Friday, November 20, 2009

update on HTTPS security

Version 2.0 of my Force-TLS add-on for Firefox was released by the AMO editors on Tuesday, and in incorporates a few important changes: It supports the Strict-Transport-Security header introduced by PayPal, and also has an improved UI that lets you add/remove sites from the forced list. For more information see my Force-TLS web site.

On a similar topic, I've been working to actually implement Strict-Transport-Security in Firefox. The core functionality is in there, and if you want to play with some demo builds, grab a custom built Firefox and play. These builds don't yet enforce certificate integrity as the spec requires, but aside from that, they implement STS properly.

The built-in version performs an internal redirect to upgrade channels -- before any request hits the wire. This is an improvement over the way the HTTP protocol handler was hacked up by version 1 of Force-TLS, and doesn't suffer from any subtle bugs that may pop up due to mutating a channel's URI through an nsIContentPolicy. I'm not sure that add-ons can completely trigger the proper internal redirect, since not all of the HTTP channel code is exposed to scripts, and add-ons would need to replicate some of the functions compiled into the nsHttpChannel, opening up a possibility of obscure side-effects if the add-on gets out of sync with the binary's version of those functions.

Edit: The newest version of NoScript does channel redirecting through setting up a replacement channel in a really clever way -- pretty much the same as my patch. It replicates some of the internal-only code in nsHttpChannel, though, and it would need to get updated in NoScript if for some reason we change it in Firefox.

Labels: , , , ,

Thursday, September 17, 2009


While discussing privacy and Firefox 3.5 with Chris a couple weeks ago, we stumbled upon the thought that people might want to be able to select which bookmarks show up when they're given automatic suggestions in Firefox 3's Awesome Bar. This discussion really started with a bit of public metrics and discussion in the blogosphere.

In mid August, Ken Kovash wrote about reasons users gave for not upgrading from Firefox 2 to Firefox 3.0. The number one reason was, surprisingly, the Awesome Bar. Without going into detail, the gist was that people didn't really want certain bookmarks to show up when they start typing URLs.

Perhaps the settings weren't obvious enough, but users can set the awesome bar to search only bookmarks, only history, both, or neither (Alex Faaborg discussed it in June, in fact).

Here's the use case: Bob bookmarks a couple porn sites, then during a public presentation, he starts typing "www" in the URL bar. His porn sites show up in the suggestion list, and everyone in the audience gasps.

The work-arounds for this I see are:

  1. Use a separate browser for "private" sites.
  2. Use a separate Firefox profile for browsing "private" sites.
  3. Use Private Browsing when browsing "private" sites (but then you can't bookmark the sites).
  4. Turn off bookmarks and/or history searching for awesome bar.

But maybe this isn't good enough for everyone. Some folks might want to just hide a couple of bookmarks from the awesome bar. We need a way to make certain bookmarks "not awesome" so they won't show up.

Enter bookmark tags... you can add tags to bookmarks to find them easily. Why not tag bookmarks with "notawesome", then somehow hide those from the awesome bar search?

On a whim, I hacked together a quick addon to do this: notawesome!

lifehacker picked up on this (dunno how they found it buried in AMO), and apparently some folks find it useful.

To those 800 people using it already: thanks for trying it out, and your comments! I'll see if I can find some time to make it better. If anyone else wants to hack on it, let me know...

Labels: , , ,