Mozilla

Stuff related to Mozilla, Firefox, Thunderbird, Sunbird, nVu, XULRunner, Litmus, Bugzilla, etc. etc.

Firefox Extensions that I Use

I use a lot of firefox extensions. You might call me a power user. Yeah, that's right, powerful.

Here is the list of my favorites. They are broken down into extensions that make Firefox better, those that make my general life better, things for "geeky stuff" and things for my life as a web developer/sysadmin/competitive webmaster. Yeah, I'm competitive. My stable of sites is better than yours!

Enhanced Firefox

  • Cute Menus - humans recognize colors and images faster than words.
  • Download Statusbar - I want the information compact, in an overview, and readily visible. I hate new windows.
  • Flashblock - I hate flash. It's amazing how much better the internet is without flash.
  • Google Gears - Since I'm in places without internet pretty regularly, it's nice to be able to get my Google feeds in an offline mode.
  • PageStyle2Tab - again, humans recognize colors and images faster than words.
  • Image Zoom - Firefox lets me zoom text, image zoom lets me zoom images. Duh.
  • Locationbar2 - Prettify the URL bar. Also happens to make it safer by clearly identifying the domain and downplaying the importance of subdomains (i.e. the phisher phavorite ebay.com.shadysitestealpasswords.com/enter-username is clearly visible as "www.ebay.com" as a subdomain of "shadysitestealpasswords.com"). Whoohoo!
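The domain emphasis described for Locationbar2, sketched as an added example (not the extension's own code). The names `SUFFIXES`, `splitHost` and `emphasize` are hypothetical, and the suffix set is a tiny constructed stand-in for the Public Suffix List that a real implementation would consult.

```javascript
// Added example: split a URL's host into "subdomain" and "registrable domain"
// so the part that actually identifies the site can be emphasized.
// ASSUMPTION: SUFFIXES is a constructed stand-in for the Public Suffix List.
const SUFFIXES = new Set(['com', 'org', 'net', 'co.uk']);

function splitHost(urlString) {
  // Normalize: lower-case and drop a trailing root dot.
  const host = new URL(urlString).hostname.toLowerCase().replace(/\.$/, '');
  const labels = host.split('.');
  // Try the longest tail first; only the END of the host can be the suffix,
  // so a "com" label in the middle of the name is never mistaken for one.
  for (let i = 0; i < labels.length; i++) {
    if (SUFFIXES.has(labels.slice(i).join('.'))) {
      if (i === 0) break; // the host is itself a bare suffix
      return {
        subdomain: labels.slice(0, i - 1).join('.'),
        registrable: labels.slice(i - 1).join('.'),
      };
    }
  }
  // Unknown suffix, IP literal or single-label host: do not guess.
  return { subdomain: '', registrable: host };
}

// Render roughly as a location bar might: registrable domain in [brackets].
function emphasize(urlString) {
  const { subdomain, registrable } = splitHost(urlString);
  return (subdomain ? subdomain + '.' : '') + '[' + registrable + ']';
}

// Constructed sample URLs; the first is the one quoted in the text above.
const sampleUrls = [
  'http://ebay.com.shadysitestealpasswords.com/enter-username',
  'https://www.ebay.com/',
  'https://signin.ebay.co.uk/',
  'http://192.0.2.10/login',
];
for (const u of sampleUrls) console.log(emphasize(u));
```
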

Enhanced Life

RFC - Security Bounties in Open Source

The other day I broached the idea of a security bounty in the Drupal project. I had first heard about this concept from the Mozilla Foundation's Security Bug Bounty which appears to be the most famous of these.

Why Security Bug Bounties are a good idea

This is pretty simple:

  1. It provides at least some motivation for folks to actually look at the code and find security bugs, making the software more secure.
  2. More folks looking at the code is always a good thing.
  3. Just the concept and the existence of the program reminds people that we take security seriously, and informs them of the proper way to report a bug.
  4. In the case of the Drupal Association - which can't make decisions about the code based about the statutes (en pdf) (more formats/languages).

Generalized Security Bug Bounty System

This concept seems to me like it could be generalized for any software project. Here are the rules I came up with, based upon the Mozilla Foundation's rules.

  • Security bug must be original and previously unreported.
  • Security bug must be a remote exploit.
  • Security bug is present in the most recent version of the Mozilla Suite, Firefox, and/or Thunderbird, as released by the Mozilla Foundation.
  • Security bugs in or caused by additional 3rd-party software (e.g. Java, plugins, extensions) are excluded from the Bug Bounty program.
  • Submitter must not be the author of the buggy code nor otherwise involved in its contribution to the project (such as by providing check-in reviews).
  • Employees of the project (if applicable) are ineligible.
  • If multiple people report the bug the reward will be split among them equally.

Only Show Firefox Referral to IE Users

    For a little while now Google has been offering a payment for referrals of an IE user that result in a "Firefox with Google Toolbar" installation. (that links to information about the program, not a link that would make me money).

    The thing is, they only give you credit if someone who is using IE on Windows is "converted" to Firefox with Google toolbar. So, there's no point showing the referral button if the visitor to your site is already a Firefox user (or is a Safari or Opera or Camino or MacIE user). In that case, you can show a completely different ad or no advertisement at all. I wanted to do this and found lots of solutions that involve the use of javascript. I hate javascript. So, here's my solution that uses PHP variables:

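    <?php
    // The User-Agent header is supplied by the client and may be missing.
    $ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    // strpos() returns 0 for a match at position 0, so compare against false explicitly.
    if (strpos($ua, 'MSIE') !== false) :
    ?>
    --put your Internet Explorer specific advertising here--
    <?php else: ?>
    --either skip this whole block or put your non IE advertising here--
    <?php endif; ?>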

    For what it's worth, I've noticed this problem on lots of sites...but got inspired to write about it when I was reading Alexander Kjerulf's Chief Happiness Officer blog. He's written some great stuff. It's only fitting he has a high performance (and high converting) site to go along with it.

    Coming Soon to a TV Near You - Firefox Flicks Sponsored by Me

    Firefox Flicks is starting up a new sponsorship drive to get their ads on TV. If you get in early enough and for $10 then your name will appear in the ad.

    I sponsored the Daredevil ad because it has such a great feeling to it. It reminds me of indulgent time spent in recreating as the sun goes down. It's the California equivalent of spending a day rock climbing in Eldorado and then coming home to a nice hot shower (and beer). And the music is pretty fun, too.

    phishing test quality - Mozilla-Google vs. Microsoft - where are Lijit and Netcraft

    Recently there was a test comparing the Mozilla-Google phishing protection to the Microsoft IE phishing protection. You can see the detailed results.

    This is pretty interesting, but what about Lijit and the Netcraft Toolbar?

    There are more than two service providers here, folks, and their different systems for marking the data make them all interesting and potentially valuable. So, how about it? Let's see a larger battle between all of these security data providers.

    Finding color tags and their element - the hard way

    Al wants to know - how can I get the color tags and the elements they apply to from a CSS file. I like the lazyweb so here's my idea, Al:


    greg@gvs1 ~
    $ cat file.css
    .tabbrowser-strip {
    padding-bottom: 0px;
    background-color: #C8C8C8;
    background-image: url("chrome://browser/skin/pb-1px-hor-gray-line.gif");
    background-repeat: repeat-x;
    background-position: top left;
    border-bottom: 4px solid;
    -moz-border-bottom-colors: #535353 #A1A1A1 #BDBDBD #D9D9D9;
    }

    greg@gvs1 ~
    $ touch empty.css

    greg@gvs1 ~
    $ grep -v color file.css > empty.css

    greg@gvs1 ~
    $ diff -up empty.css file.css | grep '[{}+]' | grep -v +++ | grep -v @@ | sed 's/+ / /'
    .tabbrowser-strip {
    + background-color: #C8C8C8;
    + -moz-border-bottom-colors: #535353 #A1A1A1 #BDBDBD #D9D9D9;
    }

    Step one is your example. Step two creates an empty file. Step three takes everything BUT the color lines and outputs them into the empty file. Step four does a diff in unified format with -p to "Show which C function each change is in.". Well, it's not a C function but close enough. Then I added three extra greps and a sed on the end: one grep to remove all of the lines BUT the function and "added" lines, two greps to get rid of the header lines, and the sed to take the plusses that were added by the diff and replace them with nothing.

    Drawbacks and Weaknesses:

    If you have plusses followed by two spaces in your CSS then they'll get silently removed. If you have an element named color like a <div class="colored"> then that would suck (but you can easily find those beforehand...).

    Making it run through directories and do this is a fun exercise with find ./ -exec (stuff) {} \;

    Biggest drawback

    sb-ssl.google.com security domain name mismatch

    If you're one of the folks who is testing out (or using the now released) new Firefox then you've probably seen an error message saying something like "Security Error: Domain Name Mismatch" and then it says a bunch of jargony stuff and then you see that the domain is for "sb-ssl.google.com error 12263... however the security certificate presented belongs to www.google.com...If you suspect the certificate shown does not belong to sb-ssl.google.com please cancel the connection and notify the site administrator". What the heck is that?

    What is sb-ssl.google.com

    Well, as this page in the Mozillazine Knowledge Base will tell you, it's about a secure browsing preference.

    This is the Google Safe Browsing extension, installed by default in Firefox 2.0, which lets you know if you've hit upon a nasty page.

    It could also be used to collect information about your "click stream" so that Google knows where you've been and can then serve more contextually relevant ads to you.

    Really though, the most annoying thing in my mind is that Google doesn't have a valid certificate for that domain which means that all users get some crappy warning on each load of Firefox.
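Why a certificate issued to www.google.com fails for sb-ssl.google.com, as an added example (not Firefox's code): a simplified version of the name check a TLS client applies, with exact matching plus a single `*` as the whole left-most label. The function names and the wildcard certificate name are hypothetical and constructed for illustration; the text above only states that the certificate presented belonged to www.google.com.

```javascript
// Added example: simplified TLS hostname check. Not Firefox's implementation.
function nameMatches(host, pattern) {
  // Compare case-insensitively and ignore a trailing root dot.
  const h = host.toLowerCase().replace(/\.$/, '').split('.');
  const p = pattern.toLowerCase().replace(/\.$/, '').split('.');
  // A wildcard stands for exactly one label, so label counts must agree.
  if (h.length !== p.length) return false;
  return p.every((label, i) => {
    // "*" is honoured only as the left-most label and never directly
    // above a top-level domain (so "*.com" matches nothing).
    if (label === '*') return i === 0 && p.length >= 3;
    return label === h[i];
  });
}

// certNames: the DNS names listed in the certificate the server presented.
function checkCertificate(host, certNames) {
  const matched = certNames.find((name) => nameMatches(host, name));
  return matched
    ? { ok: true, matched }
    : { ok: false,
        reason: `certificate is for ${certNames.join(', ')}, not ${host}` };
}

// The situation from the text: the connection goes to sb-ssl.google.com but
// the certificate names only www.google.com, so the check fails.
console.log(checkCertificate('sb-ssl.google.com', ['www.google.com']));
// Constructed alternative: a certificate that also covers the host passes.
console.log(checkCertificate('sb-ssl.google.com', ['www.google.com', '*.google.com']));
```
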

    Other Providers, like Lijit

    Personally, I think the model of Lijit is a slightly better one but both never hurt. It would be nice if there were other advertised providers of the sb-ssl.google.com web service so that Lijit could also provide that information. There probably is a way to do that which would just require changes to the Lijit infrastructure - hopefully they'll get there.
