My Addons (2)

My last post on this topic aroused some interest. Here’s the current status of my addons, according to my research.

| Name | Legacy? | No-e10s? | Solution |
|---|---|---|---|
| Adblock Plus | Y | N | They seem to be working on it. Install from here but you need to disable addon signing. |
| Bookmarklets Context Menu | N | N | Works |
| Cleanest Addon Manager | Y | N | Emailed author, but port very unlikely to be possible due to lack of API to alter chrome |
| HTTPS Everywhere | Y | N | They seem to be working on it |
| JSONView | Y | N | Enable Firefox’s built-in JSON viewer |
| Mailman-admin-helper | N | N | Works |
| Qotter Copy & Show | N | N | Works |
| Send to Kodi | Y | N | Bug filed, author says he’s planning to do it, but no progress; port should be possible |
| Vidyo Replay Download | N | N | Works |
| Wayback Machine | N | N | Works |
| 1-Click YouTube Video Downloader | Y | Y | Switch to YouTube Video and Audio Downloader |
| About Startup | Y | Y | Emailed author: not possible to port to WebExtensions |
| Activity Stream | N | N | Works |
| Advertising Cookie Opt-Out | Y | Y | Replaced by this addon, but that one is still legacy. Asked my Google contact to file a bug. |
| AutoAuth | Y | Y | Addon has ceased development due to the changes :-(; Chrome option “has a plan for Firefox”. |
| AutoHiDPI | Y | Y | Bug filed, author will look into it but no progress; port may not be possible due to lack of arbitrary pref API |
| Expiry Canary | Y | Y | My addon; I believe it’s not possible to update due to lack of SSL APIs in WebExtensions |
| geckoprofiler | Y | N | New version available from here |
| Google Translator for Firefox | Y | Y | Switch to Google Translator (webextension) |
| HTTP Logout | Y | Y | Perhaps some interest; emailed author, who says he has little time |
| Jidesha | Y | Y | Enables screensharing; not needed since Firefox 52 |
| LinkChecker | Y | Y | Original website gone away; can’t find non-legacy alternative |
| Live HTTP Headers | Y | Y | Use Firefox’s dev tools |
| Mass Password Reset | Y | Y | Abandoned by authors; doesn’t seem like there are password APIs |
| Min Vid | N | N | Works |
| MoCo Authorizer | Y | Y | Emailed author; seems like some function may be portable but not all |
| MoCo SSO Tweaks | Y | N | Mozilla is moving away from Okta |
| No Flash | Y | Y | Bug filed; it may be that the extension is no longer needed |
| RESTClient | Y | Y | Switch to RESTED |
| Tab Center | N | N | Works |
| Test Pilot | N | N | Works |
| TiddlyWiki for Firefox | Y | Y | Bug filed on e10s work but no progress; porting would be a very big job |
| UAControl | Y | Y | Switch to User Agent Switcher (revived) and Custom UserAgent String |
| Ubuntu Modifications | Y | Y | Ignore; doesn’t do anything useful |
| User Agent Switcher | Y | Y | Switch to User Agent Switcher (revived) and Custom UserAgent String |
| User Agent JS Fixer | Y | Y | Switch to User Agent Switcher (revived) and Custom UserAgent String |
| YouTube Downloader – 4K Download | Y | Y | Switch to YouTube Video and Audio Downloader |

So the situation is not terrible, but it’s not awesome either. Several useful extensions, particularly those that modify the chrome or the browser behaviour, or which tweak prefs, are simply not replaceable in the new world.

My Addons

Firefox Nightly (will be 56) already no longer supports addons which are not multiprocess-compatible. And Firefox 57 will not support “Legacy” addons – those which use XUL, XPCOM or the Addons SDK. I just started using Nightly instead of Aurora as my main browser, at Mark Mayo’s request :-), and this is what I found (after doing “Update Addons”):

  • Addons installed: 37
  • Non-multiprocess-compatible addons (may also be marked Legacy): 21 (57%)
  • Legacy addons: 5 (14%)
  • Addons which will work in 57, if nothing changes: 11 (29%)

Useful addons which no longer work as of now are: 1-Click YouTube Video Downloader, Advertising Cookie Opt-Out, AutoAuth, Expiry Canary (OK, I wrote that one, that’s my fault), Google Translator, Live HTTP Headers, Mass Password Reset, RESTClient, and User Agent Switcher.

Useful addons which will also no longer work in 57 (if nothing changes) include: Adblock Plus, HTTPS Everywhere, JSONView, and Send to Kodi.

I’m sure Adblock Plus is being updated, because it would be sheer madness if we went ahead and it was not being. As for the rest – who knows? There doesn’t seem to be a way of finding out other than researching each one individually.

In the Firefox (I think it was) Town Hall, there was a question asked about addons and whether we felt that we were in a good place in terms of people not having a bad experience with their addons stopping working. The answer came back that we were. I fully admit I may not be a typical user, but it seems like this will not be my experience… :-(

Root Store Policy 2.5 Published

Version 2.5 of Mozilla’s Root Store Policy has now been published. This document incorporates by reference the Common CCADB Policy 1.0.1.

With this update, we have mostly worked through the backlog of modernization proposals, and I’d call this a policy fit for a transparent, openly-run root program in 2017. That doesn’t mean that there’s not more that could be done, but we’ve come a long way from policy 2.2, which we were using until six months ago, and which hadn’t been substantively updated since 2012.

We also hope that, very soon, more root store operators will join the CCADB, which will reduce everyone’s costs and administrative burdens on all sides, and hopefully allow root programs to be more responsive to changing circumstances and requests for inclusion or change.

Caddy Webserver and MOSS

The team behind the Caddy secure-by-default webserver have written a blog post on their experience with MOSS:

The MOSS program kickstarted a new era for Caddy: turning it from a fairly casual (but promising!) open source project into something that is growing more than we would have hoped otherwise. Caddy is seeing more contributions, community engagement, and development than it ever has before! Our experience with MOSS was positive, and we believe in Mozilla’s mission. If you do too, consider submitting your project to MOSS and help make the Internet a better place.

Always nice to find out one’s work makes a difference. :-)

Eurovision Bingo (chorus)

Some people say that all Eurovision songs are the same. (And some say all blog posts on this topic are the same…) That’s probably not quite true, but there is perhaps a hint of truth in the suggestion that some themes tend to recur from year to year. Hence, I thought, Eurovision Bingo.

I wrote some code to analyse a directory full of lyrics, normally those from the previous year of the competition, and work out the frequency of occurrence of each word. It will then generate Bingo cards, with sets of words of different levels of commonness. You can then use them to play Bingo while watching this year’s competition (which is on Saturday).

There’s a Github repo, or if you want to go straight to pre-generated cards for this year, they are here.

Here’s a sample card from the 2014 lyrics:

fell cause rising gonna rain
world believe dancing hold once
every mean LOVE something chance
hey show or passed say
because light hard home heart

Have fun :-)

Thunderbird’s Future Home Decided

Here’s the announcement. Rather than moving to live somewhere else like The Document Foundation or the Software Freedom Conservancy, Thunderbird will stay with the Mozilla Foundation as its fiscal home, but will disentangle itself from Mozilla Corporation infrastructure. As someone who has been helping steward this exploration process, I’m glad to see it come to a successful outcome.

Also in the world of Thunderbird, the community is discussing the future of the product, in the face of significant upcoming changes to the Gecko platform. On the table is a “Thunderbird++” rewrite/transformation using web technologies. Interesting times…

Everything’s A Cut

In UK politics, at least, the language of “cuts” is common (most often preceded by the word “Tory”). There are to be cuts to this budget, and cuts to that service, and cuts to the other program. Cuts are almost universally seen as bad. But almost any change in any funding arrangement can be portrayed as a cut of some sort.

Let’s say the budget for activity X is £100,000 in 2015. In 2016, it’s £90,000. Is that a cut? Clearly. But what if it’s £100,000? Well, that’s a “real-terms cut” because of course inflation means that money this year is worth a bit less than money last year. OK, so let’s make it £102,000, to account for inflation. But the Retail Prices Index has gone up by more than that, so it’s still a “cut”. £105,000? Well, in fact, the costs of doing X have gone up significantly this year because of reasons, so that’s also an “effective cut”. More people using a service? An increase can be portrayed as a cut. More expensive and better treatment option becomes available? Even an increase can be portrayed as a “cut to that service”.

If you move resources from activity X to activity Y, then your opponents can focus on “cuts to activity X”. If you want to start doing a new activity Z, and don’t want to increase your budget, then something somewhere has to be “cut”. There’s always a cut somewhere you can find to complain about if you look hard enough.

If the previous administration was massively mis-spending their money and you have a big rearrangement of priorities, lots of things are going to be “cut”. If a particular client group such as the elderly has been doing extremely well for the past N years (triple lock, anyone?), and you change things to be more equitable, that’s a “cut”. And if that group is particularly photogenic or sympathy-worthy, no matter how much they were getting before, they can get the public on their side by objecting to the cruel “cuts”. Once a set of people has got access to a pot of government money, entitlement sets in extraordinarily quickly.

The difficulty for politicians, of course, is that it’s very difficult to say something like “well, pensioners have been coining it for the past 10 years, and it’s time we had a bit more equity”, because the press can always find a frail-looking pensioner who will be outraged on camera that they now apparently have to choose between food and heating.

The only way to avoid anything which seems like a cut is always to increase budgets for everything. And that normally means tax increases to pay for it (or, via borrowing, putting the bill on our children who can’t object, which is a sadly all-too-common move for politicians to avoid having to pay for what they are doing). But there are limits to how much you can increase tax, because taxation changes behaviour. It’s generally accepted when talking about carbon emissions, or cigarette smoking, or sugar consumption, that taxing something means you get less of it. But people shy away from applying this logic when it’s applied to incomes, or sales, or company profits (which are, absent a monopoly or criminal activity, the reward for hard work and entrepreneurship). Taxing those things means you get less of them too – less economic activity, smaller economy, poorer people.

So when someone tries to engender outrage by simply saying “something is being cut!”, remind them that pretty much everything’s a cut, and point them at this article. Just because something qualifies as a cut, and the group or activity receiving less money is deemed worthy of support, doesn’t make the change necessarily wrong.

Don’t Pin To A Single CA

If you do certificate pinning, either via HPKP, or in your mobile app, or your IoT device, or your desktop software, or anywhere… do not pin solely to a single certificate, whether it’s a leaf certificate, intermediate or root certificate, and do not pin solely to certificates from a single CA. This is the height of self-imposed Single Point of Failure foolishness, and has the potential to bite you in the ass. If your CA goes away or becomes untrusted and it causes you problems, no-one will be sympathetic.

This Has Been A Public Service Announcement.
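
A pin-set check that enforces the advice above, as an added example (not code from this blog): it parses a Public-Key-Pins header value and flags a set that has only one pin or whose pins all belong to one CA. The `ca_of_pin` inventory, the helper names, the CA names and the sample pins are all assumptions constructed for illustration.

```python
import base64
import hashlib
import re

PIN_RE = re.compile(r'pin-sha256\s*=\s*"([^"]*)"', re.IGNORECASE)

def fake_pin(label):
    """Constructed stand-in for a real SPKI pin: base64(SHA-256(label))."""
    return base64.b64encode(hashlib.sha256(label.encode()).digest()).decode()

def parse_pins(header_value):
    """Extract the distinct pin-sha256 values from a Public-Key-Pins header value."""
    pins = []
    for b64 in PIN_RE.findall(header_value):
        # A pin must decode to exactly 32 bytes (one SHA-256 digest).
        if len(base64.b64decode(b64, validate=True)) != 32:
            raise ValueError("pin is not a SHA-256 digest: %r" % b64)
        if b64 not in pins:
            pins.append(b64)
    return pins

def audit_pin_set(header_value, ca_of_pin):
    """Return findings for a pin set. ca_of_pin is the operator's own inventory
    (hypothetical input) mapping each pin to the CA whose certificate it pins."""
    pins = parse_pins(header_value)
    findings = []
    if len(pins) < 2:
        findings.append("single-pin")      # one certificate is the whole trust anchor
    if any(p not in ca_of_pin for p in pins):
        findings.append("unmapped-pin")    # nobody recorded whose key this is
    # Only pins with a known owner count towards CA diversity.
    cas = {ca_of_pin[p] for p in pins if p in ca_of_pin}
    if len(cas) < 2:
        findings.append("single-ca")       # every known pin dies with the same CA
    return findings

# Constructed sample data: three pins, two owned by the same CA.
A1, A2, B1 = fake_pin("ca-a-intermediate"), fake_pin("ca-a-root"), fake_pin("ca-b-root")
INVENTORY = {A1: "Example CA A", A2: "Example CA A", B1: "Example CA B"}

def header(*pins):
    """Build a header value from pins, with a constructed max-age."""
    return "; ".join('pin-sha256="%s"' % p for p in pins) + "; max-age=5184000"

if __name__ == "__main__":
    for pins in ([A1], [A1, A2], [A1, B1]):
        print(len(pins), "pin(s):", audit_pin_set(header(*pins), INVENTORY) or "ok")
```

The same check applies to pin lists shipped inside a mobile app or device firmware: feed it the list in header form, or call the diversity logic directly on the pins.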

Buzzword Bingo

This is a genuine question from a European Union public consultation:

Do you see the need for the definition of a reference architecture recommending a standardised high-level framework identifying interoperability interfaces and specific technical standards for facilitating seamless exchanges across data platforms?

Words fail me.

Root Store Policy 2.4.1 Published

Version 2.4.1 of Mozilla’s CA Policy has now been published. This document incorporates by reference the Common CCADB Policy 1.0 and the Mozilla CCADB Policy 1.0. Neither of these latter two documents has changed in this revision cycle.

This version has no new normative provisions; it is a rearrangement and reordering of the existing policy 2.4. Diffs against 2.4 are not provided because they are not useful; everything appears to have changed textually, even if nothing has changed normatively.

It’s on days like this that one remembers that making the Internet a better, safer and more secure place often involves doing things which are very mundane. :-) The next job will be to work on version 2.5, of which more later.

The Only Cure For Shame

Tim Chevalier reposted this Tumblr post from Peter Brunton, which has been rattling around inside my head for a few weeks. It makes me really sad, because Peter says he grew up in a “genuinely loving, caring, utterly wonderful” church, but it seems like they didn’t tell him (or he didn’t hear) how to deal with the shame that he rightly felt. I say rightly, because the Bible tells us that sexual sin should cause us to feel shame (Romans 1:26-27). The key piece that’s missing is that the right way to deal with this is not to hide or deny the shame, but to repent and believe the gospel.

The same book of Romans which calls sexual sin shameful tells us:

As it is written: ‘See, I lay in Zion a stone that causes people to stumble and a rock that makes them fall, and the one who believes in Him will never be put to shame.’

Trusting in Christ leads us to not have to feel ashamed any more. And in Hebrews 12 we read:

Therefore, since we are surrounded by such a great cloud of witnesses, let us throw off everything that hinders and the sin that so easily entangles. And let us run with perseverance the race marked out for us, fixing our eyes on Jesus, the pioneer and perfecter of faith. For the joy that was set before Him He endured the cross, scorning its shame, and sat down at the right hand of the throne of God.

The victory won by Jesus at the cross deals with our shame just as it dealt with the supposed shamefulness of what happened to him. Whatever we may have done, he wipes the slate clean, allowing us to throw off our sin and “run the race” of faith and obedience.

It is true that he calls people who are same-sex attracted to do something that is not easy, but if God truly works all things for our good (Romans 8:28) then following him is always by far our best choice. Our sexual preferences are not who we are – they don’t define us. If we are following Jesus, that is our identity, and it subsumes everything else. And if our church is truly loving and caring, its members will help us in that journey. I don’t know if Peter will ever read this, but I pray he will one day come to see that, as many others have.

Firefox Secure Travel Addon

In these troubled times, business travellers occasionally have to cross borders where the border guards have significant powers to seize your electronic devices, and even compel you to unlock them or provide passwords. You have the difficult choice between refusing, and perhaps not getting into the country, or complying, and having sensitive data put at risk.

It is possible to avoid storing confidential data on your device if it’s all in the cloud, but then your browser is logged into (or has stored passwords for) various important systems which have lots of sensitive data, so anyone who has access to your machine has access to that data. And simply deleting all these passwords and cookies is a) a pain, and b) hard to recover from.

What might be very cool is a Firefox Secure Travel addon where you press a “Travelling Now” button and it:

  • Disconnects you from Sync
  • Deletes all cookies for a defined list of domains
  • Deletes all stored passwords for the same defined list of domains

Then when you arrive, you can log back in to Sync and get your passwords back (assuming it doesn’t propagate the deletions!), and log back in to the services.

I guess the border authorities can always ask for your Sync password but there’s a good chance they might not think to do that. A super-paranoid version of the above would also:

  • Generate a random password
  • Submit it securely to a company-run web service
  • On receiving acknowledgement of receipt, change your Sync password to
    the random password

Then, on arrival, you just need to call your IT department (who would ID you e.g. by voice or in person) to get the random password from them, and you are up and running. In the meantime, your data is genuinely out of your reach. You can unlock your device and tell them any passwords you know, and they won’t get your data.

Worth doing?