Tag Archives: Firefox

My Firefox Add-ons

I simply need to have this list somewhere so that I can find out my own add-ons again when I'm running Firefox away from home!

Adblock Plus - since ads are too annoying these days

DownThemAll - because I like to be able to get whole batches of images or similar at times

Fission - just a silly eye-candy thing

Forecastfox - I like weather forecasts!

FoxClocks - helps me keep track of the time my friends around the world have at different moments.

It's All Text - makes web based editing/posting a more pleasurable experience by allowing me to edit such contents with emacs!

Live HTTP Headers is a must when you want to figure out how to repeat your browser's actions with a set of curl commands.

Open in Browser allows me to open more stuff within the browser itself, even when the Content-Type is bad.

Right-Click-Link is great when you quickly want to browse to links you find in plain text sections.

Torbutton lets me quickly switch to anonymous browsing.

User Agent Switcher lets me trick stupid server-side scripts into believing I use a different browser or even operating system.

What great add-ons did I miss?

(Some nitpickers would say that I don't run Firefox since I use Debian and then it is called Iceweasel, but while that is entirely true, Iceweasel is still the Firefox source code and the Add-ons are in fact still Firefox Add-ons even if they also run perfectly fine on Iceweasel.)

In the middle there is a man

The other day an interesting bug report was posted against the Firefox browser, and it caused some interesting discussions and blog posts on the subject of Man-In-The-Middle attacks and how current browsers etc. make it (too?) easy to accept self-signed certificates, so that users are easily misled. (Peter Burkholder wrote a great piece on SSL MITMing back in 2002 which goes into detail on how this can be done.)

The entire issue essentially boils down to this:

To be able to really know that you're communicating with the true remote site (and not an impostor), you must have some kind of verification system.

In SSL land we have this system with CA certs for verifying certs and it works pretty well in most cases (I think). However, so many sites on the internet use HTTPS today without having the certificate signed by a party that is already known to the browser - most of them are so-called self-signed, which means there's nobody else that guarantees that they are who they claim to be, just themselves.

All current modern browsers want to give users easy access to HTTP sites and to HTTPS sites with valid, properly-signed certs, but also allow users to connect to and browse HTTPS sites with self-signed certs. And here comes the problem: how to tell users that HTTPS with a self-signed cert is very insecure but still let them proceed? How do we tell them that they may proceed, but that if this is a known popular site they really should expect a true and valid certificate, as otherwise it is quite possibly a MITM they're seeing?

People are so used to just accepting exceptions and clicking away nagging pop-ups that the warnings and alerts, explicit and implied, in the prompts you have to go through to accept a self-signed certificate don't seem to have much effect. As can be seen in this bug report, accepting an impostor's certificate for a large known site is far too easy.

In SSH land however, we don't have the CA cert system and top-down trust hierarchy that SSL/TLS imposes. But does this matter? I'd say no, as most if not all users still don't reflect much on it when a server's host key is reported as different from what you used before. Or when you connect to a host for the first time you accept the host key without trying to verify it using a different channel. Thus you're subject to pretty much the same MITM risk. The difference is perhaps that fewer "mere end users" are using SSH this way.

Let me just put emphasis on this: SSL and SSH are secure. The insecurity here is not due to how the protocols work; rather, these are flaws that appear when we mix in real-world users and UIs and so on.

I don't have any sensible solutions to these problems myself. I'm crap at designing things for mere humans and UIs etc and I make no claims of understanding end users.

It seems there's a nice tool called ettercap that's supposedly a fine thing to use when you want to run your own MITM attacks on your LAN! And on the other side: an interesting take on improving the "accept this certificate" UI is offered by the Perspectives Firefox plugin, which basically also checks with N other sources' view to help you decide whether to trust a certificate.
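To make the two points above concrete, here is an added example (my own illustration, not code from this post, from OpenSSH or from the Perspectives plugin) of the two trust models in a few lines of Python: a trust-on-first-use store in the style of ~/.ssh/known_hosts, which can only ever say "new", "same as before" or "changed", and a Perspectives-style check that asks whether N independent vantage points saw the same key as the local client. The key bytes, host names and notary reports are constructed stand-ins, not real keys or servers.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from enum import Enum

# Constructed sample key material: stand-ins for the DER bytes of a server's
# public key. These are not real keys.
GENUINE_KEY = b"constructed: public key of the real server"
IMPOSTOR_KEY = b"constructed: public key presented by a man in the middle"


def fingerprint(key_der: bytes) -> str:
    """SHA-256 fingerprint of a key: the value a user would compare out of band."""
    return hashlib.sha256(key_der).hexdigest()


class Verdict(Enum):
    FIRST_USE = "first use: key recorded but not verified"
    MATCH = "key matches the one seen before"
    MISMATCH = "key differs from the one seen before: possible MITM"


@dataclass
class KnownHosts:
    """Trust-on-first-use store, like ~/.ssh/known_hosts: host -> fingerprint."""
    entries: dict = field(default_factory=dict)

    def check(self, host: str, key_der: bytes) -> Verdict:
        seen = fingerprint(key_der)
        stored = self.entries.get(host)
        if stored is None:
            # First contact: nothing to compare against, so all we can do is record.
            self.entries[host] = seen
            return Verdict.FIRST_USE
        if hmac.compare_digest(stored, seen):
            return Verdict.MATCH
        # A changed key is exactly what an interposed party produces; keep the
        # old entry rather than silently replacing it with the new key.
        return Verdict.MISMATCH


def notary_agreement(local_fp: str, notary_fps: list, quorum: int) -> bool:
    """Perspectives-style check: do at least `quorum` independent vantage points
    see the same key the local client sees? A MITM near the client shows the
    client one key while the notaries, elsewhere on the net, see the real one."""
    agreeing = sum(1 for fp in notary_fps if hmac.compare_digest(fp, local_fp))
    return agreeing >= quorum


def decide(store: KnownHosts, host: str, key_der: bytes,
           notary_fps: list, quorum: int = 2) -> str:
    """Combine both models into one accept/ask/refuse decision."""
    local_fp = fingerprint(key_der)
    verdict = store.check(host, key_der)
    if verdict is Verdict.MATCH:
        return "accept"
    corroborated = notary_agreement(local_fp, notary_fps, quorum)
    if verdict is Verdict.FIRST_USE:
        # No history: notaries are the only independent channel we have.
        return "accept" if corroborated else "ask user"
    # MISMATCH: a legitimately rotated key is seen by the notaries as well,
    # so update the store; a key only we can see is refused outright.
    if corroborated:
        store.entries[host] = local_fp
        return "accept (key rotated, confirmed by notaries)"
    return "refuse"


if __name__ == "__main__":
    store = KnownHosts()
    real = fingerprint(GENUINE_KEY)
    print(decide(store, "mail.example.test", GENUINE_KEY, [real, real]))
    print(decide(store, "mail.example.test", IMPOSTOR_KEY, [real, real]))
```

The thing to notice is that the known_hosts half alone never answers the question the user actually has ("is this the real key?"): on first use it can only record, and on a mismatch it can only say "changed". The notary half supplies the out-of-band channel that users in practice skip, which is what makes the combined decision more useful than either prompt on its own.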

I want to round off my rant with a little quote:

"I have little, and decreasing, desire to continue to invest in strong security for a product that discards that security for the masses" [*] / Nelson B Bolyard - prominent NSS hacker

Download (Yester)Day

I won't be joining the attempted world record of Firefox downloads on the release day June 17th 2008 since I dist-upgraded my Debian unstable just a few days ago and I got my Firef... eh Iceweasel version 3 then.

Of course, others have also noted that Firefox will miss a few Linux users downloading that version as Linux users all over will prefer to get it using their distros' ordinary means of getting packages and updates...


Open Source Accessibility

SRF (Synskadades Riksförbund - the Swedish Association of the Visually Impaired) is a Swedish organization that recently expressed concerns about open source (in Swedish), since as they say "open source in itself is no guarantee for accessibility to disabled persons" (my translation).

The argument came up because Mats Odell, a minister in the Swedish government, expressed a positive attitude towards open source within governments (link in Swedish).

I find it disturbing that these visually impaired guys immediately bounce back and seem to imply that open source automatically somehow is less useful, of lower quality, less fitting or less accessible. Sure, open source is not a guarantee for better accessibility, but then nobody claimed it was either, and I don't see how any software can be guaranteed to be better. A very weird statement it was, I must say.

One perfect example showing how open source adds accessibility is how Rockbox works. By providing innovative functionality, it makes devices suddenly a whole lot more usable to blind or visually impaired persons. There are simply no commercial alternatives coming close.

Another fine example of how open source makes software more accessible than any closed-source competitor is how translations can be done even for very small languages spoken by economically not so wealthy population groups. Like how closed-source programs fail to deliver software translated into the 11 official languages of South Africa, and a lot of other ones.

To round off, the Orca project makes OpenOffice, Firefox, GNOME apps and Java-based apps accessible. I'm not saying I know all about being visually impaired and how such users work with open source, but I do know that open source is accessible to a large extent in some places and that in others there's room left for improvement. But open source gives everyone the ability to join in and make it happen.