Jeff Rivett has worked with and written about computers since the early 1980s. His first computer was an Apple II+, built by his father and heavily customized. Jeff's writing appeared in Computist Magazine in the 1980s, and he created and sold a game utility (Ultimaker 2, reviewed in the December 1983 Washington Apple Pi Journal) to international markets during the same period. Proceeds from writing, software sales, and contract programming gigs paid his way through university, earning him a Bachelor of Science (Computer Science) degree at UWO. Jeff went on to work as a programmer, sysadmin, and manager in various industries. There's more on the About page, and on the Jeff Rivett Consulting site.

All posts by jrivett


Firefox 23 released

Another new version of Firefox was made available yesterday. Along with the usual crop of security bug fixes, version 23 sports a few changes worthy of mention:

  • A shiny new logo.
  • A Network panel was added to the Web Developer Tools. This panel shows the network activity associated with web browsing, including load times.
  • The HTML text ‘blink’ attribute has been removed. Blinking text has fallen out of fashion, and it’s generally seen as not user-friendly and non-accessible.
  • The ‘Disable Javascript’ setting has been removed from the Options dialog. The developers feel that since disabling Javascript causes many web sites to fail, the option should be hidden. The Javascript options are still accessible via about:config.
  • The ‘Load images automatically’ setting was removed from the Options dialog. Again, the developers decided that this option was too dangerous for most users. You can still find the setting in about:config.
  • The ‘Always show the tab bar’ setting was removed from the Options dialog. Like the other removed settings, somehow this option was felt to be too dangerous for most users. You can still find the setting in about:config.

Firefox version announcements still lacking

Update 2016Jan06: The release notes page for Firefox 23.0 no longer exists. It was moved to an archive site by Mozilla, but must have been lost in the process. There’s a broken link to the missing page on the Releases/Old/2013 page.

As always, there was no proper announcement for this release. I discovered the new version when I was reading Hacker News. I’ve outlined the problems with Firefox’s online resources in several previous posts, so I’ll just provide a brief list here. Suffice to say that nothing has improved since Firefox 22.

  • According to Mozilla, the Mozilla Blog is where new versions of Firefox are announced. The blog has an RSS feed, which is good, and whenever a new version of Firefox becomes available, there is usually at least one post on the blog that describes some of the new version’s features. But these posts do not qualify as release announcements, because they never mention the new version number, or even that there is a new version! Here’s the ‘announcement’ for Firefox 23: Firefox Makes it Easy to Share Your Favorite Content with Friends & Family.
  • The main release notes page has several problems, all of which would result in a failing grade in any ‘Web Pages 101’ course:
    • the page’s title makes no mention of the version;
    • the version isn’t mentioned in any of the page’s headings;
    • the first text on the page reads "Firefox Notes (First offered to release channel users on…", which makes it sound as though some ‘notes’ are being offered, not a specific version of Firefox;
    • the version is only visible in the page’s URL, which is barely human readable, and in an aside that thanks contributors.
  • A link on the release notes page titled ‘complete list of changes‘ points to a list of bugs in Mozilla’s bug tracking system. The list is huge, and the information is highly technical and not really intended for regular users.
  • The main download page never mentions the version, although all of the download links point to the most recent version.
  • The hidden ‘security advisories‘ page lists Firefox security vulnerabilities by the date on which they were first reported by Mozilla, with no indication of which vulnerabilities have been fixed, or when they were fixed. This is somewhat mitigated by the also hidden ‘known vulnerabilities‘ page, which lists security vulnerabilities and the versions of Firefox in which they were fixed.

Opera 12.16 and 15.0

Version 12.16 of Opera contains only a minor change, to the code signing certificate.

It appears that the classic Opera browser is soon to become extinct. Opera’s developers decided to toss out their distinctive browser and the ‘Presto’ engine on which it was based. Instead, starting with version 15.0, Opera will be based on the Webkit engine. As a result, Opera 15.0 is virtually indistinguishable from Google Chrome. If there’s a specific reason you’ve avoided Chrome in the past, that reason now applies equally to Chrome. For instance, Chrome has no sidebar feature, and now neither does Opera.

I have been unable to discover how long Opera’s developers will continue to update and support the 12.x series browser.

Opera version 15.0 is now available, but I can’t bring myself to recommend it. If you want to try it, just look at Chrome.

The perils of saving passwords in your web browser

Web browsers want to make your life easier, which is why they all offer to store web site userids and passwords. But if you thought this was a safe way to store passwords, you’d be wrong. Still, some browsers handle this better than others.

Lock Your Computer

First of all, regardless of which web browser you use, if a person has access to your computer while you are logged in, and you allow your browser to store passwords, you should assume that the person now knows all your web site passwords. Simple techniques can be used to trick any web browser into displaying otherwise obfuscated (e.g. ‘*****’) passwords as plain text. This is yet another reason – as if you needed one – to always lock your computer when you walk away from it. Most operating systems have a setting that locks your computer for you after a period of inactivity. This is the only way to be at all secure; access to your logged-in computer potentially gives intruders access not only to your passwords, but also to all of your documents.

Password saving features in web browsers

Given the above, does it even make sense to worry about how your web browser handles saved passwords? There are arguments for both points of view. From my perspective, security should be layered: getting past one security hurdle shouldn’t open up everything. So if you allow your browser to save passwords, you should consider using the browser’s settings to secure those passwords. The four browsers I use handle passwords with varying degrees of security:

  • Firefox: Prompts to store passwords. By default, shows your saved passwords to anyone who looks in the settings. You can set up a master password to control access to the stored passwords; you will be prompted for the master password once per session, and when you try to show your passwords.
  • Opera: Prompts to store passwords. Doesn’t show passwords anywhere. You can set up a master password to control access to the stored passwords, which you will be prompted for once per session and at set intervals.
  • Internet Explorer: Prompts to store passwords. Doesn’t show passwords anywhere. No master password.
  • Google Chrome: Prompts to store passwords. Shows passwords to anyone who looks in the settings. No master password.

Google Chrome stands out in this list, since it both shows your passwords, and has no master password feature. Elliot Kember recently wrote about this, describing Chrome’s password handling as ‘insane’. I’m not sure I would go that far, but Chrome clearly needs a master password feature.

I’d like to see all web browsers show a prominent warning to any user who uses a password saving feature: “WARNING: saved passwords can be retrieved extremely/relatively easily. Always lock your computer when you leave it unattended.”

Update 2013Aug11: Here’s Google’s response.

Update 2013Aug25: Tim Berners-Lee (the person who invented the World Wide Web) weighs in. tl;dr – he agrees that Chrome should at least have a master password.

Web advertising networks: the next malware attack vector?

Researchers speaking recently at the Black Hat Briefings in Las Vegas showed that the Javascript used by most advertising networks could be compromised by a malicious third party. The malicious code could then run in any web browser configured to allow advertising.

Hold on. Wouldn’t the people responsible for the advertising networks and the associated Javascript notice the problem and fix it? Possibly. But not always. If you’re like me, you’ve seen more than a few messed up web ads. A seriously broken web ad can prevent a web page from displaying properly or cause it to load very slowly. It’s one of the many reasons why people use script blocking technology like NoScript.

It’s difficult to predict whether malware purveyors will start using the ad networks like this. But if they do, you can bet we’ll see a surge in script and ad-blocking software installations. Since advertising is the primary source of revenue on the web, this will get the attention of the advertisers, who would hopefully then institute better quality control.

The back-room wrangling that dictates your online experience

Okay, so this isn’t exactly news, in the sense of being new. But it is interesting. And it most definitely does matter, to anyone who uses the Internet.

If you’ve ever wondered why Youtube videos are suddenly buffering, or why that download is taking so long, you probably assumed that the server was overloaded, or your Internet provider was having infrastructure issues. But there may be a deeper cause.

A handful of organizations – mostly commercial in nature – provide the backbone of the Internet: the network hardware that makes up the core of the net. Since its inception, these organizations have engaged in negotiations about how they move data amongst themselves. When the commercial web got off the ground, these negotiations began to involve large amounts of money. As with all negotiations, all parties try to get what they want for the least amount of effort and expense. The difference is that in these negotiations, when one party is unhappy with the results, they can make their feelings known by downgrading the service they provide.

All of these negotiations happen without much fanfare, and the fights ebb and flow according to changing technology and the rise and fall of the fortunes of individual companies. The net effect for Internet consumers is inexplicable changes in Internet speeds.

Ars Technica has a terrific overview of this process and its ramifications. It’s a long read, but well worthwhile. Maybe you can read it while you’re wating for that Youtube video to finish buffering…

Canada’s new anti-spam law

Canada is late to the game when it comes to anti-spam laws, but with the recent passing of the “Canadian Anti-Spam Legislation” (CASL), it’s about to get a lot harder for spammers to do their work here (yes, I’m in Canada).

As with other anti-spam laws, the focus of CASL is consent. The following activities will become illegal with the new law: sending a commercial electronic message to a recipient without the recipient’s consent; installing software on a recipient’s computing device without their consent; and altering electronic messages during transmission without the recipient’s consent.

Other activities that will become illegal with the new law include: collection of personal information through access to computing devices; and harvesting electronic addresses from the Internet through automated methods for the purposes of building bulk email recipient lists.

There is no set timeline for enforcement of CASL to begin, but it should be within a few months, and certainly by the end of 2013. Once the law becomes official (comes into force), immediate compliance is expected. However, there will be a three year transitional period during which consent may be assumed for existing relationships.

Several different agencies will be involved in enforcement of the new law: the CRTC, the Competition Bureau, and the Office of the Privacy Commissioner.

Additional highlights:

  • Any commercial electronic message is assumed to be illegal, although there are exceptions.
  • Potential recipients of commercial electronic messages cannot be added to recipient lists automatically. Explicit consent to receive such messages must be given by the potential recipient. In other words, commercial email list subscription must be “opt-in” instead of “opt-out”.
  • Software must not be installed automatically on customer computers. This part of the law is meant to curtail the forced installation of unwanted software along with other (wanted) software.

The new law will present serious challenges to commercial organizations, so it would be wise for all such organizations to begin assessing its impact immediately. Penalties will typically take the form of very steep fines: up to ten million dollars.

An official FAQ for the new law is available.