Mozilla Foundation activities, week ending 2006/04/07
This is my report on activities of the Mozilla Foundation for the week ending April 7, 2006. A lot of what went on last week won't be announced until subsequent weeks; of the other stuff the most notable activities related to the Mozilla Foundation web site and a PKI conference I attended.
Projects for the week
Here's a partial listing of what I and others at the Foundation did the week ending April 7:
mozillafoundation.org. Zak Greant has been doing minor fixes to the Mozilla Foundation pages on mozilla.org, and creating a new set of pages for mozillafoundation.org (not yet online).
Next actions: I'll work with Zak to get my own access to his mozillafoundation.org prototype, and add various documents to it (e.g., the CA certificate policy).
PKI R&D Workshop. I attended the PKI R&D Workshop at NIST in Gaithersburg MD, and participated on a panel discussion on browser security. Note also that Bob Relyea of Red Hat spoke about work by Red Hat and Sun to support elliptic curve cryptography in the NSS crypto library and hence in Firefox and other Mozilla-based products, as well as in server products from Red Hat and Sun. For more information see Bob's presentation; the rest of the workshop presentations and papers are also available online.
Next action(s): None at this time.
Here's what I'll be doing and where I'll be in the coming months.
- I'll be in Mountain View in June for a Mozilla Foundation board meeting.
This concludes the report.
Financial Cryptography mentioned this post in "News and Views - Mozo, Elliptics, eBay + fraud, naïve use of TLS and/or tokens...":
Firefox, the free open-source Web browser from Mozilla Corp., quietly gained enough users in March to finally grab 10% of the Web browser market, according to a report released yesterday by Web audience-measurement firm NetApplications.com.
Funny, I thought that happened long ago....
On the even better news front, Frank Hecker is now posting weekly diaries of action at the Mozilla Foundation. This is an excellent idea, as they are stuck between a rock and a hard place - a non-profit with lots of money and no obvious way to govern it. Here's a snippet of some relevance to FC but the real news is that Mozilla do seem to be taking the search for governance seriously.
PKI R&D Workshop. I attended the PKI R&D Workshop at NIST in Gaithersburg MD, and participated on a panel discussion on browser security. Note also that Bob Relyea of Red Hat spoke about work by Red Hat and Sun to support elliptic curve cryptography in the NSS crypto library and hence in Firefox and other Mozilla-based products, as well as in server products from Red Hat and Sun. For more information see Bob's presentation; the rest of the workshop presentations and papers are also available online.
Presumably Red Hat and Sun are interested in supporting the NIST Suite B because of potential USG sales. It will be interesting to watch how this falls out - will the endorsement of NIST (and in the background, the NSA) push elliptic curve cryptography forward to adoption? Or will the patent free (and therefore cheap) alternatives we already have maintain their open dominance?
A great post by Cubicle on fraud over at eBay. He talks about how the company has drifted and postured to the point where they are now providing infrastructural support for scammers - because it is the scammers that pay their fees. Cubicle has it right. Either you take on fraud by the horns, or it takes you on in very nasty ways.
eBay and PayPal chose the latter course, and will always provide a high-cost, low reliability experience for the users. Luckily they got there in an environment when the competition wouldn't stay the course, but things have changed in the payments business lately. Signs are that they recognise the party's over, and Paypal are madly diversifying their base into credit cards and cell/mobile payments.
http://business.guardian.co.uk/story/0,,1751793,00.html
http://news.com.com/irs+to+search+paypal+records+for+tax+evaders/2100-1030_3-6060920.html
Security Is Harder Than You Think, by John Viega and Matt Messier
Many developers see buffer overflows as the biggest security threat to software and believe that there is a simple two-step process to secure software: switch from C or C++ to Java, then start using SSL (Secure Sockets Layer) to protect data communications. It turns out that this naïve tactic isn't sufficient. In this article, we explore why software security is harder than people expect, focusing on the example of SSL.
Viega and Messier talk about how using SSL to get security is likely to be a bit of a fantasy. I'd agree - saying that you use TLS for your security model has generally correlated with a lightweight approach. Likewise, Bruce Schneier writes in Interactions of the ACM that two factor tokens are "too little, too late."
Although people are now happy to point out that the SSL, certificate infrastructure, and the browser security model out there is like swiss cheese, there still seems to be a sense that if the developers and the implementers just read the right books and just did the job fully, then we would have security ... I think the major point here is that ACMQueue and Interactions are happy to print articles pointing out the flaws which is probably a necessary step if we are to move forward....