Firesheep Demonstrates The Need For SSL

There’s been a storm of discussion over the past 72 hours about Eric Butler’s Firefox extension Firesheep. To summarize, it’s a Firefox extension that facilitates session hijacking by packet sniffing for data from certain websites. As far as software goes, it’s more evolutionary than revolutionary; at its core it’s a packet sniffer. The evolution is the pretty UI, which makes it trivial to hijack someone’s session (he really did do a good job on the UI; it’s so easy a child could use it).

It’s actually surprising to me that so many people are shocked by what this demonstrates. Even those who claim to be technically literate seem taken aback. Insecure sites are, by definition, insecure. Anyone can read what’s going across the wire (that includes WiFi) when it is sent unencrypted. If your browser can interpret and use the information (the session cookie) to let you browse Facebook, Twitter, etc., so can any browser, on any computer. It’s that simple. Firesheep only supports a handful of sites, but adding support for more sites isn’t difficult. If your favorite website hasn’t been done yet, I expect it will be soon enough.

How Do You Protect Yourself?

The best way to protect yourself is to demand that websites that hold private information use HTTPS from the moment you log in until you log out. Short of that, the best you can do is use a Firefox extension like EFF’s HTTPS Everywhere to force your browser to use HTTPS. This won’t work everywhere, as not every web server even has HTTPS working, but many quietly do. They sometimes use HTTPS for certain things like login, then use insecure HTTP for the rest of your visit. That’s so your password isn’t transmitted in plain text. Protecting a password is important, but if the session is insecure anyone can intercept what you do. HTTPS Everywhere works by rewriting all requests to many popular sites to use HTTPS, ensuring your privacy and security through the length of your visit. Some websites will have minor issues. For example, Facebook Chat is impossible to support right now because it does not work via HTTPS. The rest of Facebook, however, works.

For more advanced users, HTTPS Everywhere lets you write your own rulesets for sites it doesn’t support.

How Do Websites Protect Their Users?

It’s very simple. Use HTTPS for the whole period a user is logged in, not just when authenticating and submitting sensitive data. Sure, it’s a little slower and requires more hardware, but scaling HTTPS these days isn’t nearly as difficult as it was just 5 years ago. In 2 years it will be even easier. Google went as far as forcing HTTPS on all Gmail users. Binding a session to an IP address is fussy and largely ineffective due to NAT, WiFi hotspots and mobile services that can cause an IP to just change with little or no notice. It’s not effective security. It’s better than nothing, but it’s not a fix.
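As an added illustration (not code from this post), here is a small Python check a site operator could run against their own response headers: it flags session-looking cookies that lack the Secure attribute, which is what stops a browser from sending a cookie on plain http:// requests once the login page is behind you. The sample headers are constructed, and the cookie-name hints are an assumed heuristic.

```python
"""Audit Set-Cookie headers for session cookies a plain-HTTP page load
would expose.  Added example, not the post's code; input is constructed."""

# Constructed sample: what a site that only encrypts the login page might
# send once you are logged in and browsing the rest of it over HTTP.
SAMPLE_HEADERS = [
    "Set-Cookie: sessionid=abc123; Path=/; HttpOnly",
    "Set-Cookie: prefs=dark; Path=/",
    "Set-Cookie: auth_token=xyz789; Path=/; Secure; HttpOnly",
]

# Substrings that usually mark a login-session cookie (assumed heuristic).
SESSION_NAME_HINTS = ("sess", "auth", "token", "login", "sid")


def parse_set_cookie(header):
    """Return (cookie name, set of lowercased attribute names) for one
    Set-Cookie line; attribute values (Path=/, Max-Age=...) are dropped."""
    value = header.split(":", 1)[1].strip()
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def exposed_session_cookies(headers):
    """Names of session-looking cookies set without the Secure attribute.

    Without Secure the browser also attaches the cookie to http:// requests,
    and an unencrypted request is exactly what a passive sniffer on the same
    network reads.  Serving the whole logged-in session over HTTPS and
    marking the cookie Secure closes that gap."""
    exposed = []
    for h in headers:
        if not h.lower().startswith("set-cookie:"):
            continue
        name, attrs = parse_set_cookie(h)
        looks_like_session = any(hint in name.lower() for hint in SESSION_NAME_HINTS)
        if looks_like_session and "secure" not in attrs:
            exposed.append(name)
    return exposed


if __name__ == "__main__":
    for name in exposed_session_cookies(SAMPLE_HEADERS):
        print(f"{name}: also sent over plain HTTP; add Secure and keep the "
              "whole session on HTTPS")
```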

Google could make a huge difference by supporting SSL in Google AdSense, something I’ve called for since 2008. Google has supported SSL with Google Analytics for some time, but they have lagged in rolling out support in other services. Lots of websites monetize with AdSense, and this is just another reason websites put off supporting SSL. Other ad networks should do the same. Google AdSense has the lowest barrier to entry, since they serve their text ads off of their own infrastructure, vs. creatives hosted by other parties like some smaller ad networks. One could argue that having third-party code inserted on a page undermines security, but it would still be a major improvement over the current state of affairs and would prevent simple session hijacking.

EV SSL Support in Firefox 2.0

Many by now have heard about Extended Validation (EV) Certificates. This technology lets sites that meet a higher standard of verification appear differently in a browser (typically with a green background behind the URL). IE 7 already supports this technology, and Firefox has been planning it for 3.0. VeriSign (the very expensive SSL Cert guys) created an extension to add UI support to Firefox.

Very interesting to see features like this added to Firefox by an extension. I haven’t seen many security-related extensions before.

[Hat tip: InfoWorld]

Firefox Tip: Remove Addons

So you know about addons aka extensions/themes and tried them. You may have found one you no longer want or need. You can either disable or completely uninstall them easily. Just go to the “Tools” menu and select “Addons”. From there browse to the one you no longer want, click on it and press the “Disable” or “Uninstall” button.

I’ve seen complaints that it doesn’t appear in “Add Programs” on Windows. That’s because it’s not installed on Windows, but in Firefox. Uninstalls are still easy and painless.

mozPod 0.2a1

mozPod 0.2a1 is available. It’s alpha because it hasn’t been well tested yet. I wanted to get it out before Thunderbird 2.0 ships, and I’ve been getting a fair number of requests for it lately.

I’ve released mozPod 0.2a1 as an interim release for Thunderbird 2.0 users who want to use mozPod and see some new features. I decided not to support mozPod 0.1 on Thunderbird 2.0 to keep things easier to manage.

This is an alpha release and likely has some bugs. I wanted to get it out for those who want to start testing. This would be an ideal time as people want to move to Thunderbird 2.0.

Here are the changes that matter:

  • Feature – Preliminary support for Lightning (if installed).
  • Enhancement – Thunderbird 2.0 support.
  • Enhancement – Some performance tweaks.
  • Fix – Sync all available address books (ABs).
  • Fix – Correctly handle notes that are more than one line.
  • Fix – Skip over LDAP servers in Address Book without failing.
  • Fix – Try to not hold lock on disks.

As usual, if you like it and want to encourage me to spend a little more time on it, feel free to do so. I do request some feedback. Let me know how it works for you.

I’ve got more extension goodness on the way. I’m planning to get to a real mozPod 0.2 release in the next few weeks. There may be a new extension on the way as well…

You can download it from this link: mozPod 0.2

raccettura’s Picks

I use a few extensions on a routine basis, so I thought I’d spend a moment just listing what I use and briefly explaining them for anyone curious. I do quite a bit of web-related work (hence the developer slant) as well as some Firefox/Thunderbird and extension hacking. For now I’ll just stick with Firefox extensions, and save Thunderbird extensions for another post.

These are taken from my Addon Manager (formerly Extension Manager) window and ordered in a way I thought made most sense. No bribes were taken (though welcome ;-)). This is literally the stuff I personally use and recommend.

Web Development

Web Developer

If you don’t know this one yet and do web development, you should be ashamed of yourself. I’ve yet to see a developer not go crazy over this. The Web Developer extension doesn’t do any one thing; it does everything. By that I mean it has a whole bunch of small tools to make a web developer’s life easier. From fine control over cookies, to outlining block-level elements, to submitting a page (even a local one) to the W3C validator, to disabling JavaScript. No function on its own is truly groundbreaking, but the extension as a whole is. If you do web development you need it. I couldn’t imagine developing without it. [Get it]

Firebug

Imagine viewing behind the scenes of a webpage. No, not the source code, but how JavaScript really executes. Debug, view XMLHttpRequests, add breakpoints, and view more DOM info. Again, an absolute must-have. This extension has also saved me hours of debugging time. One thing noteworthy is that the design of the tool is really fantastic; it’s well organized and implemented to make it rather easy to use, despite the overwhelming amount of info it can provide. [Get it]

LiveHTTPHeaders

Viewing HTTP headers is insanely useful when debugging web applications. Of course you can use telnet on port 80 and be a geek, but that’s way too much effort. Web Developer has similar functionality, but I like how this is integrated into the Page Info window, rather than opening in a new tab. I just find it easier to read, hence more usable. It’s been a staple for me for a few years now. [Get it]

Dom Inspector

As it says on the homepage: “DOM Inspector is a tool that can be used to inspect and edit the live DOM of any web document or XUL application.” This little gem is a must-have for any JavaScript, Firefox, or Firefox extension development. It’s saved my butt a few times. Its interface isn’t the best, but it does have its perks. [Get it]

IE Tab

This extension lets you view pages in IE’s rendering engine, but in a Firefox tab. I use this for checking how a page loads in IE (much quicker to right-click than to open IE and copy/paste the URL). Again, simplicity rules! [Get it]

Small Screen Renderer

Glazou, thou art my hero for this one. Simply put, it takes your webpage and smushes it up so you can see what it would look like on a small-screen device like a handheld. With things like MiniMo, this is very worthwhile. He’s done too many cool things (Composer, CaScadeS) to mention here. [Get it]

ColorZilla

Being that I’m not graphically inclined I don’t need this much, but every so often it’s very useful. This extension lets you see exactly what the color is, pretty much anywhere on the site you’re viewing. Yea, that is awesome. A big timesaver, and pretty clever design. [Get it]

Everyday Browsing

downTHEMall

Every so often you run across something where you want to download everything in sight. Either a series of zip files, images, or something else. You can click on each one… or you can use this awesome extension, which will find them and download them all for you. [Get it]

ReloadEvery

This is just a cool way to reload a page on an interval. Great for monitoring a page. When not working on my computer I sometimes use this to just keep refreshing a page so I can glance at my display and see what’s going on. Simple and helpful. [Reload Every]

Resizeable Textarea

Asa pointed this one out. Resizing textareas is a must. If it were up to me, this would be included in Firefox 3.0. It’s awesome and infinitely useful. I personally think it qualifies as a killer feature. [Get it]

Screen Grab

I don’t use this one every day, but sometimes you don’t want to print a webpage, but want to save it. This is especially true because printing, or making a PDF, sometimes distorts the page from its original appearance. Well, the solution is to save a screenshot (another thing that IMHO should be an option in Firefox, as an alternative “type” in the “Save Page As” dialog). [Get it]

GeoLocateFox

Yes, I eat my own dogfood. Seeing where websites are located is fun. Nuff said. [Get it]

User Agent Switcher

Sometimes sites kick you out because you don’t use IE. That’s not cool (go to the help menu and select “Report Broken Website” if you encounter that). A workaround is to fake being IE. This extension allows you to do just that. Though if you do that, remember to change it back to Firefox. Partially for compatibility reasons on sites that serve specific code, and so that webmasters realize how many Firefox users actually visit their site. [Get it]

Mozilla Development

TinderStatus

TinderStatus is simple but cool. It just lets me know if the tree is on fire. [Tinderstatus]

Obviously DOM Inspector is some help here as well.

I was debating if I should throw some screenshots in here, but I decided against it since most screenshots of extensions stink (at best) since they don’t capture the value of it.

So there you have it, the extensions I use the most. Check them out.

Lightning Strikes The iPod

I started working to implement support for Lightning (the project to integrate Calendar into Thunderbird) to sync with Apple iPods via mozPod. It didn’t take too long before I had a successful sync. It’s not done yet, and likely has some big evil bugs (read: including but not limited to loss of data or first-born child), but it’s well on the way!

That’s right, we now have the ability to sync contacts and calendar to the iPod on Mac/Windows (Linux still on the todo list, though it’s mostly there). It will require Thunderbird 1.5 or later. No release date just yet.

How cool is that? 😀

GeoLocateFox 0.2 Released

Last night I pushed the bits for GeoLocateFox 0.2. There aren’t very many changes, but they’re pretty cool.

  • Add HostIP look up (disabled by default)
  • Add support for newer Flock, and Firefox through 3.0 alpha

Go to the options window (open up the extension manager, right-click on GeoLocateFox, and select Options) and check the HostIP box. This will send the IP address of the website you visit to the HostIP.info website and get coordinates if available. This is only used if the site provides no GeoLocation data on its own. It’s off by default for privacy reasons. It’s pretty cool.

Next up is a bug fix release for mozPod, no date on that just yet. It’s overdue.

GeoLocateFox 0.1.2 Released

I released a small update to GeoLocateFox that contains the following changes:

  • Update to use Yahoo Map API v. 3.0 (Yahoo now supports more non-North American Locations!!!).
  • Add support for newer Flock.
  • Slightly better compressed images.
  • Updated some URLs to the project page.

I should also note that Yahoo’s maps have improved (a TON).

You can find the latest release here.

And in even bigger news…
I have a new beta release available (here) that contains support for Host IP lookup using the Hostip.info database. This will find tons more locations (and the database improves all the time).

To enable the Hostip feature, open the extensions manager (Tools menu –> Extensions), right-click on GeoLocateFox and select “Options”. There is a checkbox on the right side to enable this feature. It’s off by default because it requires sending the IP address of the website you visit to the Hostip.info server.

This is a beta, though I’d love to know how it works for people.

mozPod 0.2 Status

I have slowly been working on a new mozPod release, it’s just not going very fast, as it’s still a lower priority project. So far, it seems to be pretty well accepted. Here are a few of the changes planned, or already completed:

  • Preliminary Lightning Support
  • Having an LDAP server setup in your Address Book won’t cause the sync to fail
  • Some code cleanup, optimization, and bug fixes

For the record, I will be dropping support for Thunderbird 1.0.x in mozPod 0.2. Most people seem to be upgrading, and it’s just not worth the hassle. Many (or most) seem to have had problems with MozPod and Thunderbird 1.0 anyway.

Yes, development is a little slow, but it’s free (unless you feel like saying thanks), so don’t complain ;-).

Update: It’s out.

AOL Toolbar for Firefox

I had this in mind for a few days, but haven’t gotten to it. AOL has a beta of their new AOL Toolbar for Firefox (1.0.6 Beta II). I decided to give it a quick go (it’s available to non-AOL members). While I’ve never seen the use of these toolbars (AOL, Google, Yahoo) for any purpose other than blocking popups in older versions of IE, I won’t get into that discussion any further, and will instead look at it from a more technical point of view.

It’s actually rather well done. It has a settings window that lets you add/remove (and reorder) items on the toolbar, which appear as soon as you close the window (very cool to see that happen smoothly). Overall it looks like a very complete offering, with AOL artwork and everything. That’s what impressed me the most. I don’t see mail notification, though I don’t know if their IE toolbar offers that either (it does offer the ability to go to mail and compose a message). Also interesting is that when you select text, it automatically populates the search bar’s query box, literally as you highlight (it grows as your selection covers more characters).

Very cool to see AOL supporting Firefox users with an AOL toolbar.

We now have a Google Toolbar, Yahoo Toolbar and now AOL Toolbar!

Super job, AOL employees! Great to see you’re ensuring your users have access to your services from the browser of their choice. For those wondering (and I’m sure would comment), I’m still not fond of their new email policy, but I do feel it’s important to give them criticism and praise where they deserve it. Remember, it’s feedback that lets companies gauge how their policies/products/services are perceived by the public.

If anyone from AOL wants to let me know if there are plans to integrate login based services at all (for example mail so users can tell if they get new messages), feel free to leave a comment or contact.