Archive for the 'Mozilla' Category

Browser stats from search referrals

Sunday, July 25th, 2004

For visitors who reach my site through Google searches, browser percentages vary widely depending on search terms. In general, geekier terms have a higher percentage of Mozilla users. I analyzed stats for 35 days in June and July 2004 using a hacky batch file.

| Search phrase | Total hits | IE | Mozilla | Safari | Opera | Other |
|---|---|---|---|---|---|---|
| burning edge | 946 | 170 | 731 (78%) | 26 | 15 | 4 |
| firefox nightly | 586 | 107 | 438 (75%) | 29 | 12 | 0 |
| bookmarklet | 2067 | 568 | 1296 (63%) | 123 | 68 | 12 |
| gmail | 1151 | 781 | 312 (27%) | 15 | 43 | 0 |
| jibjab mirror | 103 | 76 | 23 (22%) | 2 | 2 | 0 |
| best porn | 176 | 135 | 31 (18%) | 6 | 3 | 1 |
| good porn | 222 | 187 | 22 (12%) | 10 | 2 | 1 |
| google home page | 436 | 404 | 20 (5%) | 6 | 3 | 3 |

Stats for some of these search terms are skewed toward Mozilla not because the search terms themselves are geeky but because "Firefox" or "Mozilla" appears in the title of the result page on my site. Searches for "good porn" and "best porn" lead to a page on my site titled Why Mozilla Firefox is the best porn browser. Searches for "how to get a gmail" lead to my blog entry titled Help make Firefox better and get a Gmail invitation!.

By the way, over 50% of total hits to my site are Mozilla :)

Cookies are no longer delicious delicacies

Saturday, July 24th, 2004

<blake2> congratulations mconnor
<blake2> you just destroyed a legend!

Today Mike Connor replaced "Cookies are delicious delicacies." in Firefox's options with "Cookies are pieces of information stored by web pages on your computer. They are used to remember login information and other data."

Blake's famous placeholder text even appeared in a book, O'Reilly's Google: The Missing Manual:

As of this writing, Firefox is still in the testing, or beta, stage (version 0.8), which sounds dicey. But in fact, it's definitely far enough along that anyone can use it with confidence. The underlying technology is the same as Mozilla's, so problems tend to show up in things like the occasional misspelled menu item or a cookie setting that includes the observation, "Cookies are delicious delicacies," inserted by an engineer with a wacky sense of humor.

(O'Reilly sent me a free copy of the book because it dedicates several pages to my search bookmarklets. The authors of the book say several useful things about my bookmarklets that I didn't know!)

<blake2> how times have changed. I guess we really are shipping something.

Company blocks employees from using IE

Wednesday, July 21st, 2004

mgaugusch's 70-person company not only prepared Firefox for network install, but it also used Squid to block Internet Explorer from accessing sites other than Windows Update and the company's own site. The company does not prevent employees from using other browsers, such as Opera, although Opera users may have to change their user-agent setting so that Opera stops identifying itself as IE. (Via mgaugusch's post on MozillaZine.)

100 up-to-date Firefox extensions

Saturday, July 10th, 2004

update.mozilla.org now has 100 Firefox extensions that work in 0.9. Extensionroom has 195, but many of them only work in older versions.

History of my Mozilla involvement

Saturday, July 10th, 2004

Slashdot was responsible for my initial involvement in the Mozilla project. It might have been this article or it might have been a comment (such as mpt's) in another article.

The first Mozilla build I used was M13. I reported my first bug in February 2000, when I was a senior in high school.

At first, I only reported and triaged bugs. Then I started writing testcases for layout bugs, participating in user interface design, and finding security holes. Now I'm also writing patches for UI bugs.

Things that encouraged me to continue contributing when I was a newbie:

  • Eli Goldberg's comment in my first bug report.
  • My sixth bug report, which was about pop-up windows, getting forty votes, including at least ten due to a comment I posted on Slashdot. At the time, that was enough to put it in the top ten!
  • Some of my bug reports getting fixed quickly.
  • Asa's enthusiastic email to me when he gave me the ability to confirm and edit bug reports in Bugzilla.
  • Communicating with other Mozilla community members not only through Bugzilla but also through IRC.

Character Encoding UI in Firefox

Friday, July 9th, 2004

There seem to be five ways to set character encodings in Firefox.

  1. Options > General > Languages > Default character encoding
  2. View > Character Coding > Auto-Detect > (select a language or "Off" or "Universal")
  3. View > Character Coding > More > (select an encoding)
  4. View > Character Coding > Customize > Active character encodings
  5. View > Character Coding > (select an encoding)

What do these options do? How do they interact? How can the options and how they interact be made more clear in the UI, or even in Help? Note that I only have a vague idea of what a character encoding is and why a user would need to select one.

Google didn't get me far. Help in Firefox only says "View > Character Coding: Allows you to manually change the character encoding on a Web page. Firefox usually does this automatically." Bug 181541 comments 61 and 62 helped me understand a little.

I have another convert

Friday, July 9th, 2004

MontyDrei:

Holy crap, Mozilla Firefox is awesome. I wish I had converted earlier.

He was this missionary who brought me out of darkness into the light of Firefox.

I installed Firefox on his computer in order to write a bookmarklet for him. And in order to convert him, of course.

Race conditions in security dialogs

Thursday, July 1st, 2004

I discovered arbitrary code execution holes in Firefox, Internet Explorer, and Opera that involve human reaction time. One version of the attack works like this:

[Captcha image; alternate text: "The secret word fills the blank in the sentence 'If ____ web developers would use alternate text correctly!' It is all lowercase."]

The page contains a captcha displaying the word "only" and asks you to type the word to verify that you are a human. As soon as you type 'n', the site attempts to install software, resulting in a security dialog. When you type 'y' at the end of the word, you trigger the 'Yes' button in the dialog. I made a demo of this attack for Firefox and Mozilla.

Another form of the attack involves convincing the user to double-click a certain spot on the screen. This spot happens to be the location where the 'Yes' button will appear. The first click triggers the dialog; the second click lands on the 'Yes' button. I made a demo of this attack for Firefox and Mozilla.

These types of attack work on any security dialog that can be triggered by untrusted content. The attack is most useful in a dialog where one of the buttons means "Yes, let this untrusted content run arbitrary code". Firefox has such a dialog in the form of the extension installation (XPI) dialog. Similarly, Internet Explorer has the ActiveX installation dialog and Opera has an "Open" button for downloaded executables. Programs other than browsers might also be vulnerable.

Firefox's solution, from bug 162020, is to delay enabling the "Yes"/"Install" buttons until three seconds after the dialog appears. I believe that this is the only possible fix other than completely denying untrusted content the ability to pose the dialog. Unfortunately, this fix is frustrating for users who install extensions often.

Some users have been intentionally lowering the delay to 0 seconds, which frustrates me. These users think the delay was added merely to force everyone to read the dialog. It surprises me that these users were not able to figure out the security hole given the fix. Ironically, advanced users are the most susceptible to these attacks, because they type and double-click faster than they react to unexpected stimuli.

It might be possible to lower the delay to less than three seconds, making it less annoying, without jeopardizing security. Designing experiments to determine the minimum "safe" delay would be tricky. You would want to do everything an attacker could do to increase participants' reaction time: give them a complicated task, make new rectangles appear every second to make the dialog less unexpected, etc.
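The button-enable delay and the question of a minimum "safe" delay, as an added example that is not part of the original post and is not Firefox's code: a timing model that replays constructed input traces against a dialog whose "Yes" control stays disabled for a configurable time. The button geometry, event timings and function names are assumptions made for illustration.

```javascript
// Added example: timing model of a security dialog whose "Yes" control is
// disabled for enableDelayMs after the dialog appears. Times are in ms.
const ACCEPT_KEY = "y"; // keystroke that activates "Yes", as in the post
const YES_BUTTON = { x: 400, y: 300, w: 80, h: 24 }; // constructed geometry

function isAcceptInput(ev) {
  if (ev.type === "key") return ev.key === ACCEPT_KEY;
  return ev.type === "click" &&
    ev.x >= YES_BUTTON.x && ev.x < YES_BUTTON.x + YES_BUTTON.w &&
    ev.y >= YES_BUTTON.y && ev.y < YES_BUTTON.y + YES_BUTTON.h;
}

// Replay input events against a dialog that appears at shownAt.
// Accept-like input arriving while the control is disabled is swallowed.
function replay(events, shownAt, enableDelayMs) {
  let swallowed = 0;
  for (const ev of events) {
    if (ev.t < shownAt || !isAcceptInput(ev)) continue;
    if (ev.t - shownAt >= enableDelayMs) return { accepted: true, swallowed };
    swallowed++;
  }
  return { accepted: false, swallowed };
}

// Smallest delay that swallows every accept-like input in a trace of
// input the user meant for the page rather than for the dialog.
function minBlockingDelay(events, shownAt) {
  const late = events.filter(ev => ev.t >= shownAt && isAcceptInput(ev));
  return late.length ? Math.max(...late.map(ev => ev.t - shownAt)) + 1 : 0;
}

// Constructed trace: typing "only"; the dialog opens 50 ms after the 'n'.
const typing = [
  { t: 0, type: "key", key: "o" }, { t: 120, type: "key", key: "n" },
  { t: 240, type: "key", key: "l" }, { t: 360, type: "key", key: "y" },
];
// Constructed trace: double-click; dialog opens 40 ms after the first click.
const doubleClick = [
  { t: 0, type: "click", x: 420, y: 310 },
  { t: 150, type: "click", x: 420, y: 310 },
];
// Constructed trace: a user reads the dialog and clicks "Yes" 4 s later.
const deliberate = [{ t: 4170, type: "click", x: 420, y: 310 }];

console.log(replay(typing, 170, 0));         // delay lowered to 0
console.log(replay(typing, 170, 3000));      // three-second delay
console.log(replay(deliberate, 170, 3000));  // intended click still works
console.log(minBlockingDelay(typing, 170));  // bound for this one trace only
```

The value from `minBlockingDelay` is a lower bound for a single recorded trace, not a safe setting; choosing a real delay needs the reaction-time experiments described above.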

It might make sense to make the dialog appear only after the user clicks a statusbar indicator that means "This web site wants to install software". This would get rid of the problem of choosing a delay, and it wouldn't require users who want to install extensions to wait.