• Power’s out at mall. No teriyaki bowl for me. Subway it is! (Hmm, and no iced coffee either. *sigh*) #
• Near as I can tell, the Apple store is just completely shut down. Hazards of making checkout depend on computer network, I guess. #
• For contrast, Subway just dug out a pad of paper credit card slips & did texture rubbings w/ a pen. #
• Odd: muzak is so omnipresent I didn’t notice it was still playing. Speakers must be on another circuit from the stores. #
• Turns out only some buildings have lost power. Including all the coffee except Starbucks. But Jamba Juice has power! #
• Was weird walking through mall at lunch seeing lighted stores on right & dark on left. Some stayed open, some closed, some adapted. #
• Coffee Bean mostly closed during the power outage, but set an employee out front with 2 urns of coffee. No ice, though. #

Links of the Day

• Mac users: if you upgrade to Snow Leopard, be sure to re-update Flash afterward. #
• Impressive LA fire pix at Flickr. #stationfire #

On the tech side, it’s similar to SpamAssassin’s whitelist_from_spf and whitelist_from_dkim features. Both allow you to specify a sender to whitelist, and it will only give a message special treatment if it can verify the sender.

On the user-interface side, it’s similar to EC certificates, in that it tries to highlight a “good” class of messages rather than flag or filter out a “bad” class.

It’s not a bad idea, actually, and now that I’m surprised I haven’t seen something similar in other email clients. It’s sort of like setting up custom rings or images for images on your cell phone address book

They seem to be focused on webmail and Outlook so far, and only on Windows, but it looks like the perfect candidate for a Thunderbird extension. They do have a sign-up form to notify you when they add support for various programs and OSes, and I was pleased to see not only Thunderbird and Mac OS listed, but Linux as well. Too often, Linux gets forgotten in the shuffle to ensure compatibility with every Windows variation.

Cookie Security in WordPress 2.5. The latest version of the blogging software has a feature that can make it harder for attackers to grab your login sessions. It involves setting a pass phrase in wp-config.php, one which you’ll never have to remember, but which will be unique to your site. You have to copy the SECRET_KEY section from wp-config-sample.php and add in your passphrase…or you can generate a random code at http://api.wordpress.org/secret-key/1.0/ (be sure to put it in the middle of the file!)

The Internet Storm Center writes on Hundreds of Thousands of SQL Injections — all websites that have been hacked to host various sorts of malware.

Well, yeah. That’s our job.

And a bunch of random websites blocking IE6 aren’t going to convince people to change. If I were to block IE6, or only allow Firefox, or only allow Opera, I’d have to have seriously compelling content to get people to switch. Mostly, people would get annoyed and move on. Who’s going to install a new browser just so they can read the history of the Flash? Or choose an ISP? Or buy a product that they can get from another site?

Slapping the User in the Face

It’s so easy for someone to walk away from your site. One of the tenets of good web design is to make the user jump through as few hoops as possible to accomplish whatever you want him/her to do. Every hoop you add is an obstacle. Too many obstacles, and they’ll just go somewhere else more convenient.

Back when I was following Spread Firefox, every once in a while someone would suggest blocking IE. Every time, people like me would shoot it down. And think about it: what does the average Firefox user (or Opera user, for that matter) do when confronted with a site that will only run in IE? Fire off a complaint, or move on, unless it’s something they can’t live without, like, say, their bank. Only then will they bring up the site’s preferred browser…just long enough to do their business and move on.

Plus it goes against the grain of the concept that a website should be viewable in any browser. It offends my sense of… I don’t know, egalitarianism.

Recommend vs. Demand

My current tactics: I target the latest versions of each browser (or rather, the overlap in their standards support), toss in enhancements where I think something would be nice, but not critical (off-site link icons using generated content, for instance, which works in everything except IE≤7, or rounded corners, which only work in Gecko and WebKit so far). And I take that, and make it look reasonably good in IE6. I don’t try to make it perfect anymore (case in point, the header of this blog), but I try to make sure it’s functional and doesn’t look broken.

Then I include a polite notice recommending that people upgrade to something a little more capable or modern for a better experience, but I don’t require them to do so. I don’t pop up anything that moves, or blocks content, or forces them to click through an extra page.

Enter: PayPal

Now, remember what I said about banks? PayPal intends to block “unsafe” browsers from accessing their site (via Slashdot). They aren’t technically a bank, but PayPal is actually in a position where they might be able to do it: they’re the most well known online payment service where two random people can send each other money. Probably more people will switch browsers and keep PayPal than switch payment services and keep their browser.

They’ve since indicated that they don’t intend to block “current versions of any browsers,” but will focus on “obsolete browsers on outdated or unsupported operating systems.” So you IE4 users on Windows 98? Upgrade already! (And since you can’t install IE7, try Opera. It still runs on Win98!)

They’ve also cited such safety features as phishing protection (present in IE7, Firefox 2, and Opera 9) and support for Extended Validation SSL Certificates (present in IE7 and the upcoming Firefox 3 and Opera 9.5).

Hazards of Browser Sniffing

Of course, once you start actively blocking browsers, you have three choices:

• Keep track of every single browser out there, and every version.
• Let most browsers in, but only block a few problem browsers (similar to Yahoo’s Graded Browser Support)
• Unfairly block browsers that might be perfectly adequate just because you can’t be bothered to investigate them.

The last seems the most prevalent. Just ask any Opera user today, or any Firefox user of 3 years ago. (I remember using Firefox and being told to “upgrade” to Netscape 6, even though NS6 was based on an older version of the same engine. Remember: Gecko is Gecko.)

Whitelist approaches to browser detection are, by their nature, either going to require constant updating or block too much. In this case, issues would include:

• Less well-known browsers, like Flock, which uses the same anti-phishing features as Firefox
• Browsers that don’t do phishing detection themselves, using third-party plugins to do the job.
• Changes in status, when browsers add the capabilities required to get on the list.

Thankfully, it looks like PayPal is going with the most minimally-intrusive approach: blocking only the most troublesome browsers, and letting the rest connect normally.

Will it Work?

There’s still the question of whether it’ll actually make users less likely to land on a PayPal phishing site.

For one thing, it’s not clear whether they’ll block IE6. The initial report would definitely have excluded it, since it lacks both EV support and anti-phishing (without an add-on). But the follow-up statement was focused on Safari. Does PayPal consider IE6 to be a “current” version since Microsoft still supports it? Or do they consider IE7 to be current, and IE6 to be obsolete?

Certainly, if they don’t block IE6, this will really only impact the tiny fraction of users running horribly outdated software. (Well, more horribly outdated.)

The thing to remember is that the features PayPal is promoting will only help if users switch for general browsing. In fact, anti-phishing will make no difference at all on PayPal’s actual site, unless it gets hacked (at which point the user is screwed anyway.)

So let’s suppose that they do block IE6. As much as I’d like people to switch to Firefox or Opera full-time, I’m sure there will be some people who only fire up an alternative to use PayPal, and who stick with IE6 the rest of the time. They’re just as likely as before to click on a bogus “Pay with PayPal” button, or a link in a phishing email. If they weren’t going to do that in the first place, the browser requirement wasn’t needed. If they were, the browser requirement doesn’t help. The bogus sites won’t require phishing detection, or EV certs. Imagine the user saying, “Hey, PayPal fixed the problem where it wouldn’t let me use IE!”

And of course it won’t stop someone with a stolen login and password from connecting using an “approved” browser.

The ISC has also weighed in re: limitations of EV certificates. Among other things: it may be easier to get an EV cert than suggested, in which case it won’t indicate any greater degree of trust than a standard SSL certificate. And it doesn’t prevent other issues, like keyword loggers or trojans that simply hijack a user’s session.

I apologize for the rambling nature of this post (yeah, site title and all that). But I worked on it on a succession of late nights, and decided it was time to just post the thing. Also, I should have a somewhat more concise post up on OperaWatch soon now.

The ISC reminds us that IE7 will be pushed out to WSUS next week, which should help get rid of IE6. Yeah, I’d rather more people switched to Firefox or Opera, but I’m at the point where I’d love to be able to stop worrying about IE6’s shortcomings when trying to build sites. IE7’s shortcomings are much easier to work around. (Sorry to keep harping on this!)

The inventor of Norton Antivirus talks about computer security and has some rather interesting ideas on what policies are worth pursuing…and what policies aren’t. Long passwords? Great for protecting a stand-alone machine, but on a 10,000 machine network, they only need to crack one. Patch everything? Not every vulnerability gets exploited. I’ll have to read the Slashdot thread when I have time; that should be really *ahem* interesting.

Hixie’s Natural Log: Come up with the best test for Acid3 Edit: Strike that, Acid3 has been completed.

Spies in the Phishing Underground (via Slashdot)

And, on a more serious note, the Internet Storm Center is reporting on people finding malware pre-installed on digital picture frames, memory cards, etc. Something to watch out for with portable devices that can connect to your computer.

I usually avoid any sort of shopping on the day after Thanksgiving, online included, but I’ve been getting email from various online stores that are trying to get into Black Friday. Amazon is advertising a Black Friday Sale, and Apple is promoting a “special one-day shopping event” on their website—and annoyingly, neither of them is giving any clue as to what sort of deals are involved. Amazon keeps forwarding me to today’s deals, and Apple just says something’s coming. And neither site lists actual hours. Is it midnight to midnight? What time zone?

Speaking of Amazon, their entire home page is currently taken up by the announcement of their new eBook reader, Kindle. At $400 I’m not going to rush out and buy one, but it looks like they’ve solved some of the main e-book problems: it’s small, light and wireless, and they even bring up the reading-in-bed issue in the intro. The real question is going to be compatibility & openness: It’ll read plain text, HTML, Word, and a few other document formats (and they’re promoting its access to Wikipedia), so it should be possible for other stores to sell books for the device. And what about the e-book offerings themselves? Will they be loaded down with draconian digital rights management like the Adobe ebooks of a few years ago, or are they following the model of Amazon’s MP3 store?* In a nice change, their music downloads are entirely DRM-free and they use it as a selling point. Edit: Per Andrea’s comments and further research, Kindle ebooks are locked down with DRM. No, thanks!

The name, however, makes me wonder how soon they’ll offer Fahrenheit 451.

Finally, the Internet Storm Center has an insightful response to the statement, “There is nothing on my computer that a hacker would be interested in.” Let’s leave aside the question of your personal data for the moment. Just the fact that you’ve got a computer with an internet connection could prove very useful to someone who wants to cover their tracks or just add more power to their own distributed system.

* Amazon’s MP3 store is also surprisingly cheap. I replaced my old tapes of the original cast recordings of Les Misérables (Broadway) and Phantom Of The Opera for $9 each—they run upwards of $30 on CD.

Last Friday saw the release of PHP 5.2.4, on the Friday before—in the US, anyway—a 3-day weekend. This morning Apache released security updates for all three supported branches of their webserver. And this evening—yes, Friday evening—WordPress 2.2.3 came out.

Which reminds me, I’m going to have to start looking at the betas for WordPress 2.3. I think it’ll be a good time for a redesign. Maybe pick a new theme and tweak that one, maybe try my hand at actually designing one. I wonder if the new tagging system can import Bunny’s Technorati Tags.

Things worth noting:

• The SVN source that the developers use was not altered.
• Older versions, such as 2.0, don’t seem to have been affected.
• If you downloaded 2.1.1 when it was first released, it’s probably okay.
• 2.1.2 also includes a fix for a cross-site scripting vulnerability discovered a few days ago, so it’s worth updating anyway.

I still had the tar archive of 2.1.1 from when I grabbed it the day of the release, so I compared its contents to the 2.1.2 archive. The two files mentioned in the announcement, feed.php and theme.php, aren’t any different, confirming that the initial release was unaffected. That’s also where I saw the changes for that XSS bug.

*sigh* It’s always something…

According to the announcement, WP 2.1 should be out by the end of the month. Looks like it’s almost time to see how many of my customizations will work with the new version.