LWN.net Logo

Advertisement

ThinLinc Terminal Server

Advanced thin client solution for Linux, based on Open Source. Mix Windows and Linux applications on the same desktop.

Advertise here

Not logged in

Log in now

Create an account

Subscribe to LWN

Weekly Edition

Return to the Development page

Sponsored link

Serve your customers, not your servers, with VERIO Linux VPS. Full-access test-drive here.

Recent Features

LWN.net Weekly Edition for May 15, 2008

Distributed bug tracking

A Talk with Fedora Project Leader Paul Frields

LWN.net Weekly Edition for May 8, 2008

Blizzard tests the reach of copyright law

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

Firefox Bon Echo Alpha 3 milestone released

[Posted May 29, 2006 by corbet]

From:  beltzner <mbeltzner-AT-gmail.com>
To:  "dev. planning" <dev-planning-AT-lists.mozilla.org>
Subject:  Bon Echo Alpha 3 Milestone Released
Date:  Sat, 27 May 2006 01:47:45 -0400
Archive-link:  Article, Thread 

Please note: We do not recommend that anyone other than developers and
testers download the Bon Echo Alpha 3 milestone release. It is
intended for testing purposes only.

Bon Echo Alpha 3 is the third developer milestone focused on testing
the core functionality provided by many new features and changes to
the platform scheduled for Firefox 2. Ongoing planning for Firefox 2
can be followed at the Bon Echo Planning Center
((http://wiki.mozilla.org/Firefox2), as well as in this newsgroup and
on irc.mozilla.org in #bonecho.

New features and changes in this milestone that require feedback include:

* Built in Anti-Phishing protection
* Search suggestions now appear with search history in the search box
for Google and Yahoo!
* Support for client-side session and persistent storage.

And please continue to test out these other features which are new
from previous Bon Echo releases:

* Changes to tabbed browsing behavior
* Search plugin manager for removing and re-ordering search engines
* Better support for previewing and subscribing to web feeds
* New microsummaries feature for bookmarks
* Inline spell checking in text boxes
* Automatic restoration of your browsing session if there is a crash
* New combined and improved Add-Ons manager for extensions and themes
* Extended search plugin format
* Updates to the extension system to provide enhanced security and to
allow for easier localization of extensions
* Support for SVG text using svg:textPath

The Bon Echo start page
((http://www.mozilla.org/projects/bonecho/index-2.0a3.html) has also
been changed to make it easier for testers to provide feedback and
report bugs.

Builds are available for testing here:

Windows (5.3 MB)
http://download.mozilla.org/?product=bonecho-alpha3&amp;...

Mac OS X Universal (17 MB)
http://download.mozilla.org/?product=bonecho-alpha3&amp;...

Linux (8.8 MB)
http://download.mozilla.org/?product=bonecho-alpha3&amp;...

Testers should also be sure to read the release notes
((http://www.mozilla.org/projects/bonecho/releases/2.0a3.html).

<i>Note: Please do not link directly to the download site. Instead we
strongly encourage you to link to this Bon Echo milestone announcement
at http://developer.mozilla.org/devnews/index.php/2006/05/26...
so that everyone will know what this milestone is, what they should
expect, and who should be downloading to participate in testing at
this stage of development.</i>


cheers,
mike
-- 
/ mike beltzner / user experience lead / mozilla corporation /
(Log in to post comments)

Firefox Bon Echo Alpha 3 milestone released

Posted May 30, 2006 0:26 UTC (Tue) by iabervon (subscriber, #722) [Link]

I really wish that browsers would support a per-user anti-phishing whitelist, where the user can mark a site as being legitimate and have the site look special thereafter (in ways that can't be spoofed by a site). For example, it could replace "//www.wainwrightbank.com/" in the URL with "My Bank" in bold, if I've told it how to recognize "My Bank". Then I can tell there's something wrong if I end up at "www.wainwright.org", which is a perfectly good website, but is not my bank.

Based on this mechanism, it could allow the user to identify other necessary features of the site, like using a signing certificate whose key fingerprint is printed on the user's bank statements.

Pet names re-invented

Posted May 30, 2006 1:46 UTC (Tue) by AnswerGuy (subscriber, #1256) [Link]

Essentially you've re-invented the "pet names" concept. These allow the user to see a visually distinctive (color+icon+text) for those sites which are specifically *known* to the user.

JimD

Pet names re-invented

Posted May 30, 2006 2:21 UTC (Tue) by iabervon (subscriber, #722) [Link]

True. I still wish browsers would implement it, since it's pretty simple and easy for users to understand, while actually solving the problems.

Pet names re-invented

Posted May 30, 2006 21:34 UTC (Tue) by zooko (subscriber, #2589) [Link]

Indeed! It makes me sad that Firefox is spending their time on such techniques as blacklisting, and they are not, as far as I know, implementing this:

http://usablesecurity.com/2006/02/08/how-to-prevent-phish...

Does anyone reading this have contacts in the Firefox community?

Firefox Bon Echo Alpha 3 milestone released

Posted May 30, 2006 1:50 UTC (Tue) by error27 (subscriber, #8346) [Link]

I agree. The UI is tricky but the idea is obviously good.

Banks could do more to fight phishing themselves. My idea is that your bank would ask you to upload an image. It would save a cookie and every time you go back the picture you uploaded would be on the front page. If you didn't have a cookie saved, you would enter your username first then it would show you the picture then you would enter your username.

Obviously phishers would ask your for your username, contact the bank then display the picture. The thing is the bank would be able to track it and if the same IP address asks for a bunch of usernames then the bank knows that's a phishing site and it will get black listed.

Futile half measures!

Posted May 30, 2006 6:22 UTC (Tue) by AnswerGuy (subscriber, #1256) [Link]

Most of the anti-phishing approaches are futile half measures.

Why don't we we build a working key management and key exchange infrastructure and really solve the problem?

For the vast majority of users today there are only two import personal applications: e-mail and browsing. Something like GPG should be integrated into the MUA and client side certs should be used with browsers. When I open an account at my bank they should offer to dump a GPG key and generate an SSL client cert for me --- putting them unto a small USB thumb drive (complimentary with every new account). Heck ... make it one of those nifty biometric fingerprint reader/thumb drives.

Now I take that home and there's a little video and info pamphlet on my USB key and some little utilities to help me install the client certs and keys around into my application. The rest of the space on the drive can used for general storage, of course.

JimD

Futile half measures!

Posted May 30, 2006 18:45 UTC (Tue) by MortFurd (guest, #9389) [Link]

How's this look for a secure solution to online banking:
http://www.hbci-zka.de/english/

Phishing? Not in my house. I don't use a browser to bank, so Phishing doesn't work.

GNUCash does HBCI, and Linux supports darned near all of the card readers (though not all of the card types.) The card does the encryption, but only when I give it the PIN. There are extra secure card readers (with a numeric keypad to enter the PIN) for systems where you can't trust the system so that trojan or keyreader infested systems can't be used to clean out your account. If your account is empty, you sure by gosh did it yourself.

Secure, public/private key encryption (RSA,) an open standard, supported by open software - and used by over 2000 banks. What more could you want? Just one thing:
For banks in other countries to get up off of their duffs and do something right.*

*PS: The german banks are currently in the process of weakening HBCI to allow crappy software and lazy users to use the insecure PIN/TAN system again. Not gonna happen here. I'm sticking with my card and GNUCash.

Firefox Bon Echo Alpha 3 milestone released

Posted May 30, 2006 8:15 UTC (Tue) by jamesh (subscriber, #1159) [Link]

You can put rules in the chrome/userContent.css file that will only activate for a given domain name, which might do what you want. You could change the background colour for your bank's website subtly so that it is recognisable. Something like:

@-moz-document domain('mybank.com') {
    body {
        background: yellow !important;
    }
}

A phishing website would not activate the CSS rule, so would be distinguishable. As you are the only one using the rule, it'd be difficult for the phisher to target you.

Firefox Bon Echo Alpha 3 milestone released

Posted May 30, 2006 13:41 UTC (Tue) by krash (subscriber, #2689) [Link]

Btw. The link for the Linux download appears to be some sort of executable. The actual download link for Linux can be found on the announcement site at http://developer.mozilla.org/devnews/index.php/2006/05/26...

Copyright © 2006, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds
Powered by Rackspace Managed Hosting.