Flagfox 4.2.8 update released – schedule note

The Flagfox 4.2.8 update has been released today with this month’s updated IP address location data from Maxmind.

Someone emailed me asking where this month’s update was today, so I thought I might as well answer here as well. I generally build and release each monthly Flagfox update within a day or two of Maxmind posting its updates (with AMO approval sometimes taking an extra bit of time). For the past couple of months Maxmind has been releasing its IPv6 data much later than its IPv4 data. Flagfox needs both, so the updates to Flagfox have had to wait a bit. Updates will still be released roughly a month apart, but for now it looks like they’ll be released about a week later into the month than they used to be.

Flagfox 4.2.2 update released

The Flagfox 4.2.2 update released today has a couple minor but important things in it that I might as well mention here.

First and foremost, this update is required for all users of Firefox 18.0 and later as well as SeaMonkey 2.15 and later. The API I was using to check to make sure Flagfox didn’t do any DNS requests it wasn’t supposed to when behind certain proxies went away. I’ve switched to using the async API instead of the now removed sync one. This supports all older application versions currently supported so nobody should notice any change here. It might be possible that users with more complex proxy setups on their network might’ve been having some issues from using the sync API but I’ve never gotten any complaints about the performance here. I’m pretty sure these users were likely to be getting a message from Flagfox saying it couldn’t work behind the proxy as set up, anyway.

The other notable change in this update is a switch to HTTPS for the following default actions:

  • McAfee SiteAdvisor
  • SSL Checker
  • Google (search within current domain)

I’ll consider updating more actions to use encryption in the future as sites add support. As SPDY increases in adoption I’m hoping we’ll see many more sites served over HTTPS with SPDY, but for now pretty much only Google supports it.

Config Descriptions 1.0 released

I have written my third Firefox extension and uploaded it to AMO. Config Descriptions is a neat little utility addon that loads up all the source comments for default application preferences and shows them in about:config so you can have a clue as to what the prefs actually do without always having to look them up online. Not all prefs have a comment and a few comments are headers for a group and not particularly useful, but for most that it can show it’s quite useful. The extension is restartless and only a little over 4KB. You can download Config Descriptions 1.0 from AMO now.

Config Descriptions 1.0 supports Firefox 10.0+ and SeaMonkey 2.7+.

If you give it a try please post any comments, suggestions, or problems here.

Update:
Config Descriptions 1.0 has passed AMO editor review and is now public.

Flagfox 4.2 released

Flagfox 4.2.0 has been released and is now available on Mozilla’s Add-ons site for download and update.

Flagfox 4.2 is mostly behind-the-scenes changes to get rid of some delays on startup and page change. Flagfox should be a little bit more snappy now.

Changes in Flagfox 4.2:

  • IPv4 & IPv6 address location database updates for August 2012
  • Backend changes to improve responsiveness:
    * Removed dependency on Addon Manager API to access IPDB files on startup; Flagfox starts up faster and shouldn’t break when Firefox breaks here
    * Replaced old polling loop (4Hz) with a new location change progress listener; Flag updates are now done without delay; now fully idle when not used
  • Got rid of special icon for about:blank (nobody could tell what it was, anyway)
  • Changed Firefox EOL warning to show once for users with less than Firefox 10
  • Added a few more commonly resold TLDs to mismatch note exception list
  • Dropped Firefox 3.5 & SeaMonkey 2.0 support; removed special cases for them
  • This Flagfox version supports Firefox 3.6+ and SeaMonkey 2.1+

If you are one of the 20 thousand or so still lingering on Firefox 3.5, please update. I just can’t continue supporting such an old version anymore and Firefox 3.6 is considered a “minor” update to Firefox 3.5, which you should’ve installed by now. Yes, I’m aware that Debian stable still uses a version of the Iceweasel Firefox fork based on Firefox 3.5, but Debian is being stupid in this regard. Firefox 3.6 was supported for ages after 3.5, which is long since dead and not getting security updates from Mozilla. If you’re using Debian stable or any other distro based on it, you should be running a Firefox build downloaded from mozilla.org. If you need a version of Firefox that only gets a major update a year or so, then use Firefox 10.0 ESR. Everyone else should be using Firefox 14.0 or later.

An entropy based password strength checker in a data URI

Sometime last month, around the time that some major breaches of user databases from some popular sites were making the news, I got to thinking about password strength. Fred Wenzel’s post about storing user passwords is a great read on the topic, and one little part struck me: for unsalted quick hashing algorithms, if the hash is leaked then even completely random alphanumeric passwords up to 10 characters long are readily crackable. I realized it was time to change my passwords as most of them, while not something a person could guess, were easily crackable if a hash were to be leaked in a user database breach. So next step was to come up with some good strong passwords. There are some sites out there that will test one for you, but if you’re paranoid like me then you’re obviously not going to type your actual password in there. I wanted something I could test locally and I was already aware of the basic theory of entropy with regard to passwords so I did a little more research and wrote my own little password checker. Sure, I could’ve probably hunted for an addon to do this, but I wanted something simple and it was a neat little project that sounded like fun to write. Gerv posted on this exact topic today, so I thought I might as well post my little checker for those who want it.

Note that my checker has a few nice properties:

  • Its strength assessment is based on calculated entropy, not purely whether or not you include upper and lower case characters, numbers, and/or symbols. Adding one of these cases adds to the possible characters available and increases the entropy, but the final number is based on this math and not whether or not you follow any particular practice. The end result is that it will correctly tell you that adding two characters to an alphanumeric password is better than adding case-sensitivity.
  • It has a high standard; it will likely label passwords that might be considered good elsewhere as not good enough.
  • It’s simple, local, and entirely contained in a data URI. This means you can read the code yourself very easily and verify it’s not going to send it anywhere.

But it has a few disadvantages too:

  • It doesn’t check for common and easily guessable passwords or patterns. It’ll only give you a rating against a brute-force attack from a computer with no hints. Passwords are rarely truly random and people writing programs to crack them know this. The lessons of what stupid stuff to not put in your passwords are not addressed here.
  • It doesn’t handle Unicode well. It could add new character categories for other languages’ alphabets and syllabaries, but for now if you have anything other than alpha-numeric-symbolic it will give you an overly optimistic strength rating. Also, it goes by each byte not each character, so a multi-byte character is counted as multiple characters.
  • I’ve only tested it in Firefox thus far.

It’s not perfect, but as long as your password is alpha-numeric-symbolic and not easily guessable by someone it will give you a good analysis of password strength.
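The entropy calculation described above can be sketched as follows. This is an added example, not the code of the checker in the data URI: the character-class pool sizes (printable ASCII) and all names are assumptions, and it flags non-ASCII input as unreliable instead of rating it.

```javascript
// Added example, not the checker from the post. Pool sizes assume printable ASCII.
const CLASSES = [
  { name: "lower", re: /[a-z]/, size: 26 },
  { name: "upper", re: /[A-Z]/, size: 26 },
  { name: "digit", re: /[0-9]/, size: 10 },
  // 0x20-0x7E minus the 62 alphanumerics: 33 symbols, space included
  { name: "symbol", re: /[ -\/:-@\[-`{-~]/, size: 33 },
];

// Brute-force entropy only: length * log2(pool). Guessable words and
// patterns are not penalised, which is the first limitation the post lists.
function estimateEntropy(password) {
  const chars = Array.from(password); // code points, not bytes
  const bytes = new TextEncoder().encode(password).length;
  const classes = CLASSES.filter((c) => c.re.test(password));
  const pool = classes.reduce((sum, c) => sum + c.size, 0);
  const perChar = pool > 0 ? Math.log2(pool) : 0;
  const asciiOnly = chars.every((ch) => {
    const cp = ch.codePointAt(0);
    return cp >= 0x20 && cp <= 0x7e;
  });
  return {
    length: chars.length,
    bytes,
    pool,
    classes: classes.map((c) => c.name),
    bits: chars.length * perChar,
    bitsPerByteCount: bytes * perChar, // what counting bytes would report
    reliable: asciiOnly, // false: pool ignores the non-ASCII characters
  };
}

// Constructed sample passwords for the comparison made in the post.
const samples = ["k3j9x2m7", "k3J9x2M7", "k3j9x2m7q4", "p\u00e4ssword"];
for (const pw of samples) {
  const r = estimateEntropy(pw);
  console.log(pw, r.classes.join("+"), r.bits.toFixed(1), r.reliable);
}
```

With these constructed inputs, the ten-character lowercase-and-digit password scores higher than the eight-character mixed-case one, which is the "two more characters beat case-sensitivity" result from the list above.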

Load my entropy based password checker (data URI)

Note that you can bookmark the checker page directly, at which point the whole thing is stored in the bookmark itself. This is sometimes called a bookmarklet. I’ve re-encoded it with base64 and put it behind a TinyURL because WordPress can’t link to it as-is.

I decided I might as well put a license on my code so I went with MPL2 if anyone wants to use it.

For anyone who was wondering how to easily make data URIs, I recommend The data: URI Kitchen. I used the nicely meta Self-contained data: URI Kitchen, which is itself contained in a data URI (but is text only).

Updated application version support policy

Flagfox 4.1.x supports: Firefox 3.5+ & SeaMonkey 2.0+
Flagfox 4.2.x supports: Firefox 3.6+ & SeaMonkey 2.1+

Once upon a time I had to keep bumping version numbers to keep up with support, but since Firefox 10, addons generally default to compatible. My current policy is as it was the last time I posted to this under-used blog. I regularly use and test Flagfox in the Aurora Firefox channel and still bump the install.rdf versions to keep up with it when I package the monthly Flagfox updates. Flagfox should generally work in nightlies as well, though if it breaks I might not notice for a bit unless someone else tells me.

In my last post, way too long ago, I said I was going to drop support for Firefox 3.5 for Flagfox 4.2 whenever I get around to writing it. Well… I haven’t yet, but I still mean it (probably). I now support 8 EOL major versions of Firefox, which means that should I decide to write anything major I’m really going to want to axe most of that support to do so. If I write a Flagfox 4.2 then Firefox 3.5 support will be dropped, but when I write a Flagfox 5.0 I’m probably just going to drop Firefox 3.5, 3.6, and all 4.0 – 9.0 support, leaving Firefox 10 ESR as the minimum. No, I have no clue when this would be; I’ve yet to make the time to write a new major version in a while. As I continue to maintain Flagfox 4.1.x with minor fixes, locale updates, flag icon updates, and of course IPDB updates, I will of course not be dropping any application support, thus increasing the number of (dead) Firefox and SeaMonkey versions I support every 6 weeks.

Update:
Flagfox 4.2 has been released so Firefox 3.5 and SeaMonkey 2.0 are no longer supported. Future versions of Flagfox 4.x will probably continue to support Firefox 3.6.
