Mal-what? Firefox 3 vs. Bad People

A lot of the things I write here are for geeks.  That’s unsurprising, given my own wonkish leanings, but I appreciate that it makes me a tough guy to love, much less read, at times.  Sorry about that, and thanks for sticking with me.

With Firefox 3 on the cusp of the precipice of the knife’s edge of release, though, I wanted to stop pretending that everyone reads the same articles I do and talk about one of the many, really concrete things we’re doing to keep our users, like you, safe.  There will be graphs.


Security UI in Firefox 3plus1

We’ve made a lot of changes (and more importantly, a lot of positive progress) in security UI for Firefox 3.

We have built-in malware protection now, and better phishing protection.  We have a password manager that intelligently lets you see whether your login was successful before saving, instead of interrupting the page load.  We have gotten rid of several security dialogs that taught users to click OK automatically, unseeingly.  We have OCSP on by default.  We have a consistent place in the UI now where users can get information about the site they are visiting, including detailed secondary information about their history with the site; all of which are first steps in a long road towards equipping users with more sophisticated tools for browsing online, by taking advantage of habits they already have, and things we already know.  All the people who worked on this stuff know who they are, and I want to thank them, because it sure as hell wasn’t all me.

With Firefox 3 in full down-hunker for final release (and with conference silly season upon us) though, I’ve started to get serious about thinking through what comes next.

Here’s my initial list of the 3 things I care most about; what have I missed?

1. Key Continuity Management

Key continuity management is the name for an approach to SSL certificates that focuses more on “is this the same site I saw last time?” than on “is this site presenting a cert from a trusted third party?”  Those approaches don’t have to be mutually exclusive, and shouldn’t be in our case, but supporting some version of this would let us deal more intelligently with crypto environments that don’t use CA-issued certificates.

The exception mechanism in Firefox 3 is a very weak version of KCM, in that security exceptions, once manually added, do have “KCM-ish” properties (future visits are undisturbed, changes are detected).  But without the whole process being transparent to users, we miss the biggest advantage to this approach.

Why I care: KCM lets us eliminate the most-benign and most-frequently-occurring SSL error in Firefox 3.  Self-signed certs aren’t intrinsically dangerous, even if they do lack any identification information whatsoever.  The problem is that case-by-case, we don’t have a way to know if a given self-signed cert represents an attack in progress.  The probability of that event is low, but the risk is high, so we get in the way.  That’s not optimal, though.  When the risk is negligible, we should get out of the way, and save our warnings for the times when they can be most effective.
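As an added illustration of the continuity check described above (example code, not Firefox’s), here is a minimal trust-on-first-use store in Python: it keys a SHA-256 fingerprint of the presented certificate by host, stays quiet when a non-CA certificate matches the one from the last visit, and warns only when the key changes. The names (ContinuityStore, Verdict) and the certificate bytes are constructed for the example; the CA validation result is passed in rather than performed, so the two approaches can be combined the way the post suggests.

```python
import hashlib
import json
import os
import time
from enum import Enum
from typing import Optional


class Verdict(Enum):
    CA_TRUSTED = "ca-trusted"      # CA validation passed: the normal path
    FIRST_SEEN = "first-seen"      # no history for this host: record, proceed quietly
    CONTINUITY = "same-as-before"  # not CA-trusted, but identical to the last visit
    KEY_CHANGED = "key-changed"    # not CA-trusted and different: warn, do not re-pin


class ContinuityStore:
    """host -> fingerprint of the certificate last accepted for that host.
    Pass path=None to keep the pins in memory only (constructed example)."""

    def __init__(self, path: Optional[str]):
        self.path = path
        self.pins = {}
        if path and os.path.exists(path):
            with open(path) as f:
                self.pins = json.load(f)

    @staticmethod
    def fingerprint(cert_der: bytes) -> str:
        return hashlib.sha256(cert_der).hexdigest()

    def decide(self, host: str, cert_der: bytes, ca_trusted: bool) -> Verdict:
        fp = self.fingerprint(cert_der)
        seen = self.pins.get(host)
        if ca_trusted:
            verdict = Verdict.CA_TRUSTED   # CA path wins, but pin it so a later
        elif seen is None:                 # downgrade to self-signed is noticed
            verdict = Verdict.FIRST_SEEN
        elif seen["fp"] == fp:
            verdict = Verdict.CONTINUITY
        else:
            return Verdict.KEY_CHANGED     # mismatch: leave the old pin in place
        self.pins[host] = {"fp": fp, "last_seen": int(time.time())}
        if self.path:
            with open(self.path, "w") as f:
                json.dump(self.pins, f)
        return verdict
```

The only state this needs is the pin table, which is why the post can describe the Firefox 3 exception list as a weak, manual form of the same idea.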

2. Secure Remote Passwords

Secure Remote Password protocol is a mechanism (have some math!) for allowing a username/password-style exchange to happen, without an actual password going out along the wire. Rob Sayre already has a patch.  That patch makes the technology available, but putting together a UI for it that resists spoofing (and is attractive enough that sites want to participate) will be interesting.

Why I care: SRP is not the solution to phishing, but it does make it harder to make use of stolen credentials, and that’s already a big deal.  It also has the happy side effect of authenticating the site to you while it’s authenticating you to the site.  I wouldn’t want this useful technology to get stuck in the chicken-egg quagmire of “you implement it first.”

3. Private Browsing Mode

This is the idea of a mode for Firefox which would protect users’ privacy more aggressively, and erase any trace of having been in that mode after the fact.  Ehsan Akhgari has done a bunch of work here, and in fact has a working patch.  While his version hooks into all the various places we might store personal data, I’ve also wondered about a mode where we just spawn a new profile on the spot (possibly with saved passwords intact) and then delete it once finished.

Why I care: Aside from awkward teenagers (and wandering fiancés), there are a lot of places in the world where the sites you choose to visit can be used as a weapon against you.  Private browsing mode is not some panacea for governmental oppression, but as the user’s agent, I think it is legitimately within our scope (and morally within our responsibility) to put users in control of their information.  We began this thinking with the “Clear Private Data” entry in the tools menu, but I think we can do better.

(And also…)

Outside of these 3, there are a couple things that I know will get some of my attention, but involve more work to understand before I can talk intelligently about how to solve them.

The first is for me to get a better understanding of user certificates. In North America (outside of the military, at least) client certificates are not a regular matter of course for most users, but in other parts of the world, they are becoming downright commonplace.  As I understand it, Belgium and Denmark already issue certs to their citizenry for government interaction, and I think Britain is considering its options as well.  We’ve fixed some bugs in that UI in Firefox 3, but I think it’s still a second-class UI in terms of the attention it has gotten, and making it awesome would probably help a lot of users in the countries that use them.  If you have experience and feedback here, I would welcome it.

The second is banging on the drum about our mixed content detection.  We have some very old bugs in the area, and mixed content has the ability to break all of our assumptions about secure connections.  I think it’s just a matter of getting the right people interested in the problem, so it may be that the best way for me to solve this is with bottles of single malt.  Whatever it takes.  If you can help here, name your price.

Obviously I’ve left out all the tactical fixup work on the UI we already have.  We all know that those things will need to happen, to be re-evaluated and evolved.  I wanted to get these bigger-topic thoughts out early, so that people like you can start thinking about whether they are interesting and relevant to the things you care about, and shouting angrily if they aren’t.

New Digs! (Correction)

After publication, I was made aware of some errors in my original post. I have included a corrected version below.

As of today, the Mozilla Toronto office has moved from our building at 20 Richmond to this little out-of-the-way place:

720 Spadina

~~The CN Tower!~~ 720 Spadina Avenue!

We didn’t want to talk about it until everything was fully settled, but we are now residents of an architectural icon building with a pretty ridiculously excellent ~~view~~ door. Full props to beltzner for scouting out office space, and to ben for orchestrating the move; it’s been a ~~crazy~~ pretty smooth couple of weeks!

Some information about the new office, since it’s a little more ~~noteworthy~~ different than the old one. 🙂

Suite 12811

Q: What is the actual new address?

A: We’re now accepting mail at

~~Mozilla~~
~~301 Front Street, Suite 12811~~
~~Toronto, ON~~
~~M5V 2T6~~

Mozilla
720 Spadina Avenue, Suite 218
Toronto, ON
M5S 2T9

Q: Did that say ~~12811~~ 218?

A: Yep. We’re a loooong way up.

Q: How do I get there?

A: There’s a stairwell. 🙂

Seriously, this ~~can be a bit of a trick the first time~~ is quite straightforward. If you come in through the usual entrance, you’ll be sort of pipelined into the “tourist” ~~sections~~ elevators of the tower. Those elevators ~~won’t~~ will go where you want them to, and the visit will end up costing you ~~significantly more~~ nothing.

Q. Do we get discounts for the tourist areas?

A. ~~We do! As tenants we get basically a pad of discount coupons. Visit us first, and we’ll tear you off a few.~~ No.

Q. What about the view?

A. Oh there’s a view. Of a brick wall. Unfortunately, we only have some cameraphone pictures from our move-in day right now, but we’ll get better ones up soon. In the meantime, here’s a taste.

Gavin checking out a conference room (and missing the ~~view~~ wall):

Closer view through some of the ~~North~~ South-facing windows (you’ll ~~notice~~ not care that these windows don’t open):

Ahh, April 1.  We really did move, and the new, second floor office in a normal office building really is a big improvement.  The rest though, is a big fat lie (and full credit to madhava for the photo work).  “720 Spadina”, “CN Tower” — the keys are right next to each other.

We regret the error.

New Digs!

[This post contained certain errors not caught at press time. Please see the corrected post here.]

As of today, the Mozilla Toronto office has moved from our building at 20 Richmond to this little out-of-the-way place:

CN Tower

The CN Tower!

We didn’t want to talk about it until everything was fully settled, but we are now residents of an architectural icon with a pretty ridiculously excellent view.  Full props to beltzner for scouting out office space, and to ben for orchestrating the move; it’s been a crazy couple of weeks!

Some information about the new office, since it’s a little more noteworthy than the old one.  🙂

Suite 12811

Q: What is the actual new address?

A: We’re now accepting mail at

Mozilla
301 Front Street, Suite 12811
Toronto, ON
M5V 2T6

Q: Did that say 12811?

A: Yep.  We’re a loooong way up.

Q: How do I get there?

A: There’s a stairwell.  🙂

Seriously, this can be a bit of a trick the first time.  If you come in through the usual entrance, you’ll be sort of pipelined into the “tourist” sections of the tower.  Those elevators won’t go where you want them to, and the visit will end up costing you significantly more.

Instead you want to take a hard left when you get in, and follow the signs for “Tower Offices.”  If you get lost, ask one of the tourist reps, they are (unsurprisingly) used to this confusion.  From the office elevators, it’s about a 70 second trip to 128, and we’re the 5th door on the right.

Q. Do we get discounts for the tourist areas?

A. We do!  As tenants we get basically a pad of discount coupons.  Visit us first, and we’ll tear you off a few.

Q. What about the view?

A. Oh there’s a view.  Unfortunately, we only have some cameraphone pictures from our move-in day right now, but we’ll get better ones up soon.  In the meantime, here’s a taste.

Gavin checking out a conference room (and missing the view):
New Office 1

Closer view through some of the North-facing window (you’ll notice these windows don’t open):
New Office 2

#4BC421 : Hulkcredible

Colour Cloud

This is a pretty cool idea.

  1. Randomly generate a bunch of colours.
  2. Use Mechanical Turk to get names for them all
  3. Play

I really like the things that mechanical turk makes possible, now that people are getting more next-level experimental with it.

I also really like that the folks who did this one have an interactive explorer page for the data, and make the raw data set available as well.

In other “Graphics on the Web” news: heehee.

Should Malware Warnings have a Clickthrough?

In the latest nightly builds of FF3, and in the upcoming Beta 5, we let users choose to ignore our phishing warning, and click through to the site, just like they could in Firefox 2:

Ignore this Warning

But that same spot is empty in the malware case (unless you install my magic extension.)  Should it be?  It’s a harder question than it seems, on first blush.


Book Review 3 Pack

I used to write these massive, once a year posts, reviewing every book I’d finished in the course of a year.  It’s becoming clear to me that I had too much time on my hands, because the thought of doing that again with the meager 30 or so books I read last year is just far too daunting.  I like John’s approach, of just shooting out a couple reviews at a time, whenever the mood strikes him.  In that vein then, here are three.

Born on a Blue Day – Daniel Tammet

Daniel Tammet has got to be nearly unique in the world, for having an autistic spectrum disorder (Asperger’s Syndrome), being a mathematical savant, a synesthete, and for being able through all of it to write clear and moving prose about his own mental life.

His writing has a style which you quickly recognize as characteristic of his autism – he is very fixated on details, spending more time talking about the texture of carpet than about the features of the people in his life, but for all that, it is a really touching account of the difficulties he’s had, and the ways he’s found to cope with them.

If you have any interest in how the mind of an autistic person works, to say nothing of an autistic savant, this book is fascinating.  The chapter where he meets Kim Peek is particularly memorable.  Highly Recommended.

The Ghost Map – Steven Johnson

This book isn’t, I think, what most people expect it to be.  I kept hearing about this book from design folks because the titular map in question is a sort of object lesson in Tuftian information design.  The thing is, the book is mostly not about the map, or about information design at all.

The book is far more concerned with tracing the early days of what we now call epidemiology, and that’s not a bad thing at all.  For me, in fact, that’s more interesting.  I found the middle tended to drag on a bit (yes, I understand he was groundbreaking; yes, it was very brave to go back into a cholera zone…) but for all that I found it a quick read, and one that nicely underscored a reality that is ever more true today: science, without an ability to communicate it compellingly, is impotent.  Recommended.

The Wonga Coup – Adam Roberts

The Wonga Coup is a story about a bunch of wealthy British and South African guys who decide it would be fun to take over Equatorial Guinea.  Fun and lucrative, since oil deposits had been discovered off the coast.  Fun and plausible, since the country’s current leader is somewhere between despot and lunatic, and won’t be fiercely defended by the population, most of whom are too hungry to fight anyhow.  What makes the story interesting is that it’s non-fiction.  It all actually happened, about 15 years ago.

This book was a drive-by for me, just picked up in a bookstore with no particular advance recommendation, but it really is interesting to read about the machinations of a real-world movie-plot, and the things that end up making or breaking such a campaign.  I found the writing pretty slow moving at times, but I think that just says that Roberts is a better researcher than writer, because the details are scrupulously documented.  I don’t think I can give it a blanket recommendation, but if this is an area you are already passionate about, it’s certainly an important piece of modern mercenary history.

[Addendum: I’m not sure if I should tag these posts for inclusion on planet.mozilla.  They aren’t work-related, but I know a lot of people in the community are readers.  What do people think, stay or go?]

State of the Malware Nation

It’s a couple weeks old, I know, but for anyone who hasn’t seen it, Google’s Online Security Blog has linked to a draft article produced by some of their malware researchers about the trends they’ve observed in malware hosting and distribution.  Aside from a troubling pre-occupation with CDF graphs, it’s a really interesting look at the way malware networks are spread through the internet.

I found this snippet interesting:

We also examined the network location of the malware distribution servers and the landing sites linking to them. Figure 8 shows that the malware distribution sites are concentrated in a limited number of /8 prefixes. About 70% of the malware distribution sites have IP addresses within 58.* — 61.* and 209.* — 221.* network ranges.

Our results show that all the malware distribution sites’ IP addresses fall into only 500 ASes. Figure 9 shows the cumulative fraction of these sites across the 500 ASes hosting them (sorted in descending order by the number of sites in each AS).  The graph further shows the highly nonuniform concentration of the malware distribution sites — 95% of these sites map to only 210 ASes.

But I think this is the big takeaway:

Malware Landing Site Distribution

Because malware is being distributed via ad networks more and more, it’s no longer safe to assume that you’ll be okay if you just avoid the seedy parts of the net.  And because it’s no longer requiring user interaction in a lot of cases, the old-school “don’t run executables from random websites” best practice might not be enough either.  To stay on top of things, you are going to want to be running a browser that is as hardened as we can make it, and that also incorporates active checking of known malware sites.

And lookit, the Firefox 3 beta is right over here.