mozilla :: #security

18 May 2017
14:23 <itsfemme-M> jld: consider using https://github.com/projectatomic/bubblewrap
16:45 <April> annevk: thanks for the tip on whatwg/console
17:03 <abillings> mccr8: coming?
17:17 <annevk> April: yw
17:18 <April> annevk: having a hard idea determining if my idea is simply bad
17:18 <April> or if this is part of the usual process
17:18 <April> haha
17:19 <annevk> April: usual I'd say, console is hard as it's part UI, so sometimes folks want to avoid requirements for it
17:51 <erahm> abillings: sorry dropped from the call
17:51 <abillings> ah, ok
19:40 <Caspy7> https://twitter.com/fztalks/status/864852163230609408?s=09
21:23 <charl2293> Hi. How is fox more sec than chrome?
23:13 <Caspy7> anyone care to answer here? https://www.reddit.com/r/firefox/comments/6bzhdy/is_there_currently_any_buffer_overflow_image_file/
23:18 <Peng_> :/
23:18 <kpcyrd> Caspy7: I can try doing that, any specific wishes for the response?
23:19 <Caspy7> uh, I suppose I was just thinking I'd hear, "we have no known exploits. If we did, we'd fix them" :)
23:20 <Caspy7> that's what I was going to say, but don't know that I have the confidence of information to say that
23:21 <Peng_> It's possible there are known but secret exploits set to be fixed in the next release. Unless it's the kind of vulnerability that results in a chem spill release?
23:21 <kpcyrd> I mean, in the end you never know if Content-Type of the response for that .txt link is actually going to be text/plain or text/html with some uber secret government exploit :)
23:22 <Peng_> And, of course, there probably *are* unknown vulnerabilities. And I might know someone who knows someone who claims to have a zero day.
23:22 <Peng_> It's a simple question with a complicated answer :D
23:23 <kpcyrd> we should coordinate a "yes", "no", "maybe" response
23:28 <kpcyrd> I'm a bit worried a long detailed answer that boils down to "security is complicated" is not the best answer to write here
23:29 <Peng_> In section 9 of the response, we review the history of the NSA disclosure process...
23:31 <kpcyrd> After we went through the basics of how browsers handle http responses...
23:34 <kpcyrd> Caspy7: satisfied with the response :) ?
23:36 <Caspy7> um, that was a nuanced response. Don't you know you're on the internet??
23:36 <Caspy7> :)
23:37 <kpcyrd> :)
23:39 <kpcyrd> a different question that might be offtopic for this channel: does anybody know somebody who'd be interested in malware collected using honeypots I maintain? I'm not that much into reversing and my best idea would be uploading new samples to virustotal so they might be discovered by researchers
23:39 <dveditz> our image formats are all old and well beat on
23:40 <dveditz> lots of fuzzing both internally and from external bounty hunters. I would be surprised if there's still a buffer overflow lurking in one
23:42 <dveditz> but we're constantly finding and fixing bugs throughout the code so I guess I couldn't say 100% there aren't any.
19 May 2017
No messages
   