April 2008 Archives

delicious for firefox 3

| 3 Comments

If you were holding off on using the Firefox 3 betas or nightly builds because your extensions weren't compatible, another one just fell off that list. Today, over at the Delicious Blog, Nick says,

Firefox 3 users, rejoice! Today I’m pleased to announce a beta release of an enhanced version of our Firefox Add-on for del.icio.us that now has full Firefox 3 support while retaining Firefox 2 compatibility. While it is largely similar to the release version of our Firefox Add-on, there are a few nifty new features:
  • Jump to Tag feature (press F2) allows you to quickly access tags and bookmarks using the keyboard
  • New layout for saving bookmarks
  • Preferences now in a separate dialog under Tools (which also can be invoked via the prefs button on the FF Add-ons pane)
  • Status bar indicators for network activity, new links for you, and the del.icio.us website
  • Classic mode for users who just want simple buttons without the overhead of sync

Stuart J. Johnston, over at PC World's Bugs and Fixes column, does a fabulous job confusing and unnecessarily alarming Firefox users, while at the same time conflating the valuable contributions being made by the ethical security researcher community with the malicious activities of "bad guy" hackers.

That's quite an accomplishment in just 500 words.

Getting those column inches hammered out every month can be hard work, but when the obvious result of an article is that readers will walk away less informed than before they read it, it's time to consider a different approach or a different topic.

This particular piece should never have made it off of the author's laptop and definitely shouldn't have made it past an editor's desk. PC World, IDG, and Stuart Johnston are all better than this, and their readers deserve more.

"Many people are switching from Internet Explorer to alternative browsers such as Firefox and Safari. Though that might make them feel more secure, the shift has also opened new doors for bad guys."

More users may make a particular program a more inviting attack target for the bad guys, but in the case of Mozilla's Firefox, more users and our open and responsive process also make it a more inviting research target for the good guys. Yep, there are good guy hackers too, and it's those good guys working in concert with Mozilla developers that are finding and fixing the vast majority of Firefox security issues.

So, in the case of Mozilla's Firefox, more users may actually be helping to shut the door on bad guys, rather than, as Mr. Johnston claims, opening new doors for them.

"Case in point: We have no IE bugs to report this month, but both Firefox and Safari have been hit hard."

If by "hit hard" the article means to communicate something like "this month security researchers and developers contributing to Mozilla's open source Firefox project have found and deployed fixes for several new potential vulnerabilities, shoring up Firefox's defense against malicious hackers and denying them new attack vectors," then sure, Firefox was "hit hard."

Unfortunately, I don't think that's what the article was implying.

"So forget the idea that just because you've switched to a new browser, you're magically safer."

There's no magic here at all. Firefox has a long track record of being more secure by design, more responsive to security issues, and less often targeted by bad guys than I.E. Taken together, those factors really do mean that because you've switched from I.E. to Firefox, you are safer -- no "magically" about it.

"You may be for a time, but to stay safe with any software, you need to keep current with fixes."

And here we have the only line in this entire article that could conceivably help users. Unfortunately, it's not in a context where it's likely to be taken that way.

This is one more area where just a bit more research would have resulted in an entirely different article or no article at all -- depending on the author's motivations.

With Firefox, users don't have to worry nearly as much about keeping current with fixes as they do with other browsers, I.E. in particular.

Firefox has the best record in the industry, not just for finding and fixing issues quicker, but for getting those fixes in the hands of users faster.

Thanks to Firefox's well designed update mechanism, 95% or more of our users are automatically updated to the latest secure version in less than a week.

That kind of information could have provided the context to make that one informative point actually useful to readers.

"In a somewhat dubious recognition of Firefox's growing popularity, hackers have focused their attention on it, leading to a rash of newly discovered holes."

If by "hackers" the article is referring to Mozilla developers and ethical security researchers who work together to keep Firefox users safe, then sure, "hackers focused their attention on Firefox."

If, however, as it appears from the overall tone of the article, it means to suggest that Firefox users should be alarmed and worried that bad guys have discovered a bunch of new Firefox holes and users are in great danger, then no, not so much.

"In an actual attack--neither the Safari nor the Firefox bugs have elicited one so far--a bad guy could take over your PC or steal your navigation history."

In an actual attack, Firefox users would be protected because the vulnerabilities were discovered and fixed by the good guys and rapidly deployed to virtually all Firefox users weeks before Mr. Johnston's article hit the Web.

With this paragraph, we also finally get the buried lede and the admission that should have killed this entire story. Bad guys are not attacking Firefox (nor, apparently, Safari), and all of the FUD from the previous four paragraphs falls apart by the author's own admission.

A month ago, with the help of some amazing security researchers, Mozilla found and fixed half a dozen problems and deployed those fixes to pretty much every Firefox user out there. In the time between those discoveries and the appearance of Mr. Johnston's article, there have been no reports of any of those flaws being used to attempt attacks against Firefox users -- attacks that would fail thanks to the Mozilla developers and the security researchers that Mr. Johnston calls "bad guys" and "hackers."

What a waste and what a shame for those people who, having read this article, are now more alarmed and less informed about security than they were before.

Security is a complex area and it takes real effort to learn about all of the factors that interact in determining security outcomes. It simply doesn't lend itself to quick bean counting analysis or casual headline-skimming research.

It's also a critically important topic because a fundamental necessity of a safer Internet is that users have a clear understanding of how it actually works.

Security-related articles and headlines constructed with oversimplifications, fear-mongering, and outright misrepresentations not only don't inform readers, they actually slow the progress to a more secure Internet.

Paul Kim, the architect of Mozilla's global marketing and PR program, explains the foundations of the upcoming Firefox 3 launch.

Best part? Yeah, the parties!

Actually, I shouldn't risk trivializing it. There's just an amazing amount of work that goes into a product launch of this scale. It's really so much more than anyone imagines it to be and there's always so much more that we could do with more community participation.

So head over to Paul's blog, read up on what's in the pipe, and then find a way to get involved. We're going to fly past the 200 million users mark this year and Firefox 3 is gonna be the vehicle. Climb aboard!

mozilla links facelifted

| 2 Comments

One of my very favorite sources for Mozilla news and reviews, MozillaLinks, just got a facelift and it looks great.

Keep up the awesome work, Percy!

more awesomer all the time

The AwesomeBar keeps getting awesomer all the time.

time to deploy matters

| 15 Comments

Here's another great example of why it's not only really important to identify, diagnose, and fix security issues quickly, but equally important to get those fixes into the hands of users quickly.

I predict that if it's not already the case today, that it will soon be the case that unpatched holes in mainstream browsers (where a fix does exist but isn't installed) will be responsible for more real-world security problems than holes that remain unfixed.

The number of browsers out there has gotten to be so huge that you don't need to exploit a large percentage of them to do real damage. With about a billion IE installs out there, and probably a similar number of Flash plug-in installs, you only need a few percent that haven't yet updated to compromise a whole lot of machines.

Even worse, the time it takes to develop an attack for a patched flaw is approaching zero much faster than Microsoft's or Adobe's time to deploy is.

This is an area where Firefox really excels. Our update mechanism can move the majority of Firefox users from an insecure version to the new secured version in just a few days. At last measure, I calculated that it took us just 5 days to get over 90% of our users updated.

While that's pretty amazing for updating hundreds of millions of users, I think that we're going to have to find ways to make it even more efficient. Right now, for example, the update check only happens when Firefox is active and it only happens once per day. Those might need to change if we're going to make dramatic improvements on the already fast turnover.

A couple of days ago, while looking at the WebWare 100 winners, I noticed that the editor called out Maxthon for sort of cheating: they were driving traffic to the voting by incorporating a pop-up advertising the contest right in the Maxthon browser. Today there's a post up at the Maxthon blog bragging about how effective it was.

That got me thinking about what would have happened if Mozilla used that kind of tactic. Can you imagine the hardware meltdown at c|net that would have resulted from 170 million Firefox users all being directed to hit their WebWare voting site?

I don't really know much about internet loads, but I've seen pretty decent sites get taken down by the digg or slashdot effect which probably only amounts to hundreds, maybe a thousand hits per minute? Now, c|net's not some shared hosting $10/mo solution, but what happens when it's tens of thousands or hundreds of thousands of hits per minute?

Then again, that's all hypothetical for a couple of reasons. First, we wouldn't get in our users' faces like that for anything less than a critical security update (where we do actually throw a pop-up advertising the availability of the update). Rallying the community that opts in to visiting Spread Firefox is completely reasonable. Interrupting 170 million Firefox users for a web poll is not. Second, I think most people would consider that cheating and I think we'd mostly all agree.

What do you think? Should Firefox win online polls at all costs ;-)

(Just kidding. I don't actually expect an answer there.)

Finally, while I think it's cool that Firefox got enough votes to be listed as a top 100 application (and apparently registered in the top total 10 vote-getters), does it really say anything interesting when pretty much all of the browsers made it into the same top 100? It's pretty awesome that c|net was able to get nearly 2 million people to vote and to narrow down from many thousands of apps and sites to 100, but without some kind of public ranking within that 100 or at least within the various categories, it doesn't really inform people as much as it lets all the top players claim "winning" status.

it's saved me many times too

I've linked to several great blog posts on Firefox 3 features lately, but there's one piece of an older feature that doesn't get enough credit. I got a reminder this morning when Firefox crashed (a Flash bug that may have just been fixed) while I was composing a rather long webmail message, and just this evening read this blog post.

If you haven't needed to experience Firefox's crash recovery because you're never crashing, great. If you have, though, it sure is nice that it saves your work.

clear list button returns

| 39 Comments

Wow.

About half a dozen vocal advocates of the Firefox 2 status quo, out of a pool of more than 3 million people using the improved feature in Firefox 3 betas, managed to stall a pretty cool step forward for how the Download Manager presents its much improved value to users. Maybe we can make that progress in 3.next.

Reminds me of some of the dysfunction of pre-Firefox days.

Bonus points to the several seriously f'n rude commenters in the bug. You do us all so proud. (And, to continue the sarcasm, it's great to see that our Bugzilla etiquette guidelines are being so well enforced.

It's a good thing for several of those folks that I'm not living in Bugzilla any more or they'd have been zeroed out of the system pretty f'n fast.)

Somewhat related, I'm sure glad the AwesomeBar and the bulk of places survived their time in Bugzilla. It's sobering to be reminded by what a thin thread feature progress actually hangs.

Hot off the success of her recent AwesomeBar is awesome post, Deb's got even more reason to love (or anticipate) Firefox 3.

I won't spoil it with any of my own commentary this time. Just head over to dria.org and read her latest post, Firefox 3 Bookmarks (My god, it’s full of stars…).

OK. I can't not say something :-) . I'll keep it short.

It would be an understatement to say that, like Deb, I've never been a big fan of traditional browser bookmarks. To be more blunt, I've always hated them. They fail in just about every way at helping me accomplish what I want to accomplish -- quickly and easily getting back to a page I've visited before.

With the exception of a few bookmarks on my bookmarks toolbar and a couple others called up by their typed shortcut (bookmark keyword,) I just stopped using bookmarks. If it didn't fit in my toolbar or the limited space I have in the part of my brain that stores shortcut names, I just didn't save it. I found it more convenient to keep a super-long browsing history and just search through there when I wanted to return to any of the sites that didn't fit in those two very finite spaces.

That was before Firefox 3.

Thanks to all the great new features that Deb describes, now I'm bookmarking the hell out of the Web and I'm never more than a couple of clicks or keystrokes away from all the content I want to revisit.

Deanna and I are about to move into the 20th 21st century and purchase our first flat-panel television.

We're looking for something in the 36" or greater and less than 50" (since it's going to be for our bedroom and not our still-unplanned "home theater"), and we're more concerned about cable television watching (through TiVo) -- a mix of standard and HD programming -- than we are about movies and boxed sets on disk (presumably that's all going to Blu-ray where 1080p makes a big difference?)

I think the format of the programming and the size of the screen we're interested in means that we shouldn't care too much about full 1080p and that 1080i (720p) would be just fine. I think that combination also means that we don't need the most expansive set of inputs either.

What we do care about is picture quality and decent built-in sound. From what I've read, the screen size we're looking for is right at the overlap where LCD and Plasma are competitive price-wise and so we can focus on the desired set of features rather than the cost.

What I'm hoping some of you all can help with are some recommendations for specific models, your experience with LCD or Plasma flat-panels, or any suggestions of where we should look first in terms of honest reviews and comparisons.

Thanks in advance.

infoworld sees firefox users, a lot

Despite IE's near omnipresence we still find Firefox running on nearly half (47%) of the systems sampled. This would seem to bolster our above theory about ancillary IE use: Chances are, if you're running Firefox, it's because you chose to do so and simply prefer it to IE. Within our small community, at least, Firefox is sporting "market" share that's better than half of IE's on the same sample group.


new mozilla.com website coming

| 1 Comment

The new www.mozilla.com website design is coming along really nicely and we're starting to look for a broader beta testing audience. If you'd like to get a sneak peek and help us out with some feedback and bug reporting, head over to John Slater's blog and sign up.

almost at 50

Will you be the 50th follower of my never-been-used Twitter account?

Someone's gonna be it, might as well be you :-) And who knows, maybe one day I'll post something there and you'll know before everyone else. Well, before the world minus fifty.

missed my anniversary. drat.

| 2 Comments

Well, there's no reason I can't celebrate a bit late.

This blog turned 6 years old one week ago. I didn't even notice until I was responding to a comment in an earlier post that prompted me to count up my posts.

Under the roof of a gracious host for most of those six years, MozillaZine, I've made 2,700+ posts and typed 504,000+ words (though many of them links and other markup, so the real "word" total is almost exactly 100,000 words fewer than that.)

That's a lot of typing.

I haven't kept consistent categorization but by a rough count, 1200 were un-tagged, (mostly Mozilla related stuff,) 1360 were categorized under "Internet Technology," (also, mostly Mozilla stuff,) 77 were from the "Space and Astronomy" category, 76 were tagged as "Personal" and 7 were labeled "Nature and Photography".

That's a lot of typing about computer software.

Maybe it's time I start thinking about writing a book.

Deb's posted on one of the features that alone would make Firefox 3 a major upgrade from Firefox 2. We've affectionately been calling it the Awesome Bar -- not because that name's great branding but because it really is just awesome.

"In Firefox 3, however, the staid and plain URL bar has been transformed into a much, much more powerful and useful tool. Dubbed the "AwesomeBar", it lets you use the URL field of your browser to do a keyword search of your history and bookmarks."

Head over to dria.org and read her awesome post, AwesomeBar is awesome.

never have a logo contest

| 12 Comments

Design competitions for t-shirts or stickers are one thing. Holding a contest for your organization's logo or primary visual identity is just an awful idea. Proof.

good for apple, now go further

| 135 Comments

It appears that the latest update from Apple for the Apple Software Update service (v2.1) has made an important, though not sufficient, improvement. Now the updater has discrete sections for "Updates" and "New Software".


This is a good first step. Now Apple needs to stop checking the box for "New Software" items by default. With that change, I think I'd be pretty happy to let the Apple Software Update service back on my Windows machine.

update: Looks like others agree.
  • InformationWeek » Apple Ends Stealth Safari Installs Via Software Update For Windows
  • GameShout » After the sneaky way that Apple slipped its software...
  • PC World » Stop QuickTime Nagging About Safari
  • U.S.News and World Report » Apple Still Pestering Us About Safari
  • Marketing Pilgrim » Does Mozilla Control Apple’s Reputation?
  • Compiler from Wired.com » Apple Backs Off Slightly on Aggressive Software Update Tactics
  • Computer World » Apple makes minor concession on pushing Safari to Windows users
  • PC Pro News » Apple alters updater following Safari protest
  • Today @ PC World » Apple Bows to PC Users' Concerns Over Safari Update
  • Macworld » Apple alters Windows software update tool
  • Ars Technica » Apple updates Software Update for Windows, Safari optional
  • The Unofficial Apple Weblog (TUAW) » Apple changes Software Update GUI for Windows
  • Channel Register » Apple gets (slightly) less sneaky with Windows Safari play
  • AppleInsider » Apple tweaks Software Update for Windows following uproar
  • Techwhack » Apple updates Apple Software Update to support new software installation
  • ZDNet.com's Hardware 2.0 » Apple tweaks Software Updater following criticism
  • CNET News.com's Tech news blog » After complaints, Apple tweaks Software Update for Safari
  • Ryan Naraine's Security Watch » After Criticism, Apple Software Updater Gets UI Makeover

wanna build a xul application?

If you're considering building a XUL application, do have a look at this post and the articles linked from it.

new post at for the record

I've just posted another For the Record, this time on better browser security metrics.

twitter amusement

| 10 Comments

Wow. I have 32 people following me on Twitter.

I know that's nothing compared to the big guys. But there's an amusing (I think it's amusing) difference. In the months since I created the account I haven't made a single entry, yet, every couple of days a new follower.

the wide open spaces

| 15 Comments

For all you eager Firefox 3 beta 5 testers that bailed because you just couldn't deal with the flashing banners, skyscrapers, and billboards, your prayers have been answered.

Adblock Plus 0.7.5.4 released

As Mark Finkle says so well, disabling add-ons compatibility checks does not magically make your extensions compatible.

Disabling this check for anything other than participating in add-ons testing and development is not a good thing. You risk your browser stability, and potentially your computer's security. Just don't do it.

If you're not an add-on developer or tester and you can't use Firefox without your favorite extensions, just wait it out for a few more weeks until we can get the final release out. It's not worth the instability and other very real problems that do result from truly incompatible extensions.

Thanks for your patience.

pushy

| 9 Comments

Could Apple's pushy updater cost them iTunes users? Seems possible.

what's up at labs?

are you an extension developer?

| 1 Comment

If you're a Firefox extension developer looking for an extremely cool project with far-reaching positive consequences for the whole world, I'd encourage you to look into helping out with this project.

finally, a great april fools

| 1 Comment

Over the last few days I've read at least a dozen blog posts and tweets from people who are confused by one of the changes at AMO.

No, Mozilla has not switched from anonymous add-on installation to requiring a login.

What's new is that we now expose sandboxed (not ready for prime-time) add-ons in search results along with fully released add-ons.

The experimental, sandboxed add-ons have always required a login. There's no change here regarding when a login is required. We're just making the sandboxed extensions more visible.

Regular users do not need an AMO login to install release version, Firefox compatible extensions.