Iceweasel updates

classic Classic list List threaded Threaded
32 messages Options
12
Reply | Threaded
Open this post in threaded view
|

Iceweasel updates

Verde Denim
Got a msg this morning from online bank service that my browser
(iceweasel) is no longer up to date (equates to ff31) and wants to
'either update your browser to a compatible version or install one of
the following - [list of usual suspects].
The next version of iceweasel i found in deb packages is 41 (quite a
jump), but says it is likely buggy (i'm guessing its in experimental).
Has anyone installed this version and had significant issues with it?
I'm stuck for online banking without it unless i install ff or chrome
which I'd rather not do at this point. Thanks for any input/advice.

Jack

Reply | Threaded
Open this post in threaded view
|

Re: Iceweasel updates

Brad Rogers
On Mon, 02 Nov 2015 07:19:46 -0500
Jack Dangler <[hidden email]> wrote:

Hello Jack,

>Got a msg this morning from online bank service that my browser

Your banking service is being lazy;  They don't want to 'support' an
older version Ff.  If Iceweasel still works on their site, carry on
using it.  Security issues with IW v31 notwithstanding, of course.

Chances are, they're sniffing the ID string simply to figure out what the
browser can handle (flash, java-wise, etc.)  Again, the lazy way to do
it.

I use Pale Moon (a fork of FF), version ID v25, and am constantly
informed my browser is either "out of date" or "unsupported".  Again,
because these sites are being lazy.  It works;  So what do I care?

--
 Regards  _
         / )           "The blindingly obvious is
        / _)rad        never immediately apparent"
This is the fifty first state of the USA
Heartland - The The

attachment0 (484 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Iceweasel updates

Vincent Lefevre-10
On 2015-11-02 12:35:43 +0000, Brad Rogers wrote:
> On Mon, 02 Nov 2015 07:19:46 -0500
> Jack Dangler <[hidden email]> wrote:
> >Got a msg this morning from online bank service that my browser
>
> Your banking service is being lazy;  They don't want to 'support' an
> older version Ff.  If Iceweasel still works on their site, carry on
> using it.  Security issues with IW v31 notwithstanding, of course.

The reason is probably security issues. This may be a good reason
for banking services. FF 31 is no longer supported:

  https://en.wikipedia.org/wiki/Firefox_release_history

"End-of-life 31.x.x ESR product line on August 11, 2015."

--
Vincent Lefèvre <[hidden email]> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Reply | Threaded
Open this post in threaded view
|

Re: Iceweasel updates

Vincent Lefevre-10
In reply to this post by Verde Denim
On 2015-11-02 07:19:46 -0500, Jack Dangler wrote:
> The next version of iceweasel i found in deb packages is 41 (quite a
> jump), but says it is likely buggy (i'm guessing its in experimental).

Yes, it's in experimental. But 41 is *not* the next version.
The current stable version is 38.3.0esr-1~deb8u1. But...

> Has anyone installed this version and had significant issues with it?

There are some issues in version 38 (also present in some older
versions), and some of them are fixed in version 41, the main one
being the problem with videos that autoplay:

  https://bugzilla.mozilla.org/show_bug.cgi?id=659285

Electrolysis should also solve some problems such as a tab freezing
the whole browser, and one needs a more recent version than 38 (IIRC,
41 should be OK). But I haven't tested yet.

--
Vincent Lefèvre <[hidden email]> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Reply | Threaded
Open this post in threaded view
|

Re: Iceweasel updates

Brian
In reply to this post by Vincent Lefevre-10
On Mon 02 Nov 2015 at 13:48:13 +0100, Vincent Lefevre wrote:

> On 2015-11-02 12:35:43 +0000, Brad Rogers wrote:
> > On Mon, 02 Nov 2015 07:19:46 -0500
> > Jack Dangler <[hidden email]> wrote:
> > >Got a msg this morning from online bank service that my browser
> >
> > Your banking service is being lazy;  They don't want to 'support' an
> > older version Ff.  If Iceweasel still works on their site, carry on
> > using it.  Security issues with IW v31 notwithstanding, of course.
>
> The reason is probably security issues. This may be a good reason
> for banking services. FF 31 is no longer supported:
>
>   https://en.wikipedia.org/wiki/Firefox_release_history
>
> "End-of-life 31.x.x ESR product line on August 11, 2015."

The reason you advance is probably the one which bank's IT section would
give if you asked them. Quite how a user's browser can compromise the
security of the site itself is unlikely to be explained.

The OP could look at

  https://wiki.debian.org/Iceweasel#User-Agent_string

Reply | Threaded
Open this post in threaded view
|

Re: Iceweasel updates

Alex Moonshine-2
In reply to this post by Verde Denim
Not really a solution to OPs problem, but I've decided that it's much
easier to just use a stand-alone precompiled Firefox downloaded from
Mozilla website, which happily updates itself. Debian's update policy
for Iceweasel is far from ideal or comprehensive, using third-party
repositories is bothersome, additionally, my bank's website simply
refuses to work with any version of Iceweasel, apparently, because the
userstring doesn't contain anything it looks for
(Chrome/Firefox/IE/Safari), which is of course stupid in it's own right.

Reply | Threaded
Open this post in threaded view
|

Re: Iceweasel updates

Vincent Lefevre-10
In reply to this post by Brian
On 2015-11-02 13:03:14 +0000, Brian wrote:
> The reason you advance is probably the one which bank's IT section would
> give if you asked them. Quite how a user's browser can compromise the
> security of the site itself is unlikely to be explained.

The user's browser cannot compromise the site itself. But a security
bug may permit an attacker to get the user's login and password, and
neither the bank nor the user would like this.

> The OP could look at
>
>   https://wiki.debian.org/Iceweasel#User-Agent_string

Note that if the user tries to overrides the bank security decision
and has his bank account compromised, he will probably get the full
responsibility. I would definitely not recommend to do this.

--
Vincent Lefèvre <[hidden email]> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Reply | Threaded
Open this post in threaded view
|

Re: Iceweasel updates

Vincent Lefevre-10
In reply to this post by Alex Moonshine-2
On 2015-11-02 15:10:55 +0200, Alex Moonshine wrote:
> Not really a solution to OPs problem, but I've decided that it's
> much easier to just use a stand-alone precompiled Firefox downloaded
> from Mozilla website, which happily updates itself.

But some videos are not supported with official precompiled Firefox
versions due to obsolete gstreamer:

  https://bugzilla.mozilla.org/show_bug.cgi?id=947287

> Debian's update policy for Iceweasel is far from ideal or
> comprehensive, using third-party repositories is bothersome,
> additionally, my bank's website simply refuses to work with any
> version of Iceweasel, apparently, because the userstring doesn't
> contain anything it looks for (Chrome/Firefox/IE/Safari), which is
> of course stupid in it's own right.

You may be using some broken extension. Debian's Iceweasel does have
something like "Firefox/38.0". It seems that Iceweasel/xxx is just
added at the end of the User-Agent string, i.e. this is something
standard + additional information.

--
Vincent Lefèvre <[hidden email]> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Reply | Threaded
Open this post in threaded view
|

Re: Iceweasel updates

Brian
In reply to this post by Alex Moonshine-2
On Mon 02 Nov 2015 at 15:10:55 +0200, Alex Moonshine wrote:

> Not really a solution to OPs problem, but I've decided that it's much
> easier to just use a stand-alone precompiled Firefox downloaded from
> Mozilla website, which happily updates itself. Debian's update policy
> for Iceweasel is far from ideal or comprehensive, using third-party
> repositories is bothersome, additionally, my bank's website simply
> refuses to work with any version of Iceweasel, apparently, because the
> userstring doesn't contain anything it looks for
> (Chrome/Firefox/IE/Safari), which is of course stupid in it's own
> right.

It takes a minute or two to download and change the user-agent string
with xul-ext-useragentswitcher.

We've had "lazy" and "stupid" for this behaviour of admins; could we add
"braindead"?

Reply | Threaded
Open this post in threaded view
|

Re: Iceweasel updates

Gene Heskett-4
In reply to this post by Verde Denim
On Monday 02 November 2015 07:19:46 Jack Dangler wrote:

> Got a msg this morning from online bank service that my browser
> (iceweasel) is no longer up to date (equates to ff31) and wants to
> 'either update your browser to a compatible version or install one of
> the following - [list of usual suspects].
> The next version of iceweasel i found in deb packages is 41 (quite a
> jump), but says it is likely buggy (i'm guessing its in experimental).
> Has anyone installed this version and had significant issues with it?
> I'm stuck for online banking without it unless i install ff or chrome
> which I'd rather not do at this point. Thanks for any input/advice.
>
> Jack

iceweasel is slowly turning into a space on my drive waster.  38.3.0, on
wheezy here, and it refused to go to a site link in an email message,
where I could confirm I wanted to opt in to a new server one of my
mailing list memberships is moving to, getting away from yahell.  That
forced the list-owner to have to do it by hand.

It even offered to retry it, but that failed also, with it reporting that
the destination port was not one normally used for that service and that
it had canceled that request.

'Scuse me but how can I turn that nannying off?

Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>

Reply | Threaded
Open this post in threaded view
|

Re: Iceweasel updates

Brian
In reply to this post by Vincent Lefevre-10
On Mon 02 Nov 2015 at 14:17:39 +0100, Vincent Lefevre wrote:

> On 2015-11-02 13:03:14 +0000, Brian wrote:
> > The reason you advance is probably the one which bank's IT section would
> > give if you asked them. Quite how a user's browser can compromise the
> > security of the site itself is unlikely to be explained.
>
> The user's browser cannot compromise the site itself. But a security
> bug may permit an attacker to get the user's login and password, and
> neither the bank nor the user would like this.

Would this obtaining of the password be before or after encryption
takes place?

> > The OP could look at
> >
> >   https://wiki.debian.org/Iceweasel#User-Agent_string
>
> Note that if the user tries to overrides the bank security decision
> and has his bank account compromised, he will probably get the full
> responsibility. I would definitely not recommend to do this.

I'd maintain the bank's decision on which user-agent to accept has
little or nothing to do with security.

Reply | Threaded
Open this post in threaded view
|

Re: Iceweasel updates

Vincent Lefevre-10
On 2015-11-02 13:47:41 +0000, Brian wrote:
> On Mon 02 Nov 2015 at 14:17:39 +0100, Vincent Lefevre wrote:
> > The user's browser cannot compromise the site itself. But a security
> > bug may permit an attacker to get the user's login and password, and
> > neither the bank nor the user would like this.
>
> Would this obtaining of the password be before or after encryption
> takes place?

With an XSS[*] vulnerability, before.

[*] https://en.wikipedia.org/wiki/Cross-site_scripting

--
Vincent Lefèvre <[hidden email]> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Reply | Threaded
Open this post in threaded view
|

Re: Iceweasel updates

John Hasler-3
In reply to this post by Gene Heskett-4
Jack Dangler wrote:
> The next version of iceweasel i found in deb packages is 41 (quite a
> jump), but says it is likely buggy (i'm guessing its in experimental).

Unstable has 38.3.  Works fine.
--
John Hasler
[hidden email]
Elmwood, WI USA

Reply | Threaded
Open this post in threaded view
|

Re: Iceweasel updates

Alex Moonshine-2
In reply to this post by Vincent Lefevre-10


On 11/02/2015 03:22 PM, Vincent Lefevre wrote:
> But some videos are not supported with official precompiled Firefox
> versions due to obsolete gstreamer:
> https://bugzilla.mozilla.org/show_bug.cgi?id=947287

Oh, right. I use gstreamer from http://www.deb-multimedia.org/
Yes, I know I just said using 3-rd party repos are bothersome :)
Deb-multimedia is somewhat of an exception, I've been using it for a
long time (since squeeze, I think).

Reply | Threaded
Open this post in threaded view
|

Re: Iceweasel updates

Charlie Kravetz
In reply to this post by John Hasler-3
On Mon, 02 Nov 2015 08:00:59 -0600
John Hasler <[hidden email]> wrote:

>Jack Dangler wrote:
>> The next version of iceweasel i found in deb packages is 41 (quite a
>> jump), but says it is likely buggy (i'm guessing its in experimental).  
>
>Unstable has 38.3.  Works fine.

The stable release of Firefox is Version 41.0.2, released Oct 15.
Doesn't that make 38 old?


--
Charlie Kravetz
Linux Registered User Number 425914
[http://linuxcounter.net/user/425914.html]
Never let anyone steal your DREAM.   [http://keepingdreams.com]

Reply | Threaded
Open this post in threaded view
|

Re: Iceweasel updates

Vincent Lefevre-10
On 2015-11-02 07:23:07 -0700, Charlie Kravetz wrote:

> On Mon, 02 Nov 2015 08:00:59 -0600
> John Hasler <[hidden email]> wrote:
>
> >Jack Dangler wrote:
> >> The next version of iceweasel i found in deb packages is 41 (quite a
> >> jump), but says it is likely buggy (i'm guessing its in experimental).  
> >
> >Unstable has 38.3.  Works fine.
>
> The stable release of Firefox is Version 41.0.2, released Oct 15.

Stable, but not ESR.

> Doesn't that make 38 old?

No, 38 is still the latest ESR release.

--
Vincent Lefèvre <[hidden email]> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Reply | Threaded
Open this post in threaded view
|

Re: Iceweasel updates

Markus Schönhaber
In reply to this post by Charlie Kravetz
Am 02.11.2015 um 15:23 schrieb Charlie Kravetz:

> The stable release of Firefox is Version 41.0.2, released Oct 15.
> Doesn't that make 38 old?

No, it doesn't.
38.x is the currently stable extended support release (ESR) of Firefox.

--
Regards
  mks

Reply | Threaded
Open this post in threaded view
|

Re: Iceweasel updates

Brian
In reply to this post by Vincent Lefevre-10
On Mon 02 Nov 2015 at 14:58:24 +0100, Vincent Lefevre wrote:

> On 2015-11-02 13:47:41 +0000, Brian wrote:
> > On Mon 02 Nov 2015 at 14:17:39 +0100, Vincent Lefevre wrote:
> > > The user's browser cannot compromise the site itself. But a security
> > > bug may permit an attacker to get the user's login and password, and
> > > neither the bank nor the user would like this.
> >
> > Would this obtaining of the password be before or after encryption
> > takes place?
>
> With an XSS[*] vulnerability, before.
>
> [*] https://en.wikipedia.org/wiki/Cross-site_scripting

Quoting from that page:

  XSS enables attackers to inject client-side script into web pages
  viewed by other users.

The bank's site would be compromised. It wouldn't matter what user-agent
string was sent by the user.

MBNA accepts "My Very own Browser" as the user-agent. RBS says the
browser I am using is not supported, (whatever that means). How remiss
is MBNA in the area of security?


Reply | Threaded
Open this post in threaded view
|

Re: Iceweasel updates

Lisi Reisz
In reply to this post by Vincent Lefevre-10
On Monday 02 November 2015 14:34:49 Vincent Lefevre wrote:

> On 2015-11-02 07:23:07 -0700, Charlie Kravetz wrote:
> > On Mon, 02 Nov 2015 08:00:59 -0600
> >
> > John Hasler <[hidden email]> wrote:
> > >Jack Dangler wrote:
> > >> The next version of iceweasel i found in deb packages is 41 (quite a
> > >> jump), but says it is likely buggy (i'm guessing its in experimental).
> > >
> > >Unstable has 38.3.  Works fine.
> >
> > The stable release of Firefox is Version 41.0.2, released Oct 15.
>
> Stable, but not ESR.
>
> > Doesn't that make 38 old?
>
> No, 38 is still the latest ESR release.

I have 41.0.2 on Wheezy with
deb http://mozilla.debian.net/ wheezy-backports iceweasel-release
in my sources list.

Lisi

Reply | Threaded
Open this post in threaded view
|

Re: Iceweasel updates

Verde Denim
In reply to this post by Charlie Kravetz
On Mon, 2015-11-02 at 07:23 -0700, Charlie Kravetz wrote:

> On Mon, 02 Nov 2015 08:00:59 -0600
> John Hasler <[hidden email]> wrote:
>
> >Jack Dangler wrote:
> >> The next version of iceweasel i found in deb packages is 41 (quite a
> >> jump), but says it is likely buggy (i'm guessing its in experimental).  
> >
> >Unstable has 38.3.  Works fine.
>
> The stable release of Firefox is Version 41.0.2, released Oct 15.
> Doesn't that make 38 old?
>
>
I added unstable main to my apt sources as -
'deb http://ftp.debian.org/debian unstable main'

apt-get update ran fine.

On asking to install the unastable iceweasel as -
apt-get -t unstable install iceweasel

I get quite a large list of packages but did not notice iceweasel among
them.

Is there something I missed or should I allow the long list of packages
to install? (the list isn't here as it is fairly large but I can supply
it. Again, thanks for the input.

Regards

Jack

12