bar (ctrl+a) , opening the find menu (ctrl+f) by simply calling preventDefault() on keypress events
04:53Caspy7Bo: not an area of great expertise for me, however I'm pretty sure there are some shortcuts that are preserved and not allowed to be overridden. Also, I think there is a pref to disallow pages from doing this (from my vague memory)
04:58boi'll have to go looking for that preference. couldn't find much info on this issue myself. it seems to me like anything that is related to accessing the DOM of the current page can be prevented, whereas other things, e.g. closing tabs are hard coded. Seems like a pretty serious accessibility issue to me. If there is a preference, it should be the default
05:15globbug 1052569
05:15firebot NEW, Prevent web pages from overriding core tab/window-management shortcuts
05:19bofirebot is magic
05:19firebotbo: Sorry, I've no idea what 'is magic' might be.
05:19Me-meand humble, too
05:20HavvyIt's not magic.
05:21firebotcan confirm, not magic
05:26bo...when you're not sure whether a bot is a bot
05:26bomagic it is
05:29Havvybo: If it helps, glob owns firebot, so can probably make it say anything.
05:30globHavvy: shh
05:32globmost is automated..
05:32globfirebot: are you magic?
05:32firebotglob: Sorry, I've no idea what 'are you magic' might be.
05:33globlet's see if i remember the syntax..
05:33globfirebot: are you magic is <reply> yes
05:33firebotglob: ok
05:33globfirebot: are you magic?
05:33firebotglob: yes
05:34Havvyrustbot: learn Are you magic? = Without a doubt.
05:34rustbotLearned factoid 'Are you magic?'.
05:35globbo: 12 years of people doing..
05:35globrustbot: firebot?
05:36Havvyrustbot: factoid firebot?
05:36rustbotNo such factoid 'firebot?' found.
05:36globi could get firebot to ask rustbot when it doesn't know :)
05:36HavvySure, but the only channels they're both in are this one, and that's temporary.
05:37decebalusone of this robots can solve Fx problems?
05:37globHavvy: it doesn't have to be in channel. right now it asks 'word' if it doesn't know (another infobot)
05:38globanyhow, that's a project for another day as the syntax is different for rustbot
05:38* glob runs away
05:39Havvyglob: See `/msg rustbot help learn`
05:45Caspy7my current favorite is...
05:46Caspy7firebot: open the pod bay doors
05:46firebotCaspy7: I'm afraid I cant do that
05:47Havvyglob: It probably wouldn't help, since rustbot's factoids are focused on rust
05:47rustbotRust is a systems programming language that runs blazingly fast, prevents nearly all segfaults, and guarantees thread safety.
05:48Havvy!learn rust f= Rust is a systems programming language focused on safety, speed, and concurrency.
05:48rustbotLearned factoid 'rust'.
05:48Havvyfirebot: rust
05:48firebotHavvy: hmm... I think Rust is a new programming language that is hoped will eventually replace C/C++. It's homepage is
05:48HavvyIt won't eventually replace C/C++.
05:48boCaspy7 and firebot, thanks for the help, it's apparently a 10 year old issue that is still being discussed.
05:48Havvyrustbot: part #firefox
05:48firebotBug 380637 ASSIGNED, Should web pages be restricted from being able to override the browser's keyboard shortcuts?
05:50Caspy7Bo: honestly, I found the issue, but didn't want to provoke more frustration, but there are a couple of now-reviewed patches, so it looks as though it's actually on the way to being fixed
05:51boawesome thanks
05:52Caspy7the last comment is a review on the second of 4 patches it seems
05:54boyep, trying to decide whether to implement a hackaround in my extension, or wait for it
05:55Caspy7in my google search thought I saw something about an extension, oh, for *your* extension. Presumably with a different primary purpose
05:57boit's a keybinding extension, like vimium and vimFX. trying to figure out the best way to block all input, but not built-in shortcuts
05:58Caspy7bo: webextension?
05:59* Caspy7 nods
06:00Caspy7Bo: have you seen this?
06:00Caspy7scroll down to the "Abandoned" section for more
06:05boi have seen that actually. I was actually wondering why a new API was proposed regular keyboard event listeners work just fine. Seems like he came to the same realization
06:06boit's just corner cases that mess things up
06:06boand the fact that you can't install them on protected pages
06:07bobut, my extension works mostly fine... just got annoyed when i realized i couldn't refresh the page with ctrl+r
06:07bobut... now that i think about it, i'm stupid
06:08boi'll just stopEventPropogation and not call preventDefaultBehavior()
06:14Caspy7Bo: you know of #webextensions and #extdev yes?
06:15bothe first, not the 2nd, i'll check that out
07:12decebalusAnyone know if "One Tab" may be in conflict with "Tree style tab"?
09:20forgottenonehi when I try to add new bookmark firefox freezes about 1 minute or more. any suggestions?
09:22Corkforgottenone: is your firefox profile on a network drive?
09:22Cork(if not then i would prob run a check disk and make sure the drive isn't having problems)
09:24forgottenoneCork: No on an ssd drive, I checked disk recently but I'll do again. Any other suggestion?
09:24Corkmight be the places.sqlite is corrupt
09:24Corkyou should have a lot of .corrupt or something like that (don't remember) in the profile if that is the case
09:24forgottenoneI rebuilt it from a json backup
09:25Corknot sure then
09:25Corktried in firefox safe mode?
09:25Cork(so it isn't an extension meddling with it)
09:25forgottenoneI have about 100k,but I had it before and this problem came up recently
09:26forgottenoneI mean 100k bookmarks
09:26Corkya, might be worth filing a bug about it
09:26Corkit might be a code change that affects when there are very large databases
09:27forgottenoneCork: ok thx for the help i'll try rechecking disk
09:33TimvdeDutch article, but the graphs should be easy to read. Looks like Firefox at the back of the power usage pack nowadays :(
09:34forgottenoneCork:you were right,I disabled the extensions and problem disappeared, now I have to hunt down the addon caused this
09:36CorkTimvde: the page is comparing apples and pears though
09:36CorkTimvde: as they compare browsers on different operating systems
09:36Corkand the os affects power consumption a lot
09:37Cork(not saying firefox has better values than they show, just that the test is moot to me)
09:38decebalusTimvde: I do not think is something relevant ..Most important is speed and reliability...that's more worrisome
09:38Corkdecebalus: it is very relevant if you run it on a laptop that is running more or less constantly on battery
09:39TimvdeCork: They want to give a full overview
09:39Cork(and as firefox wants to work on android it matters there too)
09:39CorkTimvde: ya, and that is what i argue they don't
09:39TimvdeCork: so for each browser, look at one OS
09:39CorkTimvde: then they should have picked one os and compared the browsers that can work there
09:40TimvdeCork: Second graph does that, on 2 OSes
09:40Corkwhat they are comparing now is 60% or so os and 40% browser and then they say "browsers compare" when that isn't even the case
09:41TimvdeCork: They don't, they are comparing OSes only going from the first image, which uses default browsers
09:43CorkTimvde: ya, again i don't care they are massing their values and making the result moot
09:43TimvdeCork: So according to you, it would have been better to split it up in two graphs?
09:44CorkTimvde: they should have compared browsers on the same os
09:44TimvdeIn the text, they are specifically doing that
09:44decebalusPower consumption is given by CPU and RAM usage in same conditions and what I read is Fx is one of the lowest consumer in that sense (except if you are on Facebook and some Google search)
09:44Corkso ie on windows, firefox on windows, chrome on windows and so on
09:44Corkand then similar for mac
09:44Corkand similar for ubuntu
09:44TimvdeLook at the text below the second graph. First paragraph: "In macOS...", second paragraph: "... Windows 10"
09:45Corkand then you can check the browsers that work on multiple oses as a reference to see how the different os:es affect the result
09:45TimvdeCork: they divided the graphs by hardware. Second graph is Macbook, third graph is Thinkpad
09:45Corkthen they wouldn't have mungled the different values
09:45Corkya, but they are still referencing browsers cross oses
09:45TimvdeIn the text, they are separating the OSes for the browser results
09:46TimvdeBig deal that they put it on one graph...
09:46TimvdeSplit it mentally if you like, they even gave the OSes different colours
09:46Timvde(on the Macbook, I'm not sure what the colours represent on the Thinkpad graph...)
09:56TimvdeAnyway, looking at the graphs, you can see how much Chrome has improved
09:56TimvdeMozilla should find some new resources for Project Candle
10:16Mardegfirebot: Project Candle
10:16firebotMardeg: Sorry, I've no idea what 'Project Candle' might be.
10:16Mardegstarting with a factoid ^
10:19Timvdefirebot: Project Candle is a project to reduce Firefox's power consumption. It is currently on hiatus, but may return in the future.
10:19firebotTimvde: ok
10:20Timvdeomnomnom, karma
10:59Score_Undercan we stop removing every good feature from firefox
11:01Score_Underlike tab groups, which provided a way to search for tabs by title removed
11:01Score_Underadd-ons, by far firefox's greatest strength removed
11:01Score_Underand now, alsa support removed
11:01Score_Underwhat next, headless-only firefox?
11:04Score_Underoh wait, the new tab page chooser got removed too
11:04Score_Underthe extensions to work around that aren't pretty, though they're still far better than what's offered for chrome
11:05Score_Underanyway I think that's rant over. Feels like every year that goes by, the best browser gets a little worse and I really don't like the trend.
11:06TimvdeScore_Under: Your message won't reach anyone here, just saying
11:06TimvdeThis channel is mainly populated by users, not Mozilla
11:07Score_Underoh well
11:07TimvdeIf you *really* want to argue about this with Mozilla, I suggest you go to the mailing list, but I don't think it'll change anything...
11:07Score_Underno point
11:07Score_Undernobody gives a fuck about power users anyway
11:07TimvdeThey make decisions based on telemetry, and power users are kinda a small minority
11:08Score_Underkind of annoying though
11:08Score_Underpower users are going to be the majority of those who disable telemetry
11:08Score_Underand power users are going to use firefox
11:08Score_Underbecause I mean, they're not going to use dillo
11:09Score_Underand Google's browser, well, I had to switch to firefox at work so that my machine stopped swapping haha
11:10TimvdeAnd it also generally kinda sucks, I don't get how people can stand to use it
11:10TimvdeBut hey, that's just me :P
11:10Score_Underget a certain amount of tabs open and they're all just scaled to small triangles with no text or icon
11:10Score_Underabsolute nightmare to keep organised
11:11TimvdeScore_Under: But that's just a measure to protect itself
11:11Score_Underand don't get me started on chrome's excuse for extensions
11:11Score_Undermost of which are about as useful as <script>
11:11TimvdeA (non-technical) friend of mine asked me why I use Firefox instead of Chrome "since everyone uses Chrome", so I opened 100 empty tabs on her laptop
11:11TimvdeIn Chrome
11:12decebalusThat's one of the 3-4 reasons that I don't switch to chrome (yet)
11:12TimvdeThe tabs weren't just small and unusable, it actually *broke* the tab bar when I reached the point where tabs couldn't get any smaller, and Chrome completely froze
11:12TimvdeHad to force kill it
11:12TimvdeThose were *empty* tabs
11:12Timvde(Well, built-in Chrome new tab page)
11:13TimvdeBut yea, the problem is that people view "everyone uses Chrome" as a good reason to use Chrome...
11:14decebalusSorry but Chrome is faster than Fx
11:14TimvdeAnd Firefox needs to get *a lot* better than Chrome to move people back over. Not a little bit, but *a lot*
11:14Score_Underyeah chrome is faster on JS-heavy pages (which is an unfortunate majority)
11:14Timvdedecebalus: Depends on the use case
11:14Score_Underbut I don't think it's worth throwing away firefox's features just to run a website a little faster
11:14TimvdeScore_Under: I wouldn't even dare to say that
11:14TimvdeNot in the general case
11:14decebalusIs better on WEBgl also
11:14Score_Underdo you use facebook?
11:15TimvdeIt's silky smooth in Nightly
11:15TimvdeI scroll at 60fps
11:15decebalusAh Facebook bug in issue
11:16Timvdedecebalus: I do believe that you have hit an issue there, it's just that performance is really hard to get right
11:16decebalusTimvde: you do not should talk about nightly, just about releases..
11:16TimvdeAnd expecting them to just fix it right away is not realistic
11:17Timvdedecebalus: Well, Nightly 3 versions ago is pretty much current release
11:17Timvdedecebalus: I do force e10s and hwa on
11:17Timvdeand disable e10s add-on compatibility shims
11:17decebaluswell in 52 e10s is enabled by default
11:18Timvdedecebalus: depending on your add-ons
11:18TimvdeI also have it set to multiple content processes
11:18TimvdeI like living on the edge ;)
11:18Score_UnderI'm not using e10s until pentadactyl works on it
11:19decebalusTimvde: I always running with e10s enabled and a lot of time with 10 processes enabled but it seems is no good with more than 1 process..
11:19TimvdeScore_Under: good luck...
11:20Timvdedecebalus: What problems are you running into?
11:20TimvdeThere *are* problems, that's why it's not enabled by default yet
11:20TimvdeBut I seem not to encounter them, so yay :P
11:23decebalusI have no problem except what you know..Facebook bug..Google..etc..but Fx run smoothie with just 1 process enabled than with more..But generally is slower that&#39;s the problem
11:30Score_UnderI wonder when right clicking will be fixed btw
11:31decebalusScore_Under: yes is a issue with right click, don't show the menu
11:31Score_UnderI get that all the time!
11:32Score_Underthe menu shows for a couple of frames then vanishes before it can be interacted with
11:32Score_Underdrives me up the wall
11:32Score_Underof course it fixes if I restart firefox, but then I have to reload all my tabs
11:32decebalusfor me is just on certain pages
11:32Score_Underand I have to carefully avoid reloading Redmine tabs until I've logged in again, otherwise it redirects me to the homepage
13:02wrytdie bluetshkin
13:05wrytso much for security emilghitta
13:05wryttank you india
13:17Burdsdoes firefox currently support dxva?
13:24Tewff does have / tries to have hardware acceleration for video on.. there are bugs filed that suggest it includes dxva
13:26Tewpref mentioned:
13:30Tewwhat you probably want is the plain about:support - "Supports Hardware H264 Decoding"
13:32WG9sBurds: also currently means different things to different people users might think it means released. Developers would think it means what is on the latest development code base to be released with version 55
13:34firebotJust appeared in Planet Mozilla - :
13:34firebot Niko Matsakis: The Lane Table algorithm
13:39Mardeghopefully nothing that rainbow tables can take advantage of
13:42Burdstew : thanks
13:43Burdswhat does it mean when i try to load up firefox and i get a popup saying unresponsive script : chrome://browser/content/tabbrowser:xml:6790
13:45BurdsHardware H264 Decoding No; Hardware video decoding disabled or blacklisted
13:45Burdsi have hardware acceleration turned on in options and about:config though?
13:49cbauerwhen throttling via "responsive design mode" does it also decrease responsiveness by increasing delay of network requests or just limit bandwidth?
13:51cbauerhow can I only limit bandwidth then?
13:52allizomI don't know
13:53cbauerthanks for the link nonetheless
13:55allizomcbauer: you could ask on #devtools (maybe not on weekends)
13:55cbaueris it already weekends for them? I&#39;m still at work...
13:57Mardegdepends on location. For the New Zealand office it's 3am Saturday
14:02WG9sand Mozilla is headquartered in California it is not even start work time there yet.
14:03WG9sit is 7AM
14:05cbauerthat's why I wondered why devs were apparently already in weekend
14:06Soniis there a firefox extension or debug switch for HTTP/2? (not HTTPS/2)
14:06WG9schauer: not in weekend in california, just still not working yet for today.
14:08sysKinSoni: I wouldn't think so. extensions can't do networking as far as I know and mozilla said they won't support it...
14:09WG9sthere are many parts of the project where the module owner and even most of the team working on it are in a timezone way different than yours
14:09Soniso how do I test my HTTP/2 implementation in localhost?
14:09sysKinnot with firefox I guess....
14:10sysKinand I think chrome said the same... >_<
14:11Sonican I just HTTP/2 over websockets or something?
14:12sysKinthat I don't know
14:12Soniare there any HTTP/1.1<->HTTP/2 proxies?
14:13WG9ssysKin: I don't understand your extensions can't do networking assertion. with the old extension thing forecastfox certainly seems to need to access the network to get the weather forecast and with the new webapp only thing the Chrome-gnome-shell thing could not get the list of available extensions without accessing the network so I don't understand where you're getting this misinformation from.
14:13sysKinWG9s: I meant "networking" as a component of mozilla. forecastfox would just use existing networking to do their request
14:14sysKinwhat Soni is asking is to replace/plug into that component
14:15WG9swell sysKin: well there are webapp based things that do pings to do ISP latency and bandwidth tests so I still don't understand where you are coming from here.
14:16sysKinthat&#39;s websockets
14:16cbauerhow can I see current network transfer rate caused by a webpage/tab?
14:17WG9sso more i am whining because i can't do it the way i want to than i cannot do it.
14:17sysKinyou can use websockets to do whatever you want, but it doesn't replace/plug into 'networking' in the sense that you're not suddenly supporting http/2 for the entire web browser
14:18SoniI mean why can't extensions add support for SSH file transfer straight into the browser?
14:19Sonior namecoin?
14:19Sonior <insert something here>?
14:19sysKinI would think they could....
14:19sysKinalthough it might be slow in javascript :)
14:20WG9sSoni: because you don't want the browser to be able to access random files on your computer. this is a security thing. you just don't get it.
14:21sysKinWG9s I don't think you're following our topic exactly
14:21WG9sno i think i am
14:22WG9syou don't get that from the browser perspective if you support ssh or scp then you support file access by less secure methods.
14:23WG9sthere is no way for the browser to know the add-on that it has granted file access to is going to actually provide any security measures.
14:25WG9sThere are real security implications in what you are asking for that you obviously do not understand.
14:27Tewhmm, I thought http/2 is https only but I was (technically) wrong (wiki:) "HTTP/2 is defined for both HTTP URIs (i.e. without encryption) and for HTTPS URIs ... Although the standard itself does not require usage of encryption, most client implementations (Firefox, Chrome, Safari, Opera, IE, Edge) have stated that they will only support HTTP/2 over TLS, which makes encryption de facto
14:36WG9sTew: well this is a lame requirement. without end-to-end verified encryption (which there is not) this is completely useless
14:36WG9sinterim hosts in the path can decrypt and re-encrypt so it is completely useless.
14:39Tewppl are smart, so I guess there are some ways around that (besides exchanging keys in a different way beforehand), but it falls under "yes, MITM is possible, live with it" for me.
14:40Soniwhy can't I have that?
14:40Soniit didn't send
14:40SoniWG9s: I want http over ssh
14:40Soniwhy can't I have that?
14:41Tewyou can tunnel with ssh whatever, no? you just have to do it "yourself", not expect ff to do it for you
14:43SoniI want an extension to do it for me
14:43SoniI want `ssh://` to send an HTTP-over-SSH to google
14:46WG9sSoni: well that is not what was asked for in the message i responded to they wanted arbitrary file transfer via ssh
14:47SoniWG9s: is there really a difference between downloading files over HTTP-over-SSH and downloading them straight over SSH?
14:48RobinStamerWhy do you want this?
14:49WG9sno just saying the fact that the file transfer is encrypted by ssh or tls or any other manner does not alter the giving a server via the browser access to arbitrary files on the client system is a non-starter idea.
14:49Sonithat way I can implement non-TLS http/2
14:50SoniWG9s: how does it give the server access to arbitrary files on the client system?
14:50decebalusIs there a way to enable D3D9_COMPOSITING in Fx52?
14:50Soniunless you have sshd running on localhost and the server accesses ssh://localhost or something
14:51RobinStamerTo route through SSH, you have to have SSH access somewhere.
14:53WG9sSoni: because that is what sysKin asked for. my arguement is not with you
14:54SoniWG9s: uh did I miss something? I don't see it
14:54Sonioh I see it now
14:54Soniuh yeah they misunderstood me
14:55WG9sSoni: I mean why can't extensions add support for SSH file transfer straight into the browser?
14:55WG9sthat was the message i was reacting to.
14:56RobinStamerYeah, that'd be bad. Let's give webpages access to launch SSH-based attacks through browsers!
14:57WG9sSoni: I am sure you know to access files for either reading or writing you need authentication to make sure you are talking to who you think you are and authorization to make sure that access should be allowed. the fact that the data will be encrypted in transport is kind of irrelevant.
15:01SheogorathSoni there is actually no real benefit by using ssh. ssh works on the same layer as HTTP (layer 7). Other than TLS which works on Layer 4. You have no real benefit by using SSH. As TLS itself simply uses TLS itself and the authentification you can use for SSH is more or less also available by HTTP by using a basic or a certificate auth
15:01Sheogoratheh SSH itself uses TLS
15:03WG9sMy objections are because it is encrypted it is trusted implied assumption.
15:05Dagger(SSH doesn't actually use TLS)
15:05Daggeralso the browser already has access to everything so you can upload files over http://, so that's not an argument
15:06WG9sThis is what i don't like about the https everywhere thing. currently the bad guys don't bother to get certs to allow them to do https so we have at least some way to differentiate real sites from fake ones. once https everywhere becomes the norm then we will lose this distinction because the bad guys will get certs.
15:06WG9sJust my opinion, but this is a really stupid approach to a problem.
15:07gchristensenif your defense involves "bad guys don't spend $20 on an ssl cert" then that doesn't seem like a good defense
15:09RobinStamerMaking everyone half implement HTTPS (the encryption part) and ignore the other half (the validation, IE: "I am actually this organization") it weakens HTTPS
15:09gchristensendomain validated certs have always been weak in exactly the same way, and making it more widely deployed doesn't affect that
15:10Burdsis it normal for firefox cpu usage to spike to about 13% when loading a web page?
15:10Daggerpreventing passive eavesdropping and easy MITM is very much worth doing TLS everywhere, EV or no
15:11WG9sgchristensen: well actually most did not spend the $20 but now they do. but my real point was telling people to not trust http but to trust https is just an entirely wrong direction to go.
15:13WG9sThe only difference is that it is less likely your traffic will be captured in transit by bad guys, but because of backdoors the US DoD and your employer demanded being in place so they could intercept your data make it really not that much more secure even in transit
15:15WG9sThe technology exists to make this end-to-end secure, but the powers that be prevent it from being implemented.
15:19DuClareOh installing an add-on failed
15:20Daggerwithout https:// you wouldn't need to go to the lengths of a backdoor. it's definitely worth using
15:20gchristensenWG9s: no doubt
15:20WG9sBTW I am wearing my tinfoil hat ;-)
15:21Daggerof course TLS is not the only aspect of "being secure". there are other things involved too. we all understand this already...
15:22sam113101are there paid addons?
15:22WG9sDagger: but what we are telling mom and pop people is if it is http it is not secure and if it is https it is. that is just wrong.
15:23Daggertrue, but that doesn't imply that it's okay to not use it
15:24WG9swell that is what we seem to be telling people. this is the wrong message
15:24SoniWG9s: and by "SSH file transfers" I meant downloading files from a server by inputting ssh:// into the browser's address bar
15:24Sonione-way file transfers, not two-way
15:25RobinStamerBy allowing that, you'd be allowing any random webserver you interact with to start initiating SSH connections, which can be used to launch attacks.
15:25WG9sSoni: so then they don't go to anyplace more privileged than where files downloaded via ftp?
15:26SoniRobinStamer: tell me how accessing remote files over SSH can be used to launch attacks?
15:26Sonias long as you don't send env vars or anything
15:26Daggerwell, using plain-text HTTP certainly is insecure
15:26WG9sif that is the case I am fine with that and sorry i went off on this rant, but then i think the rest of the security discussion was in fact maybe useful
15:26Daggerand for the parts of security that it covers, HTTPS isn't
15:26RobinStamerSoni: accessing a website by default allows that website to run code on your computer. If that code's allowed to make SSH connections, then they can make SSH connections.
15:32RobinStamerEven if it were to limit cross-site requests, one could still use XSS to make visitors attempt to brute-force SSH.
15:51pimuhow can I make firefox 52 esr only display a list of saved usernames when I manually click the login field as opposed to on automatic focus of the field?
15:53pimuI have browser.formfill.enable;false
15:55pimuand signon.autofillForms;false
15:55pimueverything worked fine in firefox 45 ESR
16:01pimuI also have security.insecure_password.ui.enabled;false but that seems to do nothing
16:02SoniRobinStamer: and you're saying you can't brute-force HTTP auth?
16:04RobinStamerSoni: You can, no-one uses it. But SSH is a much higher value target.
16:04SoniRobinStamer: anyway, you do realize "guest SSH" is a thing, yes?
16:04SoniRobinStamer: uh HTTPS auth?
16:04Sonipretty sure github uses HTTPS auth
16:05Sonialso pretty sure SSH supports user agents?
16:05Soniso just block firefox
16:06pimuI also have this issue
16:06pimuanyone know how to make it work like in firefox 45 ESR?
16:06RobinStamerYou're going to have to give a source on that SSH using user agents claim
16:07pimuI need to have these two issues solved by the time firefox 45 ESR stops being supported, so that I can deploy it on client machines
16:07glenn__can't play any java in firefox 58 on linux
16:08pimuglenn__: that is to be expected, firefox no longer supports java
16:09glenn__pimu: why ? java is frequently used
16:09pimuglenn__: because java is not frequently used
16:09philippjava is no longer supported:
16:09glenn__philipp: thx
16:09pimuglenn__: the only remaining supported plugin is flash
16:10glenn__philipp: but how can we play java
16:10* RobinStamer hasn't seen a Java applet in forever.
16:10pimuglenn__: virtual machine with Firefox 52 ESR
16:10pimuthat will work until 2018
16:10pimuafter that just keep this old version indefinitely
16:10pimuin a secure environment
16:11glenn__pimu: what is a alternative to java
16:11glenn__android is that not java
16:11pimuglenn__: ask your systems administrator to upgrade whatever needs java
16:12glenn__pimu: is for me at home and is a website that use java
16:12pimuglenn__: contact the website maintainer to upgrade
16:13glenn__what is the new standard
16:13pimuif the website is no longer maintained, look for replacement, or create a virtual machine that runs java
16:13pimuthe new standard is called html and javascript
16:13pimuit has been around for some time now
16:13glenn__and android is that not java
16:14SoniRobinStamer: pretty sure the sshd can tell OpenSSH and PuTTY apart
16:14glenn__that is android than
16:16RobinStamerWhat makes you say that?
16:17* RobinStamer sees nothing to suggest a user agent is sent with ssh -vvv
16:20RobinStamerEven if there were, I'm not seeing any existing means of detecting that on connect to block it.
16:21RobinStamerAlso, your argument is, from what I can tell, "well, it's only a little bit more extra work they didn't have to do before to secure against this new attack vector"
16:23Soniagain what stops me from bruteforcing github https?
16:23Sonia massive botnet attempting to get git repo access through github https
16:24gchristensenSoni: presumably per-repo bad password ratelimiting is implemented
16:24SoniRobinStamer: do you have any evidence of that kinda attack being used in the wild?
16:25Sonigchristensen: yes, presumably sshds implement the same
16:25gchristensenan arbitrary sshd doesn't
16:26Soniand I don't even use ssh passwords
16:26Sonianyone sane knows hackers attempt ssh bruteforce whether through a browser or not
16:27Soniand by "sane" I mean anyone who has looked at sshd logs
16:29RobinStamerSoni: My argument is you're providing a new botnet platform to perform this function. There are similar attacks, like the GitHub DDoS a while back, or the malware that made anyone who connected to a certain webpage start doing bitcoin mining.
16:29RobinStamerThere's no real benefit to doing allowing it either.
16:30Sonihow about "it's a browser extension and it doesn't come built-in by default"?
16:31Sonihmm oh yeah wrong channel
16:48Soniwhat happens if I toggle "network.http.spdy.enforce-tls-profile" btw?
17:04firebotJust appeared in Planet Mozilla - :
17:04firebot Mozilla Addons Blog: Migrating to WebExtensions? Dont Forget Your Users
17:10amarpandeyAny mozilla developer group ?
17:12kbrosnanthis whole server is for people working with Mozilla to create things
17:13amarpandeykbrosnan do you know anything about the Github API ?
17:14amarpandeykbrosnan Any mozilla developer group ?
17:14kbrosnani don't know what you mean
17:15kbrosnanwhat are you trying to accomplish?
17:15kbrosnanor what are you trying to do
17:16MkllTechany mozilla staff/members here
17:17amarpandeykbrosnan I want to fetch all the events made by a user in github, but the github Event API limits it to only 300. Any Idea how can i get that info ?
17:17kbrosnanpay github money?
17:18amarpandeyIs that possible ?
17:18amarpandeyi mean there is no other way to do that ?
17:18TimvdeMkllTech: Not a staff here, but just ask your question. We might be able to answer, or otherwise direct you to the right people.
17:19MkllTechI'm looking for someone to talk to regarding the development of WebExt APIs
17:20MkllTechThank you
17:21kbrosnanamarpandey: i don't know. you are asking random people on the internet. the better thing would be to ask github
17:22amarpandey@kbrosnan thanks
17:23kbrosnanmaybe ?
17:24amarpandeykbrosnan: checking
17:36MkllTechHey, um
17:48kbrosnanMkllTech: yes?
17:48MkllTechcan I suggest something here
17:48MkllTechlike a feature?
17:48ronCaspy7: so it doesn't seem to be lastpass. I ended up disabling it, and it's not it.
17:50kbrosnanMkllTech: you can talk about suggesting something, though best to file a bug at bugzilla
17:50MkllTechah ok
17:50MkllTechwill file bug instead
17:51MkllTechthank you.
17:51kbrosnanit is reasonable to ask about your idea here
17:51ronCaspy7: also, hello ;)
17:59Caspy7ron: sorr