A Couple of Thunderbird Questions

Magnus Therning magnus at therning.org
Wed May 4 07:41:53 UTC 2005


On Tue, May 03, 2005 at 11:56:12PM -0700, Daniel Robitaille wrote:
>On Tue, 2005-03-05 at 23:34 -0700, Alex Mandel wrote:
>
>> > OK, found them under ~/.mozilla-thunderbird/nuqi35wy.default/Mail/Local
>> > Folders/Inbox.sbd
>> > 
>> > (I have no idea what the 'nuqi35wy' is all about.  Anybody know?)
>> 
>> It's some random generation of profiles thing, been around in 
>> Netscape/Mozilla and Windows as far as I can remember although I don't 
>> know why.
>
>if it's random  then someone or an application cannot guess where your
>user profile is be located on your computer.  Not knowing where it is
>could make a big difference if there is one day a new still-unknown
>vulnerability in Mozilla/Firefox/Thunderbird that could read your user
>profile (i.e, your cache, user profile, address book, etc). The
>randomness in your profile path could possibly stop that future
>vulnerability.

Hmmm, I do wonder if that's the reason. I mean '*.default' would find
the directory in question. The evil attacker could also simply ready
~/.mozilla/firefox/profiles.ini to find out where the configuration is
located. My guess would be that it's a way to prevent overwriting
configurations:

 Ex:
 Create user 'silly' (-> user dir 'silly')
 Rename user 'silly' to 'dum' (-> user dir is still 'silly')
 Create user 'silly' (-> user dir 'silly' overwrites user 'dum')

By adding the randomness this scenario is prevented.

/M

-- 
Magnus Therning                    (OpenPGP: 0xAB4DFBA4)
magnus at therning.org
http://magnus.therning.org/

Software is not manufactured, it is something you write and publish.
Keep Europe free from software patents, we do not want censorship
by patent law on written works.

He who joyfully marches to music in rank and file has already earned
my contempt. He has been given a large brain by mistake, since for him
the spinal cord would fully suffice.
     -- Albert Einstein
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-users/attachments/20050504/c0e480e8/attachment.sig>


More information about the ubuntu-users mailing list