Archive for the ‘Browsers’ Category

Apple Releases Safari 4…..

June 9th, 2009 Willem 2 comments

and breaks the functionality @ Dutch Rabobank Internet Banking.

I got the Safari 4 update this morning, and with most Apple updates I just install them. After the update I launched it and was (at first) surprised at the Interface. It opened with ‘Top Sites’. An overview of Websites along with thumbnails… Nice.

Since I had a web browser open, I launched the Rabobank Internet bankieren website. Since Apple boasts with the fact that Safari 4 passes like a gazillion Acid tests (and Microsoft like only 1)

Safari 4 ACID test results (according to Apple)

From another source:

On February 24 2009, Safari 4 was the first fully functional build browser to pass Acid3.[22]
On 08 June 2009, Safari 4 was the first official release version of a desktop browser to display a score of 100/100 and pass the Acid3 test.

The main page worked fine, but transferring funds leaves you with empty screens etc. There is no way of managing your money with Safari 4.
I haven’t searched for workarounds, since I don’t want to search through knowledge bases, or sniff through settings within Safari (or OSX). A browser should work.

So they might be perfect in a lab environment, but I’d rather have a less perfect browser which enables me to manage my money.

So, to summarize:

Safari 4: 100% ACID 3 proof, and a 100% failure rating in displaying websites
(since I only tried one website)

Anyway, back to FireFox for me.

B.t.w. I have tried the same with Internet Explorer 8 on a work laptop (since it got pushed down my throat), and that one works fine. Even when it’s not in its compatibility view mode (for displaying non-standard websites). Must be one of the few times that Internet Explorer seems to work….

Screengrabbing in FireFox

May 4th, 2009 Willem No comments

On Windows PCs I use SnagIt from TechSmith for screen captures etc. On OSX I use the built-in capabilities of OSX for capturing screens, windows, or areas, but there was something missing…

SnagIt can capture large windows within *cough*Internet Explorer*cough* or Firefox as one image. So no need for a capture, scroll down, capture again etc. This feature isn’t available in OSX, or any (commercial) capturing software I could get my hands on. Until I ran into Screengrab.

Screengrab is a FireFox extension which allows you to save an entire webpage as an image (jpg or png). Excellent extension if I may say so.

Broken SSL Trust

December 29th, 2008 Willem No comments
WebTrust broken?

When a CA issues an SSL certificate they (the registration authority) should verify certain information provided by the requester. This includes at least the domain name ownership and preferably the person or company tied to the domain name ownership. Basic stuff really, but what happens when certificates get issued without any verification? Well, this happened to Mozilla [2].

Basically, the complete trust framework collapses (for that CA), especially when combined with hosts file and/or DNS hijacking. What if this incident isn’t the first? What if some cybercrook got some SSL certs for your favorite bank due to similar mistakes? You’re no longer sure if the https connection to your bank really terminates on the servers of your bank. It could just as easily terminate on a server in Russia or Albania. Which leaves you with an empty bank account (most likely).

If the certificate is issued (signed) by a Comodo Root CA (as it was in this case), your browser accepts this as a valid/trusted CA and for the user everything seems fine. This takes me back to the issue of all those trusted root certification authorities in the average OS or browser.
This time, it’s a Comodo affiliate that’s screwed up (there’s no other way of describing this), but what are the chances that some of those 100+ trusted CAs make a mistake? The bigger the list, the bigger the chance of wrongfully issued (SSL) certificates.

By the way, if you’re using an older browser (pre IE6 e.g.), chances are that SSL certificate revocation checking is disabled by default. So even when they revoke the certificate you still wouldn’t know…. You can verify this by opening the Internet Explorer options section and checking the Advanced tab.
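To make the point about the size of the trusted-root list concrete, here is an added example (not part of the original post) that summarizes a trust store by operating organization and flags expired roots. The sample entries and CA names are constructed; the dict shape is the one Python's `ssl.SSLContext.get_ca_certs()` returns.

```python
import ssl
import time
from collections import Counter

def rdn_value(name, key):
    """Read one attribute (e.g. organizationName) from the nested subject
    tuples used in the ssl module's certificate dicts."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None

def summarize_roots(certs, now=None):
    """Count trusted roots per operating organization and list expired ones.
    `certs` has the shape returned by ssl.SSLContext.get_ca_certs()."""
    now = time.time() if now is None else now
    per_org = Counter()
    expired = []
    for cert in certs:
        org = rdn_value(cert["subject"], "organizationName") or "(no O= field)"
        per_org[org] += 1
        if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
            expired.append(rdn_value(cert["subject"], "commonName"))
    return {"total": len(certs), "per_org": dict(per_org), "expired": expired}

def _root(org, cn, not_after):
    # Build one entry in get_ca_certs() format (only the fields used here).
    return {"subject": ((("organizationName", org),), (("commonName", cn),)),
            "notAfter": not_after}

# Constructed sample; the CA names are invented for illustration.
SAMPLE_ROOTS = [
    _root("Example Trust Services", "Example Root CA 1", "Dec 31 23:59:59 2028 GMT"),
    _root("Example Trust Services", "Example Legacy Root", "Dec 31 23:59:59 2008 GMT"),
    _root("Sample CA Ltd", "Sample Global Root", "Jun 30 12:00:00 2027 GMT"),
]

if __name__ == "__main__":
    # To audit the real store instead: ssl.create_default_context().get_ca_certs()
    report = summarize_roots(SAMPLE_ROOTS)
    print(f"{report['total']} trusted roots from {len(report['per_org'])} operators")
    for org, count in sorted(report["per_org"].items()):
        print(f"  {count:3d}  {org}")
    print("expired:", report["expired"])
```

Every root counted here is trusted equally for every domain, so the total is the number of parties whose mistake your browser would accept.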

Categories: Annoying, Browsers, Internet, Security Tags:

FireFox 3 Color Management

August 27th, 2008 Willem No comments

In the ‘old’ days, Safari was probably the only Internet browser with some decent color management. The problem was that images displayed in Firefox and Internet Explorer looked a bit desaturated and lighter.

Now, in FireFox 3 you have the opportunity of enabling color management. Just set the following configuration option to ‘true’ (by double clicking) in the FireFox configuration settings (to access the config-part of FireFox, just type about:config in the address bar).

gfx.color_management.enabled

This feature is turned off by default. Restart Firefox and be amazed by the colors of your photos on the Internet.

Create Your Own EV Certificate??

August 15th, 2008 Willem 2 comments

Most web browsers support the extended validation certificates. These certificates give a visual indication (green browserbar for example) that the SSL connection is trustworthy. The only problem is that they are expensive. Especially compared with the ‘ordinary’ SSL certificates.

These certificates are special because the Certificate Authority (e.g. VeriSign) validated the company who buys these certificates. This way, the end user can shop / bank / or whatever online without worrying too much.

Some affiliates / certificate vendors already did this years ago (validating the actual companies), so this is nothing new. Yet another way to fool the consumers, and make some extra money…..

The problem I run into is that I used to have a ‘yellow-ish’ addressbar when I entered an https website. Today (at least with FireFox 3) the address bar remains blank. The only indication is a tiny lock displayed at the bottom of the browser. Something you might (and definitely will) overlook.

I use a home made Certificate Authority to create my own certificates (for webmail, secure IMAP, SSL, etc.), but I would like to see a proper visual indication of the SSL connection. So, is there a way to create an EV-like certificate (or even a new CA) by using Microsoft Certificate Services or by using OpenSSL which displays the colored addressbar?

I did find some info on the EV requirements, but these should be ’spoofable’ some way or another…..

UPDATE: I found a website which suggests reconfiguring Firefox 3. Problem with that is that I need to reconfigure all my browsers. I’d rather do it by ‘faking’ the specs.

It seems that the OCSP-responder is mandatory for the bars to turn green….

Categories: Browsers, Security Tags:

FireFox 3 Bug??

July 22nd, 2008 Willem No comments

Like most security conscious people I use Firefox (FF) for my everyday browsing on the Internets. So when the Mozilla guys released version 3 I installed it on all my machines (2 Windows and 2 OSX platforms).

It took a bit of getting used to. The underlying FF part had been changed. Bookmarks, history etc are all stored in sqlite databases. So no more flatfiles. This took me a couple of hours to figure out, but finally I got ‘there’.

Using FF was business as usual… Apart from one very annoying bug; Opening new windows (not new tabs) results often in an empty bookmarks bar. And this is happening on Windows and OSX versions of FF.
The bookmarks are ‘there’ but not click-able. Using the right mouse button (on OSX: ctrl-mouse click) on the bookmarks bar and selecting ‘Open All in Tabs‘, FF opens every bookmark in the bar.

The only way of restoring the proper bar is to completely shut down FF and restart it. After that it works for a certain amount of time.

The problem isn’t isolated to my environment. Just google on the issue, and you’ll find more people. There’s one suggestion I haven’t tried yet. Starting with a fresh/clean profile, but I do need my settings/passwords/bookmarks. I’m lost without those :(

UPDATE: I tried a new profile, and this seemed to work. After this I started to repopulate the new profile with the old settings, etc. Everything went fine until the point where I added the extensions. It seems that even old / not active extensions (SwitchProxy in my case) are still able to f*ck things up.

FireFox 3 Dialog Boxes

July 8th, 2008 Willem No comments

Firefox is the default browser on all my platforms, and every once in a while I run into strange dialog boxes.
E.g., this evening I updated some digital certificates for the test environment of VeriSign MPKI backend. These certificates are issued by a (private) VeriSign CA. So there’s no trust by default.

After generating the keypair in FireFox 3 I got the positive dialog box as shown below.

No problem so far, but the next dialog box ’scared’ me a little;

This dialog box, or at least the result, would remove (or delete) the certificate I just generated. The issuing CA is not installed in FireFox (or on the machine itself for all it matters). But in fact the certificate was installed in the Crypto/Certificate store of FireFox, and I could use it to access the VeriSign test backend.

So, even though FireFox warns the user that the content will be deleted (or not added), it doesn’t exactly do that at all. Let’s see if I can file a bug report, because this occurred on all 4 certificates I generated/imported.

Firefox 3 Bookmarking

June 26th, 2008 Willem No comments

Mozilla released Firefox 3 during my holiday. So the first thing I had to do was upgrade v2.x to the latest version. Initially everything seemed fine…. INITIALLY…

The trouble began when I tried to add bookmarks. The new bookmark interface (it’s called Library) showed up empty. When I tried to add a bookmark, it was impossible to remove it.

“Why would you want to remove a bookmark??” Well, because every bookmark I added ended up with the URL to some ad. At first I thought I had some weird virus or trojan on my Mac. But it seemed that every Mac had the same problem.

E.g. If I added the SnipURL button to my toolbar (which is basically a javascript) it would work, but when I pressed the button, it would show a Google ad. There was also no way of removing or changing it.

Today I started digging into the /Users/<username>/Library/Application Support/Firefox/ folder. This was the place where all settings were stored. After fooling around with importing the old bookmarks.html file I ended up with 3 times the amount of bookmarks and no way of deleting them.

It seemed that Firefox 3 uses a SQL-like database called ‘places.sqlite‘. This database imports the old bookmarks.html file upon the first launch. Possibly, that html file was corrupt (or whatever), because when I removed all bookmarking files (I did make a backup of the old bookmarks.html file!!!!) and relaunched Firefox 3, the bookmarking interface worked correctly. Now I imported the ‘old’ bookmarks.html file, and everything was back to normal (so far).

For those interested; I removed the following files under the /Users/<username>/Library/Application Support/Firefox/ directory;

  • Everything with bookmark in its name (make sure to backup the ‘original’ bookmarks.html). This includes backups etc.
  • places.sqlite

After starting Firefox 3, you may want to import and (re)organize the old bookmarks.

Note that this scenario occurred while upgrading from the latest Firefox 2 version to 3 on an Intel Mac. Other scenarios might show similar ‘bugs’, but are not tested in any way.

Apart from this ‘minor’ issue, I’m very happy with the new browser. Speedy, less memory consumption, etc.

Now I need to figure out if bookmark-syncing is available in FF3.

Change Nokia E61i Default Browser

October 8th, 2007 Willem 2 comments

A friend suggested the Opera Mini browser (v4 beta2) as a browser on my Nokia E61i. So I downloaded it and installed it. Great looking browser which renders some sites much better than the normal included browser (and it’s still absolutely free!!).
My online banking site seems to work a bit better anyway.

One thing I haven’t figured out is how to set the Opera Mini browser as the default browser. If I open a link in an e-mail it opens the original browser….

Categories: Annoying, Browsers, Nokia E61, Symbian Tags:

FireFox Disables Old Security Protocols

November 29th, 2006 Willem 7 comments

I received an error today when I tried to access an SSL protected website. According to FireFox;

Firefox can’t connect securely to because the site uses a security protocol which isn’t enabled.

It seems that FireFox has removed the support for older/insecure SSL sessions. Some research showed that these settings are accessible through the ‘hidden’ configuration in FireFox. Just type about:config in your addressbar and it shows the advanced settings of FireFox.

Put security.ssl3.rsa_rc4_40_md5 in the filter bar, so that all other settings are removed from the current view. After that set the parameter to true (default is false).

After this you’re able to access the website. If not, try setting the other encryption parameters (which are set to false) to true. Filter on security; the parameters are quite similar to the one discussed in this entry.

Note that there might be some security issues when you enable old(er) security protocol support in FireFox. These are disabled for a reason!!!.
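Because a setting flipped in about:config stays flipped long after the one site that needed it, here is an added example (not part of the original post) that scans a profile's prefs.js for weak cipher suites that were switched on. Weakness is inferred from tokens in the pref name, which is a heuristic assumption; only security.ssl3.rsa_rc4_40_md5 comes from the post, and the other pref names in the sample are constructed to follow the same pattern.

```python
import re

# Matches one line of a Firefox prefs.js / user.js file, e.g.
#   user_pref("security.ssl3.rsa_rc4_40_md5", true);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

# Assumption: the suite's strength can be read from tokens in the pref name.
WEAK_TOKENS = {
    "40": "40-bit export-grade key",
    "56": "56-bit key",
    "rc2": "RC2 cipher",
    "rc4": "RC4 cipher",
    "des": "single DES",
    "null": "no encryption",
    "md5": "MD5 MAC",
}

def weak_reasons(pref_name):
    """Return the reasons a security.ssl3.* pref names a weak cipher suite."""
    prefix = "security.ssl3."
    if not pref_name.startswith(prefix):
        return []
    tokens = pref_name[len(prefix):].split("_")
    reasons = [why for tok, why in WEAK_TOKENS.items() if tok in tokens]
    if "ede3" in tokens:  # des_ede3 is triple DES, not single DES
        reasons = [r for r in reasons if r != WEAK_TOKENS["des"]]
    return reasons

def audit_prefs(text):
    """List (pref, reasons) for every weak suite that is set to true."""
    findings = []
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m or m.group(2) != "true":
            continue
        reasons = weak_reasons(m.group(1))
        if reasons:
            findings.append((m.group(1), reasons))
    return findings

# Constructed sample; prefs.js only records values changed from the default.
SAMPLE_PREFS = '''\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("security.ssl3.rsa_rc4_40_md5", true);
user_pref("security.ssl3.rsa_aes_256_sha", true);
user_pref("security.ssl3.rsa_des_sha", false);
'''

if __name__ == "__main__":
    for name, reasons in audit_prefs(SAMPLE_PREFS):
        print(f"{name}: weak suite enabled ({', '.join(reasons)})")
```

Any finding is a candidate for resetting to the default in about:config once the legacy site no longer needs it.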

Categories: Browsers, Internet, Security Tags: