February 2008 Archives

safari unsafe? paypal thinks so.

There's been a lot of coverage of the PayPal Safari kerfuffle over the last few days.

Dear PayPal, Safari Isn’t The Security Problem, Dear PayPal, Safari Isn’t The Security Problem, Paypal and Safari, PayPal excludes Safari from "Safer Browsers", PayPal is not making me feel safe, PayPal not an Apple fanboy, discourages use of Safari, PayPal On Security?, Paypal says avoid Safari, Paypal says avoid Safari browser, PayPal says NO to Safari, PayPal Says NO to Safari: We Say Take Responsibility for Your Actions, PayPal Says: Safari Is Not Secure, PayPal to Safari users: 'Ditch it', Paypal to Safari Users: Switch Browsers or You'll be a Victim of Fraud, Paypal warns buyers to avoid Safari browser from Apple, PayPal Warns Safari Users, PayPal: “Safari not safe” Huh?, PayPal: Safari is a little phishy, PayPal: Safari Open To Online Fraud, PayPal: Steer Clear of Apple's Safari, PayPal: Steer clear of Apple's Safari, Safari "lagging behind" on security, Safari browser does not get PayPal's stamp of approval, Safari Excluded from Paypal’s “Safer Browsers”, Safari Not Safe Enough For PayPal, Safari not secure against phishing, says PayPal, Safari unsafe for PayPal, Who's responsibility is security?, PayPal warns against using Safari because of its lack of anti-phishing technology

My take is that PayPal is just about right.

PayPal is probably the number one or number two target for phishing online (I'm basing this on the contents of my email spam folder) and so I can see where they'd want their users to have the best possible protection against phishing. Firefox 2 and IE 7 offer built-in, and in the case of Firefox, highly effective, phishing protection. Firefox 3 will offer major improvements in the usability and discoverability of site identity information, including but not limited to EV Certificate support. The combination of phishing protection and easier to discover and use site identity information is a powerful weapon against social engineering attacks like phishing.

Some folks have disputed the value of these tools to users. A few have even suggested that social engineering attacks like phishing aren't something a browser should attempt to thwart or mitigate -- that less sophisticated Web users deserve what they get. I couldn't disagree more with both of these points.

Jeremiah at his eponymous blog says "Phishing attacks are attacks on visitors, not technology. The solutions aren’t likely technical."

Brian Reilly at his "other" blog, says "I think you need to be more vigilant yourself rather than planning for Microsoft to save you by fixing their browser. Phishing is easy to spot if you pay attention. I don’t think I want to rely on my browser for that anyway."

Kevin Williams over at Almost Serious says, "I have to throw the sacred plaid Bullshit flag on this one. IE making the address bar turn green only serves to prove to me that IE developers can tell green from red or blue. Big flipping deal. Do they really expect me to believe that stupid IE users who blindly log in to anything that looks like a PayPal login page proves that IE is more secure? If anything, it tells me it is less secure, and used by idiots. Is there a web standard here, or is this a little bit of Tony Soprano at work?"

Mr. Mayor at Mactropolis said, "I think I can sum this whole argument up by simply saying… It’s time for all of us to take responsibility for our actions on the net. It’s true, unfortunately there are a lot of criminals out there ‘phishing’ for your paypal/bank logins out there… Gleaning private login info and stealing hoards of $$$ from the innocent. That’s awful and it sucks… But if we can step-up our own accountability and responsibility on this issue… There will be fewer victims and we’ll all be in a better place."

Jay Melton at his blog, scholar.jklmelton.net says, "Sorry PayPal, the problem lies in how people deal with email, not with the browser. Anyone clicking on any link in an email message is asking for trouble. If you need that link, copy it, paste it, and then read the URL carefully. If you don’t recognize the domain or the directories after it, don’t use it. You can get to the site using your bookmarks to be safe."

Tom Stovall at his blog, stovak.blogspot.com asks, "Who's responsibility is security? The expectation that a car manufacturer would build a car that would tell you when you're going to be car-jacked seems a bit far-fetched.... I understand too well how unreasonable the uneducated computer using hoards (READ 'windows users') can be.... If you're stupid enough to give your login information away, that's just darwinism in action. You are the slow antelope of the herd and as such, have been selected by nature for extinction."

The Phishing Protection feature in Firefox has already saved countless numbers from online fraudsters. I've seen this personally with friends and family and I've seen scores of blog posts from people thanking Firefox for saving them from scams -- many related to PayPal phishing.

Those who doubt the efficacy of EV certs based on a study of IE 7's current UI are also pushing flawed information. Just because IE's implementation is less than ideal doesn't mean that Firefox's will be or that we won't see all browsers advancing the usefulness of EV cert features. And, in addition to the EV information, Firefox is also adding quite a bit more easy-to-find and easy-to-use information about websites that will help people determine if they're at a legitimate or a phishing destination.

Finally, to those who say that less sophisticated users deserve what they get for not being more advanced, I say go jump in a lake. Not everyone out there spends the kind of time online that you do. Not everyone out there understands the details of the URI specification as well as you do. Not everyone out there is capable of understanding that even bad guys can buy a lock icon for less than $100 these days.

Just because you can spot a phishing attack doesn't mean that everyone else can or should, and it is absolutely the job of the browser to correct the flawed "lock means you're safe" perception and the silly "learn how URIs are constructed" meme with better site identity information and features like phishing and malware protection.

Now, back to PayPal. PayPal takes socially engineered threats as seriously as encryption or code flaws. It has to. Phishing is so much easier to pull off than cracking a browser or an encrypted client-server session. Even lowering their exposure to these kinds of attacks by a fraction of a percent is a huge win for them, both financially and strategically. I think that PayPal is absolutely right to let its users know how to do the most they can to stay safe and secure online.

The Web has become a necessary part of the lives of more than a billion people worldwide. Web browser makers can and should be in the business of making the Web not just more "secure" but actually safer.

firefox mobile

There's a great article in the Washington Post (via Jeremy Kirk, IDG News / PC World) covering Mozilla's plans for Firefox Mobile -- "With mobile browser, Mozilla hopes to shake up market". The article features some choice quotes from Mike and Christian and it's definitely worth a read.

Netscape as a maker of client software is no more.

If you know anyone still using some version of Netscape, now's the time to reach out and help them move to Firefox. It's no longer a matter of browser preference; it's a matter of keeping those people safe online. There will be no more security updates for Netscape and the safest and easiest place for those people to move is clearly Firefox.

hummingbird update

After several days of me watching this amazing nest construction outside of my office window, the hummingbird has met some unknown fate and seems to be gone. I'll get some photos of the abandoned nest shortly.

apple cheats -- fails at open

While claiming the banner of open source with WebKit, Apple continues to disadvantage their competitors with undocumented APIs that only their apps can take full advantage of.

Despite this (somewhat expected) Apple perfidy, Firefox 3 on Mac is going to rock bigtime! It's fast as hell. It uses less RAM than the competition. It's gorgeous. And it's honestly open, unlike Safari and WebKit.

You want to build something on Mac with WebKit? I'd encourage you to re-evaluate. Apple isn't going to play fair with you. This isn't speculation. It's happening today.

asa on npr

I was on NPR yesterday talking with Allison Stewart about Mozilla and Firefox. It's less than 10 minutes if you want to listen.

Allison is a Peabody and Emmy Award winner and I'm a huge fan so it was cool to get to talk with her live on NPR.

webware 100

After winning last year, Firefox has been nominated for the Webware 100 again. Webware is c|net's awards program where you can select your favorite Web products.

Head over to http://www.webware.com/100 and show your Firefox support.

Oh, and don't forget to vote for Miro in the video section.

hummingbird

A hummingbird has decided to nest right outside my window at work. I'll bring my camera in and try to get a photo tomorrow.

great story on china's great firewall

If you're not already well versed in the what and how, there's a really good article just published over at The Atlantic called "The Connection Has Been Reset".

awesome video contribution

on 500 million downloads

Just to be clear, 500M downloads doesn't mean 500M users. Some users download more than once. Some users deploy multiple installs from a single download. And, many people who download don't become regular users.

Nevertheless, it is an impressive milestone. What does it say about our market share or actual user base? Not much. What does it say about our community? A lot. Over 80% of Firefox users were referred to Firefox by a friend, family member, or colleague. With a marketing budget that's a fraction of a percent of that of companies Mozilla competes with, we've managed to get more downloads of Firefox than any other piece of consumer software I'm aware of.

So, what are our user numbers actually and what is our market share? I estimate that, with about 50 million active daily users, our total user base is approximately 150 million people*. As far as market share, there are a lot of people out there measuring it and they all have different numbers. At the low end, we see Firefox usage at about 17%. At the high end, we see as much as 37%. In between those, there is a range of measures, all with their own biases.

Looking at all of this data, actually, kind of squinting at it with my head cocked at just the right angle, it seems to suggest that Firefox is at about 20% market share worldwide.

So, 500M downloads, 150M users, and 20% market share. Not a bad showing for the four-year-old Firefox.

* we've added nearly 10M daily active users since John's post in November.

marketshare

Looking at visitors to NYTimes.com, a much larger share of our online readers, about 28 percent in February, were Firefox users.

That's pretty sweet!

update: and I just found these two posts:

boston.com at 22%
Seattle Post-Intelligencer at 27.4%

update2: PCWorld is at 34.36%

creative types

Do you love Firefox? Do you fancy yourself a creative type? Do you seek fame and fortune? (and are willing to settle for just the fame?) If you answered yes to all three of those questions, then I've got the opportunity for you.

Mozilla has just launched a design contest for the Firefox 3 t-shirts! The winning design will become the official Firefox 3 t-shirt and the winning designer will be featured along with the t-shirt in the Mozilla Store.

Firefox is not just an award-winning browser, it's a world-renowned brand, making this a great opportunity for an aspiring designer, or even just a rabid Firefox fan. You can read more about the contest over at Slater's blog.

(Reposted from the Air Mozilla Backstage blog.)

This week's Air Mozilla Live broadcast will feature a discussion with David Ascher, CEO of Mozilla's new Mozilla Messaging organization. David will be talking about the launch of this new Mozilla Foundation subsidiary, upcoming Thunderbird releases, and the future of internet messaging. The program will also facilitate a community discussion about the new native look and feel for Firefox 3 on Mac, Windows, and Linux. Our guest for this segment of the show is Alex Faaborg, the User Experience Designer who has led much of this effort over the last year. Got thoughts, suggestions, rants about the new themes? Alex can't wait :-) You won't want to miss this exciting discussion.

So join us this Thursday for our live community discussion and “call-in” show.

Who: The Mozilla community, host Asa Dotzler, and guests David Ascher and Alex Faaborg.

When: Thursday, February 21, from 14:00:00 - 15:00:00 PST (UTC -8).

Where: View the webcast at air.mozilla.com and participate on IRC, IM, or email.


  • IRC: join the discussion on irc.mozilla.org #airmozilla

  • IM: instant message your questions to the AIM/YIM/GTalk screenname airmozilla.

  • email: send in your questions before and during the show to airmozilla@mozilla.com.

Air Mozilla is now streaming 24/7 with a new live show every month (or as close to that as makes sense.) If you’ve got ideas for shows, please email us and let us know. Even better, if you’re a part of the Mozilla community and you’d like to be interviewed or present on our live broadcast, let us know.

some awesome for today

beta 3, the beta you can't resist

Firefox 3's third beta release is now available. Let us know what you think.

inaugural posts at for the record

I've made my first real post at the For the Record blog. I hope that it gives you insight into the Firefox product cycle or the information you need to help others understand the Firefox product cycle.

When It's Ready

For some more background on the For the Record blog, check out the inaugural post.

sad news from seoul

Deanna and I visited Seoul not too long ago and toured the city with our good friends Channy and Jungshik. Seoul is a beautiful city and this is certainly a very sad occasion.

update: Early indications are that it was arson.

it's not a bug

This news item on /. and making the rounds on some blogs is not real. It's not a flaw. This guy's found a way to read a file that doesn't contain any personal information and that's identical for every Firefox install on the planet. It's simply not a flaw.

More from shaver.

yahoo mail

I've heard reports that the advanced Yahoo! mail interface is now working in Firefox 3 beta and nightly builds. Can anyone confirm?

observation

I think that youtube makes me stupider.

update: Deanna reminds me, though, how much it makes me smile.

mitchell's blog has moved

Mitchell Baker, our fearless leader at Mozilla, has moved her blog. You can find Mitchell's Blog at blog.lizardwrangler.com. If you subscribed to her feed, you'll want to update your reader with the new address, http://blog.lizardwrangler.com/?feed=atom.

google reader vs bloglines beta

I've been happy managing my feed reading in Thunderbird+Forumzilla and I don't have any intention of leaving that combo soon, but as I try to get involved in some collaborative feed reading efforts, I want to get a better picture of what it's like to use an online reader.

I'd normally jump right to Google Reader, but jumping to the Google product first is a habit I'd like to break. The other obvious choice seems to be Bloglines' beta reader. It's probably going to take me quite a while to try to replicate my setup in one of the online readers and I'd rather not do it twice if I can avoid it.

Do you have experience with both? What are the advantages and disadvantages? I mostly read search results feeds so I get lots of splogs and the overall volume is pretty high which makes quick skimming a real win for me.

i might matter

For the first time since I reached voting age, I've got the opportunity to vote in a meaningful presidential primary election -- one for which the outcome has not already been established. Now, there's lots more to a democracy than voting, but voting sure is a lot cooler when it actually matters.

great ladder

The Firefox add-on, Gladder (Great Ladder) gets some coverage in the ongoing discussion about China's Great Firewall.

If you don’t know what’s on top of you, then you won’t fight back against it.

security @ mozilla

Window has a great interview up at ComputerWorld.