20
Aug 07

SSL Infoporn

600,000.  According to Netcraft, there are about 600,000 SSL sites out there on the public internet, and we just recently tipped over that arbitrary, but pleasantly round, number.

I’m not sure why, but when I tell people this (people, that is, who have any hope of being interested in such things; a small, biased, statistically indefensible sample), they are surprised.  I think mostly they expect the number to be higher.  And in actual fact, it probably is, at least a little bit.  I am reasonably certain, without even looking into them, that Netcraft’s methods are more prone to type-2 errors – false negatives – than they are to false positives.  Nevertheless, it’s probably the right order of magnitude.  There are almost certainly fewer than a million, for instance.

Netcraft doesn’t publish any numbers it may gather about the ratio, in that group, between DV, OV, and EV certs, but the informal vibe I get leads me to believe that there are around 2000 EV certs out there at the moment.  Given that several of these have gone to extremely high traffic domains, though, that number probably under-represents their network significance.

I bring these numbers up here because they seem to surprise people, and surprises are generally more instructive than confirmations.  In the last couple weeks, a fair number of surprising numbers have flitted across my radar, so I figured I would rehash a couple here, with no particular (conscious) effort to weave a narrative into them beyond, “hey look, infoporn!”


25
Jul 07

Beyond the Padlock: OSCON Talk Slides

I’m about to go on at OSCON. My talk is titled “Beyond the Padlock: Security UI for the Distracted.”  Meanwhile, behind me in the speakers’ lounge, people are teaching one another to juggle.  So all in all, so far so good.

For those who couldn’t be here, or for those who could, and want another chance to critique my slides, or for those who just like babies with tinfoil on their heads, I’ve uploaded a copy in PDF format.

Wish me luck!  And if you were one of the extremely helpful people who provided reviews and suggestions, thankyouthankyou.  I attribute 95% of any success I may enjoy to your help.


04
Jun 07

Will Firefox have a Green Bar?

The number one question I get asked, in my capacity as Human Shield at Mozilla, is how we make any money.  People ask it with a sort of knowing grin, as though they already know we get it from leprechauns, but they want to hear me admit it.  That’s not what this blog post is about.

The second most frequent question I get asked, and the one I’m more directly positioned to answer, is whether Firefox 3 will have an IE7-style Green Bar.  I’m going to try to answer that here by offering my opinion on the matter, and an update on my coding progress to that end.

The short answer to that question is: no.



21
Mar 07

Revisiting Security UI – Part 2

So we need to get better. We need to start fixing our messages to users so that we are more accurately communicating security information, while being mindful to not bury them in technicalities they neither want nor need. We need cues that are persistent (not relying on people to notice their absence), that are difficult to spoof, and that don’t mix metaphors.

We also, difficult as it is, need to get out of the “safety” game. We can’t tell users “this site is safe” because we don’t know that. Even ignoring the liabilities that might come with such a claim, there isn’t a good technological way to tell, right now, whether a particular site is safe in the way users care about. Do they handle credit card information properly? Do they ignore angry customers? Are they a front for stolen goods? These kinds of naughty people could get SSL certificates (and accompanying padlocks) and even the extended validation practices being discussed wouldn’t really stop them.

What we can do is equip people to make the safety decision for themselves, just as they often have to in the physical world, because we do have some information. It’s like putting ingredients labels on food. What we can do is change the conversation to be about identity instead of safety. This is important, so pay attention:

We need to change the conversation to be one about identity, not safety.

Identity is something we can verify. The padlock conflated identity with other things like encryption status and security, and while that conflation is almost natural to PKI-veterans, it has proven misleading for users.

So what might identity look like?



13
Mar 07

Revisiting Security UI – Part 1 of 2

I tend to get excited about things. I’d say one of the key problems I have when writing – blogs, articles, books will probably be even worse here – is that, since I tend to be excited about things, my writing tends to wander to whichever dog has a puffy tail at the moment, and I sometimes look back and end up wishing each piece was tighter and more single-minded.

Take my post last week. Right now I’m excited about Firefox security UI, and about how to do a better job with the way we give users information. This is a good thing for me to be excited about, since it pays my bills. But I want to engender conversation about it, and to build context around my thoughts on the matter, and meandering isn’t necessarily the best way to do that.

So. This is the first of two posts I will write in the next week or so about this stuff. The goal is to outline:

  1. The way things are, and why we need to change them
  2. My thoughts on where we need to be looking to go

This is the first. What are we, as browser builders, doing for the user today when it comes to security UI?



26
Feb 07

2.8 Billion Reasons to Do Better

So PC World is running an article by Robert McMillan about phishing. It’s not a bad article or anything, it cites the antiphishing workgroup and various Gartner research in non-inflammatory ways (phishing is up 700% year over year, losses for 2006 estimated at $2.8B USD), and basically concludes that the current state of the internet, vis a vis your[1] financial information, is somewhere towards the “festering cesspool of thievery from which no good thing can escape unscathed” end of the spectrum. Pretty standard stuff.

If Robert McMillan should be chastised for any part of it, it is his closing sentence, wherein he takes the too-obvious way out, no doubt because he was reaching his wordcount ceiling, and what the hell else is he going to say:

But to combat ever-adapting phishers, your best protection remains…you.

It’s not Bob’s fault, but this is a pretty awful way to leave things. How on earth are people supposed to do what he asks, particularly when all the evidence he’s just cited points to how profoundly they can’t?



19
Feb 07

Day 2

I have officially begun. Friday was my first day of paid work with the Mozilla Corporation, and it was tiring. As expected, it mostly revolved around logistical stuff, though I did find some time with beltzner in the afternoon to watch an hour-long introduction to how Mozilla builds a DOM tree (thanks Johnny!)

Basically, what Friday allowed me to do was get my feet sufficiently under myself to come up with this:

bubbl.us Mindmap

I haven’t, historically, done much with mindmapping and other “thinking aids” but right now there is too much bubbling around to keep track of, so it seemed like a useful exercise. Attentive readers will note that the current list of thoughts is both incomplete and horribly short-sighted, stretching out a month at most. This is deliberate – I think it relatively stupid to hop on board on day 1 and to start making long term plans on day 2. I suppose someone will tell me that this makes me an “analytic” personality type, or some such, obsessed with having all the information before making a decision. I would suggest that this is grossly overgeneralized (as personality-classification schemes always, perforce, are) though I will confess to a preference for having some information before making any momentous statements of direction. I have always been nutty that way.

On a personal note, the first day (and, indeed, those leading up to it) has been grand. People at Mozilla are welcoming and congratulatory, people at IBM are well-wishing and congratulatory and, on balance, my LinkedIn profile has never been happier (though it is notably wanting for some more 1-degree-of-separation Mozilla love).

I really do think this was the right move to make, I’m pretty excited to be getting going. I’ll be heading to New York in early March with beltzner to talk to some of the people in the CA/Browser forum, and then later in March I’ll be in Mountain View to meet with some more of my newfound comrades-in-arms. In the meantime I’ll be trying to knock down that web of questions while simultaneously, no doubt, adding whole new subtrees. If anyone reading this wants to point out answers to some of the leaf nodes in that web, or alert me to obvious swaths of unmapped work, I can now officially be reached at johnath@mozilla.com. Huzzah! (Yes, my home email still works just fine, too).

[Update: Yes, the map was made with bubbl.us, mea culpa for not providing tasty linkage. ]

[Update2: Yes, the Johnny Stenback video is available online here. ]


08
Feb 07

Transition

As intimated earlier, things have been afoot. Just one thing, really, but that thing sets into motion such a panoply of downstream consequence that I feel truly justified in my flagrant use of the plural form. To wit, then, and without terribly much further ado:

I am leaving IBM.
I am joining Mozilla.

This is momentous, so I will give you a minute to recover.
