Links for 2008-08-14
Emergent Chaos: Certifiably Silly : Adam Shostack tells the truth re Firefox 3’s stupid self-signed cert bug. ‘imposing yet another security tax, based on a static analysis of attackers and some certificate authority pixie dust, isn’t going to help things for very long.’
(tags: firefox firefox-3 security certificates ssl tls ca pki adam-shostack ui usability)
Image Cerberus: a SpamAssassin plug-in against image spam : a new plugin, subject of a paper at this year’s CEAS conference it looks like
(tags: plugins spamassassin anti-spam image-spam images ceas conferences)
Twitter drops SMS-notification support for EU users : interesting, I haven’t received the mail, and it claims to still be sending updates to my Irish mobile (update: I’m not actually *getting* any updates, though)
(tags: twitter phones mobile sms ireland eu uk)
Tags: adam-shostack, anti-spam, ca, ceas, certificates, conferences, eu, firefox, firefox-3, image-spam, images, ireland, mobile, phones, pki, plugins, security, sms, spamassassin, ssl, tls, twitter, ui, uk, usability
Links for 2008-08-07
Hacking Mifare Transport Cards : notable mainly because Schneier calls MIFARE Classic’s crypto ‘terrible’ and ‘kindergarten cryptography’. ‘Anyone with any security experience would be embarrassed to put his name to the design.’ ZING
(tags: ouch mifare cracks security zing crypto-cards smartcards oyster nxp)
some good AWS tips : e.g. “upload files to S3 in lexically-sorted order”, apparently it’s faster. who knew!? (Sorry Joshua, gave you a bad tip y’day in that case)
(tags: amazon aws s3 sqs sdb web-services hosting for:joshua)
The Coreflood Report : fascinating Joe Stewart post-mortem of a server run by a Russian malware group targeting online banking; one apparent Miami-based victim was defrauded of $90k, and it appears that the group would have had access to a combined $2.5m in all victims’ accounts
(tags: coreflood trojans joe-stewart secureworks malware banking online-banking autoproxy joe-lopez)
using “data=writeback” on your Ubuntu filesystems : aha! This is the root cause of the crippling Firefox 3/VIM slowness; Ubuntu and Debian use a crappy ext3 option which sacrifices speed for correctness, by effectively turning every fsync() into a sync(). Here’s how to disable it
(tags: fsync sync unix linux ext3 ubuntu debian firefox vim grub annoying sysadmin)
Tags: amazon, annoying, autoproxy, aws, banking, coreflood, cracks, crypto-cards, debian, ext3, firefox, for:joshua, fsync, grub, hosting, joe-lopez, joe-stewart, linux, malware, mifare, nxp, online-banking, ouch, oyster, s3, sdb, secureworks, security, smartcards, sqs, sync, sysadmin, trojans, ubuntu, unix, vim, web-services, zing
Firefox Download Evening
Happy Firefox Download Day — or rather, Firefox Download Evening!
It turns out that the “day” in question has been defined as a 24-hour period starting at 10am Pacific Time; rather than compensating for the effects of timezones around the world, they’ve just picked an arbitrary 24-hour period.
That’s 6pm in Irish time, for example. At least I’m not one of the 57,000 Japanese pledgers, who’d be waiting up until 2am to kick off their download. It seems a little bizarre that there’s little leeway provided for non-US downloaders, who are right now twiddling their thumbs, waiting, while their “day” passes.
Annoyingly, the main world record page simply says ‘the official date for the launch of Firefox 3 is June 17, 2008′ — no mention of a starting time or official timezone at all!
This is the top thread on their forum right now — in addition to the omission of an entire continent ;)
Tags: downloads, firefox, international, open-source, time, timezones, us
Upgrading to Firefox 3
Firefox 3 Release Candidate 1 was released earlier this month. I’ve upgraded.
I tried switching to it a couple of months back, but gave up, since my favourite extensions were AWOL. This time around though, they’re almost all present. Since Firefox is now basically an operating system in its own right, with upgrade pain all of its own, and a couple of people have asked, here’s what I needed to do to get from Firefox 2 to 3:
Make a list of my favoured extensions
Namely, from most important to least:
- Greasemonkey
- MozEx
- Session Manager
- No Squint
- Adblock Plus
- Download Statusbar
- Web Developer Toolbar
- SubmitToTab
- CustomizeGoogle
- Firebug
- Live HTTP Headers
Create a new Mozilla profile
This allowed me to keep my Firefox 2.0 settings entirely intact, a key step. Install Firefox 3, and start it with “firefox -ProfileManager”, then create a new profile and start with that.
Get installing
The following extensions from the above list were available by now for Firefox 3, through addons.mozilla.org:
- Adblock Plus
- Download Statusbar
- No Squint
- Session Manager
- Web Developer Toolbar
- Live HTTP Headers
- CustomizeGoogle
Firebug was slightly trickier, since you need the 1.2 beta version (not the 1.1 beta from their site), specially designed for Firefox 3 support, available only from their ‘releases’ page.
However, Greasemonkey, SubmitToTab, and MozEx were still missing. :(
Greasemonkey, thankfully, wasn’t too hard to find — the latest nightly build from this directory does the trick.
MozEx seems dead — the Firefox 2 support was added in a development snapshot, and there’s no sign of Firefox 3 support. This was in danger of becoming a show-stopper, since I spend all day editing text in browser textareas in Trac, Bugzilla, and Wordpress — until I found It’s All Text!, which is even slightly prettier and simpler than MozEx. yay. The only thing to watch out for is that after setting the path to the editor command, I had to quit and restart the browser for it to recognise it as valid.
SubmitToTab is the only desirable plugin remaining. It looks like it won’t be making it any time soon, but I’m prepared to live without it. ;)
Also, while discussing this on Twitter, Vipul wondered if XPather was available — turns out that yes, v1.4 of XPather supports FF3. Looks cool too; I’ve installed it ;)
Copy bookmarks
Exit the browser, copy the “bookmarks.html” file from the old profile directory (~/.mozilla/firefox/jocfzbfo.jm in my case) to the new one (~/.mozilla/firefox/7bkf89ws.ff3), and restart it.
I didn’t bother copying cookies — I’m happy to log in again on all those sites. (I don’t like carrying too much baggage between upgrades…)
I also opened the Greasemonkey user scripts dir (~/.mozilla/firefox/jocfzbfo.jm/gm_scripts), clicked on each script there, and installed them that way to FF3. A little laborious, but nothing serious really.
Done!
End result: I’m using FF3, and it’s working quite nicely. Memory usage is consistently below 300MB, so far — I haven’t seen any bloating yet, which is a big improvement. I’m probably going to stick with it.
One thing: I did have to turn off the new image scaling effect, however — text font size modification also now scales images to match, which is very annoying (and jaggy). No Squint allows this quite neatly.
Tags: extensions, firefox, releases, software, upgrades, versioning
Google Calendar ‘Quick Add’ smart keyword bookmark
Google Calendar has a nifty feature, “Quick Add”, where you can enter a natural-language string like “lunch with Justin, 1pm 20/4/08″, it parses it, and adds an appointment to your calendar. However, the link in the Calendar UI can’t be bookmarked; you have to go to the Calendar page, wait for it to sloooowly load all its AJAX bits, hit the link, and only then type the appointment details, by which time I’ve forgotten it anyway ADD-style. ;)
Elias Torrez came up with a Firefox extension to use the Quick Add feature in one keypress, but in my opinion that’s overkill — I don’t want the overhead of another extension, the upgrade worries, and I don’t want it using up a keyboard shortcut either. I’d prefer to just have this as a Firefox Smart Keyword – and thankfully the trick is in the comments for his blog post, from someone called Bjorn. So here’s the deal:
Name: Google Calendar Quick Add
Location: http://www.google.com/calendar/event?ctext=+%s+&action=TEMPLATE&pprop=HowCreated%3AQUICKADD
Keyword: newcal
Description: add a new event in Google Calendar
enjoy!
Tags: bookmarks, firefox, google, google-calendar, quick-add, smart-keywords, ui
Stretch-to-fit Textareas – Now A Firefox Extension
Since it’s been turning out to be really quite useful, here’s a Firefox extension version of the Stretch-to-fit Textareas Greasemonkey user-script I wrote a few weeks back. In other words, Greasemonkey not required!
Searching GMail with a Firefox Smart Keyword
Here’s a Firefox Smart Keyword to search your GMail:
https://mail.google.com/mail/?search=query&view=tl&q=%s
Usage example, assuming you use ‘mail’ as the keyword: (CTRL-L) mail whatever
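How a smart keyword actually turns into a request, for this GMail bookmark and the Google Calendar ‘Quick Add’ one above. This is an added example modelling Firefox's behaviour, not Firefox's own code: `%s` is replaced by the URL-encoded remainder of what you typed, and `%S` by the raw text. The encoding is the part worth noticing. Typing `mail x&view=cv` must produce one `q=` value, not a second `view=` parameter that overrides the one baked into the bookmark.

```javascript
// Added example (not Firefox's code): expand "<keyword> <query>" typed in the
// location bar using a keyword bookmark's URL template.

const KEYWORD_BOOKMARKS = {
  // the two bookmarks from the posts above
  mail: "https://mail.google.com/mail/?search=query&view=tl&q=%s",
  newcal: "http://www.google.com/calendar/event?ctext=+%s+&action=TEMPLATE&pprop=HowCreated%3AQUICKADD",
};

// Returns the expanded URL, or null when the first word is not a known
// keyword (in which case the browser treats the input as a URL or search).
function expandKeyword(input, bookmarks = KEYWORD_BOOKMARKS) {
  const trimmed = input.trim();
  const space = trimmed.indexOf(" ");
  const keyword = space === -1 ? trimmed : trimmed.slice(0, space);
  const query = space === -1 ? "" : trimmed.slice(space + 1).trim();
  if (!Object.prototype.hasOwnProperty.call(bookmarks, keyword)) return null;
  // %s: percent-encode so '&', '=', '#' and friends stay inside one value.
  const encoded = encodeURIComponent(query);
  // Single pass with a function replacer: a plain string replacement would
  // interpret "$&" and similar sequences inside the user's text.
  return bookmarks[keyword].replace(/%[sS]/g, m => (m === "%s" ? encoded : query));
}

// What the receiving site sees for one query parameter of the expanded URL.
function queryParam(url, name) {
  return new URL(url).searchParams.get(name);
}
```

Use `%S` only where the template really needs raw text (a path segment you control, say); for anything that lands in a query string, `%s` is the safe choice.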
Tags: firefox, gmail, google, mozilla, smart-keywords
‘Bugzilla See Earlier Comments’ User Script
Here’s a new Greasemonkey user script which fixes a minor annoyance in the Bugzilla user interface. When viewing the ‘Create a New Attachment’ page, this will transclude the previous comments onto the bottom of that page, for reference while editing: bz_see_earlier_comments.user.js
Thanks to Jesse Ruderman for the nifty AJAXish iframe-transclusion trick it uses.
Tags: bugzilla, firefox, greasemonkey, javascript, mozilla, userscript
Greasemonkey: transcoding extension for Firefox
Web: Now this is very cool stuff: ‘Greasemonkey is a Firefox extension which lets you add bits of DHTML (“user scripts”) to any webpage to change its behavior.’
In other words, you can rewrite any page viewed in Firefox, as it transits between the server and your client’s display; a form of transcoding.
Traditionally, transcoding is performed using a HTTP proxy which applies the transformation, or a specialised HTTP user agent which transcodes and outputs a whole new set of documents with the results.
That was all a little hacky for full-scale integration into your web browser, though, so Greasemonkey is a big improvement for that use-case.
Some good links:
- The Greasemonkey homepage
- The Greasemonkey script repository (wiki)
- Mailing list archives for greasemonkey users
And some demos:
- a good demo of using it to fix a Bloglines bug, by Michael Moncur
- an MSDN bug-fixing script
- a Boing Boing ad-blocking script
- truly awesome: persistent searches (think vFolders) in GMail!
Remember, these are single, sub-100-line JS scripts, running entirely locally in the user’s web browser. The last one gives you an idea of what coolness is possible…
My contribution: an ad-removal script for Metafilter. It took some 30 seconds of hacking to produce this — soooo easy. It’s a whole new world of site customisation and hackable filtering. You thought AdBlock was good, this is even niftier ;)
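For the shape of such a script, here is an added example of an ad-removal user script in the style discussed in this post and the Bugzilla one earlier. It is not the post's own Metafilter script: the ad host list, the `@namespace` and the `@include` pattern are all made up for the example. The one point worth taking from it is the host match: compare whole DNS labels, not substrings, or `notdoubleclick.net` and `doubleclick.net.evil.example` get treated the same as the real thing. The host check is kept separate from the DOM walk so it can be tested outside a browser.

```javascript
// ==UserScript==
// @name          Strip ad embeds (added example)
// @namespace     http://example.invalid/added-example
// @description   Added example, not the post's script: removes images,
//                frames, scripts and links that point at known ad hosts.
// @include       http://www.metafilter.com/*
// ==/UserScript==

// Constructed for the example; a real list would be longer.
const AD_HOST_SUFFIXES = ["doubleclick.net", "googlesyndication.com", "ads.example.invalid"];

// True when the URL's host is one of the ad hosts or a subdomain of one.
// Relative URLs resolve against the page (assumed here to be metafilter.com).
function isAdUrl(url, suffixes = AD_HOST_SUFFIXES) {
  let host;
  try {
    host = new URL(url, "http://www.metafilter.com/").hostname.toLowerCase();
  } catch (e) {
    return false;                    // unparseable: leave it alone
  }
  return suffixes.some(s => host === s || host.endsWith("." + s));
}

// Removes every matching element under root; returns how many were removed.
// root only needs querySelectorAll(), so it can be document or any element.
function removeAdElements(root) {
  let removed = 0;
  for (const el of root.querySelectorAll("img[src], iframe[src], script[src], a[href]")) {
    const url = el.getAttribute("src") || el.getAttribute("href");
    if (url && isAdUrl(url)) {
      el.parentNode.removeChild(el);
      removed++;
    }
  }
  return removed;
}

// Greasemonkey runs the script once the page has loaded; guard so the file
// also loads cleanly outside a browser.
if (typeof document !== "undefined") {
  removeAdElements(document);
}
```

Because a user script runs inside the page with the page's own DOM, anything it removes is gone only from this render; nothing stops the ad request that already happened. Blocking at the network layer, which AdBlock does, is the stronger control; this is the convenient one.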
Tags: boing, browser, extension, firefox, greasemonkey, http, script, stuff, user, web
A Firefox Extension plug
Web: Urgh, I still have this damn cold I picked up in Ireland… sniffle cough etc. More vitamin C needed!
Anyway, just a quick plug for a very deserving Firefox extension, one I haven’t seen mentioned widely. It’s pretty common, when you wish to print out a web page, that you wish you could get rid of the obnoxious extra-wide sidebar tables, gigantic ads, or other extraneous parts of the page. Well, now you can:
Nuke Anything is a Mozilla/Firefox extension which offers two great features in the right-click context menu:
- Remove this object: this will remove the object you’ve right-clicked on — a table TD, paragraphs, images, IFRAMEs, etc.
- Remove selection: more usefully, this allows you to select exactly what you want to remove with a left-button drag, then right-click to remove it.
It’s really useful. I almost never print anything out these days without scrubbing off a few unwanted sidebars ;)
Tags: anything, cough, extension, firefox, page, plug, remove, sniffle, urgh, vitamin, web
New Scientist’s psychic website
Web: The lovely C sent me a link of note — it’s the eglu, ‘the world’s most stylish and innovative chicken house and is the perfect way to keep chickens as pets’. (She has a thing about keeping chickens.)
So I was all set to link to that on NoMoreSocks.newscientist.com, New Scientist’s nifty new xmas-pressies site; but — get this: it will not load in Firefox 1.0PR, 1.0, or Konqueror at all — in fact, using telnet, the site doesn’t actually respond to requests on port 80 from my linux desktop.
The only browser it seems to work with is MS Internet Explorer in VMWare, presumably using MSIE’s psychic powers to contact it without going through TCP/IP.
Mysteriously, it can be lynxed from my server in Ireland, but similarly doesn’t work for C’s Firefox installation on her desktop. How weird!
Tags: chicken, desktop, eglu, firefox, house, link, note, site, way, web, world
Firefox 1.0PR’s software installation UI
Security: Given the current prevalence of phishing attacks and spyware infestations, designing a good user interface that protects naive users against malware is now more urgent than ever.
Firefox is, of course, widely touted as more secure than MSIE. This is by and large true, due partly to MS’ emphasis in their UIs on one-step ‘easy’ installation and confirmation-dialog reduction (in my opinion) — but also due to the fact that spyware companies don’t yet see Firefox as a target to the same extent.
This changed recently — spyware ‘toolbars’ started to appear for Firefox as well. It was quite a surprise to see a dialog pop up when accessing an otherwise normal-looking (though advertising-heavy) page, using my Linux desktop, prompting me to install some ‘toolbar’ .xpi file!
Firefox 1.0PR now includes code to deal with this. Here’s how it works.
If a site I’m viewing attempts to install an XPI file, I get this prompt:

Note that it’s NOT a dialog. This is pretty handy, because it means that I won’t get annoying dialogs all the time if I do accidentally go to an unscrupulous site; it just appears like part of the page. In the clueless-user case, they may not even notice that they’ve been protected, which reduces the risk that they’ll install the extension anyway.
(However, I would have extended it by using an icon or look-and-feel that indicated that this was a ‘trustworthy’ part of the UI, rather than possibly part of the page.)
If I hit the ‘Edit Options…’ button, I get this:

A simple-enough dialog containing the list of sites permitted to install extensions. update.mozilla.org is in there by default, and I’ve added texturizer.net so I can install from their more extensive list of older extensions. The address of the current site has been dropped in automatically.
To permit the site, I have to hit ‘Allow’, then ‘OK’. So I do that, and hit the ‘install’ link on the webpage again:

And there’s the Software Installation dialog. Note the red Unsigned warning, the proportion of text that is a warning about installing bad stuff (fully half!), and — this is interesting — a greyed-out ‘Install’ button.
The button is on a timer — it becomes clickable after 2 seconds. This, presumably, is to ensure that people read the dialog! Reportedly, users no longer read dialogs, instead hitting OK on every dialog that appears. In my opinion, this is arguably due to ‘the boy who cried wolf’ syndrome: by default, MSIE and older Mozilla versions will ask all sorts of stupid questions about ‘are you sure you want to send stuff on the intarweb?‘ whenever you use Google. If anything is guaranteed to induce dialog fatigue, it’s that feature.
(Update: actually, that’s not the reason. Reportedly, it’s a workaround for a couple of social-engineering attacks, whereby an attacker could persuade the user to type a word ending in ‘Y’, and time the dialog to appear just before ‘Y’ is typed — causing the keyboard shortcut for ‘Yes’ to take effect; or persuade the user to double-click in the right spot, and similarly time the dialog to appear in the right place, in time for the second click. Still, I maintain the measure is useful to deal with the ‘dialog fatigue’ issue too. ;) Thanks to Smyler and Rod for pointing this out.)
I would have gone further:
- the ‘a software install was blocked’ page element should have an indication that it’s ‘trustworthy content’
- both dialogs should default to ‘Cancel’, to avoid users deliberately pressing ‘OK’
- I would possibly require a ‘yes, I read this’ tickbox to be ticked before the software is installed.
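The mechanism under discussion, as an added example rather than Firefox's code: a model of the Software Installation dialog whose ‘Install’ control ignores clicks and its keyboard accelerator until a fixed delay after the dialog opened, with the two extensions suggested above (Cancel as the default action, and an optional ‘I read this’ tickbox that must be set before Install is live). Timestamps are passed in by the caller so the timing attack from the update can be replayed without a real clock. The 2-second delay and the ‘y’ accelerator come from the post; the tickbox name and the API are assumptions.

```javascript
// Added example, not Firefox's code: a model of the delayed-enable Install
// button and the default-to-Cancel behaviour.  Times are milliseconds.

const INSTALL_DELAY_MS = 2000;   // the timer from the post

class InstallDialog {
  constructor(openedAt, { delayMs = INSTALL_DELAY_MS, requireAck = false } = {}) {
    this.openedAt = openedAt;
    this.delayMs = delayMs;
    this.requireAck = requireAck; // "yes, I read this" tickbox (assumed extension)
    this.acknowledged = false;
    this.result = null;           // "installed" | "cancelled" | null while open
  }

  // Install is live only after the timer has run AND (if required) the
  // tickbox is set.  A click or keystroke a page timed to land just after
  // the dialog appeared therefore hits a disabled control.
  installEnabled(now) {
    return now - this.openedAt >= this.delayMs && (!this.requireAck || this.acknowledged);
  }

  tickAcknowledge() { this.acknowledged = true; }

  // Each event returns true only if it changed the dialog's outcome.
  clickInstall(now) {
    if (this.result !== null || !this.installEnabled(now)) return false;
    this.result = "installed";
    return true;
  }

  clickCancel() {
    if (this.result !== null) return false;
    this.result = "cancelled";
    return true;
  }

  keypress(key, now) {
    if (this.result !== null) return false;
    // Cancel is the default action, so Enter and Escape both close safely.
    if (key === "Enter" || key === "Escape") return this.clickCancel();
    // The accelerator for Install obeys exactly the same gate as the button.
    if (key.toLowerCase() === "y") return this.clickInstall(now);
    return false;
  }
}

// Replays the attack from the update: the page persuades the user to type a
// word ending in 'y' and pops the dialog so the 'y' arrives 50 ms later.
// Returns the dialog's result: null means the keystroke was swallowed and
// the user is still looking at the warning.
function simulateTypingAttack(dialogOpts = {}) {
  const t0 = 1000;
  const d = new InstallDialog(t0, dialogOpts);
  d.keypress("y", t0 + 50);
  return d.result;
}
```

The same gate also defeats the double-click variant: the second click lands on a button that is not yet enabled. What the delay cannot do is make the user read the text; that is what the tickbox is for, and even then it only proves a box was ticked.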
Interesting though. This is the way internet-facing UIs are going to have to develop, in my opinion.
Tags: dialog, file, firefox, installation, page, part, security, site, spyware, user, xpi
More Thoughts on GMail
Mail: I’ve been playing around with GMail a bit more recently. They’ve fixed the issues they had with Firefox and keyboard control, and it is nice.
Threading: since I plan to bother a few open-source MUA developers ;), I’ve written up a thorough analysis of their ‘conversation’ model, with its ‘collapsible history’, archive-not-delete approach, etc. Take a look, if you’re curious.
HTML: one feature that no-one’s commented on, is that GMail does not create HTML mail — all mail composed through their composer is sent as text/plain only.
This is very interesting, because it suits me just fine. HTML mail causes so many more problems than it solves, especially when full-featured web browser components are used to display it, IMO. I get to see the security exploits this enables, every day in my anti-spam work.
But it’s also very significant that nobody else has commented on it – nobody misses it!
Phantom Labels: another interesting thing I’ve noted: sometimes a mail will appear in your Inbox with a ’spam’ label, even though you’ve never defined one. It’s not in the ‘Spam’ folder; it’s in your inbox.
Aaron has a good theory on what this is, and I think he’s right — he suggests it’s when ‘ the two emails are in a conversation (same subject); one is marked as spam, one isn’t. So the conversation (which is what appears in your inbox) gets two tags: Spam, and Inbox. So when viewing the list it looks like it gets the Spam tag.’
Also, while I’m here — details on LiveJournal’s distributed filesystem, MogileFS, which apparently ‘will be open source’. Link via acme.
Tags: bit, conversation, firefox, gmail, html, inbox, keyboard, mail, nobody, spam
Future Firefox Features
Web: More on the Firefox crappy-movie-now-web-browser thing, from Chris Blizzard:
- A mind-controlled UI: but it only works if you think in russian!
- Flashback mode: whenever you hear a helicopter overhead the browser will redirect all page loads to web.archive.org, circa 5 years ago.
- Stealth mode: using specially malformed headers, Firefox will load your web pages and web servers will be unable to log your visits.
- Mach 6 Technology: advanced compression algorithms will make the web faster than it’s ever been before!
- Arctic compliant: you can land firefox on an ice floe in the middle of the north atlantic. Not sure why you would need this, but hey, we had some extra bandwidth.
Tags: browser, firefox, flashback, helicopter, mode, overhead, redirect, russian, thing, web
Firebird now Firefox
Web: Donncha notes that Mozilla Firebird has been renamed ‘Firefox’. Retro cruddy 80’s Cold War movie reference? check!
I like it. In fact, I’m looking forward to Linux kernel 2.6.2 ‘Red Dawn’.
BTW, my current favourite Firebird^H^H^H^Hfox extension: Session Saver. Load and save the current list of open tabs, and have them automatically saved when you quit the browser. Given that I often have a few tabs on stuff I’m researching, leaving them until I’m a bit less busy (which can take days!), this fits perfectly with my modus operandi.
Funny: This is GREAT!
And if that’s too much product placement for you, there’s Students for an Orwellian Society: ‘Because 2004 is 20 years too late.’
Tags: cold, cruddy, donncha, firebird, firefox, movie, mozilla, reference, retro, war, web