I have just checked in Bug 378216, and wanted to give a quick heads up on it.
What this means is that we are now enforcing a security restriction on all add-ons. To be specific, if an add-on does not provide a secure method of auto-updating then by default Firefox will refuse to install the add-on. If you have add-ons already installed that are insecure in this way then they will be automatically disabled.
The good news is that addons.mozilla.org already uses SSL for it’s updates, so any add-ons you have installed from there will be unaffected by this change. Equally any add-on authors who use SSL on their site, their add-ons will be unaffected. Personally I found 2 of my add-ons were disabled by it, that’s 2 out of nearly 20, so hopefully you won’t see a major impact.
For add-on authors there is an alternate way to provide secure updates without investing in an SSL key involving digital signatures, unfortunately we’ve had to hold off on providing the software to make that possible until the backend changes were complete and reviewed. I hope to have something usable available not too long after M8 is released. Keep an eye on this blog for an update on that.
If you want to see more of the specifics the best place to look is probably at the wiki page. This is all based around the discussions I started on various forums and newsgroups. Hopefully it’s not too much of a surprise to the add-on authors out there, if it is then I apologise, I tried to get the word out as best I could.
One of the main parts of my work for Mozilla at the moment is about securing add-on updates. The spec is now pretty near complete and the implementation is also pretty much complete so hopefully we can start pushing out the necessary tools to add-on authors real soon then land the work shortly after.
Of course it wouldn’t be right for me to push this out without first making my own extensions comply with the new requirements. So today I am rolling out updates to all of them, mostly just changing the update url to an SSL one, though a couple of the extensions (Nightly Tester Tools and /Find Bar/) have some additional updates.
Using SSL really will be the easiest way of hosting secure updates for your extensions and I urge you to use it. Assuming you have a sensible hosting package, adding SSL is really not as expensive as many expect. Godaddy offer SSL certificates for $18 per year (minimum of 2 years) and if you are like me and hosting open source extensions then you can get the first year for free (though that seems to take a few weeks longer than if you pay). It’s also pretty simple to set up assuming you have a decent webhost, Dreamhost just has one form to fill in.
It turns out that the hardest part of getting SSL was fixing the bugs in my CMS since it’s current version had never been used in an SSL environment before 😉
After a fair bit of work (feels like longer than 2 months) I’ve finally managed to get bug 382752 landed. What this gives us in simple terms is a set of functions that we can use in order to do unit testing on the extension manager. Alongside I have checked in the first unit test. Now if anything regresses bug 257155 we should know about it immediately.
Ignoring the regression detection, I’ve always found unit tests to be fantastically useful when developing new code or fixing bugs. Zipwriter is a prime example, with a large number of tests that I can run by typing a single command I can test whether the changes I have made have solved the problem and not introduced any other errors.
The next step of course is to start adding unit tests for the extension manager. I have some already in progress and hopefully soon some of the key parts of the EM should be getting checked on a daily basis.
For some time now I’ve promised myself that I’d sort out a simple system to view stats about how many people are using my extensions. The idea is a simple one, on a daily basis Firefox (or whatever app) will ping my site checking for an update for the extension. Counting the number of checks in a day gives you a rough idea of the number of users. You can’t take the numbers literally of course but as ballpark figures go it’s probably not bad.
Finally I have got around to doing it and there have been some interesting results. Not surprisingly Nightly Tester Tools is my most popular extension. However it’s distressing to see how many updated to the broken 1.3b1 and still haven’t gone to 1.3b2. Not surprising of course,Â but it makes me wonder when these 30,000 people or so will update again.
Then of course you get the freaky results. Who’d have though that people on Solaris are using my extensions. And even more bizarre, why has someone installed Tab Sidebar into Thunderbird?
You can peruse the stats yourself if you like, there’s a few different views to play with. Some of the old data isn’t highly accurate, my back-filling script needs some work, and many of the extensions simply aren’t reporting the more detailed information about OS and version so some of those graphs are a little misleading, still there it is.
I understand that AMO are planning on rolling out some stats for add-on authors based on the same update pings that I use. I urge all authors to take a good look at them when they do, you never know what you might find that surprises you and makes you re-evaluate your priorities for your extensions.
I don’t normally do announcements of new versions of my extensions here but unfortunately there was a problem with the packaging of the last version of Nightly Tester Tools so if you want to get the latest and greatest version then you’ll have to download it manually.
Sorry, I’ll try not to let it happen again.
Since the disclosure of potential vulnerabilities in the way Firefox (and other Mozilla applications) automatically update your add-ons we have been discussing how to tighten up the system in a way that is hopefully unnoticeable to users and not much extra work for add-on authors.
After a process of listening to authors on the newsgroups, forums and by email we now have a rough proposal of what changes we are looking to make. There’s still a few minor details to be ironed out of course. This is mainly of interest to add-on authors since there is an impact depending on how you host your updates. I’ve started threads on the newsgroup and forums so if you want to discuss the proposal there then that’d be good. I’d prefer it if you didn’t edit the main page of the wiki but feel free to stick small comments onto the discussion page.
Spam is one of those evils of the modern age. It looks less and less likely that a real 100% effective solution will be found which is a little sad but not a major deal to my mind. I’ve managed to turn off my old junk email accounts and train my filter to clear out 90% of the junk I receive. Surprisingly I’ve had more problems with spam comments on this site than I have in my email lately. Even with comment moderation turned on the Tab Sidebar extension was receiving a silly amount of junk comments. It probably still is but I’m now using a simple blacklist to catch it all.
I tend to think of spam in two categories. You have your normal junk, you know offers to help someone transfer $1,000,000 (ONE MILLION US DOLLARS) out of Nigeria and to enlarge various of my body parts. Then you have the stuff which is from reputable companies which have generally got your email legitimately, maybe I filled in something to download some trial software or maybe I was even interested at one point. Perhaps surprisingly it’s the latter of these types that irritate me more . In particular when I attempt to unsubscribe and I still keep receiving mails.
Take this example. When I left my last job (about a month ago) I cancelled my small business mailings from Microsoft as they weren’t relevant to me anymore. What do I find in my inbox today:
Dear Mr Dave Townsend
As part of a routine data inspection we have noticed you have elected to stop receiving communications from Microsoft.
So umm let me get this straight, you recognise that I have asked to not receive any more mails from you and as such you have decided to email me?
As Microsoft launches exciting new solutions and initiatives, there’s no better time to register for information that will give your business a critical technological advantage. We invite you to consider receiving communications from us again.
Oh well if you are wanting me to start receiving mails again then of course it’s acceptable for you to mail to ask me.
if you still choose not to receive communications from Microsoft, simply do nothing and we will not contact you again
Oh well that’s ok. Of course I haven’t done anything since I opted out and you still mailed me.
Really large organisations should know better. If I tell you that I don’t want to hear from you again, what I mean is “I DON’T WANT TO HEAR FROM YOU AGAIN”.
Last night (or I should say early this morning) I got a chance to watch some of the webcasts from the Firefox Developer Conference in Tokyo. I had been wanting to attend one of the previous developer days but had to pull out due to accomodation problems so it was really great that webcasts were available, I believe this is the first developer day to do so.
I managed to catch most of the sessions on FUEL and XULRunner and some of the presentations on the development environments that extension authors use. The first two were good to watch, simple overviews of topics that can often get too bogged down in details. I won’t say I learned a great deal new from them, but then given my background I wouldn’t expect to. I really hope they make the recordings available so when the next person comes onto IRC asking what XULRunner is we can point them to it.
The presentations on development environments were somewhat more challenging to watch remotely, the webcast didn’t really have the resolution to bring out the detail of what the authors were doing and there was some time lagging on the video so what was being described didn’t correlate with what you could vaguely see on screen. Plus it was nearly 9am here so I had to call it a day at that point and get some sleep.
All in all what I saw of the event looked excellent. Top work by the translators, I don’t know if they were volunteers or hired in but they did a great job of handling all the technical terms that were flying about. I hope to make a dev day soon but till then lets keep up this theme of webcasting them so those who can’t be there still get a chance to be involved. One thought from the future, how about taking questions from the remote viewers over IRC?
We’re looking at the situation of automatic updates for add-ons and whether or not tightening up the security of such updates is a good idea or not (this is one good reason why it could be). After some initial talking I would like to get a little feedback from the add-on authors out there who host their add-ons on their own websites and not on addons.mozilla.org. Are you such a person? If so then please take a few moments to check out the thread in the forums or on the newsgroup and take a few moments to answer my questions.
Of course nothing is a foregone conclusion at this point and you might have noticed that I host my own extensions, not on addons.mozilla.org so I totally have the self-hoster’s needs at heart 🙂
I guess it goes without saying that I’m fairly technically literate and as such I’m pretty well versed in both what makes a strong password and actually using them. I actually have a pair of passwords, one that I use for what I consider my more important logins (company accounts, servers and the like), and another that is for lesser services that if I lost or it got hacked then it wouldn’t be a major compromise of anything.
Given this it’s always particularly disappointing when I find something that I really want to use a strong password for but can’t, because the service in question can’t handle how strong my password is.
Take my new bank account with Lloyds TSB. The password for the internet banking is 6-15 characters, must contains letters and numbers, but cannot contain any spaces or anything non-alphanumeric. Bang goes about 4 characters from my strong password.
Lloyds aren’t alone either. I also have a savings account with Citibank. To log in to their online banking I am not allowed to type in my password by hand, instead I must use an onscreen keyboard with my mouse. Now I’m not quite sure what this is meant to serve, all it does is enter the characters into a regular html input box, you know, easily readable from an add-on or other form of spyware. And even worse the keyboard gives me just 51 possible characters to choose. At least Lloyds let me use both upper and lower case!
Maybe all these places having quite different restrictions on what characters I can use in my password is a cunning ploy to make me use a different password everywhere, but I find it a little disturbing that I’m able to use a stronger password with my online pizza delivery place than with my bank accounts holding thousands of pounds of savings.