Disqus - Latest Comments for Johnathan Nightingale

Re: Google china

Johnathan Nightingale — Thu, 29 Mar 2007 08:53:32 -0000

So is it what they say? I assume it isn't your first trip to China, but does the day to day experience reflect the constant tumult and reinvention that have launched a thousand business books in the last 5 years?

Inquiring minds who have never been want to live vicariously!

Re: might be over-caffeinated

Johnathan Nightingale — Mon, 21 May 2007 22:03:34 -0000

My brother, one Christmas, possibly as a joke, bought me this:

http://www.amazon.com/Caffeine-Advantage-Physic...

Since you are someone who is both a reader and (evidently) a caffeine sink, I thought you might find it interesting. As the review comments on Amazon suggest, it's open to some interpretation whether or not the authors have any skin in the game. It's equally open to discussion as to whether they reason effectively from the facts they present.

Nevertheless, the facts are scrupulously documented with cites to primary sources, which is generally a positive thing. In a nutshell, they point out several things which are not too mind blowing, but nice to know anyhow, to wit:

- that caffeine is a pretty effective broad-based system-waker-upper
- that in addition to raw alertness, caffeine improves a whole host of cognitive and physical dimensions in measurable ways that do not degrade with repeated use
- that a lifetime of use isn't correlated with increased mortality or decreased health in any particularly measurable way, but
- that if you're pregnant, or have a history of sensitivity, or are suffering from diet-coke-scurvy, it might be wise to consider getting more sleep and orange juice.

I'd lend you my copy, but if the legends are true, you'll have read it by the next time I see you. Indeed, if the legends are true, you've already read it.

Re: Beta Users and Security Releases

Johnathan Nightingale — Sun, 06 Apr 2008 22:25:27 -0000

My guess is that the FF3 betas will have more than a million users before release. If we arrange it so that those users become beta-update-channel users for 3.0.x, it seems to me you'll have more beta channel than you know what to do with for at least the first several stability releases, no? It might take that long for the new hotness to be worth switching to, and even still, I imagine your stragglers will number in the hundreds of thousands, maybe?

Are we rigged for that approach right now?

Re: Firefox 3: Site Identification button

Johnathan Nightingale — Tue, 06 May 2008 11:16:39 -0000

@Richard: If we don't rely on domain-verification, then I can set up camp in a hotel lobby or an airport or wherever people and laptops congregate, and start intercepting traffic to, say, https://www.paypal.com. I can generate my own certificates which claim that I am the real paypal.com, and I can put convincing looking details in. Tools like ettercap make this entire attack point-and-click simple (right down to spoofing the certificate contents).

The only thing that tells you it's not the real paypal.com is that no trusted third party has signed off on my certificate. When Firefox shows me that the domain has been confirmed, it is saying that this kind of attack is not happening; that the site I am visiting is presenting an up-to-date *and verified* certificate confirming that they are the legitimate owner of that domain.

As Deb points out, you also really want to know if this website is the "real" paypal - and that's where the distinction between basic and extended verification comes in. A basic certificate is only trusted to confirm the domain name. Some CAs do more work than that, but not in a way we can easily detect and verify. An extended certificate can only be issued by CAs that agree to follow specific practices in terms of identity verification, and to be regularly audited on those practices - for those ones, we can know not only that the real domain owner is in control, but also who that domain owner is.

Is that a helpful example?

Re: Firefox 3: Site Identification button

Johnathan Nightingale — Tue, 06 May 2008 11:42:55 -0000

@LpSolit - That's an interesting question. Certainly it seems on the surface like you wouldn't want to permanently trust a suspicious certificate, right?

But if a typical user hits this only on a few sites, maybe on their college webmail server and their friend's private photo sharing site, then with permanent exceptions, this UI is a rare thing for them, and probably doesn't habituate them into blind click-through. If the default is temporary and they don't notice to change it, dismissing this warning becomes much more commonplace (just like FF2's dialog box). The best way to help users see the sites they want to see, and notice when a site that used to have valid credentials starts having invalid ones, may well be to default them to permanent exceptions for the ones they know they can trust, so that after a week's browsing, they never see this UI again until something bad happens.

This approach has another benefit too - if someone ever attempts to attack the college webmail server they've added a permanent exception for, the certificates will no longer match, and the error will come back. So even for a site without a verified identity, exceptions act like a kind of "manual verification" and mean that attempts to attack THAT site also stick out.

Re: Firefox 3: Site Identification button

Johnathan Nightingale — Tue, 06 May 2008 11:49:15 -0000

@rwg, giovanni - We absolutely do consider the accessibility implications of any change to our UI. Deb focused on the color here because it's certainly how most people will experience it, but the popup text is different in each of the three cases, as is the tooltip hover text on the button. The SSL states (green and blue) also contrast more with the background chrome than the default, gray state. We have also made sure that our access keys and screen-reader affordances are wired up properly, so that people with other vision impairments can still make use of the interface.

I would recommend that color blind users (or others, for that matter) also consider changing the browser.identity.ssl_domain_display pref in about:config. Changing this from 0 to 1 causes the verified domain to be displayed in the button for basic-identification sites. It takes up some location bar space, obviously, and came too late for us to land it in Firefox 3 as a default, but it does give you much more noticeable feedback about the identity of sites you visit.

Re: A Case Against DNSSEC, Count 1: Solves A Non-Problem

Johnathan Nightingale — Tue, 03 Apr 2007 14:29:06 -0000

I need to know, NEED to know, whether you and I both arrived at a blue passport dude for CAs independently within a month of each other.

http://blog.johnath.com/index.php/2007/03/21/re...

(And yes, of course neither of us invented the idea, nor am I implying we're particularly brilliant for invoking it, but nevertheless it sort of caught my eye.)