My Browser Builds (Part 4)


Well, there's 2FA, and there's intentionally annoying 2FA. Only form of 2FA I've ever used is the kind where you log in and they send you an OTP, via either text (so you need the cell phone it gets sent to - doesn't have to be a smart phone though) or email (so you need to prove you have access to your email account). Those aren't too bad, and a lot of sites will set a browser cookie so you don't have to do it again, at least for a while. No "special app" needed!

But from what you're saying, it sounds like GitHub will require a special app just to generate the OTP. I can't see any reason for such a requirement, other than to discourage folks from logging into GitHub unless they have to!

30 seconds to key the darn thing in sounds awfully tight too. (That may be the reason you need a special app - text or email would often take longer than that.) GitHub isn't a banking or financial site - or even your email account! Why are they doing this?



1 hour ago, Mathwiz said:

30 seconds to key the darn thing in sounds awfully tight too. (That may be the reason you need a special app - text or email would often take longer than that.) GitHub isn't a banking or financial site - or even your email account! Why are they doing this?

Because the operators of GitHub no longer tick quite right.


On 5/6/2023 at 4:16 PM, Mathwiz said:

This release fixed Chase.com too! I guess define is defined now....:lol:

Well, that didn't last long!

Built-in SSUAO pretends to be FF 102; guess that's no longer good enough! Edit: FF 113 is the minimum to avoid the warning, but I wonder what new Googlisms (or conceivably Mozilla-isms, but I'm still betting on the former) will be needed in order to access chase.com, once "soon" arrives?

Edited by Mathwiz

20 hours ago, Mathwiz said:

Built-in SSUAO pretends to be FF 102

Is that on your "loved" St55 :P ? Because St52 (2023-07-31) (32-bit) has below SSUAO

general.useragent.override.chase.com;Mozilla/5.0 (%OS_SLICE% rv:112.0) Gecko/20100101 Firefox/112.0

But :angry: , as you wrote in your edit ;), that's still NOT enough to satisfy chase.com :realmad: when loading

https://secure.chase.com/

I set the Fx version to 115.0, which is the current ESR branch, and that makes their "notice" go away - still, as you say, if "they" actually move on to needing a Fx-113.0+ JS/CSS feature for "their" pages to work, then all bets are off for UXP users :( ...

20 hours ago, Mathwiz said:

FF 102

Kinda OT, but since I see it all the time here :P by various members ,

https://website-archive.mozilla.org/www.mozilla.org/firefox_releasenotes/en-us/firefox/releases/1.0.6

Quote

How do I spell Firefox? How do I abbreviate it?

Firefox is spelled F-i-r-e-f-o-x - only the first letter capitalized (i.e. not FireFox, not Foxfire, FoxFire or whatever else a number of folk seem to think it to be called.) The preferred abbreviation is "Fx" or "fx".

Best greetings :)

Edited by VistaLover
clarifications/corrections

4 minutes ago, UCyborg said:

Noticed a couple of things there: first,

Quote

Last year, we announced our commitment to require all developers who contribute code on GitHub.com to enable two-factor authentication (2FA) by the end of 2023.

But later:

Quote

If your account is selected for enrollment, you will be notified via email and see a banner on GitHub.com, asking you to enroll. You’ll have 45 days to configure 2FA on your account—before that date nothing will change about using GitHub except for the reminders. We’ll let you know when your enablement deadline is getting close, and once it has passed you will be required to enable 2FA the first time you access GitHub.com. You’ll have the ability to snooze this notification for up to a week, but after that your ability to access your account will be limited. Don’t worry: this snooze period only starts once you’ve signed in after the deadline, so if you’re on vacation or out of office, you’ll still get that one week period to set up 2FA when you’re back at your desk.

So I guess you were one of the "lucky" ones that got "selected" well before the end of 2023.

Second, here's the excuse they gave:

Quote

Developers’ accounts are frequent targets for social engineering and account takeover (ATO). Protecting developers and consumers of the open source ecosystem from these types of attacks is the first and most critical step toward securing the supply chain.

I don't think for a minute that Micro$oft cares one bit about "protecting developers." If that were the case, they could've made this optional, perhaps with a banner on your page so visitors would know whether you'd enabled 2FA.

No, I think this has to be about protecting Micro$oft. I think they're worried that someone will upload bad software (buggy, or conceivably even malware) to GitHub, the guilty party will claim that their account was hacked, and Micro$oft will get sued for lax security. Making 2FA mandatory is intended to remove the "my account was hacked" excuse.

Which, I suppose, is fine; if that's what they feel they have to do to protect themselves from legal liability, so be it. I just wish they'd drop the "we're trying to protect you" malarkey.

Third, I see they do support 2FA via SMS, but....

Quote

SMS-based 2FA does not provide the same level of protection, and it is no longer recommended under NIST 800-63B.

I don't know why it doesn't provide "the same level" of protection, but that makes me worry that other sites requiring 2FA will soon stop supporting SMS as well, so even non-GitHub users may soon find themselves in the same boat.

So thank you for the advice on KeePass. XP/Vista users may soon need it, GitHub or no GitHub!

Quote

Seriously?:buehehe:

I couldn't possibly care less how Mozilla prefers I abbreviate the name of their product. It's clear what "FF" means in context! But at least they didn't suggest "F5x"....


37 minutes ago, VistaLover said:

Because St52 has below SSUAO

general.useragent.override.chase.com;Mozilla/5.0 (%OS_SLICE% rv:112.0) Gecko/20100101 Firefox/112.0

... Well, I'm still on St52 (32-bit) buildID=20230731064657 and that's indeed its chase.com SSUAO... Next week's St52 release, with buildID=20230810152826, had the Fx version inside that SSUAO downgrade ( :dubbio:) to 102.0; this is still true for latest St52 (32-bit), buildID=20230818021145 ... The related commits I researched appear a bit "off" :whistle:

Official Basilisk:

https://repo.palemoon.org/Basilisk-Dev/Basilisk/commit/633ad774201bdb53fe4fa2424da851af77f1bfc8

(112.0 => 102.0, like in "our" St52)

Roy's custom UXP branch:

[Basilisk] [SSUAO] Update chase.com override
https://github.com/roytam1/UXP/commit/85a5c5821499012f92331b97d5ac2b40b5653794

(79.0 => 102.0) ; but where did v79.0 come from?

[Pale-Moon] [SSUAO] Update Chase override
https://github.com/roytam1/UXP/commit/4bbb81d78ee2f0c6342955cb0b2392a684721653

(112.0 => 102.0)

Trying to understand why the "downgrade" was even implemented, I arrived at below official PM Forum thread:

https://forum.palemoon.org/viewtopic.php?f=70&t=29704

That's an interesting read (though nerve-testing with regard to the chase.com UA-sniffin' practices :realmad: ); @Mathwiz found out that now an upgrade to Fx-113.0+ versions is needed (to make the nag banner go away), but does logging in on

https://secure.chase.com

work as expected with that "upgrade" in place? :dubbio:


Notice for Goanna3-based browsers (NM27/KMG): starting with the 2023-08-05 build, the browser may crash with random memory locations when browsing (for example, archive.org), and you may work around it by toggling `javascript.options.ion' to `false'.

Issue for tracking this problem: https://github.com/rmottola/Arctic-Fox/issues/149


4 hours ago, UCyborg said:

Is there a working link to ZIP version of MOS Authenticator?

https://www.maxoutput.com/authenticator/MOSAuthenticator_off.zip

WFM :

Warning: Most AV suites (including mine ;)) outright BLOCK this program  :o; I had to whitelist both its download page (for the download to even begin), as well as the binary (Authenticator.exe) itself; therefore, USE AT YOUR OWN RISK :whistle:...

Regards.

Edited by VistaLover
Update of content

9 hours ago, nicolaasjan said:

... I re-analysed the file (previous score was from 8 months ago ;) ) and now the new score is even "bigger" :( : "36/70 security vendors and no sandboxes flagged this file as malicious" ...

I guess most AV suites treat this as a KeyGen of sorts :whistle:; the author himself stated on its website:

Quote

while we try to convince Google that this software isn't malware

FWIW, in the latest score, the Google engine simply timed-out :dubbio:...

