Lutha Mahtin
Oct 10, 2010

Your brokebrain sin is absolved...go and shitpost no more!


I honestly don't remember, other than I know I pieced together information from both Mozilla sources and various blogs and forums across the web. I also ended up breaking one part of it and got frustrated, so I'm still using Chrome for now on my computer (Win 10). when i get around to fixing Firefox I'll remember to write down all my steps and post it here

p.s. iirc even if i get it working how i think it should be able to, i think it will still be slightly clunkier than how Chrome's profiles work. so don't anybody think i found some holy grail solution here

Lutha Mahtin fucked around with this message at 21:47 on Sep 6, 2018


Ola
Jul 19, 2004

Jewel Repetition posted:

Why does Firefox say it imported all my cookies and bookmarks from chrome but there's no bookmark bar and I'm not signed into anything?

Every apparently muddy hurdle like this you go through in your computer life is actually a spa.

Jewel Repetition
Dec 24, 2012

Ask me about Briar Rose and Chicken Chaser.

Ola posted:

Every apparently muddy hurdle like this you go through in your computer life is actually a spa.

Well I haven't cleared this one with an answer yet. Google's not helping either.

Ola
Jul 19, 2004

Jewel Repetition posted:

Well I haven't cleared this one with an answer yet. Google's not helping either.

Your login cookies are thankfully protected by the unique key the browser generated when you logged in. If another app you installed could just passively fetch your logins without the originating app's approval, any app you install could do so silently without telling you, and leak it to Vladimir Putin instead. If it's something trivial like "I want my match.com font to be big" or "I approve of Instagram's GDPR policy", those are ok.

Saukkis
May 16, 2003

Unless I'm on the inside curve pointing straight at oncoming traffic the high beams stay on and I laugh at your puny protest flashes.
I am Most Important Man. Most Important Man in the World.

Jewel Repetition posted:

How do you make a new profile window whatsoever? I'm trying to run Firefox with -P but it doesn't prompt me after the first window

Lutha Mahtin posted:

i did some dinking around with Windows shortcuts a while back and got to a Chrome-like behavior where i could pin two profiles to my (Win 10) taskbar and they would open correctly and not stumble over each other, so it's possible. I don't remember how I did it though :pwn:

You need to use the parameter '-no-remote' to be able to start several separate Firefox processes/profiles.

Dylan16807
May 12, 2010

Ola posted:

Your login cookies are thankfully protected by the unique key the browser generated when you logged in. If another app you installed could just passively fetch your logins without the originating app's approval, any app you install could do so silently without telling you, and leak it to Vladimir Putin instead. If it's something trivial like "I want my match.com font to be big" or "I approve of Instagram's GDPR policy", those are ok.

Unique key? Any desktop app can in fact grab all your logins.

And I'd certainly expect this window to import the cookies:

If it doesn't work then there's always using an extension to export them like https://chrome.google.com/webstore/detail/cookiestxt/njabckikapfpffapmjgojcnbfjonfjfg I'm sure there's some way to import that that's quantum-compatible, never had to do it myself.

Ola
Jul 19, 2004

Dylan16807 posted:

Unique key? Any desktop app can in fact grab all your logins.


If this is true, maybe it's Putin posting and not you. :tinfoil:

Jewel Repetition
Dec 24, 2012

Ask me about Briar Rose and Chicken Chaser.

Ola posted:

Your login cookies are thankfully protected by the unique key the browser generated when you logged in. If another app you installed could just passively fetch your logins without the originating app's approval, any app you install could do so silently without telling you, and leak it to Vladimir Putin instead. If it's something trivial like "I want my match.com font to be big" or "I approve of Instagram's GDPR policy", those are ok.

Can't you just tell the browser to export the key too?

Dylan16807 posted:

Unique key? Any desktop app can in fact grab all your logins.

And I'd certainly expect this window to import the cookies:

If it doesn't work then there's always using an extension to export them like https://chrome.google.com/webstore/detail/cookiestxt/njabckikapfpffapmjgojcnbfjonfjfg I'm sure there's some way to import that that's quantum-compatible, never had to do it myself.

That window is what I tried, and I'm still not logged into anything on Firefox. Also I don't know what quantum is.

Cookies.txt worked but how can I give that text file to Firefox?

Dylan16807
May 12, 2010

Jewel Repetition posted:

Can't you just tell the browser to export the key too?


That window is what I tried, and I'm still not logged into anything on Firefox. Also I don't know what quantum is.

Cookies.txt worked but how can I give that text file to Firefox?

"Quantum" is the new versions of firefox, 57+.

The extension search is awful and doesn't distinguish between ones that still work and ones that don't.

One of these should do what you need: https://addons.mozilla.org/en-US/firefox/addon/a-cookie-manager/ https://addons.mozilla.org/en-US/firefox/addon/cookie-quick-manager/

Scalding Coffee
Jun 26, 2006

You're already dead

Anyone who hates having to deal with duplicate bookmarks, Update Bookmark add-on is a good successor to Replace Bookmarks (RIP creator).

Jewel Repetition
Dec 24, 2012

Ask me about Briar Rose and Chicken Chaser.

Neither of those work. Is it just impossible to import a session from one browser to another?

Ola
Jul 19, 2004

Jewel Repetition posted:

Neither of those work. Is it just impossible to import a session from one browser to another?

Yes, it's made that way on purpose so hackers don't steal all your money.

Dylan16807
May 12, 2010

Jewel Repetition posted:

Neither of those work. Is it just impossible to import a session from one browser to another?

Sorry then, I guess the demand's just not high enough to make it work.


Ola posted:

Yes, it's made that way on purpose so hackers don't steal all your money.

Seriously, there's no protection.

Any program on your account can pop open the Login Data database and grab the password data. There is some encryption, but it's just based on being logged in as you, any program you run can decrypt it.

Firefox stores passwords in logins.json, encrypted with a key in key4.db. A master password can prevent access when firefox is shut, but most people don't have that.

In both cases, the encryption is largely for obfuscation. There is no proper security isolation between two non-admin programs on the same desktop account.

Ola
Jul 19, 2004

Dylan16807 posted:

Sorry then, I guess the demand's just not high enough to make it work.

Seriously, there's no protection.

Any program on your account can pop open the Login Data database and grab the password data. There is some encryption, but it's just based on being logged in as you, any program you run can decrypt it.

Firefox stores passwords in logins.json, encrypted with a key in key4.db. A master password can prevent access when firefox is shut, but most people don't have that.

In both cases, the encryption is largely for obfuscation. There is no proper security isolation between two non-admin programs on the same desktop account.

Active logins are cookies, not stored passwords. I never save passwords, but I could have my cookies stolen. I'm no expert on this, but I know that it's protected enough that a browser swap won't easily import active logins because the cookie also depends on http headers, hard-/software signature and similar. But a dedicated attack might be able to. It's something that should probably be protected better, since it's pretty bad if it succeeds, it can bypass 2-factor authentication etc.

isndl
May 2, 2012
I WON A CONTEST IN TG AND ALL I GOT WAS THIS CUSTOM TITLE

Any website with an eye for security is going to use encrypted cookies to prevent attacks like Firesheep. In addition to the risk of the cookie being broadcast in the clear over WiFi, there's potential cross-site scripting attacks that could steal your cookie data. By encrypting your data as a countermeasure against these types of attacks it also becomes non-trivial to simply copy your cookies over to a new profile, i.e. everything is working exactly as intended.

Dylan16807
May 12, 2010

Ola posted:

Active logins are cookies, not stored passwords. I never save passwords, but I could have my cookies stolen. I'm no expert on this, but I know that it's protected enough that a browser swap won't easily import active logins because the cookie also depends on http headers, hard-/software signature and similar. But a dedicated attack might be able to. It's something that should probably be protected better, since it's pretty bad if it succeeds, it can bypass 2-factor authentication etc.

Most logins just need the cookie. That's a large part of the reason those cookie-exporting extensions exist, so you can feed them into a program like wget.

For any other headers or values, a malicious program could just make a copy of whatever they're based on.



isndl posted:

Any website with an eye for security is going to use encrypted cookies to prevent attacks like Firesheep. In addition to the risk of the cookie being broadcast in the clear over WiFi, there's potential cross-site scripting attacks that could steal your cookie data. By encrypting your data as a countermeasure against these types of attacks it also becomes non-trivial to simply copy your cookies over to a new profile, i.e. everything is working exactly as intended.

You prevent firesheep by using https. Encrypting a cookie won't prevent XSS. None of the settings you can apply to a specific cookie (Secure, HttpOnly, SameSite, Domain, Path) affect an attempt to copy it to a new profile.

isndl
May 2, 2012
I WON A CONTEST IN TG AND ALL I GOT WAS THIS CUSTOM TITLE

Dylan16807 posted:

You prevent firesheep by using https. Encrypting a cookie won't prevent XSS. None of the settings you can apply to a specific cookie (Secure, HttpOnly, SameSite, Domain, Path) affect an attempt to copy it to a new profile.

HTTPS does prevent Firesheep but doesn't secure data stored in browser cookies so you're still vulnerable to XSS. Encrypting a cookie helps prevent XSS because the data in the cookie is garbage data without decryption. You can copy the cookie to a new profile, but depending on whether the server matches that data with a browser fingerprint of some sort it may or may not be functional.

Regardless, even if it's not perfect security, it's better than no security at all

Dylan16807
May 12, 2010

isndl posted:

HTTPS does prevent Firesheep but doesn't secure data stored in browser cookies so you're still vulnerable to XSS. Encrypting a cookie helps prevent XSS because the data in the cookie is garbage data without decryption. You can copy the cookie to a new profile, but depending on whether the server matches that data with a browser fingerprint of some sort it may or may not be functional.

Regardless, even if it's not perfect security, it's better than no security at all

Oh, I think I see what you're saying. If you have personal data in the cookie, encrypting it on the server prevents any other site from understanding it?

But you should almost never have personal data in the cookie to begin with. You don't put the password in the cookie, you put a session ID. I usually only hear about encrypted cookies in the context of making sure nothing can tamper with them.

That encryption doesn't itself do anything to stop someone from stealing your login. The XSS site doesn't need to understand the cookie to pretend to be you.

When you talk about browser fingerprints, do you have anything in mind that can't be copied very easily? And can you name sites that do this to validate cookies? I've never seen a cookie get invalidated when I change user agent, for example.

Dylan16807 fucked around with this message at 19:30 on Sep 9, 2018
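
An added illustration of the session-ID and tamper-protection points made in the posts above (not code from any poster or from any site mentioned in the thread): a server that stores only a random session ID in an HMAC-signed cookie. The signature rejects a modified cookie, a byte-for-byte copy still validates until the server revokes the session, and Secure, HttpOnly and SameSite limit how the cookie can leak in the first place. The key, function names and in-memory session store are constructed for the example.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed for this example: a per-process signing key and an
# in-memory session store (a real site would persist both).
SERVER_KEY = secrets.token_bytes(32)
SESSIONS = {}  # session_id -> username


def _sign(session_id: str) -> str:
    """HMAC-SHA256 tag over the session ID, hex encoded."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def issue_session(username: str) -> str:
    """Create a session and return the Set-Cookie header value."""
    session_id = secrets.token_urlsafe(32)  # random ID, no personal data
    SESSIONS[session_id] = username
    cookie = SimpleCookie()
    cookie["sid"] = f"{session_id}.{_sign(session_id)}"
    cookie["sid"]["secure"] = True      # only sent over HTTPS
    cookie["sid"]["httponly"] = True    # not readable from page JavaScript
    cookie["sid"]["samesite"] = "Lax"   # limits cross-site sending
    cookie["sid"]["path"] = "/"
    return cookie["sid"].OutputString()


def cookie_value(set_cookie: str) -> str:
    """Extract the sid value the way a client would store it."""
    parsed = SimpleCookie()
    parsed.load(set_cookie)
    return parsed["sid"].value


def authenticate(value: str):
    """Return the username for a presented cookie value, or None."""
    session_id, sep, tag = value.rpartition(".")
    expected = _sign(session_id)
    if not sep or not hmac.compare_digest(tag.encode(), expected.encode()):
        return None                     # malformed or tampered
    return SESSIONS.get(session_id)     # None once revoked or expired


def revoke(value: str) -> None:
    """Server-side logout: the cookie becomes useless wherever it is held."""
    session_id, _, _ = value.rpartition(".")
    SESSIONS.pop(session_id, None)


def demo() -> dict:
    """Run the four cases and return what the server decided for each."""
    header = issue_session("alice")
    value = cookie_value(header)
    session_id, tag = value.rsplit(".", 1)
    results = {
        "header": header,
        "original": authenticate(value),
        "tampered": authenticate(session_id + "x." + tag),
        # The signature says nothing about who presents the cookie.
        "verbatim_copy": authenticate(str(value)),
    }
    revoke(value)
    results["after_revoke"] = authenticate(value)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```
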

Lum
Aug 13, 2003

Is there an extension similar to "I don't care about cookies" that handles the new GDPR stuff, only this one actually turns off all the tracking poo poo instead of accepting it.

Most of the GDPR things all seem to use the same form, so it seems this'd be simple to implement.

Kerning Chameleon
Apr 8, 2015

by Cyrano4747

Lum posted:

Is there an extension similar to "I don't care about cookies" that handles the new GDPR stuff, only this one actually turns off all the tracking poo poo instead of accepting it.

Most of the GDPR things all seem to use the same form, so it seems this'd be simple to implement.

Most of the GDPR things are designed to not let you turn them off anyway, despite that now being flagrantly illegal.

I just click accept and let uMatrix keep blocking all the 3rd-party poo poo. They don't want to play fair, why should I?

FRINGE
May 23, 2003
title stolen for lf posting

I don't know how firefox is still around.

https://en.wikipedia.org/wiki/File:StatCounter-browser-ww-monthly-200901-201707.png

The trend is dire, and the answers on various ff related help pages are usually to the tone of "code your own solution idiot, we are smart and you are not, take what you are given then shut up".

The people asking for help are the loving customers in this scenario. Firefox is killing itself in some kind of self-righteous mentally ill immolation.

rujasu
Dec 19, 2013

Firefox has its annoyances, but Chrome is steamrolling everything else on the market, and I don't think that has much to do with Mozilla or their help pages.

iospace
Jan 19, 2038


FRINGE posted:

I don't know how firefox is still around.

https://en.wikipedia.org/wiki/File:StatCounter-browser-ww-monthly-200901-201707.png

The trend is dire, and the answers on various ff related help pages are usually to the tone of "code your own solution idiot, we are smart and you are not, take what you are given then shut up".

The people asking for help are the loving customers in this scenario. Firefox is killing itself in some kind of self-righteous mentally ill immolation.

What's the default browser on most smart phones these days?

(it's chrome)

Geemer
Nov 4, 2010



iospace posted:

What's the default browser on most smart phones these days?

(it's chrome)

Can't wait for the EU to force Google to include a dumb browser choice screen on Android. :allears:

Lambert
Apr 15, 2018

by Fluffdaddy
Fallen Rib

Geemer posted:

Can't wait for the EU to force Google to include a dumb browser choice screen on Android. :allears:

Google can no longer force manufacturers to set Chrome as the default browser in Europe.

iospace
Jan 19, 2038


Lambert posted:

Google can no longer force manufacturers to set Chrome as the default browser in Europe.

It's probably why you see a quick uptick in Samsung Browser at one point.

jokes
Dec 20, 2012

Uh... Kupo?

FRINGE posted:

I don't know how firefox is still around.

https://en.wikipedia.org/wiki/File:StatCounter-browser-ww-monthly-200901-201707.png

The trend is dire, and the answers on various ff related help pages are usually to the tone of "code your own solution idiot, we are smart and you are not, take what you are given then shut up".

The people asking for help are the loving customers in this scenario. Firefox is killing itself in some kind of self-righteous mentally ill immolation.

This almost assuredly has to do with the mobile browser fuckery, particularly on android because there's no reason "Android" should be a competitive browser, considering they mean WebView or whatever is that browser you go to when you hit 'help' in the settings on an android phone. And not to mention "UC Browser" which is basically just WebView with spyware.

Because of mobile devices, there are a LOT more people who have new access to the internet so even getting 3% of total mobile device owners today is probably more than getting like 50% of normal home users back in 2005 or something.

The Merkinman
Apr 22, 2007

I sell only quality merkins. What is a merkin you ask? Why, it's a wig for your genitals!

jokes posted:

This almost assuredly has to do with the mobile browser fuckery, particularly on android because there's no reason "Android" should be a competitive browser, considering they mean WebView or whatever is that browser you go to when you hit 'help' in the settings on an android phone. And not to mention "UC Browser" which is basically just WebView with spyware.

Because of mobile devices, there are a LOT more people who have new access to the internet so even getting 3% of total mobile device owners today is probably more than getting like 50% of normal home users back in 2005 or something.

and you can't have Firefox (or rather, Gecko) on iOS, but it's Apple, so everything anti-competitive they do is A OK.

iospace
Jan 19, 2038


The Merkinman posted:

and you can't have Firefox (or rather, Gecko) on iOS, but it's Apple, so everything anti-competitive they do is A OK.

Apple likes to portray themselves as the underdog still.

fishmech
Jul 16, 2006

by VideoGames
Salad Prong

jokes posted:

This almost assuredly has to do with the mobile browser fuckery, particularly on android because there's no reason "Android" should be a competitive browser,

That is going to remain in place as something to reckon with until all the older/cheaper phones rinse out of people's use.

isndl
May 2, 2012
I WON A CONTEST IN TG AND ALL I GOT WAS THIS CUSTOM TITLE

Dylan16807 posted:

Oh, I think I see what you're saying. If you have personal data in the cookie, encrypting it on the server prevents any other site from understanding it?

But you should almost never have personal data in the cookie to begin with. You don't put the password in the cookie, you put a session ID. I usually only hear about encrypted cookies in the context of making sure nothing can tamper with them.

That encryption doesn't itself do anything to stop someone from stealing your login. The XSS site doesn't need to understand the cookie to pretend to be you.

When you talk about browser fingerprints, do you have anything in mind that can't be copied very easily? And can you name sites that do this to validate cookies? I've never seen a cookie get invalidated when I change user agent, for example.

Take for example a banking website: the first time you attempt to log in, they'll (hopefully) be extra anal about identifying you using 2FA. Once you've been accepted, the site sets an extra cookie to indicate that this is a known device, and that future logins don't have to go through the full process so long as that extra cookie validates even if the original session cookie expires. Steam does the same thing from what I've seen, utilizing 2FA and browser fingerprints (and letting you personally name the device you're connecting from in case you wish to remove authorization later).

I'm not a web dev so I don't know exact implementation details (and it varies from site to site anyways since they're all custom designed). Technically you can spoof anything since at the end of the day the server has to trust whatever packets you send it but you'll need to know exactly which fingerprints the website checks for and which values they expect, and having that information probably means you have access to the original browser and spoofing it is an academic exercise.

Take a look at the EFF's Panopticlick for examples of things used as fingerprints, as well as AmIUnique. Some things like User Agent likely wouldn't get used because that'll change every time your browser updates, while other things like your WebGL fingerprint can track you across browsers.

jokes
Dec 20, 2012

Uh... Kupo?

The Merkinman posted:

and you can't have Firefox (or rather, Gecko) on iOS, but it's Apple, so everything anti-competitive they do is A OK.

I wonder if iOS browsers count their browsers as anything other than Safari because I believe all their browsers use a Safari-based engine or something.

Geemer
Nov 4, 2010



isndl posted:

Take for example a banking website: the first time you attempt to log in, they'll (hopefully) be extra anal about identifying you using 2FA. Once you've been accepted, the site sets an extra cookie to indicate that this is a known device, and that future logins don't have to go through the full process so long as that extra cookie validates even if the original session cookie expires.

I wouldn't trust my money with a bank that didn't require 2FA for every access to the online banking or money transfer.

Im_Special
Jan 2, 2011

Look At This!!! WOW!
It's F*cking Nothing.

FRINGE posted:

I don't know how firefox is still around.

https://en.wikipedia.org/wiki/File:StatCounter-browser-ww-monthly-200901-201707.png

The trend is dire, and the answers on various ff related help pages are usually to the tone of "code your own solution idiot, we are smart and you are not, take what you are given then shut up".

The people asking for help are the loving customers in this scenario. Firefox is killing itself in some kind of self-righteous mentally ill immolation.

Firefox is losing this battle because the only time it's the default browser is on random Linux distros, which is the same class of tech savvy users that they've had from the start. Meanwhile, not only is Chrome the default browser on most Android devices, they also bundle Chrome as crapware in just about every dodgy Windows installer possible, so people that just click 'ok' when installing something without actually reading will end up installing it by accident one way or another.

I think that the term "nice guys finish last" can apply to Firefox here as far as the browser wars go. Google owns an entire OS that is used on basically every smart phone that isn't Apple and they get to make their browser the default one. They also ship Chrome as crapware so a lot of people get tricked into using it. And Microsoft owns the most widely used desktop OS in the world and they get to make their browser the default one there. Firefox is 100% optional, Chrome and Edge are defaults that are forced onto people. As more and more people that don't really know their asses from their elbows when it comes to tech own smart phones and laptops, the bigger the numbers will get for Chrome and Edge.

I would like to know if Firefox is actually losing users or if they're just not gaining as many new users as Chrome.

Ola
Jul 19, 2004

Geemer posted:

I wouldn't trust my money with a bank that didn't require 2FA for every access to the online banking or money transfer.

Yeah, my bank requires 2FA for every login + every transfer approval once logged in, but his description fits well with 2FA-enabled Gmail for instance.

isndl
May 2, 2012
I WON A CONTEST IN TG AND ALL I GOT WAS THIS CUSTOM TITLE

Geemer posted:

I wouldn't trust my money with a bank that didn't require 2FA for every access to the online banking or money transfer.

Still need to use username/password every time, just need 2FA for new devices. It's meant to be a comfortable middle ground for people who do their banking regularly on a home computer while still preventing logins by stolen passwords. It's good enough to protect your hats on Steam. :v:

Here's a question: does your bank's phone app do 2FA? Is it an email or SMS that is received by your phone?

Ola
Jul 19, 2004

isndl posted:

Still need to use username/password every time, just need 2FA for new devices. It's meant to be a comfortable middle ground for people who do their banking regularly on a home computer while still preventing logins by stolen passwords. It's good enough to protect your hats on Steam. :v:

Here's a question: does your bank's phone app do 2FA? Is it an email or SMS that is received by your phone?

In my bank, 2FA on mobile is either the same code calculator thingy as on desktop, or a mobile ID thingy which relies on a separate app and some device identification fingerprint stuff. Basically it's not enough to hijack SMS or email reception.

Hachiman
Jun 17, 2018

My bank has a mobile app that works as authenticator too. But banks usually prefer SMS to email.


Can I post a funny Firefox picture here or is this thread only for serious stuff? I don't want to break rules.

Hachiman fucked around with this message at 18:48 on Sep 10, 2018

Geemer
Nov 4, 2010



isndl posted:

Here's a question: does your bank's phone app do 2FA? Is it an email or SMS that is received by your phone?

By default: yes, but you can switch it to fingerprints. Doing so means agreeing to a big-rear end disclaimer. Larger transfers or changing certain settings will always still require the 2FA device, though.

2FA is based on a separate purpose-built fully offline device you stick your debit card into.
You first enter your account and card number on the app or website, stick your debit card in the device, enter your PIN on it, scan a colorful 2D barcode (which has your account and card number encoded into it, plus details of the transaction/confirmation/login) generated by the app or banking website, confirm the information on the device and then it spits out a number code for you to enter on the app/website.

It sounds a lot more convoluted than it is in practice and it's generally just as fast as waiting for an SMS or email to come in, except not hilariously pathetic from a security standpoint. Your point is, unfortunately, a good one though. Plenty of people don't see why it would be a problem.



On the topic of Firefox: I was updating a notebook that'd been off for several years. It had Firefox 43 on it, which updated to 45 then 47 and then I lost my patience and just downloaded the installer to get it over with in one go. Anyone have any hot takes as to why the updater doesn't just jump to the latest version?


astral
Apr 26, 2004

Geemer posted:

On the topic of Firefox: I was updating a notebook that'd been off for several years. It had Firefox 43 on it, which updated to 45 then 47 and then I lost my patience and just downloaded the installer to get it over with in one go. Anyone have any hot takes as to why the updater doesn't just jump to the latest version?

It's all speculation, but:

They might have decided to not keep all of the profile migration logic from years-old browser installs.

There might have been issues upgrading between specific versions.

At least one update might have been downloaded before it had been turned off for several years, pending a browser restart to apply.
