What is it like?

This question popped up on Quora recently and I offered a response (though, to be honest, I’m more curious about other people’s responses). Dave Dash, formerly of Mozilla web dev answered as well, and Jared Wein answered in blog form.

I’ve included my answer below even though, re-reading it a few days later, there’s so much more I want to add (I can’t believe I didn’t mention working with our worldwide community of employees and volunteers, or the impact of video conferencing, or the miracle of california tacos, or qdb, or mozillamemes…)

What’s your experience?
Continue reading “What is it like?”

The SSL Observatory

Oh ho, lookit what the EFF went and did!

The EFF SSL Observatory is a project to investigate the certificates used to secure all of the sites encrypted with HTTPS on the Web. We have downloaded a dataset of all of the publicly-visible SSL certificates, and will be making that data available to the research community in the near future.

This is exciting. I knocked together a less ambitious version of this last year, but the EFF guys are doing it like grown-ups, and are getting some interesting data.

Numbers-wise, they’re in the right ballpark, as far as I can tell. Their numbers (1-2m CA-signed certs) coarsely match ones I’ve seen from private sources. I’ve heard from a few CAs that public-crawl estimates tend to err 50-80% low since they miss intranet dark matter, but at least the EFF is tracking other public-crawls. Given that their collection tools and data are going to be made public, that’s a really big deal. Previously, I haven’t been able to get this kind of data without paying for it or collecting it myself. If the database is actively maintained and updated, this will be a great resource for research.

Their analysis of CA certificate usage is also interesting. I’d like to see more work done, here, and in particular I’d like to see how CA usage breaks down between the Mozilla root store and others. We spend considerable effort managing our root store, and recently removed a whole pile of CA certificates that were idle. In some places, the paper seems to make the claim that fully half of trusted CAs are never used, but in other places, the number of active roots they count outnumbers our entire root program. I understand why they blurred the line for the initial analysis, but it would be swell to see it broken out.

As they mention, there are legit reasons for root certs to be idle, particularly for future-proofing. We have several elliptic curve roots, and some large-modulus RSA roots, which are waiting for technology to catch up before they become active issuers while giving CAs a panic switch in the case of an Interesting Mathematical Result — that feels okay to me. On the other hand, if there are certs which are just redundant, it would be great to know, so that we can have that conversation with the relevant CAs, and understand the need to keep the cert active.

This is exactly what I hoped would come of my crawler last year, but they’ve done a much more thorough job. We’ve seen an uptick in research interest in SSL over the last few years. Having a high quality data source to poke when testing a hunch is going to make it easier to spot trends, positive or otherwise. Interesting work, folks; keep it going!

Interview with a 419 Scammer

For those who haven’t seen it, scam-detectives.co.uk has a really interesting 3-part interview with a former Nigerian scammer.

Scam-Detective: A reader has asked me to talk to you about face to face scams. Were you ever involved in meeting a victim, or was all of your contact by email?

John: I never met a victim, but I was involved in a couple of Wash-Wash scams.

Scam-Detective: Wash Wash scams? What does that involve?

John: We would tell the victim that we had a trunk full of money, millions of dollars. One victim met some of my associates in a hotel in Amsterdam, where he was shown a box full of black paper. He was told that the money had been dyed black to get through customs, and that it could be cleaned with a special chemical that was very expensive. My associates showed him how this worked with a couple of $100 bills from the top of the box, which they rinsed with some liquid to remove the black dye. Of course the rest of the bills were only black paper, but the victim saw real money. He handed over $27,000 (about £17,000) to buy the chemicals and was told to return to the hotel later that day to pick up the cash. Of course when he came back, there was nobody there. He couldn’t report it to anybody because if it had been real it would have been illegal, so he would have gotten himself into trouble.

Part 1, Part 2, Part 3.

We build tools in Firefox like stale-plugin warnings and malware blocking to help protect our users, to neuter the technological attacks they may encounter on the web. But we also try, and need to keep trying, to build tools that inform our users so that they can make better decisions. Our phishing warnings and certificate errors try to do this, but mostly by scaring users away from specific attack situations. I hope we’ll continue to build tools like Larry which try to give people some affirmative context as well, to lend some nuance to their sense of place online. I want us to help our users know when they’re on Main Street, and when they’re in an alley.

I know: People get conned in the real world, too, and certainly no browser UI is going to save you from an email-based scam. Stories like this, though, are just specific instances of what I believe to be a more universal principle:

the biggest security risk most people face is misplaced trust

John: Some of the blame has to go to the victims. They wanted the money too because they were greedy. Lots of times I would get emails telling me that they wanted more money than I was offering because of the money they were having to send. They could afford to lose the money.

Scam-Detective: John, I think you have been basically honest with me so far. Please don’t stop that now. You know as well as I do that not all of your victims were motivated by greed. I have seen plenty of scam emails that talk about dying widows who want to give their money to charity, or young people who are in refugee camps and need help to get out. You targetted vulnerable, charitable people as well as greedy businessmen, didn’t you? You didn’t care whether they could afford it or not, did you?

John: Ok, you are right. I am not proud of it but I had to feed my family.

If you have ideas for how we can help users place their trust online more deliberately and carefully: please comment here, or build an addon, or file a bug.

Privacy Features in Firefox 3.5

While talking to press in North America and Europe about Firefox 3.5 (you’re already running it, right?) one topic that really resonated with people was the way we pushed on privacy in this release.

I think, initially, some people viewed our private browsing mode as a checklist feature. Even though we’d been working on it since before Firefox 3, it wasn’t strong enough for us to ship until 3.5 and in the interim other browsers have implemented versions of the same functionality. I really like the way we’ve done it, and there seem to be significant differences between the various browsers’ implementations, but regardless of all that I also don’t think that any private browsing mode is a complete solution.

Private browsing mode assumes that you will always know ahead of time that you’re about to do privacy-sensitive things. In Firefox 3.5, we tried to match more closely the way people actually use the browser, and sometimes that means they need to clean up after the fact – forgetting a slice of time, or a particular site. It also means that sometimes they want their browser to remember things, sensitive bookmarks for example, but not publicize those in the location bar. People’s use of a web browser in 2009 is more nuanced than:

Public Private

Alex Faaborg has done a fantastic job detailing many of the privacy features in the latest release of Firefox. I’d encourage you all to check it out.

Google Maps Geolocation Bookmarklet

I’ve been in Europe this week talking to French and German press about Firefox 3.5, and it’s been great to see all the excitement there is over here for the upcoming release.

One feature I’ve been talking a lot about is our support for Geolocation. I think that once Firefox 3.5 gets out there and sites realize they have a (privacy- and user-control-respecting) way to ask their users for their location in the world, all kinds of great services will show up. Flickr already has a photos-near-you feature, for instance, and I imagine mapping sites, restaurant reviews, and others are hot on their tails.

So I’m sure, in short order, that this won’t be necessary. In the meantime, if you’re running one of the Firefox 3.5 Release Candidates, you can use this bookmarklet to inject your current location into the google maps search box, so that you can base searches off your current location:

javascript:function sv(s){document.querySelector("#q_d").value=s};sv("Checking...");navigator.geolocation.getCurrentPosition(function(a){c=a.coords;sv(c.latitude+"%20"+c.longitude);document.forms.q_form.submit();},function(){sv("Rejected!")});

If you haven’t used a bookmarklet before, it’s easy. Open up your bookmark manager, decide where you want to put this (I like to have them on my bookmarks toolbar, since I use them a lot), and create a new bookmark. When it asks for a location, put in the code pasted above. Now, when you’re on the google maps site, click the bookmark to jump to your current location (after, of course, giving your consent).

This bookmarklet is specific to google maps (but I bet you can hack it!), and it certainly requires you to be using a modern browser with support for these features.  If you don’t have the latest Firefox yet, you can become part of our early testing community by downloading a copy now.

[Update: Changed the bookmarklet code a little to give some feedback immediately by letting you know it’s checking. I bet someone out there has already made a version of this that’s half as long, and twice as powerful. Comment!]

What’s a Few Months, Really?

I know.  It’s  been a few months since my last post.  But what’s a few months, in the grand scheme of things?

Stick that in your perspective and smoke it. It’s worth clicking through to the HD version.

Hello Vancouver! Briefly!

A quick note, to any Vancouverites that may be interested, that I will be in town on Wednesday to speak at the FIRST 2008 conference. The title of the talk is “The Most Important Thing – How Mozilla Does Security, and What You Can Steal.” If you’re attending the conference, I hope I’ll see you there. Once the conference is over, I’ll post my slides and a video of a presentation dry-run, in case anyone is interested.

I had a lot of help from several people, most notably Shaver, in putting this presentation together; my goal is to keep adapting it and ideally get other people giving it as well. Security is something that the Mozilla project has a lot of experience with, and a lot to be proud of. It is important to our mission that we share that expertise. Even when what we’re saying isn’t new (“have unit tests”), the fact that we have achieved the success we have lets us be a proof point for people trying to make change in their own projects (“Mozilla didn’t think code review was too time-intensive.”)

I may not be an official member of the evangelism team, but I will do whatever I can to encourage more people in our community to take their knowledge outbound. We are doing crazy awesome stuff here (how many IT people, on the planet, have dealt with what Justin‘s team has?) and we should consider it an obligation to spread that knowledge around. Heck, that’s actually sort of what my talk is about.

Firing Up Browser Security

Low Flying Dogs on FlickrWindow and I recently did a joint interview for Federico Biancuzzi at SecurityFocus about many of the security changes we’ve made in Firefox 3. It covers both front-end and back-end information, and mentions several changes that I haven’t had a chance to mention here in the past.

If you’re interested, check it out.

[PS – Full props to r80o on flickr – this is a pretty excellent photo for “caution”, and CC too!]

#4BC421 : Hulkcredible

Colour CloudThis is a pretty cool idea.

  1. Randomly generate a bunch of colours.
  2. Use Mechanical Turk to get names for them all
  3. Play

I really like the things that mechanical turk makes possible, now that people are getting more next-level experimental with it.

I also really like that the folks who did this one have an interactive explorer page for the data, and make the raw data set available as well.

In other “Graphics on the Web” news: heehee.