I have been banned from Lobste.rs, ask me anything.
Giacomo Tesio
Posted on September 11, 2018
Let me start by saying that Lobste.rs is a great community that I enjoyed for more than a year. Several very smart guys hang out there, and I had great conversations with them about operating system design, programming languages, artificial intelligence and machine learning, security, privacy and so on.
I also tried to be a constructive member of that community, posting there interesting documents I came across.
NOTE: In the URL above, the two submissions marked as "[Story removed by original submitter]" were removed by the administrator after my ban.
I didn't remove them. I have nothing to hide.
One was my recent article documenting an exploit that lets any website you visit tunnel into your private network (bypassing many corporate firewalls and proxies).
The other was the related bug report that I wrote to Mozilla (then reported to Chromium too) before disclosing that proof-of-concept exploit.
Something went wrong after these submissions, because despite the fact that Lobste.rs was suggested by a Mozilla Security developer as a place to continue the discussion about the HTTP/JavaScript vulnerability I reported, nobody answered my question "are Firefox users vulnerable to this wide class of attacks?".
Yet I got downvoted so much that an administrator (after writing to me on August 30 for the first time) decided that I do not suit the community's culture.
The official reason for the ban was: "Constant antagonistic behavior and no hope for improvement".
Now let's be clear, I'm fine with Peter's decision, even if I don't agree with it. Your server, your rules.
But I think that my ban is a very nice example of Statistics misuse.
Indeed, since the first private message I got from Peter, he asked me to explain why I was downvoted 18 (and later 22) standard deviations more than the average.
Note, I was also upvoted enough to get a positive ranking on most of my comments and posts, but he was just looking at the downvotes, in isolation.
As one who knows how to lie with statistics, this was a bit of a smell, but since my private explanations were not enough, I carefully explained how most of those downvotes did not comply with Lobste.rs' own guideline about downvotes (sorry, due to the downvotes, you have to expand this comment to see the explanation).
To get a clue about my bad behavior you can take a look at my recent comments on Lobste.rs (some of the comments have been censored, but Peter has kindly sent me a CSV containing a full export from the DB).
Here are some examples of the missing contents (beware, 18+ only! :-D):
I feel very uneasy about the safe browsing thing.
For most people (those using WHATWG browsers like Firefox, Chromium, IE/Edge and derivatives such as Tor Browser, Safari or Google Chrome) there is no such thing as "safe browsing".
I mean: if any website you visit can enter your private network or check in your cache if you visited a certain page... or upload illegal contents into your hard disk... calling it safe is rather misleading!
HTTPS protects users from certain threats, by reducing the number of potential attackers to CAs and those who have access to certificates (which is a varying and large number of people anyway, if you consider CDNs or custom CAs you might have to install on your work PC).
As for this being anticompetitive... maybe.
But some of the issues here are rooted in Copyright protection, so... it might just be one of the many problems of a legal system designed before information technology.
NOTE: every browser executing JavaScript and honouring HTTP cache control headers is equally vulnerable.
I'm seriously concerned by this attitude among IT people.
My question is simple and has a boolean answer. Are the attacks described in the bug report possible, or not?
Okay, I’ll bite.
+1! I'm Italian! I'm very tasty! ;-)
Bugzilla is not a discussion forum.
Indeed this is a bug report.
Ah, here’s where we disagree. I understand that a bug is an ambiguous concept. This is why we have our Bugzilla etiquette, which also contains a link to Mozilla’s bug writing guidelines.
I'm pretty serious about netiquette, and I checked yours before writing the report.
I'm very sorry if I violated one of your etiquette rules, but honestly I cannot see which one.
Even about bug writing I tried my best; what exactly did I get wrong?
Note that this is not a single RCE, but a whole category of them.
And the problem is not just the JavaScript attacks themselves, but the fact that they can remove all evidence.
Furthermore, what you seek to discuss is not specific to Mozilla or Firefox.
True. Several other browsers are affected too, but:
- This doesn’t mean that it’s not a bug in Firefox
- As a browser “built for people, not for profit” I think you are more interested in the topic.
Please elaborate, I am not sure what you mean to imply.
As a Firefox user (and "evangelist") since version 0.8 I know Mozilla as a brand that cares about people.
Even the word you used, "people" instead of "users", has always been inspirational to me.
Now, the issue here is specifically dangerous because not all people live under the same law.
Thus I think (and hope) that Mozilla is more interested in the safety of such people than other browser vendors that are led by profit.
I agree with what @callahad@wandering.shop says right away: If you browse to a website. It gives you JavaScript. The browser executes it. That’s by design! Nowadays, the web is specified by W3C and WHATWG as an application platform. You have to accept that the web is not about hyper*text* anymore.
I have worked (and still work) on this application platform for 20 years; I think I have understood that pretty well.
The point is whether such an application platform is broken at the design level or not.
This is not a bug in Firefox.
Are you saying that these attacks are not possible?
I am saying that this is not specific to Firefox, but inherent to the browser as a concept.
Sorry if I ask it again, but I'm pretty dumb.
Are the attacks described in the bug report possible in Firefox, or not?
This is just a sampling, but if you find other censored contents that you are curious about, feel free to ask.
Now, I still think that Lobste.rs is a great technical community and you should really join them. And even Peter is a good administrator: he just made an error.
But I'm a Data Science hobbyist myself, so feel free to ask me how an actual troll could fool such a metric by downvoting others. Or why, if you do not care about Internet points (and do not try to maximize them), you will obviously lose a lot of them.
Or well... ask me anything else! :-D
I'm not from Mozilla Security.
I will answer. I'm a hacker.