IE auto-upgrades, plugins next?

Last week the IE team announced that they'll soon start to automatically upgrade IE across Windows 7, XP, and Vista through Windows Update. A follow up from Microsoft's IT pro team details that IE 6 and IE 7 will be upgraded to IE 8 on Windows XP, while Vista and Windows 7 users will get IE 9. With Microsoft joining the herd of auto-upgraders the final pieces of the puzzle start to fall into place, now "everybody" does it. Other major browser manufacturers (Opera, Chrome, and Firefox) have been auto-upgrading their installations for some time already. Apple's Safari now stands out in the crowd and it will be interesting to see whether they'll stick to their current update regime.

For Microsoft, this is yet another important step to kill of IE 6 which still has a considerable user base. Up til now they have been running campaigns urging users to upgrade their browsers. They actually have a website dedicated to kill of the browser, www.ie6countdown.com (I have to point out that Norway is leading the pack, with only 0.2% IE 6 users). Hopefully the automatic upgrades will have a notable impact on the remaining IE 6 installations.

In two earlier posts (one and two) I've advocated silent auto-upgrades as an important strategy to keep Internet users safe by providing them with timely security patches. Recently I came across an interesting study on the effectiveness of different Web browsers update mechanisms. It's definitely worth a read. (*Surprise*, it aligns just fine with my views so I can safely link to it).

See pics of women, free

Just now on Facebook I got the following advertisement:

I didn't quite react at the first glance, since every once in a while you get served the ads for "Russian ladies looking for love" etc. (hope I'm not the only one getting those). Then I realized that this ad was for Match.com! That's amazing. I clicked on it, and yes, it led me to: no.match.com.

The title of the ad suggests that it leads to one of the more sleazy sites on the Internet. If you do a Google search for free pics of women, you'll get the idea. Warning: NSFW!

I'm not convinced that this is how girls looking for a relationship would want their profiles advertised on the Internet. And it is yet an example of how a social website might try to capitalize on the personal information you've shared — in a way that would make you uncomfortable if you were made aware about it.

Shame on you Match.com! This is not how a responsible and respectable dating site would treat their users.

Twitter app privacy, there just might be hope!

A couple of months ago I blogged about Giving up your privacy for nothing at Yahoo News, ranting about how the Tweet button on a Yahoo News article required you to give complete control of  your Twitter account to some Twitter application. Well, I just had a more encouraging experience!

You've probably heard about this Klout thing. On Twitter there has lately been several reports of people getting Klout perks, so I became a bit curious on how all of this worked. After all, there's not that many web pages where you sign up and then get stuff sent to you by mail because you have many Twitter followers (deliberate over-simplification). I had to register to see what this thing was all about.

Note that there is an ongoing privacy discussion about Klout, here's an excellent article that summarizes some of the issues. I won't go in to that discussion here.

You can sign in to Klout using your Twitter profile. An this is where I was in for a pleasant surprise!

Base64 decode online — are you sure?

Are you using one of the many web pages that let you base64 decode data? In that case you should take a moment to think about the nature of the data you want to decode and what those pages could be doing with the data — apart from showing you the decoded version.

tl;dr: Check out transformtool.codeplex.com for an offline alternative to the online Base64 decoders.

Google's keyword tool reports 9,900 monthly searches for "base64 decode online". How many of these searches lead to disclosure of sensitive business information, or personal information (PII) to one of the Base64 decoding webpages? None of these searches are from IT-professionals trying to figure out what's wrong in a production system, right?

Top Google results for "base64 decode online" at time of writing

Update Java — or just remove it

Oracle recently released an update to its Java software, fixing more than 20 critical security issues in the software. Krebs has a good post on the update, briefly discussing the vulnerabilities and the fact that Java vulnerabilities are exploited for real.

I have to say that in recent years I've installed Java more due to habit than because of an actual need for the software. So when I got the update bubble in the corner of my screen, I figured "of course". I knew they, among other things,  fixed the same-origin-policy bypass used in the BEAST attack (You'll find a straight forward explanation of the Java vulnerability here, and links to resources on BEAST here). So I started the update process, and this was one of the first screens I was presented.

A Google 2-step verification vulnerability

Early this year Google started rolling out their new two-factor authentication procedure, which they refer to as 2-step verification. On their corporate blog they provided a few hints on why they were rolling out a new authentication procedure — mentioning risks associated with password reuse and phishing attacks. 2-step verification is now widely deployed, by June it was available in 150 countries, and in 40 different languages.

Of course, I took interest in how the two-step verification was designed and I discovered a couple of design issues. In addition I discovered a security flaw that qualified for Google's vulnerability reward program, so I engaged in a responsible disclosure process with Google. Now they've fixed the bug, my reward has been donated to charity, and I've received my 19 bytes of fame, so I guess it's time to blog about this. I'll focus on the security bug here, and blog about the design issues later. I need to do some investigation to see whether Google fixed any of them or not, as they reported that they were re-evaluating some of their design decisions.

If you're unfamiliar with how the two-step verification works, see Google's video below (borrowed from Getting started with 2-step verification).

Now, straight to the point.

Making the web even safer: From auto-upgrade to silent updates

Mozilla now aims to add silent updates to Firefox — much like Chrome and Opera already does — as summarized in this Computerworld article. This marks an important milestone, and is an important follow up to Mozilla's decision back in June to auto-upgrade the then soon-to-be unsupported Firefox 3.5. Back then, I blogged about the importance of the bold decision to NOT leave users behind on an unsupported version.

Later in June when Firefox 5 was released, Firefox 4 users where prompted to update to the new version. I was so excited, I had to blog about that too.

Now Mozilla has decided to introduce silent updates to Firefox. From Mitchell Baker's blog we can learn that:

Before Mozilla instituted the rapid release process, we would sometimes have new capabilities ready for nearly a year before we could deliver them to people.  Web developers would have to wait that year to be able to make their applications better.

And why is that a problem?

A browser is the delivery vehicle for the Internet. And the Internet moves very, very quickly.