Thunderbird, meet Norton

I just downloaded a trial copy of Norton Antivirus 2007 to install on a test machine. On the same box, I have Mozilla’s new Thunderbird 2.0 e-mail client installed. As part of the trial install, I had to create a Norton Account (not sure, but that might be a (TM)) with Symantec.

Symantec sent me an acknowledgment message via e-mail within minutes after I created the account. Thunderbird’s anti-phishing module wasn’t pleased:

[Screenshot: Sym_scam]

I’ve been reasonably impressed with the performance and design of Thunderbird so far, but this sort of false positive is always troubling, no matter where it comes from.

Update: I’m surprised that this post drew so many comments so quickly. Here’s why I’m pointing this out: Mozilla and Google are tight, very tight. They collaborated extensively on the anti-phishing technology in Firefox. Google Mail (Gmail) even gets its own entry in the New Account Setup dialog box for Thunderbird.

[Screenshot: Gmail_tbird]

So I would assume that mail coming into Thunderbird from my Gmail.com account should be the best possible candidate for the Mozilla/Google team to get right.

And in fact Google Mail does get it right. When I look at the message source, I see two headers added by Google: One shows the results from a Brightmail scan, which says the message is from a whitelisted domain. The other is an SPF header from Google, which is tagged PASS and says the IP address from which the message originated is a “permitted sender.”

Google has gone to a lot of trouble to screen all mail coming into a Gmail account as junk or suspicious. So why isn’t Mozilla able to piggyback on this analysis?
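As an added illustration (not code from this post or from Mozilla or Google), here is the kind of check a mail client could run on the SPF header the post describes before trusting Gmail's analysis, including the caveat a practitioner would want: an SPF pass only vouches for the envelope sender's domain, so it is a safe whitelisting signal only when that domain matches the visible From: address. The sample messages, domains and addresses below are constructed; the Brightmail header is not modelled because its exact name is not given here.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample messages (not real captures). The Received-SPF layout
# follows the form in RFC 7208: result, optional comment, key=value pairs.
LEGIT_MSG = """From: Norton Account <noreply@vendor.example>
To: reader@example.test
Subject: Your account
Received-SPF: pass (mx.example: domain of noreply@vendor.example designates 192.0.2.10 as permitted sender) client-ip=192.0.2.10; envelope-from=noreply@vendor.example;

Thanks for creating your account.
"""

# The sending server is authorized for the *envelope* domain, but the visible
# From: claims a different domain, so SPF alone must not whitelist this message.
MISALIGNED_MSG = """From: Bank Security <alerts@bank.example>
To: reader@example.test
Subject: Verify your account
Received-SPF: pass (mx.example: domain of bounce@attacker.example designates 203.0.113.5 as permitted sender) client-ip=203.0.113.5; envelope-from=bounce@attacker.example;

Please confirm your details.
"""


def parse_received_spf(value):
    """Split a Received-SPF value into (result, {key: value}), skipping the comment."""
    m = re.match(r"\s*(\w+)\s*(?:\([^)]*\))?\s*(.*)", value, re.S)
    if not m:
        return None, {}
    fields = {k.lower(): v for k, v in re.findall(r"([\w-]+)=([^;\s]+)", m.group(2))}
    return m.group(1).lower(), fields


def domain_of(addr):
    """Domain part of a display-name-plus-address header value, lowercased."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def spf_aligned_pass(raw_msg):
    """True only if SPF passed and the envelope-from domain equals the From: domain."""
    msg = email.message_from_string(raw_msg)
    spf = msg.get("Received-SPF")
    if spf is None:
        return False
    result, fields = parse_received_spf(spf)
    if result != "pass":
        return False
    env_domain = fields.get("envelope-from", "").rpartition("@")[2].lower()
    return bool(env_domain) and env_domain == domain_of(msg.get("From", ""))
```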

Update 2: For those who think I’m picking on Mozilla, note that I called Microsoft for an even sillier false positive about 18 months ago. And in both cases this behavior is the correct default. When in doubt, let me make the decision, exactly as Thunderbird has done here. But the algorithm really should be better than this.

Worst. Review. Ever.

CNET is serving up perhaps the stupidest PC software review ever written, a comparison of IE7 and Firefox 2.

It encompasses just about every eye-rolling, groan-inducing, focus-on-the-trivial, big-picture-missing flaw I’ve ever seen in the PC review format. The comments from the three “judges” reflect a depth of analysis that is measured in submicron thicknesses. And I give the whole piece extra lameness points for the cringe-worthy prizefight metaphor, which was tired when I first read it in a comparison of IE5 and Netscape back in 19-frickin-99.

Follow the link if you must, but only if you first swear a solemn oath not to blame me when you get to the end and say, “My God, that was a colossal waste of time.”

(Full disclosure: I write for ZDNet, which is a subsidiary of CNET. But thankfully, I had nothing to do with this mess.)

… On the plus side, at least it’s short.

A missing IE7 feature

Browsers crash occasionally. That’s a fact of computing life. If you have a whole bunch of tabs open, it’s a pain to try to recover the group you were working with.

You can install Firefox extensions that can handle auto-reopening tabs after a crash, and this feature (called Session Restore) is going to be included as a standard option in Firefox 2.

IE7, alas, has no such feature. If you choose to close IE7, you can click a checkbox to reopen those tabs the next time you open IE. So why can’t the error-handling code that triggers this dialog box do the same thing?

If anyone from the IE7 team is reading this post, please put this request on the stack!

Clowns

A few days ago, a presentation at the previously obscure Toorcon security conference featured a pair of self-styled hackers who claimed they had discovered a zero-day exploit in Firefox. On a scale of 1 to 10, this is about a 13, especially with the added detail that devising a patch might be difficult or even impossible.

I chose not to write about it here or at ZDNet, because something just didn’t feel right about this story.

Now, it turns out, one of the two presenters admits they were just clowning around:

[Mischa] Spiegelmock, a developer at Six Apart, a blog software company in San Francisco, now says the ToorCon talk was meant “to be humorous” and insists the code presented at the conference cannot result in code execution.

If these two really were just clowns, it wouldn’t be a big deal. But one of the two works for Six Apart, which runs the TypePad and LiveJournal blogging services and sells the Movable Type blogging platform. Having a heavyweight name on his business card probably has at least something to do with why these guys were selected to speak, and why the security community took them seriously. Pulling a fire alarm isn’t funny, and it no doubt sent a lot of security professionals scrambling to perform work that wasn’t necessary. They have every right to be pissed off.

eWeek’s Ryan Naraine and Brian Krebs of the Washington Post are both excellent reporters. I hope the folks at Six Apart turn over every rock to find the real story. If Naraine and Krebs are reporting accurately, someone needs to be fired – or sent to work night shifts on the Clueless Newbies support desk.

Tip of the day: Zoom this web page

Several people have commented that this site is harder to read now, because of the change in typeface and the white background. One solution is to zoom the page and make everything a little easier to read.

In Internet Explorer or Firefox, select the window or browser tab containing the page you want to zoom, hold down the Ctrl key, and move the mouse wheel – forward to make the page larger, back to make it smaller. If you don’t have a mouse wheel, you can click the Change Zoom Level button in the lower right corner of the IE7 window and select a percentage. Or, in either IE or Firefox, press Ctrl+[plus sign] or Ctrl+[hyphen] to zoom in or out.

To return the zoom level to normal size, press Ctrl+0 (that’s a zero). Update: As Alex Danvy points out in the comments, you can’t use the 0 on the numeric keypad for this; you have to use the zero on the row of numbers above the QWERTY row. Or you can use Ctrl+[asterisk], but only if you use the asterisk on the numeric keypad, not the one above the number 8 on the number row of the keyboard. Thanks, Alex!

Zooming affects only the current page, isn’t persistent, and can be undone any time. Some pages look very strange when zoomed, but those built using a decent style sheet should look just fine zoomed a few clicks in either direction.

This site’s browser stats, updated

With the help of SiteMeter, I’ve been keeping track of which browsers are used by visitors to this site. The latest stats continue to confirm that most people have made up their minds about which browser they want to use:

The last time I published these stats was on April 30, 2006. The share of visitors using Firefox or Mozilla has dipped roughly 1% since then, from 35.2% down to 34.18%. It’s still a bit higher than the August 2005 share of 33.2%, however.

Meanwhile, IE’s share crept back up by 1.5%, from almost exactly 60% to 61.47%. Not surprisingly, the percentage of people visiting this site using IE7 has more than doubled, from 6.53% last April to 14.52% today.

Five months ago, I drew this tentative conclusion and made a prediction:

The easy gains for Firefox are over. I’ll be very surprised if Firefox is able to make any significant gains in share when I look at this snapshot six months from now. In fact, I’d be willing to bet that IE will gain back some ground during that time with the help of IE7.

I jumped the gun by a month, but the prediction appears accurate. And although Firefox 2 looks like a perfectly solid upgrade, it doesn’t offer anything that’s likely to convince IE holdouts to switch now.

Trend-watchers can look at all previous editions by following these links:

April 2006

August 2005

October 2004

Update: Here’s a chart I put together showing the general trends among the major browsers. I combined all versions of each product into a single number to make the trend easier to see. (Click to see a larger version.)

One less reason to use Firefox

It took a while, but someone finally released an add-on that fixes the most annoying part of searching pages in Internet Explorer. The Inline Search for Internet Explorer add-on replaces the modal Find dialog box with a bar that sits at the bottom of the page, exactly like the one in Firefox. As you type in your search term, it locates the first instance on the page immediately. You can find the next or previous instance using the buttons on the toolbar or by pressing the up or down arrow keys. You don’t have to click a Find button or close the dialog box when you’re done either.

I’ve been using IE7 more and more and generally prefer it to Firefox these days. I still keep Firefox around for the small number of pages that just won’t work properly in IE7.

(Thanks to Omar Shahine for the pointer, via Mike Torres.)

A phishing follow-up

My e-mail inbox has been remarkably free of phishing messages lately, so I haven’t been able to compare the performance of the IE7 and Google/Firefox phishing filters, as I promised last week. (The filters on my e-mail server do an excellent job of blocking this junk.)

Today, I finally got one – a come-on from a Romanian server attempting to get my Bank of America credentials. The good news is that both IE7 and the Google Toolbar for Firefox nailed it. (Firefox 2 Beta 1 allowed it right through, but that’s to be expected since the phishing feature isn’t turned on yet.)

In looking at the two browsers side by side, I was able to compare the different behaviors. Here’s IE7:

[Screenshot: Ie7phish]

The URL appears in the address bar, but the page itself is completely blocked. I have to choose to click a link to go to the suspicious page. Any other option sends me somewhere else, away from the unsafe site.

Now here’s how the Google Toolbar flags the same site in Firefox:

[Screenshot: Ffphish]

The phony page is visible, but grayed out. If I try to click on the site, it doesn’t work because the Web Forgery dialog box has completely taken over the focus. That’s good. And the Get me out of here! link is unmistakable in its effect. The only part I don’t like is the big X in the upper right corner. I don’t know about you, but I’ve learned, Pavlov-style, to click that X whenever I see a popup window or a warning dialog box. In this case, though, clicking the X dismisses the dialog box and allows you to go to the page.

That default behavior seems wrong to me. If I’ve chosen to use a piece of security software, I want it to protect me from any threat unless I specifically and unequivocally choose to ignore its warning. The X in the dialog box is ambiguous, and in my opinion the default behavior in that case should be the exact opposite: I didn’t choose to ignore the warning, so send me somewhere else, far away from that threat.

If anyone at Google or Mozilla is listening, consider this a feature request.

Mozilla says Firefox phishing filter isn’t working yet

Earlier today, I wrote about the new anti-phishing feature in Firefox 2 Beta 1, which was unable to catch a single scam e-mail in my testing. This afternoon, a Mozilla spokesperson sent me an e-mail that said, yes, it doesn’t work yet. In fact, said the spokesperson, this feature “was intended to test the core Phishing Protection framework within the browser, not to provide a full list of suspected scam sites.”

Mozilla really needs to get its act together here, because that’s not the message they’re sending out to people who download the beta version of Firefox 2. Exhibit A is the announcement page for Firefox 2 Beta 1, which provides a bulleted list of 16 “new features and changes to the platform.” The #1 item on that list? See for yourself (yellow highlight added):

[Screenshot: Eb_ff2b1_bullets]

See anything there that says the feature isn’t implemented? Me neither.

In fact, if you follow the link to read more about the Phishing Protection feature, you get to Exhibit B, which has this box prominently displayed at the top (again, the highlighter is mine):

[Screenshot: Eb_ff2b1_antiphishing]

“If you encounter a web forgery and don’t see the anti-phishing warning … let us know about the problem and we’ll update our lists…”

Again, nothing to suggest that this feature isn’t working in Firefox 2 Beta 1. In fact, this blurb clearly suggests that the feature is enabled and intended for use today.

Here’s the second item on the FAQ:

2. How does the Phishing Protection feature work in Firefox 2 Beta 1?

Phishing Protection is turned on by default in Firefox 2 Beta 1, and works by checking the sites that you browse to against a list of known phishing sites. This list is automatically downloaded and regularly updated within Firefox 2 Beta 1 when the anti-phishing feature is enabled. Since phishing attacks can occur very quickly, there’s also an option to check the sites you browse to against an online service such as Google for more up-to-date protection. This enhanced capability can be turned on via the Anti-Phishing preferences pane. (Note: final set of anti-phishing service providers TBD.)

Based on what the PR spokesperson told me, that paragraph is essentially inaccurate. It isn’t until you get nearly to the end of the FAQ that you see this little disclaimer:

7. I tried browsing to some known phishing sites and I didn’t receive a warning. What happened?

At this time we are using a limited list to test the core Phishing Protection framework within the browser. Users are encouraged to verify that the above test links properly display a warning dialogue, but to wait until a future beta release of Firefox 2 to verify the accuracy of the list of web forgeries.

Meanwhile, the Google Safe Browsing feature is available in the Google Toolbar for Firefox, which is shipping now. In my tests so far today, it correctly identified one phishing site and missed two others. IE7 blocked navigation to all three and flagged them as “confirmed phishing sites.”