Softcore software development
It's all about the cycles

Allowing mixing insecure and secure content

Web

This is something that’s been floating in my head. Not sure how much this is worth advancing, or whether it is deeply flawed. Or whether it was considered at some point but not indexed well enough by Google.

Many sites do mix HTTP and HTTPS content. Sites that do this are no longer considered secure (Larry goes away, the lock has a warning symbol over it), and for good reason: the insecure content cannot be trusted. It may have been tampered with. If the content is a javascript file, for instance, that could be very bad news.

But if we know that data from a secure source can’t be tampered with, could it vouch for content that isn’t secure? Let’s take an example of a fictitious webpage:


<script type="text/javascript" src="http://media.cesaroliveira.net/badass-javascript.js"></script>
<img src="http://media.cesaroliveira.net/panda.jpg" alt="look out!" />
Credit card number : <input type="text" ...

Even though the site is served securely, some important information is sent insecurely. I am proposing that the secure content be able to pass along a hash (sha1, not md5) of the content that it expects. If the content delivered over the insecure channel has the same hash value, then we can be reasonably assured that the data has not been tampered with in transit. Let’s see the code again:


<script type="text/javascript" src="http://media.cesaroliveira.net/badass-javascript.js" data-hash="sha1:12b36be3076d357b2d390b2df3f9b65cd55b93e1" ></script>
<img src="http://media.cesaroliveira.net/panda.jpg" alt="look out!" data-hash="sha1:bcf31e777fa69753f8ecf9701fc9b6f1518b51b3" />
Credit card number : <input type="text" ...

It starts with data- because I doubt something like this would be implemented outside of my head. But it seems to solve the problem of tampering with the data. If the hashes don’t match, the website is still broken. If they do match, then we should be able to breathe easily.

Of course, in time people will figure out vulnerabilities. Hash collisions are a problem. But this is something the web has had to deal with before. Maybe a nice addition would be allowing multiple hash values, like:

<img src="http://media.cesaroliveira.net/panda.jpg" alt="look out!" data-hash="sha1:bcf31e777fa69753f8ecf9701fc9b6f1518b51b3;md5:953c78ac57ca68bfe532eb50120c8aa1" />

Yeah. I know I said no md5 ;)


August 30th, 2009

Tags: crazy, security, Web




Statistical gathering for add-ons

addons

Today I submitted version 0.7 of the safe add-on. This was not a version with additional features, but rather a version that collects stats from users who uninstall the add-on.

I mainly did this because I wanted to know more about why only a small percentage of users who downloaded my extension continued on using it. How long have they used the extension? What options have they enabled (if any)? Where are my users coming from? I stopped short of asking people to complete a feedback form, instead opting to just send data to my server. It’s relatively anonymous, except for the IP address which gets recorded.

Unfortunately, this doesn’t really give me useful statistics from people who stay with my add-on. Which is still useful. My best hope is that it’ll answer at least one of my questions that it was set out to answer.


August 9th, 2009

Tags: extension, safe, stats




Open source shoes

personal

A few days ago, I went to buy a pair of new shoes. I decided that I would put effort this time into actually looking for vegan (or as they say, cruelty-free) shoes. Generally I am more lax about leather/pelts than most other vegetarians, but I still don’t like supporting the industry. So I decided to go and buy hemp shoes (FYI, Payless Shoes seems to have leather-free shoes, according to the TVA). I found this little place called Left Feet, which had hemp shoes that didn’t look like a hippy designed them.

The shop is small. Very small. With limited selection that caters to people who go out of their way to buy products that are typically made with leather. After I found a pair that I liked, I brought it home and saw a pamphlet at the bottom of the box (emphasis on their part, not mine).

Join the Blackspot Community

You’re now the owner of a pair of Blackspot shoes. It’s a purchase that could be unlike any you have made before. By buying Blackspots you’ve become a member of an international movement to regain control of our own minds and communities.

The open-source logo, hand-drawn on the side of your Blackspots, is a symbol of resistance against the kind of big-money hyperbranding that has been undermining civil society for decades. Earth-friendly, anti-sweatshop (made in Europe), cruelty-free, and pro-grassroots, the Blackspot model represents fundamental change.

The open-source logo they talked about looks like below. Despite the name the logo is white, not black. The black you do see is dirt. If you touch it, it feels sticky. Kinda like gum.

Blackspot Shoe

The reason why it’s called an open-source logo is because anyone can supposedly use it. It’s not a particularly great logo, and it likely didn’t go through over a dozen iterations.

On the plus side, they were very well priced for what they claim to do (organic hemp, biodegradable materials, made by unionized workers). I am happy with the purchase despite the smaller selection.


July 24th, 2009

Tags: "open source", activism, personal, shoes




Google Maps and geolocation

Web, hugs, programming

I was first made aware by sdwilsh of the fact that maps.google.com now uses geolocation, which is new in Firefox 3.5. But when I loaded maps, I was surprised to see that it didn’t work when I visited the site. And I was using something even more recent than Firefox 3.5, Minefield. Surely it has geolocation, so what is going on?

The reason maps doesn’t support Minefield is because of *drumrolls* … browser sniffing. Developers… no wait… GOOGLE web developers, I thought we moved on?

The actual bit of code is here, unminimized and tidied up:

function isBrowserGeolocationSupported(){
    // Firefox: trust the UA string plus the presence of navigator.geolocation
    if (window.navigator &&
        navigator.userAgent.search("Firefox") != -1 &&
        navigator.geolocation)
        return true;
    // Chrome: accept any major version >= 2, without looking at navigator.geolocation at all
    if (window.navigator &&
        navigator.userAgent.search("Chrome") != -1)
        return Number(String(/Chrome\/[0-9]+/.exec(navigator.userAgent)).substr(7))>=2;
    var gearsFactory=null;
    // ... the remainder of the function was not included in the post
}

The hell? Ok, so I understand they do a bit of browser sniffing because it looks like Chrome had an old/broken implementation of geolocation. But I wish there was a more graceful way of doing this (maybe something like navigator.geolocation.version < 1). One that didn't break every application that may implement geolocation that isn't named Firefox. Because those exist too.


July 10th, 2009

Tags: browser compatibility, google chrome, Web




Oh Windows

hugs

You are an endless source of joy in my otherwise frustrating Linux life.
Microsoft Windows Operating System has encountered a problem and needs to close.


February 11th, 2009

Tags: microsoft, windows error




Dear reddit

Uncategorized

Please, please, please stop defending Phelps on this pot thing. You’re not only really bad at defending him (and really, he can defend himself. He’s an adult), but you might be actively hurting the pot movement you are so obviously championing for. You are well intentioned, but please keep thought-deprived comments and headlines to yourself.

If you want to learn more about the movement, both for and against. You can read more about it at the National Institute on Drug Abuse or the National Organization for the Reform of Marijuana Laws. Either of these do a much, much, much better job.


February 8th, 2009



Uncovering the underlying metadata

Web, hugs

A few weeks ago, I wanted to do some C++ Mozilla coding to make sure I wasn’t going soft. But I didn’t really know what to do. I left it for a bit until I found something weird about the HTML5 spec: there was a method of testing whether metadata has been loaded, but no way to expose the metadata (e.g. song title, artist, album, etc.) to the user, such as through Page Info.

I think this will be useful. As media starts being embedded into the web browser, it would make sense to start exposing this to the user. I know there have been a few instances where I was listening to something on the radio, but there was little hint of what the song was called (I usually tried to remember a few lyrics and did a Google search. Mixed success).

I brought this up in the whatwg irc channel, and apparently this is being considered for the next version of the spec. Which is understandable, because the server can always display the metadata. But often, media may not be central to the website. For example, background music.

I started looking at the Audio/Video backend stuff that moz uses. It got confusing real quick (it doesn’t help that the audio code itself is completely empty). Plus I was in a hurry. So I decided to implement it as an extension.

It was a lovely experience. I had a few problems, including finding out that audio/video wasn’t actually being saved to the cache (bug 469446). It was checked in like 2 days after I found it out. Also, I hate strings very much. The string guide helped, but it is still awful. And I made firefox crash a few times because I’m a nsCOMPtr n00b.

Right now, this extension is working only with ogg vorbis files. Which is stupid because <audio /> is rarely used anywhere, and if it is used, only under certain conditions (wikimedia commons uses the audio tag, but not really. Apparently, the video/audio tags start automatically downloading the media even if it isn’t under autoplay. This is a mess if you have dozens of audio tags in one page. bug 464272). It is so rarely used that I had to create an audio demo page for testing purposes.

Using it is very simple. Right-clicking on an audio tag brings up the context menu. I decided to use the context menu over Page Info because the media tab of the Page Info dialog is very much geared towards images, and that code has to be changed in the firefox source (it’s not easy/pretty to overlay).

audio context menu

Which brings up the audio’s metadata

audio properties

While a lot of metadata is displayed, some isn’t. For example, iTunes has support for cover art as a COVERART header. While you can put that in vorbis, it should be noted that it isn’t widely supported. So I decided to put in only the standard headers for now.

This is dealing with C++ code. Which is much more dangerous than javascript code because NS_ERROR_OMGWTF doesn’t appear in your error console when I try to free an uninitialized pointer. I made basic checks so hopefully nothing bad will happen. But I didn’t do extensive checking in case we have a bad ogg file or something.

Well, to be fair to me, I always save the function’s return value. I just didn’t check whether it passed nor did anything about it. And this won’t just crash at any time. It’ll crash if you try to load the metadata (I’m very nice like that).

The name of the extension is saraswati, named after the hindu God of music and knowledge (really, a Google search helped out a lot here). Please enjoy! (Linux x86, x86-64 and Windows x86 only right now)


January 22nd, 2009

Tags: audio, bug, extension, html5, seneca, sleep




Another mix up

personal

I came home about a week ago with Toolroom Knights mixed by Mark Knight, instead of my intended target of Mark Oliver. It was OK because I have, and still enjoy, Toolroom Knights mixed by Gabriel and Dresden. Both CDs describe themselves as a “journey through the world’s finest house music”. But their styles are so different. I already found it difficult to describe the genre. Now it’s just impossible.


January 13th, 2009

Tags: house, microblog, music




Successfully Getting your Addon Reviewed

addons 2 Comments

As the addon review queue grows beyond 600 nominated and updated addons, it is more important than ever to make sure your extension passes review the first time around. Editors have a review guide, and a well hidden but publicly viewable set of policies. But here is a quick list of the most cited reasons for addon refusal :

  1. Addon should have at least 3 user reviews before being nominated. External reviews count too, but you have to mention them in your nomination message. Softpedia reviews do not count.
  2. Wrap your loose variables. All objects, variables, and anything that your addon makes global should be wrapped to avoid conflicts with other addons.
  3. Look at the error console. Is your extension throwing up javascript errors? Fix it. There are some options you can set in about:config to help you with this.
  4. You break functionality in the host application (Firefox, Thunderbird, etc.).
  5. Your extension doesn’t work properly, or shows unexpected results. This is what user reviews are expected to catch, but you really should get someone who wasn’t involved to test and report bugs.

There are other less common things that can get you busted too. I’ll just list them here for completeness sake :

  1. Including remote javascript/css or other files, anywhere. Include them in your xpi file instead.
  2. CSS warnings on the error console if you’re submitting a theme.

If you have any doubts, check the public policies page linked above.

And don’t ask when your extension will be reviewed in the comments. Because every answer will be the same : When someone gets around to it. It could be sooner if you’d help!


January 13th, 2009

Tags: editor, extension, hugs, mozilla




NSILHNFHDwxyz

hugs, personal

This has sorta turned out to be a mashup of NSID. But because I started mid-November, it’s

No Shaving In the Last Half of November and First Half of December. wxyz for the more obtuse title name.

I wasn’t sure when I started. At the very latest, it was November 14th. So yesterday marked the 31st day, and today is the day I can shave it off :) Happy New Year!
It wasn’t easy, and I hate the end result. But I enjoy the not shaving for 31 days part.

I’m covering up my beard here. I wouldn’t look too bad with some facial hair :
In deep thought

A comparison :
Me vs. Waluigi

UPDATE : I originally wrote this mid-December, but kept it in draft until the beginning of January so not to spoil the other participants and for them to get all jealous. Thanks to one of my bank statements, I figured out I most likely started on the 19th, not the 14th. So I shaved 5 days too early. fail


January 4th, 2009

Tags: nsid, personal, shaving




Copyright © 2010 Softcore software development All Rights Reserved