handsomeransoms's comments

That's a great idea! I would be willing to help, and could probably find some others to help too!

> I have been completely dedicated to write an extension which completely informs the user about what a web page does, and gives the user full control over what web sites do in his/her browser.

That's awesome! At Mozilla we've been daydreaming about incorporating something like that into the product. Especially with the proliferation of both in-browser content policies (CSP, Mixed Content blocking, etc.) and out-of-browser content policies (addons like Privacy Badger, ABP, Ghostery, etc.) it's almost impossible to understand the root cause of what's breaking a page, especially if you're not a technical user.

> but also making it work efficiently (wrote custom ABP engine from scratch which doesn't suffer the real one's abuse of memory/CPU)

For the Firefox version of Privacy Badger, we also eschewed the ABP engine in favor of something we wrote ourselves. Don't get me wrong, ABP is a great tool and we learned a lot from its code - but we wanted something as lean and performant as possible. I'd be interested to see the approach you took!

> only one extension is allowed to modify the HTTP headers

> it will break any previously installed extension

That sounds like a shortcoming in Chrome's Extension API. Firefox is somewhat better in that we do not restrict addons based on the behavior of other addons, so multiple addons are allowed to modify a request's headers. Unfortunately, the order in which the request is passed from handler to handler is not guaranteed, so in practice this may not end up being so useful.

We're trying to improve this situation by rewriting the Gecko Content Policy API [0], but that's a large project with no clear deadline.

[0] https://groups.google.com/forum/#!msg/mozilla.dev.platform/v...

Generally I think your addon and Privacy Badger are targeted at different audiences and have different use cases. It is too bad they are incompatible with each other - I, for one, would like to have both installed. Perhaps we can resolve this by talking to the Chrome devs about their Extension API?

- One of the Privacy Badger devs

Exactly! gorhill, if you're interested in a position at either Mozilla or EFF, PM me :)

- One of the Privacy Badger devs

It landed on Nightly a week ago, check it out! You can help us by testing it [0] or reviewing the code [1].

[0] https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing... [1] https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing...

"Don't want to" is a bit uncharitable. We want to, but have limited resources and a lot to do. We actually recently rewrote the certificate validation library and it is currently on Nightly. Check it out!

Of course, it is open source, so patches are always welcome. (Firefox dev here)

The key idea of TACK is that it puts controls of pins in the hands of the site operators. The goal is to protect trustworthy site operators from rogue or compromised CAs (e.g. Diginotar, Comodo). The site operators have a better idea than anyone of what keys and certificates are correct for their site.

Pinning directly in the app puts trust in the developers of the app instead, which is indirect and prone to lag. It is also generally fragile (have to issue app updates for cert revocations) and can be hard to scale. How many secure sites does your app need to connect to? Is it flexible, unknown? How are you, the app developer, going to validate those certs beyond relying on the CA PKI? (and then you're back to square one).

This is a great reminder for others to consider a donation to the Freedom of the Press foundation's ongoing campaign to fund the development of encryption tools to benefit journalists, sources, and everyone who communicates digitally!

https://pressfreedomfoundation.org/

Huge thanks to Neel, whose donation pushed us over the edge to meet our goal!

(Full disclosure: I work for the Freedom of the Press Foundation)

Or just customize the UI and remove the search bar if it bothers you so much. Right-click the toolbar in <29, click the menu button and choose "Customize" on the bottom left in >=29.

> why not always use a VPN?

Because then you're susceptible to remote MITM? VPNs are useful but do not replace end-to-end encryption.

I think he's referring to app updates, not iOS updates. Also, desktop Mac OS X.

As a general rule: if you think Firefox is slow/laggy, try running it with addons disabled. One or more addons are often the culprit.

For page load lag, addons like ABP are often especially bad because they're running the URI of each request against a bunch of regex filters to determine if the load should be allowed to begin.

This property of ES6 generators, along with Promises, is what enables task.js [0] If you're interested in concurrency patterns for JS, you need to check it out.

Does this mean that we can use Task.js in ordinary web pages now?

[0] http://taskjs.org/

This posts reeks of cisgender privilege [0]. Gender is a social construct, not a biological inevitability, and it is disrespectful to refer to someone as a gender that they have explicitly stated they do not identify with.

I'll let you fill in the comparisons to widespread sexism, racism, and homophobia for yourself. Go back to the leaders of the American civil rights movement and tell them to let things "percolate through society" so they can know "where to draw reasonable lines".

[0] http://www.t-vox.org/index.php?title=Cisgender_privilege

> Aaron, I am sorry to say, has died in vain.

This contrived conclusion mars an otherwise sensitive synopsis of the film, and through that, Aaron's life. The drive to reform CFAA continues. Strides are being made for open access to research [0], the cause that lead to Aaron's conviction. The Strongbox/Deaddrop project is being actively developed and deployed to protect journalist-source communication and empower whistleblowers all over the world. [1]

The fight is not over - it has only just begun.

[0] http://www.washingtonpost.com/blogs/the-switch/wp/2014/01/17... [1] https://github.com/freedomofpress/securedrop

> I'm not sure but I think it's not a real sandbox, the code is still executed like any native code

It is actually quite different, read: http://static.googleusercontent.com/media/research.google.co...

There are fact several layers of sandboxing, which dramatically limit both the ability to create exploits, and the damage that a successful exploit can cause.

To be clear: I work for Mozilla, and I think Asm.js is a great project with a lot of potential for developers and the web; however, Google did a lot of innovative work to have a great security foundation for NaCL, which was not a real goal for NaCL AIUI.

> a "beta product" shows that it's not 100% safe

There is no correlation here.

> in the context of an interpreted, thoroughly tested JS engine, which is very much more secure.

> but since JS engines are heavily optimized, it makes the security problem disappear completely because JS is an old language, so all security problems are already known.

The continuing drive for JS performance has lead to new avenues for serious exploits, some of which are poorly understand are only have been partially mitigated by widely used engines. For just one example, see http://www.matasano.com/research/Attacking_Clientside_JIT_Co...

> The fact android uses java for its app is another demonstration of the easiest path to security.

I lol'ed.

TLS 1.2 will be enabled by default in the next release, Firefox 27, which will be released the week of February 4th. So, in less than 4 weeks, Firefox release will be "good".

Should be pretty easy to add that functionality! File a bug on https://bugzilla.mozilla.org. In fact, this would make a great first bug for a new contributor :)

Yeah - looks like it's emulating a lock so only one page can be rendered at a time (plus the overhead for database IO to maintain the lock). Is this really the best way to go about this?

Firebug is known to not work (and cause stability problems) at the moment (for reasons mentioned by cpeterso). We're working with addon developers to improve this situation.

A little while back, somebody a cool demo of ultrasonic networking (using HTML5 Web Audio!)

http://smus.com/ultrasonic-networking/