Google Safe Browsing Now Blocks “Deceptive Software”

From the Google Online Security blog:

Starting next week, we’ll be expanding Safe Browsing protection against additional kinds of deceptive software: programs disguised as a helpful download that actually make unexpected changes to your computer—for instance, switching your homepage or other browser settings to ones you don’t want.

I posted a comment asking:

How is it determined, and who determines, what software falls into this category and is therefore blocked?

However, this question has not been approved for publication, let alone answered :-( At Mozilla, we recognise exactly the behaviour this initiative is trying to stop, but without written criteria, transparency and accountability, this could easily devolve into “Chrome now blocks software Google doesn’t like.” Which would be concerning.

Firefox uses the Google Safe Browsing service but enhancements to it are not necessarily automatically reflected in the APIs we use, so I’m not certain whether or not Firefox would also be blocking software Google doesn’t like, and if it did, whether we would get some input into the list.

Someone else asked:

So this will block flash player downloads from https://get.adobe.com/de/flashplayer/ because it unexpectedly changed my default browser to Google Chrome?!

Kudos to Google for at least publishing that comment, but it also hasn’t been answered. Perhaps this change might signal a move by Google away from deals which sideload Chrome? That would be most welcome.

Awesome Article on Browsers

James Mickens on top form, on browsers, Web standards and JavaScript:

Automatically inserting semicolons into source code is like mishearing someone over a poor cell-phone connection, and then assuming that each of the dropped words should be replaced with the phrase “your mom.” This is a great way to create excitement in your interpersonal relationships, but it is not a good way to parse code.

Read more.

IE11, Certificates and Privacy

Microsoft recently announced that they were enhancing their “SmartScreen” system to send back to Microsoft every SSL certificate that every IE user encounters. They will use this information to try and detect SSL misissuances on their back end servers.

They may or may not be successful in doing that, but this implementation raises significant questions of privacy.

SmartScreen is a service to submit the full URLs you visited in IE (including query strings) to Microsoft for reputation testing and possible blocking. While Microsoft tries to reassure users by saying that this information passes to them over SSL, that doesn’t help much. It means an attacker with control of the network can’t see where you are browsing from this information – but if they have control of your network, they can see a lot about where you are browsing anyway. And Microsoft has full access to the data. The link to “our privacy statement” in the original SmartScreen announcement is, rather worryingly, broken. This is the current one, and it also tells us that each SmartScreen request comes with a unique identifier. That doesn’t contain any personal information, but it does allow Microsoft, or someone else with a subpoena, to reconstruct an IE user’s browsing history. The privacy policy also says nothing about whether Microsoft might use this information to e.g. find out what’s currently trending on the web. It seems they don’t need to provide a popular analytics service to get that sort of insight.

You might say that if you are already using SmartScreen, then sending the certificates as well doesn’t reveal much more information to Microsoft about your browsing than they already have. I’d say that’s not much comfort – but it’s also not quite true. SmartScreen does have a local whitelist for high traffic sites and so they don’t find out when you visit those sites. However (I assume), every certificate you encounter is sent to Microsoft, including high-traffic sites – as they are the most likely to be victims of misissuance. So Microsoft now know every site your browser visits, not just the less common ones.

By contrast, Firefox’s (and Chrome’s) implementation of the original function of SmartScreen, SafeBrowsing, uses a downloaded list of attack sites, so that the URLs you visit are not sent to Google or anyone else. And Certificate Transparency, the Google approach to detecting certificate misissuance after the fact which is now being standardized at the IETF, also does not violate the privacy of web users, because it does not require the browser to provide information to a third-party site. (Mozilla is currently evaluating CT.)

If I were someone who wanted to keep my privacy, I know which solution I’d prefer.

Uses of the Public Suffix List

For several years, Mozilla has maintained the Public Suffix List, a “map” of responsibilities within the DNS, as a service to the greater Internet community. We originally created it for browsers, but it has seen wider use in a surprising variety of places. There is now renewed interest in replacing it with something DNS-based and more robust. As a precursor to that work, I’m collecting a list of all the things the PSL is used for.

If you are a Mozilla hacker and know of somewhere we are using the PSL that isn’t listed, or if you know of uses of the PSL outside Mozilla, please add them.

Living Flash Free: Part 1

I’m trying to live Flash-free on my desktop. The first thing that didn’t work was Vimeo. I use Aurora, and so I set media.gstreamer.enabled to true, to turn on the gstreamer backend for the <video> tag. However, this still didn’t work. I tried installing more codec packs, but no luck. It turns out Ubuntu 13.10 comes with both gstreamer-1.0 and gstreamer-0.10, and Firefox only supports gstreamer-0.10. So I had to find the appropriate codec packs for 0.10 and install those also. Then, Vimeo worked (using H.264).

YouTube seems to work fine using WebM. :-) I do have the YouTube Flash to HTML5 addon installed so I don’t need to keep opting back in to the ‘trial’.

Living Flash Free

I’ve just got a new laptop, a Thinkpad X230 running Ubuntu 13.10, and I’m going to try living Flash-free. (I know, I know – James Dean, eat your heart out.) I know there are free software Flash implementations, including one from Mozilla, but I’d like to see how much stuff breaks if I don’t have any of it installed. I’ll blog from time to time about problems I encounter.

IE 11 Ignoring “autocomplete=off”

According to Eric Lawrence’s blog, IE 11 has an “improved Password manager” which “keeps [the] user in control”. So far so good (here at Mozilla, we’re all in favour of user control :-), but it then goes on to say that one of the ways it does so is that it “ignores autocomplete=off”.

autocomplete=off is the way that pages give a “hint” to the browser as to what sort of form autocomplete behaviour they should provide. Ignoring it is, as I read the HTML5 spec, permitted, and one can see the superficial attractiveness of this. I’m sure we’ve all come across pages where the form fields won’t save even when we want them to.

However, we at Mozilla have never agreed to ignore this attribute across the entire web to “fix” this problem, because what we think would happen then (and what may happen with IE) is that sites implement non-standard workarounds. For some people, such as banks, stopping the browser storing authentication credentials is a business requirement – no argument. And if we don’t provide a standards-compliant way of doing it, they’ll use a non-standard one. For example, they might read the form fields out in an onsubmit() handler, then blank them, and submit the values in differently-named hidden form fields – so when the submit happens, the browser “sees” those fields as empty and doesn’t save anything. This is worse because it means the page requires JavaScript, but also because it’s much harder or impossible for particular individuals to disable such work-around mechanisms (e.g. those with accessibility needs which make filling in form fields much harder, and who want to make a different trade-off).
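The trade-off described above, as an added example that is not from the original post or from any browser's code: a small Node.js model with a constructed form and password manager, comparing the standard hint with the onsubmit workaround. The field names `u_real` and `p_real` and the sample credentials are hypothetical.

```javascript
// Constructed model: no real DOM or browser code is involved.
// Builds a login form that sets autocomplete=off, optionally with the
// non-standard onsubmit workaround (hypothetical hidden field names).
function makeForm(useWorkaround) {
  const field = (name, type) => ({ name, type, value: '' });
  const form = {
    autocomplete: 'off',
    fields: [field('user', 'text'), field('pass', 'password')],
    onsubmit: null,
  };
  if (useWorkaround) {
    form.fields.push(field('u_real', 'hidden'), field('p_real', 'hidden'));
    form.onsubmit = () => {
      const get = (n) => form.fields.find((f) => f.name === n);
      // Copy the typed values into the hidden fields, then blank the
      // visible ones so the browser "sees" an empty password field.
      get('u_real').value = get('user').value;
      get('p_real').value = get('pass').value;
      get('user').value = '';
      get('pass').value = '';
    };
  }
  return form;
}

// Simulates a submit: the page script runs first (if enabled), then the
// password manager looks at the visible password field, then the form posts.
function submit(form, typed, browser) {
  for (const f of form.fields) if (f.name in typed) f.value = typed[f.name];
  if (browser.scriptEnabled && form.onsubmit) form.onsubmit();
  const hintApplies = form.autocomplete === 'off' && browser.honoursAutocompleteOff;
  const pw = form.fields.find((f) => f.type === 'password');
  const offeredToSave = !hintApplies && pw.value !== '';
  const posted = Object.fromEntries(form.fields.map((f) => [f.name, f.value]));
  return { offeredToSave, posted };
}

// The site's login check; a workaround site reads the hidden fields.
function serverAccepts(posted, useWorkaround) {
  const user = useWorkaround ? posted.u_real : posted.user;
  const pass = useWorkaround ? posted.p_real : posted.pass;
  return user === 'alice' && pass === 'correct horse';
}

function runScenario({ useWorkaround, honoursAutocompleteOff, scriptEnabled }) {
  const form = makeForm(useWorkaround);
  const typed = { user: 'alice', pass: 'correct horse' }; // constructed sample input
  const browser = { honoursAutocompleteOff, scriptEnabled };
  const { offeredToSave, posted } = submit(form, typed, browser);
  return { offeredToSave, loginOk: serverAccepts(posted, useWorkaround) };
}

// Standard hint honoured: nothing saved, login works without script.
console.log(runScenario({ useWorkaround: false, honoursAutocompleteOff: true, scriptEnabled: false }));
// Hint ignored: the browser offers to save the password.
console.log(runScenario({ useWorkaround: false, honoursAutocompleteOff: false, scriptEnabled: true }));
// Workaround against a hint-ignoring browser: nothing saved, login works.
console.log(runScenario({ useWorkaround: true, honoursAutocompleteOff: false, scriptEnabled: true }));
// Same page with JavaScript disabled: login breaks.
console.log(runScenario({ useWorkaround: true, honoursAutocompleteOff: false, scriptEnabled: false }));
```

In the last scenario the user has no setting that restores a working, saveable login form, which is the loss of user control the post is concerned about.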

Ignoring autocomplete="off" leads to an arms race, with users as the losers. So I hope Microsoft reconsider this move.

Web Standards Project Shuts; Not Paying Attention?

The WaSP has closed its doors, with a post titled “Our Work Here Is Done”:

Tim Berners-Lee’s vision of the web as an open, accessible, and universal community is largely the reality.

If by the web you mean “the desktop web”, then things are undeniably much better than they used to be. But what about the mobile web? Opera just shifted to WebKit precisely because the vision of Tim and the Web Standards Project is not a reality. Did they notice that happening?

They later go on to almost say the opposite:

The job’s not over, but instead of being the work of a small activist group, it’s a job for tens of thousands of developers who care about ensuring that the web remains a free, open, interoperable, and accessible competitor to native apps and closed eco-systems.

When was it not, in the end, up to developers? It’s always been up to the developers, and it was the case that the WaSP helped them. Seemingly no more.

I also saw this news on the same day that Lawrence Mandel posted a call for help with the numerous problems we are having due to people coding mobile websites which assume “Android”. That needs to change, and you can help. Is Mozilla now the flag bearer for web standards? Former WaSPers, join us and help out :-)

Investment Spam?

Today I received the following (company name changed to protect the guilty):

Hi Robert [sic],

Yoyodyne Partners is a technology buy-out fund managed by an experienced team of investors and entrepreneurs. Through committed capital and a network of strategic resources and investor relationships, Yoyodyne has the capability to build long-term value and growth for acquired businesses, thereby providing attractive exit opportunities for software company founders, shareholders and divestitures.

When it’s convenient for you, I would like to learn more about Mozilla Corporation. Please give me a call or send me an email to set it up.

Thank you,

Fred Flintstone, Partner
Yoyodyne Partners
Tech investors and Entrepreneurs
BigCity|AnotherBigCity|AThirdBigCityButStillNotSanFrancisco
555-123-1234
fflintstone@yoyodyne.com
www.yoyodyne.com

Are investors really so desperate to find companies that they’ve resorted to research-less spam? 5 minutes of research would be enough to understand why Mozilla Corporation is not available for sale…

MITM Boxes Reduce Network Security Even More Than They Are Designed To

It was recently discovered by the Tor project that a manufacturer of Man-In-The-Middle boxes with SSL interception capability, called Cyberoam, have been embedding the same root certificate in all of their boxes.

Background: SSL is not supposed to be interceptable. The only way to do it is for the intercepting box to be the endpoint of the SSL session and then, after inspecting the traffic, send the information over a different SSL session to the client. Now that we have explicitly banned trusted CAs from facilitating this after the Trustwave incident, the box should not be able to generate its own trusted-by-default certificate for the target site. Instead, it generates a cert which chains up to the box’s own embedded root. Therefore, any user of a network whose owners wish to use such a box to inspect SSL traffic will have been asked to import whichever root certificate the box uses into their trusted root store, in order to avoid getting security warnings – the very warnings which would otherwise correctly tell you that your communications are being intercepted.

If each box uses a different root certificate, this is not a big problem. (Well, apart from the general issue of having to permit your employer or school to intercept your secure communications.) However, as noted above, Cyberoam uses the same root for all the boxes they manufacture. This root reuse means that sites who have tried to use Cyberoam boxes to punch a small hole in their security for ostensibly reasonable purposes have actually punched a rather larger one.

If you have trusted this root, your communications could potentially be silently intercepted by anyone who owned a Cyberoam box, not just the legitimate owners of the network you were using. This would be true whether you were on that network, or elsewhere (e.g. if you went to another location with your phone or laptop). Furthermore, anyone who purchases a Cyberoam box can try and extract the root (they may have physical security in place, but that’s just a speedbump) and then they don’t even need a Cyberoam box to MITM you.
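The root-reuse problem described above, modelled as an added example (not from the original post, and not any vendor's code): a toy certificate format signed with Ed25519 stands in for X.509, and the box names and the `bank.example` host are constructed. It compares a shared vendor root with per-box roots and includes a fingerprint check for spotting reuse across devices.

```javascript
// Toy model (not X.509): a "certificate" is a JSON body plus an Ed25519
// signature from the issuing root. All names and hosts are constructed.
const { generateKeyPairSync, sign, verify, createHash } = require('node:crypto');

function fingerprint(publicKey) {
  const der = publicKey.export({ type: 'spki', format: 'der' });
  return createHash('sha256').update(der).digest('hex');
}

// An interception box holds a root key pair and signs leaf certs on the fly.
function makeBox(name, rootKeys = generateKeyPairSync('ed25519')) {
  const rootFingerprint = fingerprint(rootKeys.publicKey);
  return {
    name,
    rootKeys,
    rootFingerprint,
    issueLeaf(host) {
      const body = JSON.stringify({ host, issuer: rootFingerprint });
      return { body, signature: sign(null, Buffer.from(body), rootKeys.privateKey) };
    },
  };
}

// A client trust store: fingerprint -> public key of each imported root.
function makeClient() {
  const roots = new Map();
  return {
    importRoot(box) { roots.set(box.rootFingerprint, box.rootKeys.publicKey); },
    accepts(leaf, host) {
      const { host: certHost, issuer } = JSON.parse(leaf.body);
      const root = roots.get(issuer);
      if (!root || certHost !== host) return false; // the user would see a warning
      return verify(null, Buffer.from(leaf.body), root, leaf.signature);
    },
  };
}

// Defender check: group boxes by root fingerprint and report any reuse.
function findSharedRoots(boxes) {
  const byRoot = new Map();
  for (const box of boxes) {
    const names = byRoot.get(box.rootFingerprint) || [];
    names.push(box.name);
    byRoot.set(box.rootFingerprint, names);
  }
  return [...byRoot.values()].filter((names) => names.length > 1);
}

function demo() {
  // Vendor default described above: one root key pair baked into every box.
  const vendorRoot = generateKeyPairSync('ed25519');
  const officeBox = makeBox('office', vendorRoot);
  const strangerBox = makeBox('stranger', vendorRoot);
  // Per-device configuration: each box generates its own root.
  const schoolBox = makeBox('school');
  const otherBox = makeBox('other');

  const employee = makeClient();
  employee.importRoot(officeBox); // trusts only the office network's box
  const pupil = makeClient();
  pupil.importRoot(schoolBox);

  const leafFrom = (box) => box.issueLeaf('bank.example');
  return {
    sharedRootAcceptsForeignBox: employee.accepts(leafFrom(strangerBox), 'bank.example'),
    uniqueRootAcceptsOwnBox: pupil.accepts(leafFrom(schoolBox), 'bank.example'),
    uniqueRootAcceptsForeignBox: pupil.accepts(leafFrom(otherBox), 'bank.example'),
    reused: findSharedRoots([officeBox, strangerBox, schoolBox, otherBox]),
  };
}

console.log(demo());
```

With real appliances, the equivalent of `findSharedRoots` is comparing the SHA-256 fingerprints of the root certificates exported from each device before asking users to import them.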

From reading their online docs, this problem seems to also occur with similar devices from Sonicwall (PDF; page 2) and Fortigate. (Thanks to a commenter on the Tor blog for noticing this.) I suspect that many vendors use this insecure configuration by default.

The Cyberoam default root certificate is not trusted by the Mozilla root store – Cyberoam is not a CA – and we do not plan to take action at this time. However, this is another important lesson in the unintended consequences of intentionally breaking the Internet’s security model. Messing with the Internet security infrastructure breaks things, in unexpected and risky ways. Don’t do it.

Opening the Mobile Web

Jean-Yves Perrier has published the plan for prising open the mobile web – evangelism of individual sites and frameworks is a big component, along with spec work and technical changes to Firefox Mobile.

I don’t think I exaggerate when I say that the tasks on that page are some of the highest priority non-coding tasks we have at Mozilla. A WebKit-only web is not much better in the long run than an IE-only web. If you have time to help, please pitch in. Contact Jean-Yves if you aren’t sure where to start.

Particularly if you are someone who doesn’t want Firefox to implement webkit-prefixed properties: working on these tasks is how you can avoid us having to do it, or reduce the amount of it we have to do.

Is Firefox Unforkable?

The indispensable ingredient that binds developers together on a free software project, and makes them willing to compromise when necessary, is the code’s forkability: the ability of anyone to take a copy of the source code and use it to start a competing project, known as a fork. The paradoxical thing is that the possibility of forks is usually a much greater force in free software projects than actual forks, which are very rare. Because a fork is bad for everyone, the more serious the threat of a fork becomes, the more willing people are to compromise to avoid it.

— Karl Fogel, Producing Open Source Software

Is Firefox actually forkable? In one sense, clearly, yes – there have been several pseudo-forks, from Beonex to Flock to Iceweasel. But Firefox is much more than just a codebase – it’s also a well-loved brand, a movement, and a connection with 400+ million users. Anyone taking the Firefox code and starting their own project doesn’t have that – as Flock discovered. “Firefox”, in its widest sense, is pretty much unforkable.

So if, as Karl suggests, the possibility of forking is actually a force which binds developers together and makes them willing to compromise when necessary, does the Firefox community actually lack that safety valve, leading to a lack of necessity to compromise from those with power within the project, and greater frustration for those without it?

Or, to look at it from another angle, does the lack of forkability actually give leaders (who have meritoriously risen to the top) the opportunity to execute on a single-focussed vision without the risk of fragmentation of their community?

As my accidentally-leaked scratchpad put it, “Discuss…”.

How I Got Involved With Mozilla (And Why That Might Not Work Today)

[Another response to David Boswell's post.]

I got involved with Mozilla in January 2000. The previous October, I had switched courses at university from Chemistry to Computation (now called Computer Science), straight into the second year of a 3-year course. (This is practically unheard-of; it was a real work of God that it was possible.) After taking a term to get up to speed, I decided I wanted to get involved in a real software project. As I was thinking this, I read this comment from Mozilla UX contributor ‘mpt’ on Slashdot, which said in part:

Join the Mozilla effort. Do it now. It doesn’t matter if you don’t know C++. It doesn’t matter if you’re stuck on Windows. It doesn’t matter if you only have two hours a week to spare. Just join in. Download binaries. Report bugs. Suggest enhancements.

I’d like to think that the Slashdot readership were actually interested in the future of both Linux and the Internet. I don’t want Linux to be a second-class end-user operating system, simply because it doesn’t have the world standard Web browser on it. And I don’t want Microsoft, or any company for that matter, to control the Internet.

Do you?

I decided I didn’t want Microsoft, or any other company, to control the Internet – so I followed the links and signed up to help. (And at the time, I was still ‘stuck on Windows’ – Windows 95 OSR 2, because I thought Windows 98 was too unstable. Not long after, I switched to Linux.)

My first point of contact was the BugAThon – which still lives on today, I believe. Why was it appealing? It was a simple idea – make reduced testcases for layout bugs – with clear instructions on what to do, and a reward at the end :-) I still have one of the two stuffed green Mozilla lizards (some lizards were green, way back then) that I earned. At a later point, I ended up running the BugAThon for a while.

After a month or two’s involvement, I felt part of a community – with Asa and Eli and others – and before long, I was recruiting people and running the daily smoketesting of the previous night’s build. This was way before automated testing – we ran through a list of 60 tests to check things like “pages load correctly”, “email downloads correctly” and so on. I felt part of something bigger than myself, something important, and I was hooked.

Asa got hired, and then arranged a post-university internship for me in the mozilla.org group at Netscape in the autumn of 2001. That’s when I became part of the mozilla.org ‘staff’, and the rest is history. Although apart from that internship, I didn’t start getting paid to be involved in Mozilla until 2004/2005 or so. As the Corporation and Foundation split, Mitchell asked me to be part of the Foundation side and be the watch-over-the-whole-community guy, while most other people focussed on Firefox.

Why wouldn’t this work today? Well, it might – but it seems unlikely in today’s setup that a new community member, after only a few weeks, could acquire such significant responsibility. And it’s trusting people and giving them responsibility which gives them a stake and binds them into a community. Also, I don’t think we are as good at loudly articulating publicly the threats to the Internet which might inspire people to participate. Mozilla itself as an organization has never been awesome at that, although various Mozillians have been.

On the other hand, until recently, we were short on ways to get involved as simple and as well-defined as the BugAThon – but the great work of Contributor Engagement seems to be changing that, which is awesome. I look forward to seeing what the Mozilla Stewards program achieves in this area.

State of the Browser Q & A

Paul Rouget and I represented Mozilla on the Q & A panel at “State of the Browser” in London last Saturday, along with representatives of Chrome, Opera and RIM (Blackberry browser). (The Microsoft guy was unable to attend at the last minute for entirely legitimate personal reasons.) The session is about 50 mins long.

Panel Q&A Discussion (State of the Browser) from London Web Standards on Vimeo.

You can watch it in higher definition if you click through. Sadly and ironically, it’s not using open video – Vimeo doesn’t support WebM or Theora, although they have an h.264-based HTML5 player in beta. And it’s a bit large to host myself.

If you hear me saying anything factually incorrect, let me know and I’ll try and get a corrective comment added to the Vimeo page.

Major Browsers: UI Language Coverage Stats

With the Firefox 4 release almost upon us, Google having quietly shipped Chrome 10 last week, and IE 9 released yesterday, it’s time for another comparison of how the different browser makers support language communities. Here’s the headlines:

Browser                  Language Count   Percentage Coverage
Firefox 4 (predicted)    73               93.7%
Firefox 3.6              68               95.1%
Chrome 10                45               91.6%
Opera 11.0               40               86.0%
IE 9                     38               89.7%

For those just tuning in, these stats come from a large spreadsheet where I take the internet population of each country, divide it as best I can among that country’s language communities, and thereby try and predict what percentage of the world’s internet users have first language support in the UI of each browser. The standard disclaimer: I have adopted a possibly controversial and idiosyncratic definition of what is a language; please don’t beat me around the head with it, but focus on the big picture.

There’s a load of interesting stuff behind the headlines:

  • There are 37 languages whose speakers are out of luck if they go and see Microsoft, but who we cater for. Every single translation we have is done by volunteers in our community. The power of open source!
  • Firefox 4.0 has more languages than Firefox 3.6 but a lower percentage. That’s because, sadly, we were unable to get Serbian and Vietnamese on board for the Firefox 4.0 final release. Vietnamese accounts for 1.32% of the world’s internet population, and Serbian another 0.25%. These two languages account for the drop, and also mean that our language set is not a strict superset of those provided by IE (and why the figure above is 37, not 35).
  • However, since Firefox 3.6 we have gained Akan, Asturian, Breton, Bosnian, Gaelic, Armenian, Lugandan, Maithili, Sepedi, Songhay, and Zulu. A strong African contingent there :-)
  • IE gets to a higher percentage than Opera with fewer languages primarily because Opera does not have an Arabic version (worth 3.2%).
  • Between Chrome 8 and 10, they seem to have lost Tagalog, Kazakh and Hebrew, which makes a big difference to their percentage (-2%). It could be that these languages will come along post-release; I don’t have a window into their process.
  • None of the browsers now has a Tagalog version, despite it being (as far as I can see) a very large market. Do Philippines computer users just use the English versions?

Feel free to look at the numbers and post about anything interesting you find :-) Updates to the data which splits a country’s internet population into language groups would be particularly welcome.