Believing Your Own Hype

Bashing competing closed-source products seems to be more widely accepted in the open source world, especially when those products are made by Microsoft. Personally, I deplore this tendency (though again, there’s nothing wrong with straightforward factual comparisons), not merely because it’s rude, but also because it’s dangerous for a project to start believing its own hype and thereby ignore the ways in which the competition may actually be superior.

— Karl Fogel, Producing Open Source Software

The Pregnancy Predictor

Does it really matter that companies, both online and in real life, profile you based on your purchasing and surfing habits? After all, it means you get ads and offers more targeted to you, and that can only be a good thing, right?

An angry man went into a Target outside of Minneapolis, demanding to talk to a manager:

“My daughter got this in the mail!” he said. “She’s still in high school, and you’re sending her coupons for baby clothes and cribs? Are you trying to encourage her to get pregnant?”

The manager didn’t have any idea what the man was talking about. He looked at the mailer. Sure enough, it was addressed to the man’s daughter and contained advertisements for maternity clothing, nursery furniture and pictures of smiling infants. The manager apologized and then called a few days later to apologize again.

On the phone, though, the father was somewhat abashed. “I had a talk with my daughter,” he said. “It turns out there’s been some activities in my house I haven’t been completely aware of. She’s due in August. I owe you an apology.”

Footnote: Target’s revenues have grown from $44 billion in 2002 to $67 billion in 2010. Company president Gregg Steinhafel has boasted to investors about the company’s “heightened focus on items and categories that appeal to specific guest segments such as mom and baby.”

Opening the Mobile Web

Jean-Yves Perrier has published the plan for prising open the mobile web – evangelism of individual sites and frameworks is a big component, along with spec work and technical changes to Firefox Mobile.

I don’t think I exaggerate when I say that the tasks on that page are some of the highest priority non-coding tasks we have at Mozilla. A WebKit-only web is not much better in the long run than an IE-only web. If you have time to help, please pitch in. Contact Jean-Yves if you aren’t sure where to start.

Particularly if you are someone who doesn’t want Firefox to implement webkit-prefixed properties: working on these tasks is how you can avoid us having to do it, or reduce the amount of it we have to do.

Official MITM Mode in Firefox?

I had a mad idea last week, which I shared with the NSS team. The fact is that some companies want to monitor everything going into and out of their network. And, my view is, as it’s their network, it’s their right legally, and it’s OK with me morally too as long as everyone using the network is aware of it.

However, the current SSL trust model makes this MITMing of all connections very difficult (which is a good thing, in many ways). Companies such as BlueCoat sell boxes which will MITM SSL connections and log the data, but browsers will complain that the auto-generated certs presented are not trusted. Companies are supposed to deploy their own root to all endpoints – but this is a massive administrative hassle, particularly for mobile devices. As we have found out anew recently, this creates an incentive for trusted CAs to sell trusted intermediate certificates to these big companies. However, such certificates could potentially be abused to silently MITM anyone.

So my mad idea was that Firefox should have one cert in the root store for which the private key was published. However, when an SSL connection occurred which chained up to that root, the browser would bring up an irremovable red infobar which said: “Your connection is not private – all data transferred is being monitored by X”, where X was the O field from the intermediate cert being used. (We would require the use of exactly one intermediate.) If the O field was empty, it would say “by Unknown Attackers”, or something equally scary.

This week I found Phillip Hallam-Baker of Comodo proposing something very similar on the “therightkey” mailing list:

What I find wrong with the MITM proxies is that they offer a completely transparent mechanism. The user is not notified that they are being logged. I think that is a broken approach because the whole point of accountability controls is that people behave differently when they know they are being watched.

I don’t mean just changing the color of the address bar either. I would want to see something like the following:

0) The intercept capability is turned on in the browser, this would be done using a separate tool and lock the browser to a specific intercept cert root.

1) User attempts to connect to https://www.example.com
2) Browser throws up splash screen for 5secs stating ‘Your connection has been intercepted’
3) Business as usual.

The splash screen would appear once per session with a new host and reset periodically.

It should show the interception cert being used as well.

Phil’s point 0 rather defeats the point – if you had to reconfigure the browser, then companies would just add their own root. But if it were built in by default, his point 0 is not necessary. He is right that you’d need a splash screen or confirmation step – we can’t send initial data or cookies or anything until we know the user knows they are being MITMed, and gives permission to continue.

What do people think?
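To make the proposed policy concrete, here is an added example (my own sketch, not NSS or Firefox code) of the decision a browser would make when a chain ends at the published-key root: exactly one intermediate is required, the interceptor is named from that intermediate’s O field, and an empty O field yields “Unknown Attackers”. Certificates are a constructed stand-in with only the fields the policy needs, fingerprints are hypothetical, and signature verification is assumed to have been done elsewhere.

```python
from dataclasses import dataclass

# Constructed stand-in for an X.509 certificate: only the fields the policy
# needs. Signatures are assumed to be checked before this policy runs.
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    fingerprint: str   # hypothetical digest used to recognise the root
    org: str = ""      # the subject's O (Organization) field

# Hypothetical fingerprint of the one built-in root whose private key is public.
PUBLISHED_MITM_ROOT = "sha256:constructed-published-root"

def mitm_policy(chain, published_root=PUBLISHED_MITM_ROOT):
    """Decide what to do with a leaf-first chain.

    Returns ("normal", "") when the chain does not end at the published root,
    so ordinary validation applies; ("refuse", reason) when it does but breaks
    the proposal's rules; ("warn", infobar_text) for a well-formed MITM chain.
    """
    if not chain or chain[-1].fingerprint != published_root:
        return ("normal", "")
    # Issuer/subject linkage must hold along the whole chain.
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return ("refuse", "%s was not issued by %s" % (child.subject, parent.subject))
    # The proposal requires exactly one intermediate between leaf and root.
    if len(chain) != 3:
        return ("refuse", "expected exactly one intermediate, got %d" % (len(chain) - 2))
    interceptor = chain[1].org.strip() or "Unknown Attackers"
    return ("warn", "Your connection is not private - all data transferred "
                    "is being monitored by %s" % interceptor)

# Constructed sample chains.
ROOT = Cert("Published MITM Root", "Published MITM Root", PUBLISHED_MITM_ROOT)
CORP_INT = Cert("Example Corp Proxy CA", "Published MITM Root",
                "sha256:constructed-corp-int", org="Example Corp")
CORP_LEAF = Cert("www.example.com", "Example Corp Proxy CA", "sha256:constructed-leaf1")
ANON_INT = Cert("Proxy CA", "Published MITM Root", "sha256:constructed-anon-int")
ANON_LEAF = Cert("www.example.com", "Proxy CA", "sha256:constructed-leaf2")
DIRECT_LEAF = Cert("www.example.com", "Published MITM Root", "sha256:constructed-leaf3")
PUBLIC_CA = Cert("Some Public CA", "Some Public CA", "sha256:constructed-public-ca", org="Some CA Inc")
PUBLIC_LEAF = Cert("www.example.com", "Some Public CA", "sha256:constructed-leaf4")

if __name__ == "__main__":
    for chain in ([CORP_LEAF, CORP_INT, ROOT], [ANON_LEAF, ANON_INT, ROOT],
                  [DIRECT_LEAF, ROOT], [PUBLIC_LEAF, PUBLIC_CA]):
        print(mitm_policy(chain))
```

The "refuse" branch is where the confirmation step would hang off in a real implementation: nothing is sent until the user has seen the infobar and agreed to continue.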

Marketing

Although most open source developers would probably hate to admit it, marketing works. A good marketing campaign can create buzz around an open source product, even to the point where hardheaded coders find themselves having vaguely positive thoughts about the software for reasons they can’t quite put their finger on. It is not my place here to dissect the arms-race dynamics of marketing in general. Any corporation involved in free software will eventually find itself considering how to market themselves, the software, or their relationship to the software.

— Karl Fogel, Producing Open Source Software

Summer of Code 2012

Google has announced that they will be running the Summer of Code again this year, 2012. The Mozilla Project has had the honour of participating in every SoC so far, and intends to submit a request to take part again. This means we need to produce a list of suitable student projects in the next four weeks.

For those who are not familiar with it, Summer of Code is where Google pays students to work on free software projects – as long as those projects can provide support and a mentor for the particular task the student is undertaking. This is a great opportunity for us as a project to introduce new people to Mozilla, and for you as an individual to get new people involved in your team :-) In the past, it has been the source of major features of our flagship products. For example, the 3D web page debugging tool Tilt started life as a SoC project.

It doesn’t matter where in Mozilla you contribute. We are collecting project ideas for every part of the project – Firefox, Thunderbird, Camino, SeaMonkey, Bugzilla, L10n, NSS, B2G, IT and many more. Can you think of an 8-week-sized task you might be able to guide a student through?

If you have a proposal, head over to the Brainstorming page, which is our idea development scratchpad. Please read the instructions at the top – following them vastly increases your chances of your idea getting added to the formal Ideas page.

Note that, in order to have much chance of going ahead, ideas need to have a suitable mentor. So if you submit an idea and you aren’t available to or suitable to mentor it, you may want to go about trying to find one by politely emailing experienced hackers in the appropriate areas of the code.

Disabling Private Browsing Mode in Firefox

This subject has been discussed before on this blog. I support the right of parents to review what their children have been looking at, both morally in terms of my understanding of the way God has given parents authority over their children, and for the pragmatic reason that it’s likely that, with such an ability, they will give their children greater access to the web than they would otherwise have. So I think it should be possible to disable PBM. However, I’m not really interested in having that discussion again – this post is about the best way to do it, not whether it’s a good idea.

William Wood has written a program, “Incognito Gone”, which turns off private browsing or the equivalent in Chrome, IE and Firefox. However, his page says:

Note: While Incognito Gone completely removes the private browsing function from Google Chrome and Internet Explorer, in Mozilla Firefox only the option for private browsing is removed. In other words, if you know the keyboard shortcut for private browsing in Firefox, it is still available.

Technically, Chrome and IE support this disabling using a registry option and, if your Windows computer is set up correctly with user accounts for each person, then this is an effective method, and it’s what William’s program uses. For Firefox, he just drops in a userChrome.css to hide the menu item, which is clearly suboptimal.

Is it possible to have an “uninstallable extension”, under the same conditions (user account separation) as IE and Chrome have “unchangeable registry entries”? If so, that seems like it would provide parity with Chrome and IE.

If we added a private browsing pref, does “pref locking” still work, and could that be used? There are docs about it on the web, but no clear info as to whether it currently works and can be done in a non-defeatable manner. Are any EWG participants using it?

William Joseph Markham

I am pleased to announce the birth of William Joseph Markham at 8.28am on the morning of 1st February 2012, weighing 9lb 4.5oz. Mother, father and baby are all well :-)

He is called William after:

  • William Tyndale, who risked his life to bring the word of God to people in a language they could understand, and whose work underpins much of the King James version and later translations;
  • William Carey, who risked his life to bring the gospel to the people of India, including what is now Bangladesh;
  • William Wilberforce, who spent his life trying to persuade this country to live out the gospel truth that God created all men equal in status before Him; and
  • various Markham family Williams from whom he is descended, including William Markham, Archbishop of York.

We pray this William be a devoted follower of the Lord Jesus also, and shed as much of His light into the world as these men.

He’s spent the first 12 hours of his life mostly asleep, but we expect that to change…