Browser choice, vacuming & security for father-in-laws

Being “the computer guy” in the family might be a pain in the ass sometimes, but trying to help out users that are not tech savvy can be very revealing. Yesterday my father-in-law asked me to take a look at his computer, there was something about the browser that was not right. Turned out he let Google lure him into downloading Chrome and making it the default browser. What bothered him most about Chrome was the lack of menu’s (file|edit|…|help), while a lot of the us (the in-crowd) consider the minimal use of chrome a plus. Usability is not only about clean, simple UI’s, but also about not breaking novice users’ expectations of how your application looks and behaves.
Anyway, I showed him IE8 and Firefox 3.5 (both were installed as well) and he recognized Firefox as the browser he was most familiar with. So I uninstalled Chrome, hid IE8, upgraded him to FF 3.6 and also installed the “Vacuum Places improved” and NoScript add-ons.
Vacuum Places improved” cleans up the places sqlite database where Firefox stores bookmarks and history and which can become very big over time.  When tweaking the options (“hide icon” and “auto-vacuum every 20 browser starts”) it was a great way to invisibly tune browser performance, but it turns out Firefox 3.6 vacuums places.sqlite automatically (when  idle, every 1 to 2 months). So Pierre, if you ever read this; remind me to uninstall “Vacuum Places improved” next time! 🙂
NoScript is a whole other beast; it is a add-on for the security-conscious tech-head, which by default disables javascript, flash, java, … It’s a great add-on, but it is very disruptive and as such totally unfit for novice users. Unless you change the configuration off course, because modifying these options makes NoScript a must-have addon for both you and your grandma;

  • General: check “Scripts Globally Allowed (dangerous)”
  • Embeddings: uncheck the 8 “Forbid” options, check both “untrusted” and “trusted” for Clearclick protection
  • Appearance: uncheck “Status bar icon”, “Status bar label” and “Contextual menu”
  • Advanced/XSS: check “Sanitize cross-site suspicious requests”

Although the first option specifically claims it is dangerous to do so, these changes render NoScript into an add-on that provides a lot of extra security (protecting against clickjacking, cross-site scripting and implementing support for x-frame-options and Strict Transport Security) without bothering users with new UI-elements containing incomprehensible questions, messages or options.
Because web security is not only about protecting against threats, but also about not breaking novice users’ expectations of how your secured browser (and the web) looks and behaves.

Browser enforced web application security; IE8 safest?

microsoft internet explorer 8 logoWith a notoriously bad reputation for security (or the lack thereof) in Internet Explorer, Microsoft claims to have invested a lot in IE8 security in general and specifically in browser enforced website security. Indeed, according to the product site, IE8:

[…] helps protect you from today’s threats, including malware and phishing, as well as emerging threats that can compromise your computer without your knowledge. Other browsers either don’t offer you this level of protection or require you to download and configure third-party add-ons to get it, but with Internet Explorer 8 you get it right out of the box, and turned on by default.

And in August Microsoft proudly pointed to results of a (MS commissioned) study by NSSLabs, which stated that IE8 blocked 81% of malware download attempts vs. 27% for FF3 (and even less for other browsers) and 83% of phishing attacks vs. 80% for FF3 (and 54% for Opera 10 and less for Chrome and Safari).
So there you have it, IE8 is the safest browser around, no? Well, that would be jumping to conclusions; IE8 still has it’s fair share of browser security issues (but don’t they all) and the dreaded security-hole called ActiveX is still supported as well. Let’s just focus at how IE8 tries to protect you from malicious websites and compare that functionality with what the competition has to offer.

Smartscreen Filter

Smartscreen filter is the name for the Microsoft technology that uses an “in-the-cloud reputation database” which is contacted by the browser to assess the trustworthiness of a URL. Using that information, access to dangerous sites and downloads of malware can be blocked. The system is very similar to Google Safe Browsing that is implemented in Firefox, Chrome and Safari, but Smartscreen seems to be better in stopping malware from being downloaded. On the other hand the 2nd NSSlabs-study deemed both as effective when it comes to blocking access to phishing sites. Based on these (MS sponsored) results one could conclude that IE8 might have an advantage over the competition, but I for one would be very interested in an updated version of these tests with cooperation from the other browser-makers.


IE8’s XSS-filter offers protection against type1 cross-site scripting attacks. Although it offers no protection against (less common) type0 and type2 xss-attacks, the mere fact that IE8 does offer out of the box XSS-protection is a big thing. Except … except apperantly there’s a serious bug in IE8’s XSS-filter, that can be abused to do cross-site scripting. Microsoft has not yet confirmed or fixed the bug,  leading some sites (e.g. Google) to disable the XSS-filter by adding “X-XSS-Protection: 0” to the http response header. Now isn’t that ironic?

Clickjacking defense

Microsoft also included clickjacking defense in IE8, by letting website owners define whether or not their pages are allowed to be included in (i)frames. This can be done by simply adding “x-frame-options” to the http response header with values “deny” to deny a page from being shown in any frame and “sameorigin” to limit framing to pages from the same domain. x-frame-options however does not protect against clickjacking with flash or other embeds.

But where’s the competition?

So what’s available in Firefox, Chrome and Safari apart from the Google Safe Browsing implementation? Nothing much up until now, I’m afraid …
At Mozilla smart guys are working on “Content security policy“. CSP is a declarative server-driven anti-XSS framework, with policies being pushed through HTTP headers. Although the policy may require non-trivial website changes because inline scripts will be disallowed by default, it certainly has potential (to the extend Microsoft is said to be interested). But CSP is not there yet, now is it?
Over at Google, engineers are including (type1) XSS-protection and support for the Strict Transport Security spec (forcing a browser to load a site only over HTTPS by issuing an http response header) in the dev-channel builds of Chrome 4. As some may have noticed while looking for Google Talk’s chatback badge last week, x-frame-options (as anti-clickjacking measure) has already been implemented in Safari4 and Chrome3 as well. So especially Google is trying to make some serious progress, but Chrome 4 can hardly be considered granny-ready, can it?
That leaves us Firefox with the NoScript extension, but I’ll come back to that combination in a minute.

IE8 the safest browser?

OK, this might hurt, but let’s give credit where credit is due; IE8 indeed seems to offer the best out of the box protection against malicious websites. It is the only browser to come with good phishing- and malware-blocking (Smartscreen) combined with (limited and currently broken) protection against some types of XSS and clickjacking-attacks. So thank you Redmond for setting the example!

The only alternative: Firefox + NoScript

Firefox does not offer the out of the box protection IE8 does, but when combined with the NoScript extension, it really is the only readily available alternative (Lynx not withstanding). NoScript offers superior protection against XSS, clickjacking and a host of other threats.
Even if you’re only vaguely security-conscious, installing Firefox and NoScript should really be your first choice. Depending on the level of protection you want, you can use the default but disruptive whitelist configuration (which blocks all javascript and flash) or switch to the less secure “Allow scripts globally” mode. But whatever configuration you choose, anti-XSS and clickjacking protection are always enabled.
It really is beyond me why NoScript’s Clearclick and anti-xss aren’t in Firefox by default, especially since they seem complementary to CSP, as they’re barely disruptive for a novice user and (last but not least) as Mozilla could easily one-up Microsoft this way? Anyone?

How to crash Firefox with FoxyProxy

FoxyProxy LogoIn this brief HOWTO I will describe the procedure to crash Firefox using the great FoxyProxy add-on.

  1. Check if your employer mandates the use of a filtering proxy for web-access
  2. Find a way to circumvent that proxy, regaining full-internet access
  3. Breach corporate IT-guidelines by installing Firefox
  4. Install FoxyProxy, add both proxies and enable “AutoAdd” (make sure to ignore the vague warning about “significant delays” in page loading times) to automatically use the alternative proxy for forbidden pages
  5. Open a new tab, go to and wait for Firefox to freeze completely (if your browser complains that some script is taking too long to finish, just click on “continue”)

(Disclaimer: I provide no guarantees that this will actually work, I never watch porn and I take no responsibility if your browser does (not) crash)

Chrome, Opera to support html5 webdb, FF & IE won’t

HTML5’s WebDB is one of the building blocks to create offline-enabled webapps. It allows web applications to store data in a local database and it is as such an important part in Google’s push for mobile webapps as an alternative for native mobile apps. The spec (although not finalized) is already implemented in Safari, Safari Mobile and in the Android 2.0 browser.
So WebDB will take the world by storm, won’t it? Well, pretend you didn’t read the title of this post and let’s look at some excerpts of the meeting minutes of the W3 Web Applications Working Group Teleconference of 02 Nov 2009 for more info on the state of WebDB. Charles McCathieNevile (Opera) had some good news to share:

At opera, we implemented web db […] it’s likely we will [ship it] as people have built on it

and Google’s Ian Fette joined in:

We’ve implemented WebDB … we’re about to ship it

So that’s great news, no? We can expect WebDB to arrive in Chrome and Opera! OK, so what about Firefox and MSIE? Microsoft, represented by Adrian Bateman, stated:

We don’t think we’ll reasonably be able to ship an interoperable version of WebDB

Well, that doesn’t really come as a surprise does it? No WebDB in MSIE, but surely Mozilla will support this great spec? But Jonas Sicking’s point of view might be slightly shocking to some:

We’ve talked to a lot of developers, the feedback we got is that we really don’t want SQL […] I don’t think mozilla plans to ship it.

Sorry, come again? Does that mean that Firefox will never support window.openDatabase()? Nope, they probably won’t and they provide some valid concerns (see also Vladimir Vukićević’s blogpost) in a mailinglist-discussion between Mozilla and Apple-engineers shortly after the meeting minutes were published. Summarized and simplified their objections boil down to two issues;

  • in order to have a webdb standard, you also have to specify (and standardize) the SQL-language to query that database, the question is what SQL-dialect to standardize on.
  • as the current implementations are all SQLite-based (including Google’s and Opera’s), the spec would have to describe the very specific SQL-dialect that SQLite uses (and maybe even of a specific version of SQLite)

Although I doubt that web-developers don’t want to do client-side SQL at all, writing a spec that almost mandates the use of a specific version of a specific product (even if it’s open source) can indeed be hardly considered the goal of’s standards creation process.
So back to the drawing-board for yet another spec? Based on the webapp group’s meeting minutes, Web SimpleDB (or  “Nikunj”, after the name of the Oracle-engineer behind the idea) is considered a worthy alternative by at least Mozilla, Opera and Microsoft. Let’s hope that a consensus, a finalized spec (it’s in draft now) and the first usable cross-browser implementations will arrive soon.

HTML5 offline webapps vs Google Gears Localserver

Google Gears is a fantastic browser plugin; it allows a developer to create applications that run while offline, syncing with a server when online. Two great examples of the power of that mechanism are Gmail (both the “desktop browser” and the mobile Android-version) and Mindmeister (only while in trial, for paying Mindmeister-accounts after that period). The problem with Gears however is that it’s a plugin and not a lot of people have it installed: only Chrome-users have it by default. And that’s where HTML5 comes in; one of the areas where the new spec offers vast improvements over html4/xhtml is the ability to take webapps offline by allowing a developer to store files for offline usage and to write data to a local, browser-embedded database. Both Safari 4 and Firefox 3.5 support these features, so maybe HTML5 makes Gears already redundant in those browsers with more to come?
I haven’t gotten around to experimenting with offline databases yet, but I did already look into offline files. At first sight, Gears Localserver and HTML5 Offline Webapps indeed seem very similar; your html-page points to a manifest-file which contains a list of assets (pages, images, css, js, …) that the browser has to store for offline usage. Easy enough, no?
To get a better feel of how offlining in HTML5 works, I decided to try to write a simple WordPress plugin to replace its ‘Gears Turbo’-option. Turbo (which you can find in the Options-menu) essentially stores 1Mb of files locally, to speed up delivery of the WP-admin pages. To make a long story short; my plugin didn’t work. For starters, by default requests for non-local data are blocked, but it’s easy enough to unblock network access by adding “NETWORK:*” (with a newline before the wildcard) to the manifest. But more fundamentally; HTML5 Offline Webapps not only stores the files specified in the manifest-file, but also every html-page which points to the manifest (see my test here). There’s no way you can exclude those “master entries” from being stored. So if pages are stored, that means they have to be static and that all dynamic parts should be handled by javascript (fetching data using ajax and updating your page with it). And that, my friends, is clearly not a use-case that is applicable to WordPress admin-pages.
So HTML5 Offline Webapps is no drop-in solution to speed up delivery of dynamic pages, you’ll still need Gears to take care of that (or rely on old-fashioned carefully configured expiry- and cache-headers). But, as Google proves with the iPhone-version of Gmail, Offline Webapps combined with a HTML5 offline database can work miracles if you use it the correct way.

Mozilla rethinking extensions with Jetpack

Show me a ‘Mozilla Labs’ page on Facebook and I’ll click on that ‘Become a fan’-button immediately. ‘Labs‘ is where new and often exciting browser-functionality is being prototyped (think Prism, Weave, Ubiquity, About:tab, Personas), and where the everyone can get involved in the process. How great is that?
Last week the omnipresent Aza Raskin introduced ‘Jetpack‘ to the community. To summarize; Jetpack aims to simplify extension development by requiring only html, css and -off course- javascript, with a simple API, jQuery and Firebug-integration built in. Publishing your Jetpack is as easy as referencing it in a link on a webpage and installing it is very straightforward as well as it requires no browser restart (and as a bonus Firefox upgrades won’t break Jetpack-extensions either).
Aza’s demo on Vimeo is a great introduction:
(This embedded video can be watched on
It’s still early days and some important features are not implemented yet (e.g. persistent storage, access to the browser’s chrome beyond notifications and the status bar, ajax when behind a proxy), so as far as I’m concerned Jetpack doesn’t outdo Greasemonkey just yet, but looking at the draft specs and at some of the functionality that they would like to introduce in the next milestone, Jetpack could indeed bring browser extensions to a whole new level.
But don’t take my word for it, just install the Jetpack extension and see for yourself.

Firefox 3.5 and do Ogg/Theora

theora.orgGoogle might be pushing back support for HTML5’s <audio> and <video>-tags in Chrome, but these certainly are one of the nicer features the upcoming version of Firefox will bring us. Version 3.5 (RC1 will probably be released the beginning of July) will indeed natively support ogg/vorbis, wav and ogg/theora. And this is important why? Well, apart from the open source (Theora) vs proprietary (Adobe Flash with VP6-codec) argument, using video will allow us to get rid of the memory (and cpu) hog Flash can be (or at least to replace it by another cpu-hog 😉 ).
Now having Ogg/Theora built right into your favorite browser might be great, but you’d need a place where you can use that as well, no? Well, there’s no support for Ogg on YouTube yet, but that void can be filled by TinyVid, an “experimental Ogg video uploading and converting site”. Especially the converting-part is handy; just enter the URL of a YouTube, Vimeo or Daily Motion-video and TinyVid will download and convert it for you a few minutes later (depending on the length of the conversion queue).
So you’re having big fun, uploading, converting and watching, but wouldn’t you want to show off those great vids on your open source blog as well? Easy-peasy;
<video src='' controls='controls'></video>
And if you’re in a partcilurly good mood and you want friends that are not running an Ogg-enabled browser to be able to see some disco, you could even try this;
<video src="" controls="controls">
<applet code="com.fluendo.player.Cortado.class" archive="" width="640" height="368">
<param name="url" value=""></param>
<param name="BufferSize" value="4096"></param>
<param name="BufferHigh" value="25"></param>
<param name="BufferLow" value="5"></param>
<param name="duration" value="257.369"></param>

And that’ll result in Thom Yorke doing this disco-version of “Everything In Its Right Place” in Theora;

While waiting for the new Firefox beta

While we”re waiting for the new Firefox 3.1 beta (which will probably be released on march 12th, after which 3.1 will become  3.5), the Mozilla Labs guys announced a prototype “about:tab” plugin. It builds on the ideas they put forward on the labs-blog last august and follows in the footsteps of what Opera and more recently Google Chrome and Safari 4 are doing, taking it up a notch.
about:tab in firefox3.1b by aza raskinAfter installing the plugin, a new tab will show you:

  • the title and favicon of the most recently closed tab, allowing you to reopen it
  • a button containing the text in your copy/paste-buffer with contextual actions;
    • if URL: go to that site
    • if physical address: put it on a map
    • else: search for that text on google
    • more actions might be added and the system will be extensible, taking from Ubiquity
  • a list of six of your most visited sites, with thumbnail and title and with the most recent rss-items of that site

Although the developers claim that it’s “a rough-cut prototype” and that “the visual design isn’t right”, I already prefer this sober and functionally rich new-tab-behavior over the shiny “top sites” implementation in Apple’s Safari4. I sure hope this will slip into Firefox 3.5 in the next few months!

Firefox3 honouring MSIE security zones, downloads blocked

A few weeks ago my wife complained she couldn’t install software on her WindowsXP-laptop any more. When doubleclicking the downloaded application, she got the errormessage “This is not a valid win32 application”.
Earlier today I had the same problem when trying to install Putty, so I tried downloading the file again and noticed the following error in my FF download manager:

This download has been blocked by your Security Zone Policy

(or “deze download is geblokkeerd door uw beleid voor beveiligingszones” in Dutch)
After having frantically searched for “Security Zones” in FF own configuration-screens, I turned to Google only to find out that this setting is actually managed in the MSIE configuration UI. So to enable Firefox to download executables, I have to change MSIE-configuration (which I did)? Weird to say the least.

Voorspellingen 2009: browser-oorlog, ook mobiel

ballmer vs jobs: mobile (and/or) browser war (from aanleiding van de publicatie van de voorspellingen van 20 online experts door Netlash, zijn dit enkele van mijn verwachtingen voor het web in 2009;

  • Uw job als (front-end) webdeveloper (of tester) wordt er door de grotere concurrentie tussen browsers niet eenvoudiger op. Ge zult niet alleen moeten ontwikkelen voor Internet Explorer (het nieuwe IE8, maar ook nog altijd voor het verwenste MSIE6 en voor versie 7 natuurlijk) en Firefox, maar ook voor Safari en Google Chrome. Samen zullen deze Webkit-gebaseerde browsers eind 2009 immers tot 15% van de browsermarkt pakken (nu al 9%), tegenover 25% voor Firefox (nu 21%) en pakweg 60% voor (MS)IE (nu nog 68%). Gelukkig zult ge wel iets meer kunnen terugvallen op standaarden (MSIE6 buiten beschouwing gelaten) en zullen componenten als JQuery, YUI of Dojo uw cross-browser inspanningen blijvend verlichten.
  • Bling-developers mogen die dure cursussen Silverlight en JavaFX annuleren, Adobe blijft immers oppermachtig met Flash en -ondanks de gigantische hype in 2008 in veel mindere mate- met het nauw verwante Flex. 2009 zal overigens niet het jaar van Flash op mobile zijn. Een volwaardige versie van Flash voor GSM’s zal immers pas op het einde van het jaar uitkomen en zal dan nog enkel vlot werken op smartphones met ARM Cortex gebaseerde processoren, die nu ook nog niet te koop zijn.
  • Webagencies staan voor een belangrijke uitdaging; “mobiel internet” groeit (mede dankzij krachtige Webkit-gebaseerde mobile browsers) zowel aan vraag- als aanbodkant en kosten-bewuste klanten zullen convergentie tussen hun mobiele en hun “gewone” website hoog op het verlanglijstje hebben staan. Mobiel web wordt dé groeipool, ge kunt dus maar beter mee zijn, zowel functioneel (“mobile usability“) als technisch (er is meer dan Mobile Safari, niet iedereen heeft een uitgebreid toetsenbord en device-dependant rendering is een moving target).

En voor een recessie tenslotte, heb ik in 2009 echt geen tijd. U ook niet, toch?