Tag : firefox

Announcing the Certificate Watch (CertWatch) Firefox addon

CertWatch is a Firefox add-on that helps you control how digital certificates are used when you visit secure websites. While there exist tools that help control how, for example, scripts like JavaScript are executed (NoScript addon), there has not been a tool for digital certificates.

The closest Firefox addon to the functionality of CertWatch is Certificate Patrol, which keeps track of website certificates and notifies when a revisited website has a different website certificate. CertWatch collects more information than Certificate Patrol and keeps track of root, intermediate and website certificates, plus visit details.

Once you install CertWatch and restart Firefox, CertWatch will take up to 30 seconds to parse all root certificates that your Firefox comes with. Every secure website that you visit is vouched for by some root certificate that pre-exists in Firefox. Your Firefox has about 150 of those root certificates, and you can traditionally view them in Edit»Preferences»Advanced»Encryption»View Certificates»Authorities.

Screenshot of CertWatch 1.0 running for the first-time

This is Firefox 4 (beta1) with a new profile. Both Firefox 4 and Firefox 3.6.8 (as found in Ubuntu 10.04) come with 149 root certificates. If you have more than 149, then you yourself accepted extra root certificates, which are fully enabled and can vouch for secure websites. As you browse, your Firefox collects intermediate certificates (I plan to explain all these in future posts at certwatch.simos.info). These are added to Firefox without user interaction, as long as the respective root certificate is in Firefox as well.

Screenshot of CertWatch 1.0 Preferences

These are the preferences, accessible from Tools » CertWatch Preferences. When you visit a secure website, there is a process where the website certificate is vouched for by the root certificate that Firefox already knows. Between the website and root certificates there could be intermediate certificates, creating what is called a certificate chain.

What the preferences do is specify when you should get a notification while you visit a secure website. The default preferences say that for the certificate chain of a secure website, show the certificate details if any of the website, intermediate or root certificates are encountered for the first time.

Let’s visit https://addons.mozilla.org/ with CertWatch installed.

Screenshot of CertWatch 1.0 - certificates at addons.mozilla.org (animated GIF)

Each tab corresponds to a certificate. Together, these three certificates form the certificate chain that verifies the secure website https://addons.mozilla.org/. The numbers in the tab names indicate how many times CertWatch has encountered these certificates. It’s the first time, so they all show 1. The black star ★ indicates whether the CertWatch Preferences apply for each certificate. Since the preferences indicate first time only, all tabs get a star.

From the list of root certificates, only a handful will ever be used during your browsing, and with CertWatch you now have the facility to figure out which ones are actually being used. At this stage I would consider this as the first most important use of CertWatch: keeping track of how many times certificates are used. If you encounter a new certificate when you visit a revisited website, then this is something to investigate.
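The counting and notification behaviour described above can be sketched as follows. This is an added example, not CertWatch's own code: the `ChainTracker` class, its method names and the sample fingerprints are assumptions made for illustration.

```javascript
// Added illustration of CertWatch-style tracking; not CertWatch's own code.
class ChainTracker {
  constructor() {
    this.certs = new Map();    // fingerprint -> { name, role, count }
    this.lastLeaf = new Map(); // host -> fingerprint of last website certificate
  }

  // chain is ordered website certificate first, root certificate last.
  visit(host, chain) {
    if (chain.length === 0) throw new Error("empty certificate chain");
    const last = chain.length - 1;
    const tabs = chain.map((cert, i) => {
      const role = i === 0 ? "website" : i === last ? "root" : "intermediate";
      const entry = this.certs.get(cert.fingerprint) || { name: cert.name, role, count: 0 };
      entry.count += 1;
      this.certs.set(cert.fingerprint, entry);
      // Default preference: star any certificate encountered for the first time.
      return { role, name: cert.name, count: entry.count, star: entry.count === 1 };
    });
    const previous = this.lastLeaf.get(host);
    // A different website certificate on a revisited host is worth investigating.
    const leafChanged = previous !== undefined && previous !== chain[0].fingerprint;
    this.lastLeaf.set(host, chain[0].fingerprint);
    return { host, tabs, notify: tabs.some((t) => t.star), leafChanged };
  }

  // Root certificates that actually vouched for a visited site, with use counts.
  usedRoots() {
    return [...this.certs.values()]
      .filter((c) => c.role === "root")
      .map((c) => `${c.name} x${c.count}`);
  }
}

// Constructed sample data: names and fingerprints are placeholders.
const ROOT = { name: "Example Root CA", fingerprint: "AA:01" };
const INTER = { name: "Example Intermediate CA", fingerprint: "BB:02" };
const LEAF = { name: "addons.mozilla.org", fingerprint: "CC:03" };
const NEW_LEAF = { name: "addons.mozilla.org", fingerprint: "DD:04" };

function demo() {
  const tracker = new ChainTracker();
  const first = tracker.visit("addons.mozilla.org", [LEAF, INTER, ROOT]);
  const second = tracker.visit("addons.mozilla.org", [LEAF, INTER, ROOT]);
  const third = tracker.visit("addons.mozilla.org", [NEW_LEAF, INTER, ROOT]);
  return { first, second, third, roots: tracker.usedRoots() };
}

console.log(JSON.stringify(demo().third, null, 2));
```

The third visit reuses the known intermediate and root but presents a new website certificate, so only the first tab is starred and `leafChanged` is set.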

CertWatch keeps its copy of certificates in an SQLite database in your Firefox profile. For Linux, the path is ~/.mozilla/firefox/YOURPROFILENAME/CertWatchDB3.sqlite. You can read the database with any SQLite client such as the Firefox Addon SQLite Manager or sqlitebrowser (Packaged in Debian and Ubuntu as sqlitebrowser). In the SQLite database you can view the root/intermediate certificate table, the website certificate table, and the website visits table. In all cases the full certificate is stored in case you want to contribute to the EFF SSL Observatory.

CertWatch is developed on Ubuntu Linux 10.04, with Eclipse 3.6 (Helios) and the JSDT environment.

Install the latest version of CertWatch, which is available from the addons.mozilla.org (AMO) CertWatch page.

Follow the progress of CertWatch at the http://certwatch.simos.info/ CertWatch blog.

Here are some secure websites for testing: https://www.google.com/, https://www.paypal.com/, https://www.facebook.com/, https://twitter.com/

Three facts about Firefox in Greece

Firefox statistics in Greece since March 1st 2010 (BrowserChoice day)

Since the start of 2010, Firefox and Internet Explorer were more or less head to head in Greece at about 44% each.

Since the start of March 2010, Firefox increased the gains compared to Internet Explorer.

The peak half-way in the graph corresponds to the Greek Orthodox Easter vacation period.

The graph depicts the weekly browser statistics in Greece from February 2010 up to the end of May 2010.

Daily browser statistics in Greece for 2010

The daily statistics have a peculiar pattern. During weekends, the usage stats for Firefox shoot up while Internet Explorer shows a significant dip.

However, during the weekdays the stats for the two main browsers are balanced out. This pattern (which is replicated in most European countries) shows that a significant number of people at work are forced to use Internet Explorer. It is easy to identify country-wide strikes through the disruptions in this pattern.

The graph depicts the daily browser statistics in Greece for May 2010.

Browser statistics for Greece, during the first half of 2010.

Firefox increased the market share to almost 2% since the start of 2010.

At the same time, Internet Explorer lost close to 5% of market share.

Apart from Firefox, Chrome was a big beneficiary of market share, increasing to almost 9%.

The graph depicts the monthly browser statistics for Greece, for the first five months of 2010.

The Greek localisation of Mozilla Firefox is maintained by Kostas Papadimas.

What is the case with other countries? Did BrowserChoice have an effect on other European countries?

Choose Firefox first!

Since 1 March 2010, Windows users in the European Union have a choice of web browser software. The choice will be activated through the WindowsUpdate system.

BrowserChoice.eu page

You can see what the Greek page looks like from the browser choice link for the European Union.

BrowserChoice.eu: choose Firefox first

Choose Mozilla Firefox first, because the software's primary concern is your security.

The website browserchoice.eu is provided by Microsoft. The operation of browserchoice.eu was imposed by the European Union when it convicted Microsoft in a recent monopoly trial.

In the terms of use of browserchoice.eu, Microsoft states on this matter

NOTICES

The BrowserChoice.eu site was designed in accordance with a European Commission competition law decision in December 2009.

© 2009 Microsoft Corporation. All rights reserved.

YES! Mozilla Firefox No. 1 in Greece!

We recently talked about the Firefox usage statistics in Greece. We now have new statistics that also include January 2010.

Firefox vs IE (end of 2009 - January 2010)

According to statistics from the statcounter.com service, Firefox in Greece has for the first time reached 45% of the web browser market share, overtaking Internet Explorer.

This is excellent news, and we are keeping pace with other countries such as Germany in using free software and Firefox.

Firefox and Greece

Web browser usage statistics for Greece (2008-2009)

The most recent web browser usage statistics for Greece show Firefox approaching the market share of Internet Explorer.

The source of the statistics is the StatCounter service.

In Germany, Hungary and Slovakia, Firefox users have overtaken those of IE. When will we reach that point in Greece?

Try Firefox 3.5 (pre), with in-built video support (+subtitles)

You can try out Firefox 3.5 (not final yet) now and have a sneak preview of the new features.
Among the new features is the in-built support for video (there is a new video tag you can add to your (X)HTML pages).

With some extra JavaScript, it is possible to top up the video playback with subtitles, in your language!

1. Therefore, grab a copy of Firefox 3.5 (pre).

2. When you run it, it is advised to run it as

./firefox -ProfileManager -no-remote

This asks you to select a different profile, so you can create a special profile just for testing Firefox 3.5. The -no-remote option helps you to have independent Firefox sessions from your normal Firefox you may be running.

3. Visit the Firefox 3.5 video demonstration page with subtitles.

4. Here is a version with translated subtitles for Greek.

Mozilla 3.5 demonstrating video with Greek subtitles

Note that Firefox supports the OGV video container format. Therefore, you may need to convert your videos to OGV.

GMail J2ME application for your mobile phone

We talked a couple of years ago about the Google J2ME (Java for Mobile devices such as mobile phones) application that you can download and install on your phone. With this application, you can run GMail on your mobile phone, and access your e-mails with your data plan (GPRS, EDGE or 3G).

To install the J2ME application, visit (with your mobile phone) the URL

gmail.com/app

If GMail recognises that you are using a compatible mobile phone, it will direct you to download and install the application to your phone. The current version of the application is about 260KB.

If you want to save some of your data bandwidth, you can change the User-Agent string of your Firefox (use the User Agent Switcher Firefox Extension) to one of a mobile phone, then visit with your browser. In this case, you can get the application from googlemail-nokia.jar (version 2.0.6/L2). If you can afford it however, it is better to install from gmail.com/app, because this would set a list of reasonable defaults.

Rendering bug in Firefox, threat level: annoyance

There is this rendering bug in Firefox that currently can be classified as an annoyance.

It was discovered during a discussion at the Ubuntu-GR mailing list and reported in June 2008, and at that time it would cause Firefox to crash. Therefore, it was deemed a security issue, and the bug report was not made public. Just recently, the issue was revisited: current versions of Firefox do not crash, and the security tag was removed. It is quite possible that there is some existing report on the issue, and now that it is not classified as a security bug, it will be easier to sort out. Thus, have a look at bug report #441307.

The source of the rendering bug is the HTML code

<HR WIDTH=143165425 ALIGN=RIGHT>

So, you send an HTML e-mail and you add the above code. The code says to show a Horizontal line, with some huge width (here, you simply put 143165425).

If you received such an annoying e-mail, here is how it may look like (Yahoo WebMail)

How GMail might look like when you receive such an HTML email.

Some versions of Firefox respond differently to this rendering bug, which probably relates to a different set of linked libraries. For example, the Firefox 3 found in Ubuntu Linux 8.10 is able to show the e-mail in GMail just fine (though it messes up with other pages). The above screenshots are by Minefield 3.1b2pre (64-bit). The Windows version of Firefox is also affected.

To try out yourself, create a file /tmp/mypoc.html with contents

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
</HEAD>
<BODY BGCOLOR="#ffffff">
<TABLE WIDTH=100% BORDER=0 CELLPADDING=2 CELLSPACING=2 BGCOLOR="#e0e0e0">
<TR>
<TD>
<HR WIDTH=143165425 ALIGN=RIGHT>
</TD>
</TR>
</TABLE>
This is a test.
<HR WIDTH=143165425 ALIGN=RIGHT>
Some more text.
</BODY>
</HTML>

Load it up in Firefox. Click to Select All, then Copy. You can then paste in your mailer, when you compose as HTML (for example, with Thunderbird).

Just to reiterate, this issue is currently at level annoyance, unless someone manages to produce an HTML file that can crash Firefox. If you manage to do so, please file a bug report at http://bugzilla.mozilla.org/ and specify the security setting so that the bug gets high priority.
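On the receiving side, a webmail service or mail gateway can neutralise this markup before it reaches the renderer. The following is an added example, not part of the original post or of any mail product: `clampDimensions` and the `MAX_PIXELS` limit are assumed names and values, and the sample input is built from the test file above.

```javascript
// Added example: flag and clamp oversized WIDTH/HEIGHT values in untrusted HTML.
// MAX_PIXELS is an assumed limit for this sketch, not a browser constant.
const MAX_PIXELS = 4096;

function clampDimensions(html, max = MAX_PIXELS) {
  const findings = [];
  // Opening tags only; closing tags and <!DOCTYPE> do not match.
  const tagRe = /<([a-z][a-z0-9]*)\b([^<>]*)>/gi;
  // width/height as whole attribute names (not data-width), any quoting style.
  const attrRe = /(?<![\w-])(width|height)(\s*=\s*)("[^"]*"|'[^']*'|[^\s"'<>]+)/gi;
  const cleaned = html.replace(tagRe, (tag, name, attrs) => {
    const fixed = attrs.replace(attrRe, (attr, key, eq, raw) => {
      const value = raw.replace(/^["']|["']$/g, "").trim();
      // Percentages and other non-integer values are left untouched.
      if (!/^\d+$/.test(value) || Number(value) <= max) return attr;
      findings.push({ tag: name.toUpperCase(), attribute: key.toUpperCase(), value });
      return `${key}${eq}${max}`;
    });
    return `<${name}${fixed}>`;
  });
  return { cleaned, findings };
}

// Sample input constructed from the test file in this post, plus two variants.
const SAMPLE_MAIL = [
  "<TABLE WIDTH=100% BORDER=0 CELLPADDING=2 CELLSPACING=2>",
  "<TR><TD><HR WIDTH=143165425 ALIGN=RIGHT></TD></TR>",
  "</TABLE>",
  "This is a test.",
  '<HR WIDTH="143165425" ALIGN=RIGHT>',
  "<HR WIDTH=300>",
].join("\n");

const result = clampDimensions(SAMPLE_MAIL);
console.log(result.findings);
console.log(result.cleaned);
```

This is a conservative text-level filter: it may also clamp a matching string that happens to sit inside another attribute's quoted value, which is harmless for mail display.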

Firefox 3 statistics, and the Greek language

Firefox 3 was released on the 17th June, 2008 and up to now, an impressive 22 million copies have been downloaded.

kkovash had a peek at the stats and produced a nice post with diagram for the downloads of the localised versions of Firefox 3 (that is, excluding en-US).

Firefox 3 Downloads; part of EMEA region, focus on Greece

Downloads at [Release+3] days (20th June 2008)

Dark red signifies that there have been more than 100,000 downloads originating from the respective country. It is quite visible that most European countries managed to surpass the 100,000 threshold. Greece at that point was hovering at about 50,000 downloads. In the Balkan region, Turkey was the first country to grab the red badge.

It is interesting to see that Iran has been No 2 in the whole of Asia (No 1 has been Japan). Only now has China managed to reach second place, pushing Iran into third place. When taking into account the population gap and the political situation, Iran achieved an amazing feat.

In the first few days, a few countries only managed to jump fast over the 100K mark. It appears that these countries have strong social network communities, that urged friends to grab a copy of Firefox 3.

Firefox 3 downloads, showing Greece, with Red status

This is a recent screenshot (26th June 2008), at [Release+9] days. Greece achieved Red status the other day. In the Balkan region, Turkey, Romania and Bulgaria had reached 100,000 first.

In the EU region, it is notable that Ireland, at 76,000 downloads, is lagging behind.

Another observation is that the countries from Africa are lagging significantly from the rest of the world. Low broadband Internet penetration and limited number of Internet users is likely to be the reason.

How many downloads have there been for the Greek localisation of Firefox 3?

kkovash reveals that there have been about 60,000 downloads for the Greek localisation of Firefox 3. This would approximately mean that more than 60% of the downloads in Greece have been for the localised version. Great news.

Today you’ll make history with Firefox

Are you ready to make history? Are you ready to set a World Record? Today is Download Day. To become part of the official Guinness World Record you must download Firefox 3 by 17:00 18:15 UTC on June 18, 2008, or roughly 24 hours from now.

Download page with live download statistics

The sender of this email is Mozilla Corporation, 1981 Landings Drive, Bldg. K, Mountain View, CA 94043-0801.

Did you receive your notification for your pledge?

The Firefox Download Day has just started. We are already one and a half hours into the download day. See the download countdown, which shows until when your downloads count for the record attempt.

Mozilla.com is currently very slow due to the repeated attempts to download. I hope the issue is resolved soon.

Update +2 hours: Now it works; when you visit the download page, it now shows correctly that Firefox 3.0 is available for download.

Update +16 hours: The download count reached 5,400,000 downloads. It is good to drive it higher. You can get your national download total, and ask your friends and family to help increase it.

Update +20 hours: The download count is over 6,000,000 downloads. Due to the technical issues at the start of the record attempt, the deadline for downloads has been extended by one hour and 15 minutes.

Update +24 hours: The download count is nearing 8,000,000 downloads. We have a bit more than an hour to go (due to the technical issue that delayed the start of the downloads). Can we make it to 8 million?

Update +25 hours: We did it! 8 million downloads in 24 hours! World record!

Update +30 hours: The world record attempt has been completed. Still, the Firefox 3 downloads continue. At the moment we surpassed 9.4 million downloads and counting.

Firefox Download Day Today! Check the start time!

Tuesday, 17th June 2008, is the Firefox 3 download day.
Download Day
For the world record attempt, check the start time for your location before downloading Firefox.

If you are located in Athens, Greece, we start at 20:00, Tuesday 17th June 2008.

If you are located in London, UK, we start at 18:00, Tuesday 17th June 2008.

Check the correct start time for your location.

Download Firefox 3!
Download Day - English
For more information, see http://www.spreadfirefox.com/

thersa.org.uk, infected.

Probably through SQL injection, this page of thersa.org.uk links to a JavaScript file from some server in China.

The screenshot shows that the thersa.org.uk website has been infected, and users that visit it end up running malicious JavaScript code in their browsers. The code loads JavaScript files from the .cn and the .la domains.

There is a reference in one of the files to a cookie named killav (Kill Antivirus?) that may disable some antivirus programs.

In addition, one of the JavaScript files checks which browser you have. If you have Internet Explorer 6 or 7, it loads some exploit which attempts to run binary code. If this succeeds, you are infected. If you have Firefox, it does not attempt to perform an infection, and it goes to the next phase.

The next phase is to open up pages to sites in China. It appears to me that the business plan in that case is to generate revenue from ad hits.

The worst thing however is if you get infected. Unpatched Windows systems are at the mercy of these attackers.

One way to mitigate such risks is to use Mozilla Firefox, and have the NoScript add-on installed.
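For a site operator, the same kind of injection can be caught by auditing which hosts a page loads scripts from. The following is an added example, not part of the original post: `auditScriptSources`, the allow-list and the sample page with its hostnames are constructed for illustration.

```javascript
// Added example: report <script src> hosts that are not on the site's allow-list.
// Inline scripts (no src attribute) are out of scope for this check.
function auditScriptSources(html, pageUrl, allowedHosts) {
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  // src as a whole attribute name (not data-src), any quoting style.
  const scriptRe = /<script\b[^>]*?(?<![\w-])src\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+)/gi;
  const findings = [];
  for (const match of html.matchAll(scriptRe)) {
    const src = match[1].replace(/^["']|["']$/g, "");
    let host;
    try {
      // Resolve relative and protocol-relative URLs against the page URL.
      host = new URL(src, pageUrl).hostname.toLowerCase();
    } catch {
      findings.push({ src, host: null, reason: "unparseable src" });
      continue;
    }
    if (!allowed.has(host)) {
      findings.push({ src, host, reason: "host not on allow-list" });
    }
  }
  return findings;
}

// Constructed sample page; all hostnames are placeholders.
const PAGE_URL = "http://www.example.org/page.asp";
const ALLOWED = ["www.example.org", "static.example.org"];
const SAMPLE_PAGE = [
  '<html><head><script src="/js/menu.js"></script>',
  "<script src='//static.example.org/lib.js'></script></head>",
  "<body><p>Welcome</p>",
  "<script src=http://cdn.injected.example/b.js></script>",
  "</body></html>",
].join("\n");

console.log(auditScriptSources(SAMPLE_PAGE, PAGE_URL, ALLOWED));
```

Run against a crawl of the site's own pages, an unexpected host in the output is the signal to inspect the page source and the database content behind it.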

Update 5 June 2008:

The RSA updated their website by moving it away from Windows and ASP, to open source software. They are using Centos Linux, Apache, and an open-source CMS. Therefore, the above security risk does not apply any more.