Trying out del.icio.us

My del.icio.us bookmarks. This may be the end of my link propagation posts.

Posted on July 31, 2004 at 06:52 PM in Humor | Comments (0) | TrackBack (0)

Garey and Johnson

My copy of Garey and Johnson arrived the other day. I wonder if it will make good airplane reading while I'm heading to Mozilla Developer Day next week.

Firefox 1.0 RC1 renamed to Firefox 1.0 PR

Firefox 1.0 Preview Release (previously Firefox 1.0 Release Candidate 1 (previously Firefox 1.0 Beta (previously Firebird 1.0 Beta (previously Phoenix 1.0 Beta)))) is planned for the second or third week of August. I'm glad the Mozilla Foundation decided to move away from using misleading "Release Candidate" names for builds that aren't release candidates.

Posted on July 26, 2004 at 03:28 PM in Mozilla | Comments (8) | TrackBack (0)

Adam Sacarny on the shell: hole

Adam Sacarny, author of the Mozilla shell: vulnerability timeline, discusses what Mozilla can do to work around future holes in programs that register themselves as protocol handlers.

Posted on July 25, 2004 at 08:54 PM in Mozilla, Security | Comments (0) | TrackBack (0)

A math joke involving Clinton

Steven Pinker, Listening Between the Lines:

In his grand jury testimony, Mr. Clinton expounded on the semantics of the present tense ("It depends on what the meaning of the word 'is' is") and of the words "alone," "cause" and, most notoriously, "sex."

Clinton's rebuttal to the Starr report:

Literally true statements cannot be the basis for a perjury prosecution, even if a witness intends to mislead the questioner. Likewise, answers to an inherently ambiguous question cannot constitute perjury.

A joke:

Have you ever touched Paula Jones or Monica Lewinsky?

It depends on your definition of "or".

Posted on July 25, 2004 at 04:45 PM in Linguistics, Politics | Comments (1) | TrackBack (0)

No prices on SBC.com

Jakob Nielsen, Top Ten Web-Design Mistakes of 2002:

1. No prices. No B2C ecommerce site would make this mistake, but it's rife in B2B, where most "enterprise solutions" are presented so that you can't tell whether they are suited for 100 people or 100,000 people.

I also thought no B2C site would make that mistake, until I tried to purchase an SBC phone line for my apartment. After I clicked "Residential customers", clicked "Local > New Phone Service", and entered my address, the site asked me for billing and credit information. At no time did I see a price or even a link labelled "prices".

I decided not to purchase a phone line.

Posted on July 25, 2004 at 04:09 PM in User Interfaces | Comments (1) | TrackBack (0)

Browser stats from search referrals

For visitors who reach my site through Google searches, browser percentages vary widely depending on search terms. In general, geekier terms have a higher percentage of Mozilla users. I analyzed stats for 35 days in June and July 2004 using a hacky batch file.

| Search phrase    | Total hits | IE  | Mozilla    | Safari | Opera | Other |
|------------------|------------|-----|------------|--------|-------|-------|
| burning edge     | 946        | 170 | 731 (78%)  | 26     | 15    | 4     |
| firefox nightly  | 586        | 107 | 438 (75%)  | 29     | 12    | 0     |
| bookmarklet      | 2067       | 568 | 1296 (63%) | 123    | 68    | 12    |
| gmail            | 1151       | 781 | 312 (27%)  | 15     | 43    | 0     |
| jibjab mirror    | 103        | 76  | 23 (22%)   | 2      | 2     | 0     |
| best porn        | 176        | 135 | 31 (18%)   | 6      | 3     | 1     |
| good porn        | 222        | 187 | 22 (12%)   | 10     | 2     | 1     |
| google home page | 436        | 404 | 20 (5%)    | 6      | 3     | 3     |

Stats for some of these search terms are skewed toward Mozilla not because the search terms themselves are geeky but because "Firefox" or "Mozilla" appears in the title of the result page on my site. Searches for "good porn" and "best porn" lead to a page on my site titled Why Mozilla Firefox is the best porn browser. Searches for "how to get a gmail" lead to my blog entry titled Help make Firefox better and get a Gmail invitation!.

By the way, over 50% of total hits to my site are Mozilla :)

Posted on July 25, 2004 at 02:01 AM in Google, Mozilla | Comments (2) | TrackBack (0)

Kerry beats Bush in Google

Kerry has an impressive PageRank 8 while Bush only has PageRank 7, like me. (Via curious on IRC.)

Kerry also beats Bush in a search for kerry | bush and even in a search for president.

Posted on July 24, 2004 at 11:04 PM in Google, Politics | Comments (0) | TrackBack (0)

Cookies are no longer delicious delicacies

<blake2> congratulations mconnor
<blake2> you just destroyed a legend!

Today Mike Connor replaced "Cookies are delicious delicacies." in Firefox's options with "Cookies are pieces of information stored by web pages on your computer. They are used to remember login information and other data."

Blake's famous placeholder text even appeared in a book, O'Reilly's Google: The Missing Manual:

As of this writing, Firefox is still in the testing, or beta, stage (version 0.8), which sounds dicey. But in fact, it's definitely far enough along that anyone can use it with confidence. The underlying technology is the same as Mozilla's, so problems tend to show up in things like the occasional misspelled menu item or a cookie setting that includes the observation, "Cookies are delicious delicacies," inserted by an engineer with a wacky sense of humor.

(O'Reilly sent me a free copy of the book because it dedicates several pages to my search bookmarklets. The authors of the book say several useful things about my bookmarklets that I didn't know!)

<blake2> how times have changed. I guess we really are shipping something.

Posted on July 24, 2004 at 02:18 AM in Mozilla | Comments (3) | TrackBack (6)

Company blocks employees from using IE

mgaugusch's 70-person company not only prepared Firefox for network install, but it also used Squid to block Internet Explorer from accessing sites other than Windows Update and the company's own site. The company does not prevent employees from using other browsers, such as Opera, although Opera users may have to change their user-agent setting to make Opera stop making itself appear to be IE. (Via mgaugusch's post on MozillaZine.)

Posted on July 21, 2004 at 03:22 PM in Mozilla | Comments (0) | TrackBack (2)

Uses for the Flash seek bar

Using the Flash seek bar bookmarklet, I found two hidden segments at the end of Strong Bad e-mail 87: Mile. They can't be reached by the usual method of clicking on things at the end of the cartoon. Burning Horizon has instructions for getting to the first hidden segment but not the second.

The bookmarklet allowed me to read all of the signs in the desert in This Land.

A co-worker pointed out that you can use the bookmarklet to reach minigames in Frank's Adventure 3. You have to pause before using the slider for it to work correctly.

Posted on July 19, 2004 at 11:47 PM in Bookmarklets | Comments (0) | TrackBack (0)

Flash seek bar bookmarklet

I wrote a bookmarklet that adds a seek bar to Flash movies. It works in Mozilla and IE. Read the script or grab the bookmarklet.

Posted on July 19, 2004 at 01:32 AM in Bookmarklets | Comments (9) | TrackBack (3)

Political humor

Posted on July 19, 2004 at 12:49 AM in Humor, Politics | Comments (1) | TrackBack (1)

100 up-to-date Firefox extensions

update.mozilla.org now has 100 Firefox extensions that work in 0.9. Extensionroom has 195, but many of them only work in older versions.

Posted on July 10, 2004 at 06:54 PM in Mozilla | Comments (8) | TrackBack (0)

History of my Mozilla involvement

Slashdot was responsible for my initial involvement in the Mozilla project. It might have been this article or it might have been a comment (such as mpt's) in another article.

The first Mozilla build I used was M13. I reported my first bug in February 2000, when I was a senior in high school.

At first, I only reported and triaged bugs. Then I started writing testcases for layout bugs, participating in user interface design, and finding security holes. Now I'm also writing patches for UI bugs.

Things that encouraged me to continue contributing when I was a newbie:

  • Eli Goldberg's comment in my first bug report.
  • My sixth bug report, which was about pop-up windows, getting forty votes. At the time, that was enough to put it in the top ten!
  • Some of my bug reports getting fixed quickly.
  • Asa's e-mail to me when he gave me Bugzilla permissions (confirm bugs, edit all fields).
  • Communicating with other Mozilla community members not only through Bugzilla but also through IRC.

Posted on July 10, 2004 at 03:58 PM in Mozilla | Comments (5) | TrackBack (0)

Character Encoding UI in Firefox

There seem to be five ways to set character encodings in Firefox.

  1. Options > General > Languages > Default character encoding
  2. View > Character Coding > Auto-Detect > (select a language or "Off" or "Universal")
  3. View > Character Coding > More > (select an encoding)
  4. View > Character Coding > Customize > Active character encodings
  5. View > Character Coding > (select an encoding)

What do these options do? How do they interact? How could the UI, or even Help, make the options and their interactions clearer? Note that I only have a vague idea of what a character encoding is and why a user would need to select one.

Google didn't get me far. Help in Firefox only says "View > Character Coding: Allows you to manually change the character encoding on a Web page. Firefox usually does this automatically." Bug 181541 comments 61 and 62 helped me understand a little.

Posted on July 09, 2004 at 11:25 PM in Mozilla, User Interfaces | Comments (4) | TrackBack (0)

I have another convert

MontyDrei:

Holy crap, Mozilla Firefox is awesome. I wish I had converted earlier.

He was this missionary who brought me out of darkness into the light of Firefox.

I installed Firefox on his computer in order to write a bookmarklet for him. And in order to convert him, of course.

Posted on July 09, 2004 at 10:59 PM in Mozilla | Comments (0) | TrackBack (0)

Race conditions in security dialogs

I discovered arbitrary code execution holes in Firefox, Internet Explorer, and Opera that involve human reaction time. One version of the attack works like this:

The secret word fills the blank in the sentence 'If ____ web developers would use alternate text correctly!' It is all lowercase.

The page contains a captcha displaying the word "only" and asks you to type the word to verify that you are a human. As soon as you type 'n', the site attempts to install software, resulting in a security dialog. When you type 'y' at the end of the word, you trigger the 'Yes' button in the dialog. I made a demo of this attack for Firefox and Mozilla.

Another form of the attack involves convincing the user to double-click a certain spot on the screen. This spot happens to be the location where the 'Yes' button will appear. The first click triggers the dialog; the second click lands on the 'Yes' button. I made a demo of this attack for Firefox and Mozilla.

These types of attack work on any security dialog that can be triggered by untrusted content. The attack is most useful in a dialog where one of the buttons means "Yes, let this untrusted content run arbitrary code". Firefox has such a dialog in the form of the extension installation (XPI) dialog. Similarly, Internet Explorer has the ActiveX installation dialog and Opera has an "Open" button for downloaded executables. Programs other than browsers might also be vulnerable.

Firefox's solution, from bug 162020, is to delay enabling the "Yes"/"Install" buttons until three seconds after the dialog appears. I believe that this is the only possible fix other than completely denying untrusted content the ability to pose the dialog. Unfortunately, this fix is frustrating for users who install extensions often.

Some users have been intentionally lowering the delay to 0 seconds, which frustrates me. These users think the delay was added merely to force everyone to read the dialog. It surprises me that these users were not able to figure out the security hole given the fix. Ironically, advanced users are the most susceptible to these attacks, because they type and double-click faster than they react to unexpected stimuli.

It might be possible to lower the delay to less than three seconds, making it less annoying, without jeopardizing security. Designing experiments to determine the minimum "safe" delay would be tricky. You would want to do everything an attacker could do to increase participants' reaction time: give them a complicated task, make new rectangles appear every second to make the dialog less unexpected, etc.

It might make sense to make the dialog appear only after the user clicks a statusbar indicator that means "This web site wants to install software". This would get rid of the problem of choosing a delay, and it wouldn't require users who want to install extensions to wait.
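As an added example (not Firefox's own code from bug 162020), here is a model of the delay mitigation: a consent dialog that swallows any "accept" input arriving less than delayMs after it appeared, plus a replay of the captcha keystroke timeline described above. The class name, the injectable clock and the 150 ms typing interval are assumptions made for the example.

```javascript
// Added example; not Firefox's own code from bug 162020. Models a consent
// dialog that ignores "accept" input until delayMs after it appeared, so a
// keystroke or click already in flight cannot land on the Yes/Install button.
class DelayedConsentDialog {
  // `now` is an injectable millisecond clock so the timing logic can be tested.
  constructor({ delayMs = 3000, now = Date.now } = {}) {
    this.delayMs = delayMs;
    this.now = now;
    this.shownAt = null;
    this.decision = null;
    this.earlyActivations = []; // accept attempts swallowed before arming; worth logging
  }
  show() {
    this.shownAt = this.now();
    this.decision = null;
  }
  // The accept button is enabled only once this returns true.
  isArmed() {
    return this.shownAt !== null && this.now() - this.shownAt >= this.delayMs;
  }
  // Returns "accept" if the input was honoured, null if it arrived too early.
  accept(source) {
    if (this.shownAt === null) throw new Error("dialog not shown");
    if (this.decision !== null) return this.decision;
    if (!this.isArmed()) {
      this.earlyActivations.push({ source, msAfterShow: this.now() - this.shownAt });
      return null;
    }
    this.decision = "accept";
    return this.decision;
  }
  cancel() { // cancelling is always safe, so it needs no delay
    if (this.decision === null) this.decision = "cancel";
    return this.decision;
  }
}

// Replays the captcha timeline from the post: the user types "only" at a
// steady pace, the page raises the dialog on 'n', and 'y' is the Yes accelerator.
function simulateCaptchaTyping(delayMs, keyIntervalMs = 150) {
  let clock = 0;
  const dialog = new DelayedConsentDialog({ delayMs, now: () => clock });
  let decision = null;
  [..."only"].forEach((ch, i) => {
    clock = i * keyIntervalMs;
    if (ch === "n") dialog.show();
    else if (ch === "y") decision = dialog.accept("keyboard");
  });
  return { decision, earlyActivations: dialog.earlyActivations.length };
}
```

With the three-second delay the 'y' keystroke lands 300 ms after the dialog appears and is swallowed (and recorded); with the delay lowered to 0 the same keystroke accepts the install.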

Firefox FAQ for Seamonkey users

What's the difference between Firefox and Mozilla?

Mozilla (Application Suite, also known as SeaMonkey) is a complete suite of Internet applications, including a web browser, a mail/news client, and a chat client. Firefox is just a browser, which makes it a better choice if you already have a mail client for example. Also, since Firefox is smaller than the whole Mozilla suite, it's faster and easier to use.

Note, though, that Firefox is not just the standalone Mozilla browser. The user interface in Firefox differs from Mozilla in many ways. For example, Firefox has customizable toolbars.

[This question and answer are mostly from David Tenser's Firefox FAQ.]

What do I gain by switching from Mozilla to Firefox?

  • Speed. Firefox is much faster than Mozilla.
  • Customizable toolbars.
  • It's easier to browse with multiple windows and multiple tabs. Shift+click opens a link in a new window and Ctrl+click opens it in a new tab.
  • Middle-click autoscroll.
  • Form autocomplete.
  • Extensions and themes. It's easier to develop extensions and themes for Firefox, so there are more available.
  • Update notification.

Will Firefox import my Mozilla settings?

Firefox will offer to import your Mozilla passwords, cookies, and options the first time you run it. You can also use File > Import to import them at any time.

What happened to option XYZ?

The option you want to change might still exist in about:config, or there might be an extension that adds it.

Will Firefox integrate with my default mail client like Mozilla integrated with Mozilla Mail?

You can still press Ctrl+M to open your mail client to compose a new message. The Ctrl+2 shortcut to open your mail client is gone; use your operating system to make a global shortcut instead. You can add a toolbar button to open your mail client using Customize Toolbars. The "Send Link" command still exists, but the "Send Page" command is gone (bug 216168).

If you use Mozilla Mail as your mail client, I recommend that you switch to Thunderbird after you switch to Firefox. Firefox can't integrate well with Mozilla Mail because Mozilla Mail assumes you use Mozilla as your browser. If you use another mail client, such as Eudora, you don't have to switch to Thunderbird.

How do I create custom sidebars in Firefox?

To create a custom sidebar in Firefox, bookmark the URL you want to use as a sidebar, right-click the bookmark and select "Properties", and check "Load this bookmark in the sidebar".

Posted on July 01, 2004 at 03:55 PM in Mozilla | Comments (3) | TrackBack (0)

Cross-browser security holes

Slashdot reports a "new" spoofing hole in many browsers, including older versions of Mozilla, discovered by Mark Laurence. The hole is that site A can load its own content into a frame on site B, and the content will appear to be from site B because the frameset is still from site B. This attack only works if site B is a framed site, so some banks are not affected.

A comment I posted on Slashdot:

Lorenzo Colitti and I found the same hole several weeks ago, independently of Mark Laurence. I reported it to mozilla.org on June 11 and to Microsoft and Opera on June 16. I got different results from each browser maker:

Mozilla (bugzilla.mozilla.org 246448)
Fixed on June 14. Firefox 0.9 released with the fix June 14. Mozilla 1.7 released with the fix June 17.
Opera (bugs.opera.com 145283)
No response.
Microsoft
On June 21, I received an e-mail containing the following: "... is by design. To prevent this behavior, set the 'Navigate sub-frames across different domains' zone option to Prompt or disable in the Internet zone. We are trying to get this fixed in Longhorn ... on getting this blocking on by default in XP SP2 but blocking these types of navigations is an app compatibility issue on many sites." I usually don't get any response from Microsoft when I report security holes to them; I think I only got a response this time because I used my employer's premier support contract with Microsoft.

Another cross-browser security hole I found (bugzilla.mozilla.org 162020) got similar responses from each browser maker: fixed in Mozilla 1.7 and Firefox 0.9; no response from Opera; confusing statement from Microsoft mentioning XP SP2. 162020 is an arbitrary code execution hole.

To be fair to Microsoft, the fix for the frame-spoofing hole did break a few sites. According to a bug filed today, the Charles Schwab brokerage site is one of the broken sites.
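As an added example (not the actual Mozilla patch for bug 246448), here is a small model of browsing contexts with three frame-navigation rules: the permissive rule that makes the spoof possible, a descendant rule in which a document may only target frames it contains or frames of its own origin (a simplification assumed for the example), and the IE zone option from Microsoft's reply, which refuses every cross-domain subframe navigation and so also breaks the legitimate case. The class, the origins a.example/b.example/c.example and the frame names are constructed.

```javascript
// Added example; not the actual Mozilla fix for bug 246448. Minimal model of
// a frame tree plus three navigation policies, to show which one closes the
// frame-spoofing hole and what each one breaks.
class BrowsingContext {
  constructor(origin, parent = null, name = "") {
    this.origin = origin;
    this.parent = parent;
    this.name = name;     // the target name a script would use to reach the frame
    this.children = [];
    if (parent) parent.children.push(this);
  }
  isAncestorOf(other) {
    for (let c = other.parent; c !== null; c = c.parent) if (c === this) return true;
    return false;
  }
}

// Hole: any script may navigate any frame it can name.
const permissive = (navigator, target) => true;

// Fix (assumed simplification): the navigator must be the target, share its
// origin, or contain it, so an unrelated window cannot replace B's content frame.
const descendant = (navigator, target) =>
  navigator === target || navigator.origin === target.origin || navigator.isAncestorOf(target);

// IE workaround from Microsoft's reply: cross-domain subframe navigation is
// refused outright; top-level navigation is unaffected.
const ieZoneDisabled = (navigator, target) =>
  target.parent === null || navigator.origin === target.origin;

// Constructed scenario from the post: site A opens site B's frameset in its own
// window and tries to load A's page into B's content frame. B's frameset also
// holds a cross-origin widget frame that B legitimately navigates itself.
function frameSpoofScenario(policy) {
  const siteA = new BrowsingContext("https://a.example");                  // attacker window
  const bTop = new BrowsingContext("https://b.example");                   // framed site B
  const bMain = new BrowsingContext("https://b.example", bTop, "main");    // B's content frame
  const widget = new BrowsingContext("https://c.example", bTop, "widget"); // B's cross-origin frame
  return {
    spoof: policy(siteA, bMain),            // A putting its content under B's frameset
    ownFrame: policy(bTop, bMain),          // B driving its own frameset
    crossOriginChild: policy(bTop, widget), // B navigating its cross-origin widget
  };
}
```

The descendant rule denies only the spoof, while the IE zone setting also denies B's navigation of its own cross-origin widget, which is the application-compatibility cost Microsoft's reply alludes to.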

Posted on July 01, 2004 at 01:30 PM in Mozilla, Security | Comments (1) | TrackBack (1)