Linux Solutions

I swear that this should be my last story about browsers before Christmas…

A password security test by Chapin Information Services, a security consultancy, has found that Google’s much complained about Chrome browser has tied in joint LAST place with the Safari browser.

In all 21 security tests were carried out on the browsers – which worryingly none of did particularly well.

Joint winner (?) of the tests was Firefox 3.0.4 and Opera 9.62 who both scored a terribly lame 7 out of 21, in an absolutely pathetic bunch of scores. Internet Explorer 7 fared much worse, with just 5 out of 21. Lagging way behind in the scores were Safari 3.2 for Windows and Google Chrome who both past a paltry two out of 21.

The tests measured how well browsers protected passwords and other details saved by users from phishing schemes and hackers. The security team inspected each of the browsers security architecture to find whether there were any noticeable flaws or vulnerabilities that hackers could use to steal a web users data.

Google Chrome seems to have felt the brunt of the security team’s tests after they pointed out three major flaws in the browsers security that were reportedly present in the beta, and were still present in the final version.

Chapin claims that Chrome fails to check the location of the password requests or the where they actually end up. In addition to this, invisible form elements can trigger password management functions in the browser without a user approving there information being filled in.

Richard Chapin, the company’s founder said, “These three problems, combined with seventeen others so far identified in Chrome’s password manager, form a toxic soup of potential vulnerabilities that can coalesce into broad insecurity.”

Chapin highlighted that Opera had the best level of performance of all the browsers tested at withstanding this type of attack. Mr Chapin says that he actually discovered a similar vulnerability in Firefox version 2 a couple of years back: “The Password Manager component of Firefox can be exploited to send a username and password combination to an attacker’s computer without the user’s knowledge,” they warned

Chapin’s tests are quite an eye opener, but as a person who doesn’t trust putting all my password in my browser anyway I don’t think I have to worry, that being said, I know a few people who are too lazy to manually type passwords in, and I reckon there is a lot more.

On a bizarre side-note, Google’s Chrome was the only browser to pass one test: “not filling in a form when auto-complete is set to off”.

Google’s not so quietly released beta of its Chrome browser is over, as the new version sheds its newbie skin and steps in to the light. The search giants vice president Marissa Mayer spilled the beans to Michael Arrington at LeWeb 2008, saying that the open source, browser which hit the ‘shelves’ over three months ago is due to be given its full release soon.

Google revealed that they are responding to demand for the browser from customers including OEMs. Whether the browser will be given a full release is uncertain, and the company has a habit of keeping its products in beta form for a long time – presumably that mistakes can be brushed over with the excuse – “ah, but its just the beta”.

Although the browser will run on both Windows and Linux-based systems, the Mac version of the browser remains elusive. And according to the reports, the browser is far from completion.

Also, in related news Google announced an early developer release of Native Client earlier this week that consists of a runtime, a browser plugin, and a set of GCC-based completion tools.

Native Client has the task of running native code from web-based applications on x86 Widows, Linux and Mac. The company revealed the Native Client on Monday for testing by the open source community, and want them to challenge the usability and security of the browser.

The company has proposed a ‘two sandboxes’ system, which are called the inner and outer sandboxes, which prevents untrusted modules from the web spreading throughout your system. Google’s model sees application calls made by using ptrace in Linux and Mac OS X. Access control lists have been proposed for Native Client on Windows.

Native Client wants code from web-based applications such as photo sharing and editing to run natively on you x86 machine.

Brad Chen, with Google’s Native Client Team, said: “For example, imagine that you run a photo-sharing website and want to let your users touch up their photos without leaving your site. Today, you could provide this feature using a combination of JavaScript and server side processing.”

“This approach, however, would cause huge amounts of image data to be transferred between browser and the server, leading to an experience that would probably be painfully slow for users who just want to make a few simple changes. With the ability to seamlessly run native code on the user’s machine, you could instead perform the actual image processing on the desktop CPU, resulting in a much more responsive application by minimizing data transfer and latency,” he added

Google is keen to ensure that application like this are “browser neutral”, allowing application and content creators to build their applications without having to work around browser compatibility issues that are rampant at the moment.

Some people have noted that Google’s Native Client looks to be a challenge by the company against Microsoft’s Windows desktop. But should Microsoft be worried?

All things considered, Native Client could provide more options for Windows-application developers that are keen to put their software online and freeing themselves from the desktop and allowing them to not be tied to Microsoft’s Silverlight browser-based plugin for video and audio. How far are Microsoft willing to work with Google making its Windows API’s open and available to the sandbox architecture.

Mozilla, creator of the world’s second most popular browser – Firefox, has released the second beta for the upcoming Firefox 3.1 browser to testers on Monday. This new release arrives hot on the heels of the last beta, released 7 weeks ago. The browser is available in 54 languages, Firefox 3.1 beta 2 includes some major changes compared to previous versions according to Mike Beltzner, who is involved in the development of Firefox.

“It’s not even been six months since we released Firefox 3 but what we’ve noticed is that the Web continues to move really, really quickly, and so do we. So, even before the release of Firefox 3, we’d already been working on what will become the next release of Firefox and when we took stock a couple of months after the release, we realized that we’ve done a couple of really, really impressive and incredible things,” he said

Beltzner said that the biggest difference to the browser is the improvement in speed. Firefox 2 was fast, Firefox 3 was faster and 3.1 looks to have the same sort of improvement, he claims.

“We’re going to be shipping a new Javascript engine called ‘TraceMonkey’ that’s going to really improve the performance of the browser, especially for Web applications, but overall throughout the Web you should start feeling once again a browser even faster than Firefox 3. The idea was instead of waiting for a long release cycle we’d make sure we got some of these improvements into the hands of users as soon as possible,” he said excitedly.

The introduction of “Private Browsing Mode”, more affectionately known as Pr0n Mode, allows users to browse the internet without leaving a trail of breadcrumbs behind them.

“[Firefox beta 3.1] has a more granular set of history deletion tools. It used to be that if you wanted to clear the history of your browser it was an all-or-nothing affair. Now you can say, ‘You know what, just erase the last couple hours of browsing history,’ or even ‘I want all traces of this particular Web site erased,’” Bletzner spelled out to LinuxInsider (who get all the best interviews).

As well as TraceMonkey, Mozilla has included some other notable enhancements, Beltzner said. Web Worker Thread is a technology layer improvement that allows developers to move some of the heavy processing of their sites away from the browser, reducing the weight on the browser, and improving performance. Other changes include improved Web Rendering support, added support for Acid3 and CSS properties, as well as the completion of the HTML 5 offline specifications. Results from the previous beta have seen Mozilla remove the irritating tap-switching and preview problems, which is great to see.

How the new browser will fare against the new Internet Explorer will be interesting to see. Comparisons have already been drawn between the Pr0n Mode and IE 8’s InPrivate function. And with the beta testers in full swing by now, Mozilla need to make sure everything works perfect if they want to lure people off of the world’s worst browser – Internet Explorer. What? You didn’t expect an impartial article on a Linux blog did you?

It seems that those pesky kids are up to know good once more. A band of scam artists have targeted the popular Firefox browser from Mozilla with a Trojan that activates on start-up of the browser and steals any username and passwords a user types in.

The password thieving piece of software is built in to a Firefox plug-in, according to BitDefender, a security firm based in Romania. The Trojan, ChromeInject-A is downloaded onto a Windows PC, that already has malware and spyware issues.

Once the file has burrowed its way on to the users hard drive, it lies in wait until the user opens Firefox. The malicious code looks for data exchanged between an infected machine an a list of pre-programmed banking sites across Europe, America and Australia.

As if you haven’t guessed by now, the virus is of Russian origin. All the stolen details get fed back to a server located in the country.

So far BitDefender say that confirmed incidents of the malware’s success are “very low”, so that attack is not classed as especially serious. It is worth noting however that the concept of this type of virus is very clever indeed. Latching on to the rising popularity of a browser, that allows user built software to be downloaded as a plug-in is novel, and Firefox had best be on high alert – even if this one has had little impact.

Attacks like this are certainly not unheard of. Just two years ago Firefox found itself with a dodgy plug-in that included the malware FormSpy, but it was caught out before any major damage was caused.

In related Firefox news, Amazon – the nets most popular retailer – hailed the arrival of its long awaited MP3 download service, but a group of code monkeys had something else to announce – the arrival of a Firefox plug-in that linked the company to PirateBay.

The Amazon Service sells albums from £3, and individual tracks for just 59p. However the plug-in form the coders allows you to browse the Amazon download store, and then download the songs for free – not including the cost of your connection.

The extension was not deliberate according to the designers:

“We are not affiliated with The Pirate Bay, and do not host or even link to any illegal content,” they wrote.

“This artistic project addresses the topic of current media distribution models vs. current culture and technical possibilities,” the creators said to TorrentFreak.

The plug-in claims to work on all of Amazons products, not just MP3s. The site was down for a period with the message: “The Ship was hit. We’re offline”

Users can use the add-on on any Amazon page, and a ‘download 4 free’ button sits on the toolbar. PirateBay claims to have 25 million peers.

Browsers have been making the headlines over the last few months. Mozilla’s Firefox 3 release exceeded all expectations when it had over 7 million first day downloads, Google launched its Chrome beta, Opera have just launched a mobile browser, and Internet Explorer 8 is on its way soon. My question is this: What happened to just going to a website?

It’s almost a challenge these days for the average computer user to go to a website, and see it the way it was meant to be seen. How many times have you looked at something through your shiny new Firefox browser and thought to yourself, this site looks fine, but as soon as anyone looks at it using IE7 it looks terrible, with its shoddy changes in resolution and its joy in mucking about with a nice CSS stylesheet.

And are we getting to the point where its style over substance? Firefox looks great I have to agree, and I’m using it right now but with updates every day, multiple add-ons available, what happened to just plain old back, stop, and refresh?

Many people would argue that Internet Explorers simplicity is the reason for its success. Yes, we all know about the security flaws, and I do think that it has the ability to make any website look terrible, but the vast percentage of users just want to point and click, and be happy with it.

I do like Firefox, and the new version has some funky features, but when I let my brother use my PC he was caught out by the fact it was different and it was giving him suggestions as he typed into the address bar, and do you know what – it really put him off it.

It seems that while my brother saw the benefits, there was just too much going on for him to feel comfortable using the browser. I tried to explain that it is simple, but that’s because I’m used to it by now. He said “you shouldn’t have to learn how to use a browser”, and you know what, he’s entirely right.

The reason for IE’s success is that its second nature to many users, the first time I used Firefox 2, I played around with the features for a bit, but if I’m being honest, I switched around between it an IE for a couple of weeks before I choose which one to continue using. There was no instant click as a new user. I had been told the benefits, but like my brother, I didn’t see the problem in sticking with what I know.

I took to the newest version of Firefox like a duck to water, its innovative features rock and I am pretty happy with everything, but the reason for it not quite reaching the front of the pack with regards to new users, is perhaps because of “the unkown”.

I’m probably one of the only open source fans looking forward to the arrival of IE8, but its mainly so I can have fun picking apart its flaws, but (and it’s a BIG but) if it works well, and has the improved security I may turn my back on Firefox for a while. Let battle commence!

After a few weeks of beta testing, Opera Mini 4.2 for mobile phones has officially been released, and with the recent news that Opera have opened a brand new server park, US users will see a 30 percent boost in speed.

The new release is the first version officially available for the Google Android mobile platform, and is also the first web browser alternative to the current browser on the open Android platform.

The new lightweight browser is pretty darn fast as it cuts out parts of pages that are not essential, and the new version adds more language versions and a choice of browser themes/skins to give it a more personable feel. Opera’s remote servers are set up to pre-process web pages, and the content is compressed to reduce the size of data transfer –enabling faster browsing. Although the main bulk of the speed increase will affect US users, Opera says that users worldwide should notice the difference. The browser will run on a multitude of java-capable handsets, including Nokia, Samsung and Sony Ericsson, and Windows Mobile.

The Opera browser is the most popular mobile browser in the world according to Opera Software, who said that 21 million unique users browed 5 billion pages in October 2008 alone.

Avi Greengart, research director of wireless devices for Current Analysis was interviewed by LinuxInsider and said that Opera, “is without question the world’s most popular aftermarket mobile Web browser,” but he couldn’t tell if it was the most used overall.

“Nokia sells an awful lot of phones with mobile browsers,” he added.

But is Opera Mini browser any good? I’ve personally used versions of Opera in my recent mobiles, and had Opera 4 beta on my Sony Ericsson W810i before I moved on to iPhone, but I liked how it worked on a handset that was never really designed to surf the web.

Greengart likes it too: “For devices with small screens or limited connectivity, no question – Opera Mini does the best job of quickly modifying the site for your tiny screen on its servers, and then sends just that data on to your phone. It is certainly my mobile browser of choice for feature phones,” he said.

Opera tried to convince iPhone to let users have Opera Mini 4.2, however the company were shown the door by Apple because the Opera browser was perhaps to close to Apple’s own Safari browser that’s built in to the phone. Of course other stories say that Opera had never actually submitted the browser to Apple’s App Store for approval, and as of yet there are no alternative browsers for iPhone users to download – highlighting the difference between the open source nature of Android, and the closed door of iPhone.

“As a general rule, Apple likes to control the user experience as much as possible. While Apple has opened up the App Store to all comers, there are a number of ill-defined gates to getting programs onto the iPhone. This appears to protect Apple’s own software development efforts for the platform, which means that users get a consistent Apple experience across major functions, but miss out on potentially disruptive innovations from others,” Greengart said.

“Google is taking the opposite approach, hoping that the development community can smooth over Android’s rough edges, fill in missing functionality, and potentially tinker with the OS itself,” he added.

“Right now, Android is mostly potential, and while I can reasonably know what the iPhone experience will be like a year from now, I can’t predict whether Android will be a whole lot better … or just the same,” he concluded.

In the meantime, you can get Opera Mini 4.2 in the Android Market as well as directly from opera.com and operamini.com. I might just have to get it and cram it on to my old W810i for fun – expect a review shortly.

The release of Internet Explorer 8 beta has been pushed back to a 2009 release. The “standards-compatible” upcoming edition of the browser will appear in beta form in the first quarter of the year, followed by a final release, according to IE8’s general manager Dean Hachamovitch on his blog.

Hachamovitch didn’t specify an exact release date for the new browser, but said that (for once) Microsoft is planning “to deliver the final product after listening for feedback about critical issues.”

“We will be very selective about what changes we make between the next update and final release. We will act on the most critical issues. We will be super clear about product changes we make between the update and the final release.”

Bill Veghte is the senior vice president of the Windows business group. Back in July, he promised Wall Street investors at Microsoft’s yearly Financial Analysts Meeting that IE8 was due out by the end of this year, but Hachamovitch said that although the beta is pushed back to early 2009, he stressed that the release candidate will be the final product.

The company is clearly worried about how the updated browser will be perceived. With some interesting features in the update such as the introduction of a tag that allows older websites – the ones designed to work in earlier IE versions – to be viewed correctly. This is a worry, as websites face a real possibility of being un-viewable to the user, as IE8 updates it legacy layout engine with CSS 2.1 and HTML 5.0 support.

Hachamovitch said the technical community “should expect the final product to behave as this update does.”

“We want them to test their sites and services with IE 8, make any changes they feel are necessary for the best possible customer experience using IE8, and report any critical issues (e.g., issues impacting robustness, security, backwards compatibility, or completeness with respect to planned standards work).

“Our plan is to deliver the final product after listening for feedback about critical issues,” Hachamovitch said.

For sure, the open source community will be keeping a watchful eye over proceedings, and I must admit that I am curious to find out what the IE8 team will come up with. Its going to have to be impressive after the previous versions was not all that and a bag of potato chips. More news when we have it.

Its not every day that I get to write about Mozilla, but with yesterday’s story about the non-profit organisation and its tax dodging efforts, today’s news that the organisation is warning Firefox users about rogue add-on’s just adds to the weeks problems.

Mozilla say that users should be wary of what they class as “experimental” add-ons, as they can cause some pretty major computer problems.

The reason for the Firefox browser’s success has to be down to not only the sleek and well balanced layout, but for the customising capabilities that other browsers just don’t have. Some of the add-ons make brilliant additions to your browsing experience, and give users more reasons to stay away from the epic fail that is Internet Explorer.

However, many of the problems lie in third-party development of these add-on’s. Take the recently released ‘China Channel’. This add-on allows users around the world to know what it feels like to surf the web in China, and got a ton of press when it was announced due to the sheer nature of the add-on. Now, why you would want to surf around a highly censored internet is beyond me, but I digress. The fact is that this browser add-on lets you roam around in fake China for a while, but when you invariably get bored and want to leave…you can’t.

The add-on’s pitch says on the Firefox add-ons page, “Take an unforgettable virtual trip to China and experience the technical expertise of the Chinese Ministry of Information Industry” – and so far over 1000 users were sucked in by the…er…hype?

vnunet.com ran a test on the add-on and found that the ages the China Channel were trying to restrict appear to be lost for good, even when the add-on is turned off. One other tester said that he had found an “uninstall bug”, and that all proxy settings were lost when he shut the browser down. “Unforgettable”, indeed.

Mozilla has small print to deal with this kind of situation:

“This add-on is meant for advanced users to test add-ons before they are made available and reviewed for general use. Many add-ons may be in prototype form. Experimental add-ons may be alpha, beta or pre-production in quality, performance and features. Caution should be used when installing experimental add-ons, as they have not been tested by an editor and may harm your computer configuration.”

As of yet the Firefox developers claim to be blissfully unaware of the add-on’s press coverage, but say they are going to look into the issue further to ensure no other users are affected.

With the release of the Mozilla Foundation’s 2007 financial report, questions have been raised by the IRS who are due to perform an audit on the non-profit organisation behind the massively popular Firefox browser.

Last year the Foundation received $66 million of its total $75 million revenue (88 percent) from search engine maestro’s Google, so the IRS are looking for blood over the organisations tax exempt status. Back in 2006, Mozilla got $59.5 million from Google – around 85 percent of the organisations revenue.

Google and Mozilla are part of a “you scratch my back, I’ll pay your bills” sort of agreement with the Google search bar firmly placed in the toolbar, and on the default homepage. Things were a bit rocky a couple of months back when Google unveiled the Beta-run of its Chrome browser, but Mozilla and Google hugged it out and sealed a deal that will last for a further three years. That deal will expire in November 2011.

In 2003, Mozilla received tax exempt status, which meant it didn’t pay any taxes in 2004’s revenue of $4,422,674. The organisation said the agreement with ‘a search provider’, “facilitates the dissemination of the Foundation’s browser, thereby increasing the accessibility of the internet.” Do I know exactly what they mean by that? Well not really if you must know.

In 2005, Mozilla created a for-profit operation, whereby multiple search engine contracts were transferred to the new Mozilla Corporation. When they made the change, Mozilla say they have a “tax reserve fund” set aside in-case the IRS come looking for the tax from 2004/05 – which they are.

The IRS has stated that they are launching a review: “We are early in the process and do not yet have a good feel for how long this will take or the overall scope of what will be involved.”

In the finance report, Mozilla claim that its search revenues should be classed as royalties, and therefore not be taxed, however, they are well aware that the IRS could see things differently. Mozilla has a bit of spare cash in its tax reserve - $14,832,000 at the end of 2007.

The report also says that an inquiry into the organisations tax exemption has begun due to Google supplying a large chunk of the Foundation’s revenue.

“While the Foundation did not automatically qualify as a public charity with public support at 33 per cent of total support, it believes that it qualifies as a public charity under the facts and circumstances test with public support over 10 per cent,” said the report

If the IRS finds Mozilla hs not been taxed correctly, the organisation says it will become a private charity, and release around 100,000 in taxes.

Late on Thursday evening the company that created the world’s second-favourite browser, Mozilla Corp. revealed its mobile version – code-named “Fennec” – taking the unusual step of offering it in version for desktop PCs and Macs, in order to collect feedback.

In-Keeping with the fox theme – a Fennec is a small fox that lives in the Sahara desert – the browser is built from the same Gecko code that drives the currently under-construction Firefox 3.1.

Mozilla announced the Fennec browser as “an early developer release” that was suitable for “resting purposes only” – they always say that for pre-betas, and according to Mark Finkle, the company wants as much feedback as possible.

To help reach the biggest amount of testers, the browser is available not only on the Nokia N810 Tablet, but is available for desktops and laptops running Windows, Mac OS X and Linux.

Finkle made the announcement on his blog:

“We are also releasing desktop versions of Fennec. That’s right, you can install Fennec on your Windows, OS X or Linux desktop too! We want you to be able to experiment, provide feedback, write add-ons and generally get involved with the Mozilla Mobile project, even if you don’t have a device.”

The Nokia N810 is not a mobile phone, but is actually more similar to an iPod touch. It runs the Maemo OS, which is based on the Debian Linux distro.

A Windows Mobile version of the Fennec browser is currently being built, but is not yet available for public testing.

Fennec offers touch-screen functionality, includes a pop-up blocker, a Firefox-style tab-browsing interface, a password manager, and the same address bar features that made Firefox 3 such a hit.

Mozilla is rather a latecomer to the mobile browser party. The Opera browser is certainly the best mobile browser out there at present and works on a range of handsets. Apples iPhone uses its own Safari browser.

However, this is not the first attempt by Mozilla to break the mobile browser market – the company’s Minimo was dropped back in November.

Check out Fennec Alpha 1 at Mozilla’s web site.