23
Nov 07

Security Tidbits

How am I going to find a blog pic that talks about 'security' and 'donuts'.  Oh, that was easy.

Tidbits, mind you, not Timbits.  Every time I’m dealing with non-Canadians in Canada, and they refer to “donut holes” when they clearly mean “Timbits,” I have a moment where I feel sort of embarrassed for them. Like they just said they were going to nip up the old gorn and scumbles for some hennylummers. Like they are hopelessly antiquated.  And then I remember that “Timbit”, like “Kleenex”, “Xerox” and “100% Beef,” is just a corporatism, and truly it is I who should feel ashamed. And I do. On with the show.

SSL Error Pages

Yes, again.  But just a quickie.  When I land bug 402207 later today, it will slightly change the way adding a security override works.  You’ll still have the option to add an exception when you visit a site with unverified security, but whereas recently the dialog that popped up would auto-fetch the certificate for you, it will now pre-populate the url, but make you fetch the certificate yourself.

This isn’t just a stupid attempt to annoy users more, it’s an attempt to make it easier to understand what’s going on.  The behaviour of our exception adding is now controlled by a preference named:

browser.ssl_override_behavior

With three values:

  • 0 = Don’t pre-populate the site URL or pre-fetch the certificate
  • 1 = Pre-populate the URL, but don’t pre-fetch the certificate (New default)
  • 2 = Pre-populate and pre-fetch (Old default)

Doing this means that the dialog has less text when users first see it, meaning users might be more inclined to actually read it.  It also doesn’t have an obvious one-click path: the user needs to fetch the certificate (at which point the problems will show up) and then add the exception.

Users who want to fast track the process because they know what they’re doing can just switch that to “2”, and users (or possibly IT departments deploying Firefox internally) might also choose to set it to 0 to compel more user interaction before trust is given to an unverified site.
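
For an IT department that wants to check what its deployed profiles actually use, here is a small audit sketch. It is an added example, not part of the original post or of Mozilla's code. It assumes the preference is set through user_pref() lines in a profile's prefs.js or user.js; the max_allowed threshold and the sample file contents are constructed for illustration.

```python
import re

PREF = "browser.ssl_override_behavior"
# Meanings of the three values, as listed in the post.
MEANING = {
    0: "no URL pre-population, no certificate pre-fetch",
    1: "URL pre-populated, certificate fetched by the user",
    2: "URL pre-populated and certificate pre-fetched",
}
DEFAULT = 1  # the new default described in the post

# Matches active user_pref() lines only; lines starting with // do not match.
# Block comments (/* ... */) are not handled by this sketch.
_LINE = re.compile(
    r'^\s*user_pref\(\s*"' + re.escape(PREF) + r'"\s*,\s*(-?\d+)\s*\)\s*;',
    re.MULTILINE,
)


def last_setting(text):
    """Return the last integer assigned to the pref in one file, or None."""
    values = _LINE.findall(text)
    return int(values[-1]) if values else None


def audit_profile(prefs_js, user_js="", max_allowed=1):
    """Resolve the effective value (user.js is applied over prefs.js) and
    flag it when it is unknown or more permissive than max_allowed."""
    value, source = DEFAULT, "default"
    for name, text in (("prefs.js", prefs_js), ("user.js", user_js)):
        found = last_setting(text)
        if found is not None:
            value, source = found, name
    return {
        "value": value,
        "source": source,
        "meaning": MEANING.get(value, "unknown value"),
        "compliant": value in MEANING and value <= max_allowed,
    }


# Constructed sample profile contents (not taken from a real profile).
SAMPLE_PREFS_JS = '''
user_pref("browser.startup.homepage", "about:blank");
user_pref("browser.ssl_override_behavior", 2);
'''
SAMPLE_USER_JS = '''
// user_pref("browser.ssl_override_behavior", 2);
user_pref("browser.ssl_override_behavior", 0);
'''

if __name__ == "__main__":
    print(audit_profile(SAMPLE_PREFS_JS))
    print(audit_profile(SAMPLE_PREFS_JS, SAMPLE_USER_JS))
```

With the constructed samples, the first profile is flagged because it restores the old one-click behaviour, and the second passes because its user.js forces the value to 0.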

EV Support

For all the talk about Larry and EV certificates, people might be wondering when they’ll start seeing them.  In a funny sort of way, they’re already there – all the code to DO stuff is there, but we don’t yet have any authorities “blessed” as being EV issuers.  So that code is idle at the moment.

Kai has now finished up bug 404592 though, which means testers on nightlies can turn on EV trust by setting an environment variable.  To see EV treatment on your (post-beta1) nightly, just run with:

NSS_EV_TEST_HACK=USE_PKIX

I won’t go into detail about how to set environment variables, because this only matters in the very short term anyhow, but for those who are fluent in this underworld machination, doing so will prematurely bless the Verisign EV root.  This doesn’t mean anything about Mozilla and Verisign and what certs will be trusted in Firefox 3, it’s purely a testing contrivance.  Live sites with Verisign EV certs include Paypal and eBay. Once we have at least one EV root in the trusted list, this hack won’t be necessary, and Larry will truly be free to roam.

[Update: It took one minute - sixty terran seconds - for google to index this blog and give me sole possession of the googlerank for 'hennylummers.'  Spooky.]


20
Nov 07

It’s On.

Firefox Racer

As announced Very Early In The Morning (EST) today, Firefox 3 Beta 1 is now live.

There is some appropriately scary text there about not downloading it unless you are a developer or a tester, and that’s good text to have, because we wouldn’t want people treating this like a final release BUT it’s pretty awesome, and if you don’t mind living a little bit on the edge, you should check it out.

There are a ton of changes, and as I’ve said here before, a lot of them are subtle.  I want very much to point out a bunch of them, but I also don’t, because I want to know what unprimed minds think of it.  I’ll leave it up to you – if you want to see a (non-exhaustive) list of the kinds of changes we’ve made, you can check the release notes.  If you don’t, skip straight to the announcement and grab a copy.

Once you’re on the beta, you’ll get updates as new betas come out, just like you do with Firefox 2 when we release security and stability updates.  Running the betas and letting us know what you think is a great way to help the project, even if you’ve never tried programming.  You’re a human and a web user, that’s as much expertise as we need.


14
Nov 07

Self-documenting

I know I’m weird, but I’ve always really liked the way roads combine with badly maintained trucks to create emergent topographical self-documentation.  Pictures are easier:

self documenting road

Notice the dark spots?  That particular stretch of road always drives the point home for me – every time the trucks in front of me hit a bump or dip in the road, it shakes some grease loose from their chassis, and darkens the road a little bit.  Like ants finding efficient routings, it’s always just sort of made me happy.

[Note: The embedded google map got very very broken in RSS, so I've replaced it with a static graphic.  Still I suspect the RSS damage is done.]


04
Nov 07

Sleepy & Happy (WTB: 5 dwarves)

sleeping polar bear

I want you to know that I’m sleeping again.

It’s not that I wasn’t before, I was.  But when you break the internet, you take on certain moral obligations vis a vis its restoration.  We landed bug 401575 today which gives our users a chance to override security warnings if they think they know what they’re doing.  There are people who will dislike this version just as much as the other people who disliked the first thing that landed, but that’s okay, because no one said we were finished yet.  Just like no one said we were finished last time.

I’d like to see us continuing to do better with giving users useful options when they run into a security problem.  Things that keep them away from the whatever button, whenever possible.  If we can redirect our users’ energies, judo-style, in directions that protect them from harm instead of stubbornly stopping them in their tracks, I think we can keep them safe, and happy, at the same time.  That’s why we’re still working on bugs like 402210 to help give users safe ways out, and bugs like 402207 to let us make safe choices for normal users without making power users cry.

These things, though, all of them: they are the birth pangs of something pretty amazing.

While I’ve been working on my stuff, everyone else has been working on theirs.  And I don’t know about my stuff, but their stuff is good.  We’re getting very very close to getting it all out to you; to knock on, and sniff, and generally assess, like a honeydew melon of awesomeness.  It’s really hard for me to go back to Firefox 2 now, and that’s not a knock against it – I still think it’s the best browser out there, but this new stuff?  Get ready for it.

Location bar auto-complete for example, like Jamaican blue mountain coffee, will change your world if you let it.  The new bookmarking system is an amazing platform for extension authors, and I’m pretty keen to see what happens there, but even the bits we ship in our own UI are changing the way I browse.  And the performance gains across the product are palpable.

When the beta comes out the door, if you’re brave enough to try it, don’t look for fireworks.  Our first, biggest job is to help you get to the web sites you want, so we’re not going to go to great lengths to jump up and down and grab your attention away.  But in a hundred subtle ways, things will just be nicer.

And we’re not done yet.

Postscript

I really should have just let the post end there, it was sort of a dramatic finish, but this needs saying:

I used the analogy “birth pangs” up there because it was what good analogies are: a way of situating facts or events which may be unfamiliar to readers within a context that is somehow more so.  “Honeydew melon of awesomeness” was maybe less apt, but nevertheless. Recently Tyla (and, in all fairness, Mike too) went through actual birth pangs.  The kind where you have an extra human at the end.  As analogies go, I’m not sure I do understand that context all that well.  Firefox 3 is going to be pretty awesome, but let me tell you, Claire is stiff competition for any would-be miracle.  Congratulations guys.  I promise never to mention my own sleep schedule  again.