futtta's blog

You probably read that  Steve Jobs officially declared Flash a stability nightmare and that Adobe’s CEO responded that OS X is to blame. Hard to take sides in this blame-game, especially without access to Apple’s crash reports data. We do, however, have access to Mozilla’s crash-stats.mozilla.com. Could those figures provide us with at least some relevant statistics about Flash’s reliability?

I imported this csv-file with the top 300 crashers for Firefox 3.6.3 for the last 50 days (3.6.3 was released on April 1th) into a Google Docs spreadsheet and counted the number of crashes for each line where “Flash” or “NPSWF32″ is in the signature (SUMIF without wildcard characters, seriously Google!?). You can find the spreadsheet here, but these are the results:

That’s right; almost 1/3 of the Firefox 3.6.3 “top crashers” are clearly related to Flash! So yes, there is good reason to consider plugins in general and Flash in particular a stability risk for Firefox. And for the record, the numbers for Mac seem to indicate that the problem is even (much) worse there! So hurray for Firefox 3.6.4 with Out of Process Plugins! And hey Adobe, get your Flash together!

A couple of days ago I installed Lorentz, a beta version of Firefox. Lorentz is virtually identical to Firefox 3.6.3, except that it incorporates part of the work of the Electrolysis team. Their “Out-of-process plugins”-code lets Firefox-plugins (on Windows & Linux, they’re still working on Mac OSX according to the release notes) run in a separate process from the browser, meaning Flash (but also Silverlight or Quicktime) can’t crash Firefox any more.

This feature actually is long overdue, a substantial amount of Firefox crashes are indeed caused by Flash failing and Mozilla’s competitors (MS IE, Apple Safari and Google Chrome) already have similar (or even more exhaustive) crash-protection.

Once you’ve installed Lorentz (or Chrome or IE8 or Safari off course) you can safely visit http://flashcrash.dempsky.org/, which exploits a bug that was reported 19 months ago and which may still cause the most recent Flash-version (10.0.45.2) to crash. And if flashcrash doesn’t bring up the plugin-crash-dialog, you can always kill the “mozilla-runtime” process that hosts the plugins, just for kicks!

Microsoft IE8 introduced it, Apple Safari4 has it, Google Chrome4 does it and now somewhere in the not too distant future, Firefox will ship it too; support for X-FRAME-OPTIONS.

X-cuse-me? Well, X-FRAME-OPTIONS is the HTTP response header that broke Google Talk chat badge a few months ago, remember? It allows you to specify whether your site or page can be (i)framed or not, by setting it to “DENY” (not allowed to be framed) or “SAMEORIGIN” (allowed if the framing site is on the exact same domain). The most important reason for this functionality is as a prevention-mechanism for “clickjacking” (a.k.a. UI redressing), a type of web attack that tries to trick victims into clicking a framed site by hiding it behind another innocent element.

So now that feature is finally coming to Firefox as well; Mozilla’s Brendan Sterne, one of the driving forces behind Mozilla’s much broader content security policy, grabbed the bug by the balls and came up with a first patch. If all goes well, this would be an ideal candidate to get pushed out with a minor version update as per the new release process, no?

Being “the computer guy” in the family might be a pain in the ass sometimes, but trying to help out users that are not tech savvy can be very revealing. Yesterday my father-in-law asked me to take a look at his computer, there was something about the browser that was not right. Turned out he let Google lure him into downloading Chrome and making it the default browser. What bothered him most about Chrome was the lack of menu’s (file|edit|…|help), while a lot of the us (the in-crowd) consider the minimal use of chrome a plus. Usability is not only about clean, simple UI’s, but also about not breaking novice users’ expectations of how your application looks and behaves.

Anyway, I showed him IE8 and Firefox 3.5 (both were installed as well) and he recognized Firefox as the browser he was most familiar with. So I uninstalled Chrome, hid IE8, upgraded him to FF 3.6 and also installed the “Vacuum Places improved” and NoScript add-ons.

“Vacuum Places improved” cleans up the places sqlite database where Firefox stores bookmarks and history and which can become very big over time.  When tweaking the options (“hide icon” and “auto-vacuum every 20 browser starts”) it was a great way to invisibly tune browser performance, but it turns out Firefox 3.6 vacuums places.sqlite automatically (when  idle, every 1 to 2 months). So Pierre, if you ever read this; remind me to uninstall “Vacuum Places improved” next time!

NoScript is a whole other beast; it is a add-on for the security-conscious tech-head, which by default disables javascript, flash, java, … It’s a great add-on, but it is very disruptive and as such totally unfit for novice users. Unless you change the configuration off course, because modifying these options makes NoScript a must-have addon for both you and your grandma;

• General: check “Scripts Globally Allowed (dangerous)”
• Embeddings: uncheck the 8 “Forbid” options, check both “untrusted” and “trusted” for Clearclick protection
• Appearance: uncheck “Status bar icon”, “Status bar label” and “Contextual menu”
• Advanced/XSS: check “Sanitize cross-site suspicious requests”

Although the first option specifically claims it is dangerous to do so, these changes render NoScript into an add-on that provides a lot of extra security (protecting against clickjacking, cross-site scripting and implementing support for x-frame-options and Strict Transport Security) without bothering users with new UI-elements containing incomprehensible questions, messages or options.

Because web security is not only about protecting against threats, but also about not breaking novice users’ expectations of how your secured browser (and the web) looks and behaves.

With a notoriously bad reputation for security (or the lack thereof) in Internet Explorer, Microsoft claims to have invested a lot in IE8 security in general and specifically in browser enforced website security. Indeed, according to the product site, IE8:

[...] helps protect you from today’s threats, including malware and phishing, as well as emerging threats that can compromise your computer without your knowledge. Other browsers either don’t offer you this level of protection or require you to download and configure third-party add-ons to get it, but with Internet Explorer 8 you get it right out of the box, and turned on by default.

And in August Microsoft proudly pointed to results of a (MS commissioned) study by NSSLabs, which stated that IE8 blocked 81% of malware download attempts vs. 27% for FF3 (and even less for other browsers) and 83% of phishing attacks vs. 80% for FF3 (and 54% for Opera 10 and less for Chrome and Safari).

So there you have it, IE8 is the safest browser around, no? Well, that would be jumping to conclusions; IE8 still has it’s fair share of browser security issues (but don’t they all) and the dreaded security-hole called ActiveX is still supported as well. Let’s just focus at how IE8 tries to protect you from malicious websites and compare that functionality with what the competition has to offer.

Smartscreen Filter

Smartscreen filter is the name for the Microsoft technology that uses an “in-the-cloud reputation database” which is contacted by the browser to assess the trustworthiness of a URL. Using that information, access to dangerous sites and downloads of malware can be blocked. The system is very similar to Google Safe Browsing that is implemented in Firefox, Chrome and Safari, but Smartscreen seems to be better in stopping malware from being downloaded. On the other hand the 2nd NSSlabs-study deemed both as effective when it comes to blocking access to phishing sites. Based on these (MS sponsored) results one could conclude that IE8 might have an advantage over the competition, but I for one would be very interested in an updated version of these tests with cooperation from the other browser-makers.

XSS-filter

IE8′s XSS-filter offers protection against type1 cross-site scripting attacks. Although it offers no protection against (less common) type0 and type2 xss-attacks, the mere fact that IE8 does offer out of the box XSS-protection is a big thing. Except … except apperantly there’s a serious bug in IE8′s XSS-filter, that can be abused to do cross-site scripting. Microsoft has not yet confirmed or fixed the bug,  leading some sites (e.g. Google) to disable the XSS-filter by adding “X-XSS-Protection: 0” to the http response header. Now isn’t that ironic?

Clickjacking defense

Microsoft also included clickjacking defense in IE8, by letting website owners define whether or not their pages are allowed to be included in (i)frames. This can be done by simply adding “x-frame-options” to the http response header with values “deny” to deny a page from being shown in any frame and “sameorigin” to limit framing to pages from the same domain. x-frame-options however does not protect against clickjacking with flash or other embeds.

But where’s the competition?

So what’s available in Firefox, Chrome and Safari apart from the Google Safe Browsing implementation? Nothing much up until now, I’m afraid …

At Mozilla smart guys are working on “Content security policy“. CSP is a declarative server-driven anti-XSS framework, with policies being pushed through HTTP headers. Although the policy may require non-trivial website changes because inline scripts will be disallowed by default, it certainly has potential (to the extend Microsoft is said to be interested). But CSP is not there yet, now is it?

Over at Google, engineers are including (type1) XSS-protection and support for the Strict Transport Security spec (forcing a browser to load a site only over HTTPS by issuing an http response header) in the dev-channel builds of Chrome 4. As some may have noticed while looking for Google Talk’s chatback badge last week, x-frame-options (as anti-clickjacking measure) has already been implemented in Safari4 and Chrome3 as well. So especially Google is trying to make some serious progress, but Chrome 4 can hardly be considered granny-ready, can it?

That leaves us Firefox with the NoScript extension, but I’ll come back to that combination in a minute.

IE8 the safest browser?

OK, this might hurt, but let’s give credit where credit is due; IE8 indeed seems to offer the best out of the box protection against malicious websites. It is the only browser to come with good phishing- and malware-blocking (Smartscreen) combined with (limited and currently broken) protection against some types of XSS and clickjacking-attacks. So thank you Redmond for setting the example!

The only alternative: Firefox + NoScript

Firefox does not offer the out of the box protection IE8 does, but when combined with the NoScript extension, it really is the only readily available alternative (Lynx not withstanding). NoScript offers superior protection against XSS, clickjacking and a host of other threats.

Even if you’re only vaguely security-conscious, installing Firefox and NoScript should really be your first choice. Depending on the level of protection you want, you can use the default but disruptive whitelist configuration (which blocks all javascript and flash) or switch to the less secure “Allow scripts globally” mode. But whatever configuration you choose, anti-XSS and clickjacking protection are always enabled.

It really is beyond me why NoScript’s Clearclick and anti-xss aren’t in Firefox by default, especially since they seem complementary to CSP, as they’re barely disruptive for a novice user and (last but not least) as Mozilla could easily one-up Microsoft this way? Anyone?

In this brief HOWTO I will describe the procedure to crash Firefox using the great FoxyProxy add-on.

1. Check if your employer mandates the use of a filtering proxy for web-access
2. Find a way to circumvent that proxy, regaining full-internet access
3. Breach corporate IT-guidelines by installing Firefox
4. Install FoxyProxy, add both proxies and enable “AutoAdd” (make sure to ignore the vague warning about “significant delays” in page loading times) to automatically use the alternative proxy for forbidden pages
5. Open a new tab, go to gmail.com and wait for Firefox to freeze completely (if your browser complains that some script is taking too long to finish, just click on “continue”)

(Disclaimer: I provide no guarantees that this will actually work, I never watch porn and I take no responsibility if your browser does (not) crash)

HTML5′s WebDB is one of the building blocks to create offline-enabled webapps. It allows web applications to store data in a local database and it is as such an important part in Google’s push for mobile webapps as an alternative for native mobile apps. The spec (although not finalized) is already implemented in Safari, Safari Mobile and in the Android 2.0 browser.

So WebDB will take the world by storm, won’t it? Well, pretend you didn’t read the title of this post and let’s look at some excerpts of the meeting minutes of the W3 Web Applications Working Group Teleconference of 02 Nov 2009 for more info on the state of WebDB. Charles McCathieNevile (Opera) had some good news to share:

At opera, we implemented web db [...] it’s likely we will [ship it] as people have built on it

and Google’s Ian Fette joined in:

We’ve implemented WebDB … we’re about to ship it

So that’s great news, no? We can expect WebDB to arrive in Chrome and Opera! OK, so what about Firefox and MSIE? Microsoft, represented by Adrian Bateman, stated:

We don’t think we’ll reasonably be able to ship an interoperable version of WebDB

Well, that doesn’t really come as a surprise does it? No WebDB in MSIE, but surely Mozilla will support this great spec? But Jonas Sicking’s point of view might be slightly shocking to some:

We’ve talked to a lot of developers, the feedback we got is that we really don’t want SQL [...] I don’t think mozilla plans to ship it.

Sorry, come again? Does that mean that Firefox will never support window.openDatabase()? Nope, they probably won’t and they provide some valid concerns (see also Vladimir Vukićević’s blogpost) in a mailinglist-discussion between Mozilla and Apple-engineers shortly after the meeting minutes were published. Summarized and simplified their objections boil down to two issues;

• in order to have a webdb standard, you also have to specify (and standardize) the SQL-language to query that database, the question is what SQL-dialect to standardize on.
• as the current implementations are all SQLite-based (including Google’s and Opera’s), the spec would have to describe the very specific SQL-dialect that SQLite uses (and maybe even of a specific version of SQLite)

Although I doubt that web-developers don’t want to do client-side SQL at all, writing a spec that almost mandates the use of a specific version of a specific product (even if it’s open source) can indeed be hardly considered the goal of w3.org’s standards creation process.

So back to the drawing-board for yet another spec? Based on the webapp group’s meeting minutes, Web SimpleDB (or  “Nikunj”, after the name of the Oracle-engineer behind the idea) is considered a worthy alternative by at least Mozilla, Opera and Microsoft. Let’s hope that a consensus, a finalized spec (it’s in draft now) and the first usable cross-browser implementations will arrive soon.