
act as server?


sf
Dec 30, 2004, 5:13:05 PM

There is one web based chat site (also accessible via IRC)
that cues Zone Alarm to pop up with a message saying that
Firefox is asking to act as a server. I can use the site if
FF is a server or not, so why would it need to be a server
and what is it doing when it acts as a server?

TIA

Jay Garcia
Dec 30, 2004, 10:05:30 PM
On 30.12.2004 16:13, sf wrote:

--- Original Message ---

Set ZA to allow that and don't worry about it. It's an internal function
whereas the PSM (Personal Security Module) is acting as a "server" to
"localhost". Strictly an internal function.


--
Jay Garcia Netscape Champion - Mozilla Champion
UFAQ - http://www.UFAQ.org
Mozilla Champions - http://mozillachampions.mozdev.org
Posting Guidelines - http://mozillachampions.mozdev.org/guidelines.html

Chaos Master
Dec 31, 2004, 10:42:37 PM
I wish I had Jay Garcia's angel tonight:

> > There is one web based chat site (also accessible via IRC)
> > that cues Zone Alarm to pop up with a message saying that
> > Firefox is asking to act as a server. I can use the site if
> > FF is a server or not, so why would it need to be a server
> > and what is it doing when it acts as a server?
> >
> > TIA
>
> Set ZA to allow that and don't worry about it. It's an internal function
> whereas the PSM (Personal Security Module) is acting as a "server" to
> "localhost". Strictly an internal function.

And in this case, since the OP is posting to an IRC-based web chat, the IRC
server may be sending an IDENTD request. IRC clients like mIRC or XChat
handle this by default, but Firefox does not (as it isn't supposed to do
this by default).

[]s
--
Chaos Master®, posting from Canoas, Brazil - 29.55° S / 51.11° W
GMT-2h / 15m


"Now: the 3-bit processor, with instructions:
1. NOP - does nothing, increase PC. / 2. HLT - does nothing, doesn't
increase PC / 3. MMX - enter Pentium(r) emulation mode; increase PC / 4.
LCK - before MMX: NOP ; after MMX: executes F0 0F C7 C8 / 5. HCF - Halt
and Catch Fire / 6. EPI - Execute Programmer / 7. DPC - Decrease PC"
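The IDENTD exchange Chaos Master mentions, as an added example that is not part of this thread: both sides of an RFC 1413 ident query, run over loopback in Python. The connection table, the user name "sf" and the use of an ephemeral port instead of the privileged port 113 are assumptions made for the demo.

```python
"""
RFC 1413 (ident) exchange, both sides, over loopback. Added example; the
connection table and the user name "sf" are constructed, and the responder
listens on an ephemeral loopback port rather than the real port 113.
"""
import socket
import threading

# Constructed: the TCP connections this IRC client currently owns,
# keyed (local port, remote port) -> local user name.
OPEN_CONNECTIONS = {
    (6193, 6667): "sf",   # our IRC session: local port 6193 -> server port 6667
}

def ident_reply(request_line, connections=OPEN_CONNECTIONS, hide_users=False):
    """Build the RFC 1413 reply line for one request '<local-port>, <remote-port>'."""
    try:
        local_s, remote_s = request_line.split(",")
        local_port, remote_port = int(local_s), int(remote_s)
    except ValueError:
        return "0, 0 : ERROR : INVALID-PORT"
    if not (0 < local_port < 65536 and 0 < remote_port < 65536):
        return f"{local_port}, {remote_port} : ERROR : INVALID-PORT"
    user = connections.get((local_port, remote_port))
    if user is None:
        # Only answer for port pairs we really own; anything else is NO-USER.
        return f"{local_port}, {remote_port} : ERROR : NO-USER"
    if hide_users:
        # RFC 1413 lets a host refuse to disclose the user name; the IRC
        # server still learns that the port pair is legitimate.
        return f"{local_port}, {remote_port} : ERROR : HIDDEN-USER"
    return f"{local_port}, {remote_port} : USERID : UNIX : {user}"

def serve_one(listener, hide_users=False):
    """The client host's side: accept one query, answer it, close."""
    conn, _ = listener.accept()
    with conn:
        request = conn.makefile("rb").readline().decode("ascii", "replace")
        reply = ident_reply(request.rstrip("\r\n"), hide_users=hide_users)
        conn.sendall((reply + "\r\n").encode("ascii"))

def ident_query(host, port, local_port, remote_port, timeout=2.0):
    """The IRC server's side: connect back to the client and ask who owns the port pair."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(f"{local_port}, {remote_port}\r\n".encode("ascii"))
        return s.makefile("rb").readline().decode("ascii", "replace").rstrip("\r\n")

def run_exchange(local_port, remote_port, hide_users=False):
    """Drive both sides in one process over 127.0.0.1 and return the reply line."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # loopback only; port 0 so no privilege is needed
    listener.listen(1)
    listener.settimeout(5.0)          # never hang the demo if the querier fails to connect
    t = threading.Thread(target=serve_one, args=(listener, hide_users))
    t.start()
    try:
        return ident_query("127.0.0.1", listener.getsockname()[1], local_port, remote_port)
    finally:
        t.join()
        listener.close()

if __name__ == "__main__":
    print(run_exchange(6193, 6667))                   # 6193, 6667 : USERID : UNIX : sf
    print(run_exchange(5555, 6667))                   # 5555, 6667 : ERROR : NO-USER
    print(run_exchange(6193, 6667, hide_users=True))  # 6193, 6667 : ERROR : HIDDEN-USER
```

What the reply discloses is the local user name behind a port pair, which is the one thing the remote IRC server learns; RFC 1413's HIDDEN-USER error lets a responder confirm the connection without naming the user. The demo binds to 127.0.0.1 only so it stays local; a real ident responder must accept connections from the IRC server's address, which is exactly the inbound "act as a server" permission the original question is about.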

Nelson B
Jan 1, 2005, 8:37:59 PM
Jay Garcia wrote:

> Set ZA to allow that and don't worry about it. It's an internal function
> whereas the PSM (Personal Security Module) is acting as a "server" to
> "localhost". Strictly an internal function.

Jay, it has nothing to do with PSM. It's how mozilla and firefox
implement "pollable events" on Windows and OS/2.

Years ago, when PSM ran as a separate process from the browser,
it was true that PSM was one of the reasons mozilla needed this.
But PSM hasn't run as a separate process for years now, and so
this situation has nothing more to do with PSM.

I'm asking all the people who continue to name PSM as the cause
for mozilla wanting server access to stop it, because it generates a
lot of misdirected questions to the PSM/NSS folks.

--
Nelson B

sf
Jan 1, 2005, 9:00:36 PM
On Sat, 1 Jan 2005 01:42:37 -0200, Chaos Master
<e-m...@is.INVALID> wrote:

> I wish I had Jay Garcia's angel tonight:
>
> > > There is one web based chat site (also accessible via IRC)
> > > that cues Zone Alarm to pop up with a message saying that
> > > Firefox is asking to act as a server. I can use the site if
> > > FF is a server or not, so why would it need to be a server
> > > and what is it doing when it acts as a server?
> > >
> > > TIA
> >
> > Set ZA to allow that and don't worry about it. It's an internal function
> > whereas the PSM (Personal Security Module) is acting as a "server" to
> > "localhost". Strictly an internal function.
>
> And on this case the OP is posting (IRC-based web chat) the IRC server
> may be sending a IDENTD request. Clients IRC like mIRC or XChat handle
> this by default, but not Firefox (as it isn't supposed to do this by
> default)
>

Okay, I understand that - so you've given me peace of mind
with that particular site. However, if I tell ZA it's okay
for FF to act as a server (in general) am I setting myself
up for trouble? Should I just keep the setting at "prompt"
and say no to most queries?

Ed Mullen
Jan 1, 2005, 9:32:39 PM
Nelson B wrote:

Thanks for the clarification. Now. For those of us mortals who simply
want to know how to answer our firewall alerts, could you please explain:

- what happens if I universally deny Moz/FF server access via the firewall?
- what functionality is lost if I deny Moz/FF server access via the
firewall?
- should I grant Moz/FF universal access as a server via my firewall?
- if I grant universal access as a server via the firewall am I opening
up my system to either current or future vulnerabilities?

So far, and for a couple of years, I have told my firewall to NEVER
allow Moz/FF access as a server. I haven't noticed any fatal results of
this decision. Given your post, could you, please, offer us some more
info so we can be better informed and make better decisions.

--
Ed Mullen
http://edmullen.net
http://edmullen.net/moz.html

Chaos Master
Jan 2, 2005, 10:27:35 AM
sf stated:

> Okay, I understand that - so you've given me peace of mind
> with that particular site. However, if I tell ZA it's okay
> for FF to act as a server (in general) am I setting myself
> up for trouble? Should I just keep the setting at "prompt"
> and say no to most queries?

No trouble... I think that there's not much that a hacker can do with
the IDENTD service.

[]s
--
Chaos Master®, posting from Canoas, Brazil - 29.55° S / 51.11° W / GMT-2h / 15m


"Now: the 3-bit processor, with instructions:
1. NOP - does nothing, increase PC. / 2. HLT - does nothing, doesn't
increase PC / 3. MMX - enter Pentium(r) emulation mode; increase PC / 4.
LCK - before MMX: NOP ; after MMX: executes F0 0F C7 C8 / 5. HCF - Halt
and Catch Fire / 6. EPI - Execute Programmer

Jay Garcia
Jan 2, 2005, 1:24:41 PM
On 01.01.2005 19:37, Nelson B wrote:

--- Original Message ---

Great, then I feel certain that you will reply with a more detailed
explanation as to when this switch in implementation occurred, the basics
of how it now works, or at least some URLs where users can read up on
this. So far, nobody has come forth to correct this.

Nelson B
Jan 2, 2005, 11:38:13 PM
Jay Garcia wrote:
> On 01.01.2005 19:37, Nelson B wrote:

>>Years ago, when PSM ran as a separate process from the browser,
>>it was true that PSM was one of the reasons mozilla needed this.
>>But PSM hasn't run as a separate process for years now, and so
>>this situation has nothing more to do with PSM.
>>
>>I'm asking all the people who continue to name PSM as the cause
>>for mozilla wanting server access to stop it, because it generates a
>>lot of misdirected questions to the PSM/NSS folks.
>
> Great, then I feel certain that you will reply with a more detailed
> explanation as to when this switch in implementation occurred, the basics
> of how it now works, or at least some URLs where users can read up on
> this. So far, nobody has come forth to correct this.

Since you asked so nicely... :)

When the decision was made back in 1998 to open the source to the
Netscape browser, U.S. export control laws prohibited making crypto
source code available from U.S. servers to non-US citizens. So, it
was necessary to remove all the crypto code, and separate it into a
separate program, whose source was not open. This program was first
known as NSM, and later as PSM (psm.exe on windows). It worked with
both Communicator 4.x and with Netscape 6.x. It acted somewhat like
a local proxy server (for https only) and so it required server
permissions. So, FAQs began to (correctly) explain that PSM needed
server permissions, but that it only served requests from the local
browser, and not requests from remote systems.

Then in mid-2000 the export regulations changed, and it became possible
to get products with strong crypto identified as "retail commodities" by
the US government. Once mozilla became so categorized, it became legally
possible to open source the crypto code. Thereafter, there was no longer
any legal/regulatory reason to keep the crypto code in a separate process
from the mozilla browser process, and a project (code named PIP, for
"PSM In Process") was begun to rewrite PSM to work as an integral part
of mozilla, rather than as a separate process. This work was announced
to mozilla developers at the mozilla architecture conference in October
2000 (see news://news.mozilla.org:119/39E24DED...@netscape.com )
and more publicly on the mozilla web site in January 2001, when the
project was renamed PSM 2.0 (see
news://news.mozilla.org:119/3A705465...@netscape.com and
http://www.mozilla.org/projects/security/pki/psm/ ). Checkins of the new PSM
code into the mozilla open source repository began in January 2001. See
http://bonsai.mozilla.org/cvslog.cgi?file=mozilla/security/manager/ssl/src/nsNSSIOLayer.cpp

for the history of one such new PSM 2.0 / PIP source file. Notice the
comments on revision 1.1.

Unlike PSM 1.x, PSM 2.x has never used server sockets to communicate with
the mozilla browser. So, since PSM 2.0 was first released in mozilla, it
has not been true that PSM code in mozilla needs server socket permissions,
but certain third-parties and their web sites have continued to say that
mozilla needs server permissions because of PSM, as it did in PSM 1.x.

However, mozilla has other software that continues to use server sockets.
Like PSM 1.x, these sockets are only used to accept connections from client
sockets running on the same system, not from remote systems. These so-called
loopback connections allow mozilla to notice that certain events have taken
place in the same way (using the same technique) that it uses to notice that
data has arrived on a connection to a remote server, and hence are known as
"pollable events". You can read more about them at
http://lxr.mozilla.org/nspr/source/nsprpub/pr/include/prio.h#1982

Mozilla uses them in its "socket transport service". I'm not sure what,
if any, features of mozilla/TB/FF use that service, but the service is
initialized (and the sockets created) during mozilla's initialization.
As long as mozilla (and TB and FF) continue to use these pollable events,
(and as long as they remain implemented using sockets and the loopback
interface) they will continue to want to be permitted to act as a server
for locally-initiated connections, even though PSM doesn't need it.

I'll make recommendations for software firewall settings in my reply to
Ed Mullen's post.

--
Nelson B
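The loopback "pollable event" Nelson describes, as an added example written in Python rather than NSPR's C (the class and method names are mine, not NSPR's): a listening socket bound to 127.0.0.1, a connection to it from the same process, and the accepted end used in select() exactly like a socket to a remote server. The peer check after accept() is the caveat a practitioner would want, since for a moment the listener will accept any local connection, not just our own.

```python
"""
A "pollable event" built from a loopback socket pair, the technique Nelson
describes for Windows. Added example in Python; NSPR does this in C, and the
class name and method names here are mine, not NSPR's.
"""
import select
import socket
import threading

class PollableEvent:
    """One-byte-per-set event whose read end can sit in select() next to real sockets."""

    def __init__(self):
        listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        listener.bind(("127.0.0.1", 0))   # loopback only: this bind+listen is the "act as server" alert
        listener.listen(1)
        self._writer = socket.create_connection(listener.getsockname())
        self._reader, peer = listener.accept()
        listener.close()                  # the listener exists only to create the pair
        # The only legitimate peer is our own writer socket on loopback; anything
        # else means another local process raced us for the listener.
        if peer != self._writer.getsockname():
            self._reader.close()
            self._writer.close()
            raise RuntimeError(f"unexpected peer {peer} on pollable-event socket")
        self._reader.setblocking(False)

    def fileno(self):
        """Lets select()/poll() treat the event like any other socket."""
        return self._reader.fileno()

    def set(self):
        """Signal the event: one byte across loopback makes the read end readable."""
        self._writer.send(b"\x01")

    def wait(self, timeout):
        """Block until set (or timeout), drain the bytes, report whether it was set."""
        readable, _, _ = select.select([self._reader], [], [], timeout)
        if not readable:
            return False
        while True:
            try:
                if not self._reader.recv(64):
                    break   # writer closed
            except BlockingIOError:
                break       # drained
        return True

    def close(self):
        self._writer.close()
        self._reader.close()

def wake_blocked_thread(delay=0.2):
    """Park a thread in select() on the event, set it from a timer thread, and
    return whether the waiter woke because of the event rather than the timeout."""
    ev = PollableEvent()
    result = []
    waiter = threading.Thread(target=lambda: result.append(ev.wait(timeout=5.0)))
    waiter.start()
    timer = threading.Timer(delay, ev.set)
    timer.start()
    waiter.join()
    timer.join()
    ev.close()
    return result[0]

def event_vs_idle_listener(timeout=1.0):
    """One select() covering a real (idle) listening socket and the event:
    only the event side reports readable after set()."""
    idle = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    idle.bind(("127.0.0.1", 0))
    idle.listen(1)
    ev = PollableEvent()
    try:
        ev.set()
        readable, _, _ = select.select([ev, idle], [], [], timeout)
        return (ev in readable, idle in readable)
    finally:
        ev.close()
        idle.close()

if __name__ == "__main__":
    print("woke via event:", wake_blocked_thread())
    print("event readable, idle listener readable:", event_vs_idle_listener())
```

Nothing here ever talks to another machine: the bind is to 127.0.0.1, the connect is to 127.0.0.1, and after accept() the listening socket is closed, so a firewall rule that allows this program to act as a server only for the loopback range covers it completely.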

Nelson B
Jan 3, 2005, 12:21:50 AM
Ed Mullen wrote:

> Thanks for the clarification. Now. For those of us mortals who simply
> want to know how to answer our firewall alerts, could you please explain:
>
> - what happens if I universally deny Moz/FF server access via the firewall?
> - what functionality is lost if I deny Moz/FF server access via the
> firewall?
> - should I grant Moz/FF universal access as a server via my firewall?
> - if I grant universal access as a server via the firewall am I opening
> up my system to either current or future vulnerabilities?

It sounds like you are using a software firewall product that gives you
only an "all or nothing" choice (e.g. "universal access" or nothing) with
regard to moz/FF's use of server sockets. That's unfortunate if true.

If your system is not behind a firewall router, and is only protected from
the big bad Internet by a local software firewall, then I think you'd be
better protected by giving mozilla only server access to local (on your
machine) processes and not server access to remote addresses.

In the world of IP addresses, there is a special range of IP addresses that
always mean "on my local system". IP Addresses of the form 127.xxx.xxx.xxx
all refer to the local system, not to any other system, and not "on the
Internet", and are known as "loopback" addresses. So, programs that attempt
to connect to, or to receive connections from, such an address are not
attempting to communicate to some other box "on the internet" or even
"on your local LAN", but are merely communicating with software on your
own computer. In fact, programs commonly use this technique to communicate
with THEMSELVES.

mozilla uses this technique, connecting to itself via the IP address
127.0.0.1 to tell itself about certain events that require attention.
I would say that mozilla should be allowed to always act as a server on
the loopback IP addresses, and not others.

Some modern software firewall products know about the loopback addresses,
and do not create alerts or log entries when programs use those addresses.
Others can be configured to do that, but don't do it by default. And still
others aren't flexible in that way. How such configuration is accomplished
varies from firewall product to firewall product.

Some firewalls allow you to configure one or more IP addresses (or "subnets"
of IP addresses) as "trusted" or "local" or "safe". If yours does, I'd
suggest adding the loopback addresses to that list. This might be done
by specifying a subnet with an IP address of 127.0.0.0 and a "subnet mask"
of 255.0.0.0, or it might be done by specifying a "range" from 127.0.0.0
through 127.255.255.255. If you cannot specify a range, it might suffice
just to add one address, the one used by mozilla, namely 127.0.0.1, to the
list of "local" addresses.

After you've added the loopback address(es) to your "local" list, you may
also need to tell your firewall that it's OK for mozilla to act as a server
for the "local" IP addresses.

> So far, and for a couple of years, I have told my firewall to NEVER
> allow Moz/FF access as a server. I haven't noticed any fatal results of
> this decision. Given your post, could you, please, offer us some more
> info so we can be better informed and make better decisions.

I don't know all (or even most) of the purposes for which mozilla uses
these loopback connections. It may be that the uses are so rare that
the practical effects of denying them are negligible (especially since
bugzilla bugs 190000 and 191739 were fixed).

It may also be that your firewall is allowing loopback connections, even
though you've disallowed all server access to mozilla. (That seems to be
what I'm observing on one system with ZAF 5.1.033).

If your choice really is all-or-nothing, and the "nothing" choice seems to
work satisfactorily for you, then I'd suggest you stay with that, and don't
have any heartburn about lost functionality. OTOH, if your choice is all
or nothing, and the "nothing" choice does NOT seem to work well, maybe you
should consider another more-flexible firewall product.

--
Nelson B
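The per-program, per-address rules Nelson recommends, as an added example that models them in Python; the rule tuples, the program name firefox.exe and the alert events are constructed and are not ZoneAlarm's real configuration. It shows the three ways he gives of writing the loopback range (address plus mask 255.0.0.0, an explicit start-end range, or the single address 127.0.0.1) resolving to networks, and first-match evaluation so the loopback "allow" precedes a catch-all "deny" for server access.

```python
"""
Per-program, per-address firewall rules of the kind Nelson recommends, as a
small evaluator. Added example; the rule format, the program name and the
alert events are constructed, not ZoneAlarm's real configuration.
"""
import ipaddress

def parse_scope(spec):
    """Accept the address forms firewall UIs offer: 'a.b.c.d/mask', 'a.b.c.d/prefix',
    'start-end', or a single address. Returns a list of networks."""
    spec = spec.strip()
    if "-" in spec:
        start, end = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return list(ipaddress.summarize_address_range(start, end))
    return [ipaddress.ip_network(spec, strict=False)]

# (program, direction, scopes, action). First match wins, so the narrow
# loopback rule must precede the catch-all deny for server access.
RULES = [
    ("firefox.exe", "server", parse_scope("127.0.0.0/255.0.0.0"), "allow"),
    ("firefox.exe", "server", parse_scope("0.0.0.0/0"),           "deny"),
    ("firefox.exe", "client", parse_scope("0.0.0.0/0"),           "allow"),
]

def decide(program, direction, peer, rules=RULES):
    """Return 'allow'/'deny' for a connection event, or 'prompt' if no rule covers it."""
    ip = ipaddress.ip_address(peer)
    for prog, dirn, scopes, action in rules:
        if prog == program and dirn == direction and any(ip in net for net in scopes):
            return action
    return "prompt"

# Constructed alert events: (program, direction, peer address, what it was).
EVENTS = [
    ("firefox.exe",     "server", "127.0.0.1",    "pollable-event loopback connect"),
    ("firefox.exe",     "server", "203.0.113.10", "inbound ident query from an IRC server"),
    ("firefox.exe",     "client", "198.51.100.7", "outbound HTTPS"),
    ("thunderbird.exe", "server", "127.0.0.1",    "no rule for this program yet"),
]

def triage(events=EVENTS, rules=RULES):
    """Run every alert through the rule set; the firewall would prompt for the rest."""
    return [(what, decide(p, d, peer, rules)) for p, d, peer, what in events]

if __name__ == "__main__":
    for what, action in triage():
        print(f"{action:6}  {what}")
```

Two things the evaluator makes visible: the mask form and the range form of the loopback scope are the same network (127.0.0.0/8), while the single-address form only covers 127.0.0.1, which is enough for the self-connection Nelson describes but not for other loopback addresses; and on a host with IPv6 enabled, ::1 is loopback too and matches none of these IPv4 rules, so it falls through to "prompt" unless a ::1/128 rule is added alongside 127.0.0.0/8.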

Ed Mullen
Jan 3, 2005, 12:13:40 PM

Thanks for all the info, Nelson. Much appreciated.

I've been using Zone Alarm Pro on all my systems for years and am well
acquainted with configuring access on a per-program and per-address
level. My LAN is also behind routers.

My central question, however, seems to remain unanswered: That is, what
effect does denying server access to Mozilla have? And, by implication,
for what functions does Moz actually use/need this access? Not
expecting you to have the answers, just noting that my curiosity is
still unsatisfied.

So I tried Googling on mozilla.org. It's kind of amusing that searching
for "local server" gave a link to the Mozilla 1.7 Known Issues page
where I found the following quote:

"On Windows, some software firewalls may block Mozilla from properly
accessing the Internet. If Mozilla is not working properly, check that
your firewall settings allow Mozilla to connect to the net. If you
receive a warning from ZoneAlarm that Mozilla attempts to set itself up
as a local server, it is due to Mozilla communicating with Personal
Security Manager (PSM) which is required to access secure Web and mail
servers, and you should allow Mozilla access."

None of the other links shed much light on this. Oh well. Interesting
stuff nonetheless.
