23
Nov 07

Security Tidbits

How am I going to find a blog pic that talks about 'security' and 'donuts'.  Oh, that was easy.Tidbits, mind you, not Timbits.  Every time I’m dealing with non-Canadians in Canada, and they refer to “donut holes” when they clearly mean “Timbits,” I have a moment where I feel sort of embarrassed for them. Like they just said they were going to nip up the old gorn and scumbles for some hennylummers. Like they are hopelessly antiquated.  And then I remember that “Timbit”, like “Kleenex”, “Xerox” and “100% Beef,” is just a corporatism, and truly it is I who should feel ashamed. And I do. On with the show.

SSL Error Pages

Yes, again.  But just a quickie.  When I land bug 402207 later today, it will slightly change the way adding a security override works.  You’ll still have the option to add an exception when you visit a site with unverified security, but whereas recently the dialog that popped up would auto-fetch the certificate for you, it will now pre-populate the url, but make you fetch the certificate yourself.

This isn’t just a stupid attempt to annoy users more, it’s an attempt to make it easier to understand what’s going on.  The behaviour of our exception adding is now controlled by a preference named:

browser.ssl_override_behavior

With three values:

  • 0 = Don’t pre-populate the site URL or pre-fetch the certificate
  • 1 = Pre-populate the URL, but don’t pre-fetch the certificate (New default)
  • 2 = Pre-populate and pre-fetch (Old default)

Doing this means that the dialog has less text when users first see it, meaning users might be more inclined to actually read it.  It also don’t have an obvious one-click path, the user needs to fetch the certificate (at which point the problems will show up) and then add the exception.

Users who want to fast track the process because they know what they’re doing can just switch that to “2”, and users (or possibly IT departments deploying Firefox internally) might also choose to set it to 0 to compel more user interaction before trust is given to an unverified site.

EV Support

For all the talk about Larry and EV certificates, people might be wondering when they’ll start seeing them.  In a funny sort of way, they’re already there – all the code to DO stuff is there, but we don’t yet have any authorities “blessed” as being EV issuers.  So that code is idle at the moment.

Kai has now finished up bug 404592 though, which means testers on nightlies can turn on EV trust by setting an environment variable.  To see EV treatment on your (post-beta1) nightly, just run with:

NSS_EV_TEST_HACK=USE_PKIX

I won’t go into detail about how to set environment variables, because this only matters in the very short term anyhow, but for those who are fluent in this underworld machination, doing so will prematurely bless the Verisign EV root.  This doesn’t mean anything about Mozilla and Verisign and what certs will be trusted in Firefox 3, it’s purely a testing contrivance.  Live sites with Verisign EV certs include Paypal and eBay. Once we have at least one EV root in the trusted list, this hack won’t be necessary, and Larry will truly be free to roam.

[Update: It took one minute – sixty terran seconds – for google to index this blog and give me sole possession of the googlerank for ‘hennylummers.’  Spooky.]


04
Nov 07

Sleepy & Happy (WTB: 5 dwarves)

sleeping polar bearI want you to know that I’m sleeping again.

It’s not that I wasn’t before, I was.  But when you break the internet, you take on certain moral obligations vis a vis its restoration.  We landed bug 401575 today which gives our users a chance to override security warnings if they think they know what they’re doing.  There are people who will dislike this version just as much as the other people who disliked the first thing that landed, but that’s okay, because no one said we were finished yet.  Just like no one said we were finished last time.

I’d like to see us continuing to do better with giving users useful options when they run into a security problem.  Things that keep them away from the whatever button, whenever possible.  If we can redirect our users’ energies, judo-style, in directions that protect them from harm instead of stubbornly stopping them in their tracks, I think we can keep them safe, and happy, at the same time.  That why we’re still working on bugs like 402210 to help give users safe ways out, and bugs like 402207 to let us make safe choices for normal users without making power users cry.

These things, though, all of them: they are the birth pangs of something pretty amazing.

While I’ve been working on my stuff, everyone else has been working on theirs.  And I don’t know about my stuff, but their stuff is good.  We’re getting very very close to getting it all out to you; to knock on, and sniff, and generally assess, like a honeydew melon of awesomeness.  It’s really hard for me to go back to Firefox 2 now, and that’s not a knock against it – I still think it’s the best browser out there, but this new stuff?  Get ready for it.

Location bar auto-complete for example, like Jamaican blue mountain coffee, will change your world if you let it.  The new bookmarking system is an amazing platform for extension authors, and I’m pretty keen to see what happens there, but even the bits we ship in our own UI are changing the way I browse.  And the performance gains across the product are palpable.

When the beta comes out the door, if you’re brave enough to try it, don’t look for fireworks.  Our first, biggest job is to help you get to the web sites you want, so we’re not going to go to great lengths to jump up and down and grab your attention away.  But in a hundred subtle ways, things will just be nicer.

And we’re not done yet.

Postscript

I really should have just let the post end there, it was sort of a dramatic finish, but this needs saying:

I used the analogy “birth pangs” up there because it was what good analogies are: a way of situating facts or events which may be unfamiliar to readers within a context that is somehow more so.  “Honeydew melon of awesomeness” was maybe less apt, but nevertheless. Recently Tyla (and, in all fairness, Mike too) went through actual birth pangs.  The kind where you have an extra human at the end.  As analogies go, I’m not sure I do understand that context all that well.  Firefox 3 is going to be pretty awesome, but let me tell you, Claire is stiff competition for any would-be miracle.  Congratulations guys.  I promise never to mention my own sleep schedule  again.


11
Oct 07

TODO: Break Internet

So there’s this thing at Mozilla where we try not to break the internet.  Call us wacky, but it seems like a bad play.  And so Rob Sayre is right to be a little miffed when it looks like we’ve done exactly that.  Sayre is often right, in fact, it’s his thing that he does.

Backstory
The web has this technology called SSL that lets you do two important things:

  1. Know who you’re talking to (because companies exist which verify this information, we’ve been over this)
  2. Talk to them in an encrypted, validated way so that no one can eavesdrop or tamper with the message
  3. Show a little padlock on your browser window

As I said, only two of them are important.

Because SSL makes these relatively useful promises, it is sort of a popular technology.  Because it’s generally important to get security things *precisely right* though, and because humans are people, there’s a lot of broken SSL out there too.

What’s “broken”?  Sometimes it means using the identification for one site on another site (because it’s cheapereasierfaster than getting a second one).  Sometimes it means using it after it has expired.  Sometimes “broken” isn’t actually broken at all, it’s just that the site is using SSL with identification they wrote themselves, so that they’re getting promise 2 (encrypted, validated), but not promise 1 (knowing who you’re talking to).

In the past, most browsers did a very dumb thing here:

FF2 Domain Mismatch Error

This dialog, in the hands of normal people, feels like it basically amounts to:

Snotweasel omegaforce warning

Why change such a fun and exciting system, I hear you ask?  The real problem here is that once in a while, when this kind of dialog appears, it actually might represent an actual attack.  Most of the time it’s site administrator laziness, but it’s hard to tell, and it could be a real problem; it could mean that someone has hacked your internet connection (or more likely totally controls it because you connected in some public WiFi spot like a coffee shop) and is redirecting you from your bank’s web site to their own.  When that happens, the fact that we’ve taught everyone to click OK blindly is a really bad thing, because we need you to stop and ask yourself what’s going on.

That’s a lot of backstory, if it was new to you, take a break here.  Have a cookie.

The State of Things
In Firefox 3, one of the things a lot of people were really pushing on was that we dump these dialogs, and we have.   Rob has a screenshot of what the current code does, and in case you missed it the first time, here’s another link.

Before we start talking about changing it, I want to give the crypto dudes, and particular Kai Engert from RedHat a shout-out here, because (believe it or not) I think this is actually a good first step, and was a lot of work to get implemented.

So now instead of a little, cryptic dialog box with an OK button, there’s a big, cryptic error page with no OK button.   Hmm.

Firefox 3 Control Panel

People are seeing that error page, and making a couple really important points:

  1. Everything needs to be less cryptic.  Human readable would be a good start.  Bug 398718
  2. There needs to be a way to get past it so that it’s not a dead-end. (There is, of course. There’s the Add Exception dialog added in bug 387480, which people generally seem to like, but it’s buried in the bowels of advanced prefs, so bugs like 399275 argue for making it much more directly accessible).
  3. You’re (excuse me) batshit fucking loco.

Security and ease of use are not intrinsically a tradeoff. Indeed, a lot of the time, good security comes from a better understanding of how people naturally work.  But there are times, and this feels like one of them, where doing the safer thing for users means annoying them more, and annoying them less means failing to honour our obligation to keep them safe.  Boo.

Walking and Chewing Gum

The thing is, we don’t get to just throw up our hands and say “well, better safe than sorry” nor do I think we get to say “Too annoying, let’s revert.”   That slider has middle positions, where annoyance and safety are in better balance, let’s get there.

Fixing the text is important.  It needs to speak in human terms about why this is a problem, and about what you can do to fix it.  I do think, though, that we need to consider giving people a path from the error page to the override UI.  I can already hear the furious head-smashing of anyone who understands PKI and has read the relevant literature.   Click-throughs beget bad security habits, which is why I think it should still be a multi-step process that hammers home the fact that you’re doing something aggressive.   But full-stop blocking our users is something that’s contentious even for known malware sites; here it feels like too much.

IE7 does this.  I think they win big points for human readability there – even though they still have a click-through.  I don’t know how much the red shield scares users off, maybe it does, but one-click override still turns my stomach a little.  What I’d like to see from us is an action like that, but which, rather than automatically extending trust, simply shortcuts you to the exception adding dialog.  The argument will be made that it’s just a longer click-through, I understand that, but my feeling is that it’s long enough, and scary enough, to get more of users’ attention.  My feeling is also that we might have to eat that possibility anyhow, because if we make it sufficiently annoying for users to browse the web, they really will decide it’s a Firefox problem, since other browsers let them through.  At that point we not only fail our users on the security front, we also go back to the bad old days of “only works on IE.”

Why Don’t You Just…

I love it when people have alternate suggestions, but some of the frequently recurring ones have pretty big problems.  I’ll call out a few here to save re-treading (unless I’m getting them wrong, in which case we should totally retread, since they’re often held up as much simpler than this other thing we’re doing).

“Why don’t you just let the connections through quietly, and just remove any indicators of security, like the padlock, yellow address bar, verified identity, etc?”   The argument here being that rather than blocking the load, why not serve the content, but not let users think it’s a secure site?  Compelling, no?

Approaches like this have the really unpleasant side effect of subverting whatever good security practices our users have developed.  Banks tell their customers to go to the website via a saved bookmark, rather than clicking on links in email or other web pages.  That’s a good practice.  Some even tell users to look for the “https” in the URL.  In the case where you’re being attacked, where the cert presented is a forgery (since only the legit site can present the real one) all of these habits will tell you you’re safe. The URL says https, and you clicked on the same bookmark you always click on to get to your bank.  This would be a present gift-wrapped for attackers.

“Why don’t you treat self-signed certs, which legitimate sites use when they want encryption but not identity, differently from actual breakages?”

The thing is that self-signed is no more or less trustworthy than, say, a domain-mismatched cert.  Likewise for the argument about treating a self-signed cert differently from one that is signed, but by an unknown signer.  I did open bug 398721 about the idea of using “Key Continuity Management” as a way to mitigate the hurt in the self-signed case while still getting the basics right, but in any event that wouldn’t make it in for Firefox 3.

Closing
To my friends and family using Firefox, don’t panic, none of this is happening in the currently released browser, you’re not going to see this debate enacting itself on a desktop near you anytime soon.  We are extremely cautious about changing the experience in released products after shipping.  This is happening purely among those running the up-to-the-minute versions under active development.

It will get better.  Bug 398718 (my fingers have already learned how to type that one automatically) will land, and the error pages will be things that make sense, and explain your options.  Bug 399275 will morph into a general discussion of what kind of path we want to create to add exceptions, or if it doesn’t, I’ll create a new one which does.  We’re not going to ship a browser you can’t use.  Even on sites that are doing it wrong, we put the choice in your hands, because it’s your browser.  And we like you very much.


11
Sep 07

Mozilla24

FoxKeh!  On the world!I don’t normally blog about my work travel here, because what are you gonna do, come with me?  This one’s different though.

I’m flying out to SFO tomorrow morning (oh AC757, we’ve really gotten to know each other, haven’t we?) in anticipation of Mozilla24, a 24-hour all-mozilla, all-the-time conference at which I will be speaking amongst a group of shockinglymoreawesome people.  I will be talking about security UI, natch, and I would love to see all your smiling faces (though I’ll forgive the folks who saw the OSCON version for having their laptops open).

One of the many cool things about Mozilla24 is that it’s global – California, Tokyo, Thailand, and Paris, sure, but also online – so that if you are interested in the open web, and the directions we can take it, or if you’re just getting your feet wet, you can get involved.

Go sign up!  Why not get into the thick of it?  I’ll wait here.

PS – The blog photo here, Foxkeh, and indeed the whole Mozilla24 shebang, comes from Mozilla Japan.  They’re trying to make the rest of us look bad, bringing their A game.  Their A++++ OMG WOULD DO BUSINESS AGAIN WOW game.


28
Aug 07

Airport Security 2 for 1!

nedrichards' playmobil photoTwo interesting (if longish) articles lately on airport/airplane security:

1. A pilot on airline security

2. An interview between Bruce Schneier (Security Dude) and Kip Hawley (Head TSA Dude)

Both are, I think, interesting reading; and both avoid the Designated Stupid Zones (“Airport security is useless” and “Whatever it takes to Fight Terror”) at the polar ends of the debate.

Neither of these articles is directly related to Mozilla, but enough of my co-workers travel regularly that I’m gonna tag it that way anyhow, so that it shows up on planet – where our blogs all hang out and play together while we’re at work.

[Special thanks to nedrichards for the photo – I’m keeping this one around.]


20
Aug 07

SSL Infoporn

mac_steve infoporn600,000.  According to Netcraft, there are about 600,000 SSL sites out there on the public internet, and we just recently tipped over that arbitrary, but pleasantly round, number.

I’m not sure why, but when I tell people this (people, that is, who have any hope of being interested in such things; a small, biased, statistically indefensible sample,) they are surprised.  I think mostly they expect the number to be higher.  And in actual fact, it probably is, at least a little bit.  I am reasonably certain, without even looking into them, that Netcraft’s methods are more prone to type-2 errors – false negatives – than they are to false positives.  Nevertheless, it’s probably the right order of magnitude.  There are almost certainly less than a million, for instance.

Netcraft doesn’t publish any numbers it may gather about the ratio, in that group, between DV, OV, and EV certs, but the informal vibe I get leads me to believe that there are around 2000 EV certs out there at the moment.  Given that several of these have gone to extremely high traffic domains, though, that number probably under-represents their network significance.

I bring these numbers up here because they seem to surprise people, and surprises are generally more instructive than confirmations.  In the last couple weeks, a fair number of surprising numbers have flitted across my radar, so I figured I would rehash a couple here, with no particular (conscious) effort to weave a narrative into them beyond, “hey look, infoporn!” Continue reading →


09
Aug 07

There goes that analogy?

So Medeco Locks, often cited as the unpickable-in-practice lock, can be picked.  Not just picked, bump keyed.  I guess that’s sad if you’re Medeco, though I suspect that in their heart of hearts, they know as well as I do that lockpicking thieves are rarely the high-probability threat.

I don’t know if there are vendors out there calling their solution the “Medeco of internet security” but I suppose they’ll want to stop, if so.  The nice thing, though, is that the whole fracas is a delicious example of General Security Maxim #6:

If your product is unbreakable, you are wrong.  Also, here comes the breaking.

If you suffer from this tendency to overstate security claims, I’ve created a motivational poster to help you remember.

(Thank you johpan for the ostrich, and flickr toys for the insta-motivate.)


25
Jul 07

Beyond the Padlock: OSCON Talk Slides

PadlockI’m about to go on at OSCON. My talk is titled “Beyond the Padlock: Security UI for the Distracted.”  Meanwhile, behind me in the speakers’ lounge, people are teaching one another to juggle.  So all in all, so far so good.

For those who couldn’t be here, or for those who could, and want another chance to critique my slides, or for those who just like babies with tinfoil on their heads, I’ve uploaded a copy in PDF format.

Wish me luck!  And if you were one of the extremely helpful people who provided reviews and suggestions, thankyouthankyou.  I attribute 95% of any success I may enjoy to your help.