Data theft with CSS

Mozilla has released security updates to Firefox 3.5 and 3.6 that include defenses for an old, little-known, but serious security hole: cross-site data theft using CSS. These defenses have a small but significant chance of breaking websites that rely on quirks mode rendering and use a server in another DNS domain (e.g. a CDN) for their style sheets.

In this article I’ll describe the attack, what we’re doing about it, how you can ensure that your site will continue to work, and how you can protect your users who have not upgraded their browsers yet.

Continued…

the great 2010 ceramic objects giveaway

(Photos: a bunch of pottery; more pottery)

My SO and I are moving. We have a whole lot of ceramic objects that we made. We would like to send them to people rather than find a new home for a giant stack of pottery in our new apartment. Please let us know what you want and we’ll send it to you!

Hers: https://www.flickr.com/photos/pamgriffith/sets/72157624185501258/
Mine: http://www.flickr.com/photos/zackw/sets/72157624186453266/

(Please post requests on the Flickr pages for the objects you want, if at all possible.)

EDIT 23 Jun 2010: This offer is no longer open. We have donated what hadn’t already been claimed to the San Jose chapter of Empty Bowls.

More on SSL errors

I got some great responses to my ideas for SSL errors and I thought I’d make a new post to talk about them, since that post is old enough that you can’t comment on it anymore. I should probably emphasize up front that I’m not on Firefox’s UX team, I don’t know if they’re listening to my suggestions, and anyway they were meant as a starting point rather than completely finished designs.

David Bolton wanted to know why some of the error screens asked the user to visit other sites manually, rather than doing checks behind the scenes. The main reason, honestly, is that it made a good example of something the user could do next. In practice we probably would want to do at least some checks in the background. Right now, another reason would be that error pages do not have chrome privileges, so they can’t do anything of the sort (this is part of why the certificate error screen pops up a separate dialog box if you say you want to add an exception), but we may be able to get around that in a real implementation.

John Barton, in email, points out that SSL errors often come up in practice because of server-side configuration changes that ought to have been transparent to users, but a sysadmin goofed. I’ve been using the Certificate Patrol extension, which brings up warnings when a site’s cert changes in any way; this reveals that cert handling mistakes happen even on very popular and well-staffed sites (recently, for instance, mail.google.com flipped back and forth between its own cert and the generic *.google.com cert several times in one day). Of course that would have been invisible to most people, but it’s not much harder to make mistakes that do trigger warnings in a stock browser.

My general feeling on that is, yes, it is way too hard to administer an SSL-encrypted web site, and I would wholeheartedly support an initiative to make it easier, especially for sites that carry information of only moderate sensitivity (e.g. the plethora of Bugzilla instances with self-signed certs out there in the wild). I don’t think that should stop us from raising the visibility of SSL administration mistakes, as long as we improve the presentation and advice on those mistakes so we are not just training people to click through the errors.

John also points out that most people won’t have any idea what Herdict is or why they are trustworthy. The explicit mention of Herdict was mainly because I was riffing off Boriss’ earlier proposal to use Herdict information to improve page not found errors. Indeed, we should probably put it more like “Other people who try to visit this website get (something), which (is/isn’t) what you got.” We should credit whatever service we use for that information, but it doesn’t have to be as prominent as I made it.

Someone else (whose name I have lost; sorry, whoever you were!) pointed me at the Perspectives extension, which is said to do more or less exactly what I proposed, as far as comparing certificates seen by the user with those seen by notaries at other network locations. I like the use of the term “notary” and the proof of concept; unfortunately, Perspectives seems not to be actively maintained at the moment, and doesn’t work with Firefox 3.6. Also, for privacy, we want to make the queries to the notaries as uninformative as possible to an adversary that can observe network traffic. Reusing the same system that is used for “is this site down?” requests would help there. (Ideally, the notaries would also be unable to tell which users are asking what about which sites, but that might not be tractable.)
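The two mechanisms discussed above, as an added illustration that is not Certificate Patrol’s or Perspectives’ actual code: a Certificate Patrol-style memory of the fingerprint last accepted for a host, which flags the kind of back-and-forth cert swap described for mail.google.com, and a Perspectives-style comparison of the fingerprint the client saw against what a set of notaries report, with a quorum before anything is called consistent or a mismatch. The certificate bytes are constructed placeholders (a real client would hash the DER-encoded certificate from the TLS handshake), and the quorum size is an assumption, not a value from either project. The privacy question raised above (what the notary queries reveal to an observer) is not addressed here.

```python
"""Cert-change memory and notary quorum check (added example)."""
import hashlib
from collections import Counter

# Constructed stand-ins for DER-encoded certificates; only their hashes matter here.
CERT_A = b"constructed DER bytes: mail.google.com own cert"
CERT_B = b"constructed DER bytes: generic *.google.com cert"


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, the usual notion of a 'fingerprint'."""
    return hashlib.sha256(der_cert).hexdigest()


class CertHistory:
    """Certificate Patrol-style memory: hostname -> fingerprint last accepted for it."""

    def __init__(self):
        self.seen = {}

    def check(self, host: str, der_cert: bytes) -> str:
        """Record the cert now presented for host and say how it relates to the last one.

        Returns 'first-seen', 'unchanged' or 'changed'. A 'changed' result is what
        a Certificate Patrol-like tool would surface to the user; most of the
        time it means a legitimate rotation or a sysadmin's configuration slip,
        which is exactly why it is a warning and not a hard failure.
        """
        fp = fingerprint(der_cert)
        previous = self.seen.get(host)
        self.seen[host] = fp
        if previous is None:
            return "first-seen"
        return "unchanged" if previous == fp else "changed"


def notary_verdict(observed_fp: str, notary_fps: list, quorum: int = 3) -> str:
    """Perspectives-style comparison of our view with notaries' views.

    observed_fp: fingerprint of the cert this client received.
    notary_fps:  fingerprints each notary reports seeing for the same host
                 from its own network vantage point.
    quorum:      number of agreeing notaries required before concluding
                 anything (assumed value; tune to the notary population).
    """
    if len(notary_fps) < quorum:
        return "insufficient"          # too few vantage points to say anything
    counts = Counter(notary_fps)
    agreeing = counts.get(observed_fp, 0)
    if agreeing >= quorum:
        return "consistent"            # others see what we see
    top_fp, top_count = counts.most_common(1)[0]
    if agreeing == 0 and top_count >= quorum:
        return "mismatch"              # a quorum agrees on a *different* cert than ours
    return "inconclusive"              # notaries disagree among themselves


if __name__ == "__main__":
    history = CertHistory()
    for cert in (CERT_A, CERT_A, CERT_B, CERT_A):
        print("mail.google.com:", history.check("mail.google.com", cert))
    ours = fingerprint(CERT_A)
    print(notary_verdict(ours, [fingerprint(CERT_A)] * 3))
    print(notary_verdict(ours, [fingerprint(CERT_B)] * 3))
```

A sequence of “changed” results within one day, as in the mail.google.com anecdote, is the signal Certificate Patrol shows; the notary check is what distinguishes “the site really did change its cert for everyone” from “only my connection sees a different cert”, which is the case that matters for a man-in-the-middle.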

Another site redesign

This site is now running on WordPress rather than the creaky combination of Ikiwiki and comment software of my own invention. Things generally look nicer, in my opinion, and should also be more reliable.

I apologize in advance if this causes the RSS feed to spew old posts all over Planet Mozilla or your feed reader. I hope it won’t, but you never know with RSS.

The Twit Cleaner

(notes on behavioral categorization of Twitter accounts)

I don’t follow a lot of people on Twitter, but I still sometimes have trouble deciding whether the accounts I’m following are worth it. Folks with much longer follow lists presumably have even harder going.

Enter The Twit Cleaner, a (sadly, as of late 2013, defunct) service that scans your follow list and automatically categorizes the behavior of everyone on it. They have some straightforward heuristics for deciding whether someone is worth following, mostly documented in their FAQ:

Q. How are the (potential) bad guys broken down?

A. The possible categories are:
Dodgy - spam phrases, @ spamming, duplicate links etc
Absent - No updates in a month, or fewer than 10 tweets.
Repetitive - High numbers of duplicate tweets or links
Flooding - So high volume you can’t see anyone else
Non-Responsive - No interaction & those that follow back < 10%
Little New Content - Retweeting lots or just posting quotes

This is generally a good scheme, but its focus on conversational use of Twitter means that it misidentifies a few types of legitimate account as unsavory. I think a few special case categories would go a long way to making the service’s advice more useful.

Announcement channels

These are the Twitter equivalent of a news ticker—they broadcast announcements related to something, but they don’t converse with people (as a general rule). The Cleaner dings them as dodgy behavior: “tweeting the same links all the time” and/or “not interactional: hardly follow anyone.” Examples include @NBCOlympics, @CDCemergency, @asym, @Astro_Soichi, and (ironically) @TwitCleaner itself (the problem here appears to be public “@somebody, your report is ready at …” directed tweets when direct messages fail).

These can probably be machine-identified as extreme outliers in follower-to-followed ratio. @asym and @Astro_Soichi don’t follow anyone; @NBCOlympics and @CDCemergency follow less than 0.1% of their follower numbers. @TwitCleaner likes to follow users of the service, though; maybe they should just whitelist themselves? Also, if Twitter-verified users are not already whitelisted (I wasn’t able to tell from my own report), perhaps they should be.

Lurkers

Lurkers are the opposite of announcement channels: they just read Twitter, they never post anything. Lurking is a time-honored tradition on the Internet and people shouldn’t be penalized for it. I have several lurkers on my follow list just on the off chance that they might start posting in the future.

Accounts that have never posted at all should be distinguished from accounts that post rarely. (The latter are often spammers. Lately Twitter itself has gotten a lot better about finding and banning spammers, but they still turn up now and then.)

Fictional character accounts

There are any number of fictional characters who regularly use Twitter—that is, their authors write and post tweets under their names, usually to provide a bonus story line, or to implement the “fourth wall mail slot.” Examples include @Othar of Girl Genius and the entire cast (caution: mildly NSFW; @pintsize0101 consistently links to egregiously NSFW images of the “where’s my brain bleach” variety) of Questionable Content. Fictional characters may absent themselves for long periods because the bonus story line is on hold (Othar recently didn’t post anything for four months but is now back) and might not follow anyone but other characters from the same fictional world (the QC cast does this); both things get them unfairly dinged by the Cleaner.

It probably isn’t possible to identify fictional accounts in a mechanical way. However, you could pick out cliques in the follow graph, sets of accounts that are followed by many but that follow no one but each other, as deserving human attention. If Twitter implemented some sort of account-labeling scheme that would let the people behind the curtain mark accounts as fictional characters, that would be awesome.

Review of Brütal Legend

Here we go with another entry in the occasional series of reviews of games that everyone has already played (because I refuse to pay more than US$20 for a game, and new releases cost $60 these days). This time, it’s Brütal Legend, Tim Schafer’s epic about love, justice, and the power of rock and roll, set in the land of all album covers, starring Jack Black and a whole bunch of heavy metal musicians as themselves.

This game is worth playing just for the chance to drive the protagonist’s hot rod around and see all the epic scenery. The art department had fun with this game. So did the character modelers. They licensed about a hundred classic metal tracks for the background music, which means it’s thematically appropriate, and never gets repetitive enough to earworm you. (The magical guitar solos, on the other hand, I got a bit tired of.) The gameplay itself is a little spotty, but I think that’s been well covered elsewhere. My main beef was with poor integration of the side quests into the story line—you don’t benefit much from doing them, even though they could have added quite a bit of interest and strategic ramification. The up side of that, though, is that I never felt like I was being forced to level-grind. There was one infuriating point where me and Pam spent three hours losing one stage battle over and over again, but that was because we were doing it wrong.

So that’s all good, but now I want to complain, at length, about the storyline.

Continued…

Mozilla Co. conference rooms

The Mozilla Corporation’s new(ish) office in downtown Mountain View has all its third-floor conference rooms named after Internet memes, except those that are named after rooms aboard the starship Enterprise. I’d like to share them with you now.

Small conference rooms (memes)

Large conference rooms (Star Trek)

Switching comment systems

I’m switching Owl’s Portfolio over to a new comment system of my own invention, which will allow me to turn comments back on without (I hope) immediately being inundated with spam. For the next few hours, though, all of the comments made with the old system will temporarily vanish.

The management hopes this is not a horrible inconvenience for the two or three people still reading this site.

Better SSL error screens

Right now, when you visit a website that uses encryption in Firefox and there’s anything at all wrong with the encrypted connection, you get a big block of jargon which doesn’t do anything to tell the user how big the risk actually is, or help them distinguish a minor problem from a major one.

Continued…

Print-on-demand mugs are not dishwasher safe

(Photo of faded print-on-demand mug)

This mug was designed by Steven Frank and printed by Zazzle. The top part of the design was much darker six months ago. Zazzle’s process appears to involve shrink-wrapping a layer of plastic over the mug and then printing on that; you can’t see it in the photo, but the plastic has started to peel off near the top of the handle. I have another such mug, printed using a different process in 2003 for the Stanford Film Society’s Film Our Way festival; it didn’t fade nearly as fast, and there wasn’t any plastic to peel off, but after seven years of use the design is almost gone.

The problem with these mugs is, the design is printed on top of the glaze. Truly permanent decorations on ceramic are either done with the glaze itself, or are inked directly on the unglazed piece and then covered by transparent glaze. Either way, the decoration happens before the glaze firing. Unfortunately, glaze kilns are typically designed to process hundreds of pieces per batch, and take several days to go through a complete cycle. That’s not practical for a print-on-demand outfit.

I think you could design a much smaller kiln, with space for just a few mugs, though. It’d be lined with fiberglass instead of firebrick, to reduce the thermal mass; since there’s no need for a reduction phase with clear glazes, it could use electric heat. It’s not possible to do a stoneware firing in less than about 24 hours start to finish, because the clay will crack if you heat or cool it too fast (this is why raku-glaze pieces are often fragile) but there would be no need for several days’ worth of cooling time as is typical for large batch kilns.