browsers

Blogposts on blog.futtta.be about browsers (Firefox, Chrome, Safari, Opera and good ole Internet Explorer).

Firefox preferences for greater privacy

by

Although browser addons such as NoScript and Ghostery (which is cross-browser with some limitations) provide great protection against tracking, some people prefer not to have to install plugins. Firefox does have configuration options to somewhat limit what trackers can do. You can follow the knowledge base article here to learn how to disable 3rd party cookies (the default setting in Safari, which Google was caught circumventing).
If you’re up to it, you also simply open up the almighty “about:config” and tinker with the following settings (some of which aren’t available in the browser UI):

  • network.cookie.cookieBehavior with values:
    • “0”: allow all cookies (default)
    • “1”: don’t allow 3rd party cookies
    • “2”: don’t allow any cookies
  • network.cookie.thirdparty.lifetimePolicy with values:
    • “0”: keep cookies for as long as the server asks
    • “1”: ask the user on each and every cookie set (try it out if only for fun, you’d be surprise how much cookies are set)
    • “2”: cookie gets deleted when you close your browser (i.e. at the end of the session)
    • “3”: cookies have a lifetime as defined in the “network.cookie.lifetime.days ” preference
  • network.cookie.thirdparty.sessionOnly: set to “true” or “false”
  • privacy.donottrackheader.enabled: set to “false” (default) or “true”, which gently asks sites not to track you

Setting “network.cookie.thirdparty.sessionOnly” to “true” is a low-impact change which should stop tracking-companies (think Media6degrees or Quantcast) from following you around the web.
If you want to stop Facebook, Google & Co to stop tracking you around the web as well, the above setting will not suffice. You should either log out of their sites as soon as you’ve done your business there or set “network.cookie.cookieBehavior” to “1” (which will break their “social widgets”). Or you can install Ghostery or NoScript, off course.

While waiting for Firefox Mobile 11

by

I’m on the beta-release channel for both my desktop and mobile Firefox and my desktop has been running version 11 (with SPDY) for over a week now, but there hasn’t been an update for Firefox Mobile Beta in the Android Market yet. Apparently the Mozillians are working hard to finish the complete overhaul of the front-end, which integrates with Android UI (instead of using Mozilla’s own XUL) and services (synchronization in particular).
As I’m an impatient guy, I installed the Aurora version of Firefox Mobile, which is already at version 12 and that runs surprisingly well. Firefox Mobile already had the best HTML5-support and superior JavaScript-performance, but the new version (be it 11 or 12) adds a lower memory footprint and (much) faster start-up-time to that (and it has Flash, which I don’t care for really).
Mozilla is doing a great job in the mobile space, with the browser, but also with WebAPI and B2G. No, I don’t think I’ll switch to Chrome Mobile any time soon.

Chrome for Android finally arrives

by

Just in from Google Mobile Blog: Chrome for Android is out in beta for ICS (Android 4) devices. I won’t bore you with the marketing video, but this “Under the hood” video is a lot more interesting:

Chrome for Android Beta: Under the Hood
Watch this video on YouTube.

Looks like the superb Firefox for Android is (finally) getting some competition. I guess it really is time to upgrade my Galaxy SII to the recently leaked ICS rom!

Iframe sandboxing support coming soonish

by

Did you know you can limit the damage an iframe can do by adding the “sandbox” attribute? And that you can add a value to that attribute to loosen your grip if you choose to do so?
I remember reading about this a couple of years ago or so, but forgot as  support for this html5 spec was limited to Chrome (Apple added support in Safari as well). But while investigating a problem a WP DoNotTrack-user was facing, I re-discovered iframe sandboxing (it effectively stopped the javascript-based tracking inside the iframe) and noticed that support for it is to be included in Internet Explorer 10 and that Mozilla is finally working on an implementation as well.
So yeah, the option to sandbox iframe’s pointing to blacklisted (or non-whitelisted) hostnames will probably be in a future version of WP DoNotTrack. Stay tuned!

Firefox Mobile: the best mobile browser no-one uses

by

I’ve always enjoyed riding the Firefox-bandwagon and that hasn’t changed, even though Google Chrome seems to be the browser of choice amongst the cool kids nowadays. And if only because I’m a faithful guy, I’ve been running Firefox Mobile ever since I bought a Samsung Galaxy SII as well. Sure it doesn’t do Flash, but I’m not that Flash-inclined anyway.
Now, I haven’t met too many people that use Firefox Mobile and indeed when reading about mobile browsers, Firefox is rarely if ever mentioned. But what if I told you that Firefox Mobile is by far the best browser on mobile when taking performance, features and security into consideration?
I won’t beat around the bush, here’s the pretty objective data.

browserhardwareSunspiderv8 benchm.html5test score
Firefox Mobile 9bSamsung Galaxy SII1421.9ms832314
Android 2.3 browserSamsung Galaxy SII3454.4ms369177
Android 4 browserGoogle Galaxy Nexus1983ms1387230
Mobile SafariiPhone 4s2260.9ms368296
Opera Mobile 11.5Samsung Galaxy SII1699.9ms461285
Dolphin HD 7.2Samsung Galaxy sII3593.4ms318177

Some remarks:

  • the hardware is pretty comparable; all dual-core CPU’s and plenty of RAM.
  • higher is better, except for Sunspider which measures time (in microseconds).
  • I’ve got no screenshot or URL of the google v8 test results on my phone, but I’ll be glad to reproduce.
  • sunspider and v8 are javascript performance benchmarks.
  • html5test is an indication for support of “modern” browser features (html5, css3 and much more).
  • the features of the browser GUI arent’t measured byhtml5test, but I’m pretty pleased with Firefox Mobile in that respect as well; great tabbed browsing, plugins (including noscript!), sync-ing of all relevant data between desktops & mobile, …
  • I added Opera Mobile and Dolphin HD to the list. Opera’s not too shabby but not a winner either?

And last but not least; as Firefox Mobile isn’t native and since it’s on the same (crazy) rapid release cycle as the desktop-version, I consider it to be a lot more secure when compared to the slow evolving, rarely updated native browsers in Android and iOS.
My advice; if you’re an Android-user and you’ve got a recent handset or tablet, you really should consider switching to Firefox Mobile. It’s the best mobile browser no-one is using! Except for you?

Hey! Widgets! Leave our privacy alone!

by

After having NoScript disable the Facebook Like widget a couple of weeks ago, I felt really bad for Mark Zuckerberg who must have been feeling singled out by my actions. If only to make all widgets equal and as I don’t use them anyway, I’ve now told NoScript (only available in Firefox) to also block the Google+ and Twitter widgets with the following ABE User ruleset (under NoScript Advanced options):
# also stop google+ widget
Site plus.google.com
Accept from plus.google.com
Deny INCLUSION(SCRIPT, OBJ, SUBDOC)

# and twitter
Site platform.twitter.com
Accept from twitter.com
Deny INCLUSION(SCRIPT, OBJ, SUBDOC)

Learning from my mistakes about TLS, certificates and browsers

by

Well, I guess that, for those who read my previous post about SSL/TLS error messages on Mac OS X browsers, it’s abundantly clear that I don’t really know SSL/ TLS and the way browsers handle the certificates. But hey, I blog to learn from my mistakes and Philip and Peter helped me understand a bit about TLS with their useful comments.
The summary for TLS-dummies like me:

  • According to the TLS spec the server should not only provide it’s own certificate, but also any intermediate certificate between it’s own & the CA’s root
  • Browsers (or the OS’es key stores that some browsers depend upon) don’t ship with any intermediate certificate, but can and in some cases will store (cache) them when they come across them. In Firefox, cached intermediate certificates are listed as being part of the “software security device”, whereas root certificates are in the “builtin object token”.

All in all, this means that whenever you’re implementing TLS (or SSL, if you’re old-fashioned) you have  to configure your webserver to provide all intermediate certificates in a “chainfile” as (for example) per Apache’s SSLCertificateChainFile directive.

How to fix SSL errors in Mac OS X browsers

by

So you know about SSL (or rather TLS) and you prefer things secure, so you request and pay for an officially signed certificate and configure your Apache to use it. The next days you’re feeling very Kevin Mitnicky, until some nitwit on Twitter trashes you for the ugly error-message he sees when trying to visit your supposedly “secure” site that is. What’s up with that?
Well, chances are that your disgruntled visitor was using a browser you didn’t test on, like Chrome on Mac for example? Because there is a small issue you have to take into account when “doing https”; both Chrome and Safari (but not Firefox) on Mac use OS X’s keychain, which does not have some of the intermediate certificates needed to establish the trust relationship between your signed certificate and the certificate authority’s root certificate.
As you can’t expect Apple to add intermediate certificates to their keychain by default (which Firefox does a pretty good job though) and you can’t ask all your OS X users to add the intermediate certificate by hand either,  you’ll have to solve this yourself. A good thing Apache can help you in that department with it’s SSLCertificateChainFile directive, which

sets the optional all-in-one file where you can assemble the certificates of Certification Authorities (CA) which form the certificate chain of the server certificate. This starts with the issuing CA certificate of the server certificate and can range up to the root CA certificate.

If there’s only one intermediate certificate missing between your’s and the CA’s, you can export it in good old Firefox (as a pem-file), place it in the same directory as the actual certificate and use SSLCertificateChainFile to tell Apache where to find it and that should solve the nasty errors those Twittering Mac-heads get.

Firefox 6 on Ubuntu Linux swapping like crazy

by

Firefox 6 got pushed on my Ubuntu 11.04 netbook as an update a couple of days ago and things were badly broken; memory usage was skyrocketing, the kswapd was eating almost all CPU and the system was pretty much in a continuous wait-state.
After some cursing and a lot of Scroogling, I finally stumbled across this blogpost which described the exact same problem and advised to set  “layers.acceleration.force-enabled” (which tries to force hardware acceleration, which isn’t supported on Linux by default) back to “false” in about:config. And indeed this small rollback solved my memory-woes. Guess I shouldn’t have dismissed that silly about:config warning message after all.
And while we’re on the subject; Firefox 7 should see substantial improvements in memory usage, yay!

The Magic’s gone, enter Samsung Galaxy S II

by

Two years ago I bought a HTC Hero, my first Android handset. I lost that great device about half a year ago and -after trying a very basic Acer e110– replaced it with a 2nd hand Belgacom HTC Magic which I upgraded to Cyanogenmod 6.
Now don’t get me wrong; me and my Magic, we got along real fine. But my employer likes the smell of a fresh smartphone in the morning and subsidizes to make that happen and when I saw a colleague with a Samsung Galaxy S II, I knew me and my Magic HTC had to part ways.
The Galaxy S II sports a huge, bright screen with vivid colors (Samsung’s super AMOLED screens are simply stunning), a 1.2 GHz dual-core processor and 16Gb of internal storage (with an microSD-slot to be able to add up to 32Gb). There’s no hardware keyboard like on the HTC Desire Z I once was planning on buying, but the Galaxy does come with Swype, the virtual keyboard that takes most of the pain out of … not having a keyboard. I’ve installed all of the favorite apps from my HTC-days and as a bonus I can now finally also use Firefox Mobile (which is great, by the way).
So what’s not to like about it? Well, it’s huge, for starters. Big hands come in handy when using the S II, so I wouldn’t want to market it in China, except as a mini-tablet maybe. I’m not too thrilled about Samsung’s TouchWiz as seen on the homescreen. And battery-life isn’t that great, but that’s to be expected, with that humongous screen real estate I guess.
All in all my S II is a great smartphone. One probably doesn’t really need a dual-core handset with 16Gb of memory and a 800X480 screen, but it sure is nice little gadget to play around with for the next 2 years or so …