
Mozilla Popcorn (JS)

I’ll confess that I’ve been a little sceptical about the Mozilla Popcorn.js effort over the last year or so. Putting twitter feeds beside a video doesn’t feel particularly interesting. The mozillapopcorn.org site says “Popcorn makes video work like the web”, but I haven’t understood what that means until now. It means 2 things. Firstly, a radically different video-on-the-web experience, where content and video are interleaved, and video isn’t relegated to being a box on the page with a set of controls. Even simple things like being able to add a ticker to the bottom of the video which contains other ‘page’ content allows the video to be given much greater prominence. And secondly, it’s about the ‘view-source’ nature of the web, and extending this to video effects. Popcorn.js isn’t ‘editing’ the video, but applying effects and overlays in a non-destructive way. This makes it possible for people to come along and discover and learn how things were done. It’s early days for much of this, but I now at least understand why there’s so much excitement, as it might have a profound impact on the future web.

BarCampLondon 9

Just a brief post to thank all the organisers and sponsors of BarCampLondon9 this past weekend. It was a 2 day marathon of interesting talks, discussions, tech-humour, and werewolf. It really sparked off a number of interesting thoughts which I’ll have to dig into sometime soon. I did a quick talk on building Firefox addons using http://builder.addons.mozilla.org which seemed to go down ok. No slides. No fear.

HSTS, CAs, and pinning

The DigiNotar, Comodo, and other recent CA incidents have made it clear that the current CA/SSL model requires at least some reinforcement. An enhanced form of HSTS has been under discussion for a while, and this week an initial submission was made to the IETF’s websec group. It would work by allowing an HSTS response to ‘pin’ an HSTS-enabled domain to a list of root certificates, end entity certificates, or public keys taken from end entity certificates. This allows, for example, gmail.com to say that for the next 6 months, only certificates from a set of CAs should be trusted by a browser. While it’s not a panacea, it would help detect and prevent SSL MITMing like that detected in the DigiNotar case. There is a bootstrap problem (the first time someone visits a site, the browser can be fooled), but incremental improvement and defence in depth is the order of business here. If you’re not careful, pinning could have negative consequences, and the spec is careful to minimise these – notably that if you limit yourself to a single CA, you can effectively be extorted when your existing certificate expires, as you have no choice but to pay for a new certificate from the pinned CA.

It’s this flexibility which introduces what I think is a difficult to solve problem. If you’re running a non-SSL site, and an attacker can gain access to your DNS (as recently happened to theregister.co.uk and others), they can ‘pin’ your users to a public key which you don’t have the private key to, and which isn’t revocable. At that point, you either rely on the browser vendors to somehow decide that you really do own your site, and push some kind of special unpin message to all browsers, or you pay up to the attacker to buy the private key, from which you can have a cert issued, and which you can then use to serve your site, and probably downgrade from pinning and HSTS.

In this case, we’ve essentially shifted trust from CAs to DNS registrars, who inevitably have less security expertise. Without HSTS+pinning, theregister.co.uk just had to wait for the registrar to correct the whois records, and for the DNS to propagate. With pinning, a similar registrar failure could have a much longer lasting impact. There are variants of this attack which simply require acting as a MITM, but in those cases, gaining a CA cert for a target domain is considered much harder.

This attack essentially targets the bootstrap phase which we already knew wasn’t secure. After a few days pondering solutions to the problem, the solutions I can come up with essentially further weaken the bootstrap phase, but enable pinning over the long-term without these problems for non-secured sites.

My proposal is to soften the effect of the ‘pin’ for 72 hours from when a domain is first pinned. If, in that period, a certificate which doesn’t correspond to the pin is encountered, the browser must apply heuristics to determine what to do. This may include user input or communication with white/blacklist services. It must not blindly obey the pin.

Why is it important to put this into the spec? If I think about the costs of setting up a truly secure and trustworthy blacklist/unpin service, the task is as complex as running a CA. I think it’s unreasonable to expect that browser vendors will want to get into that business. And even if they did, the time it might take for them to correctly identify the domain owner and correct pinning status would likely be lengthy. Any site owner setting a pin would be rightly upset if their site was incorrectly unpinned. Providing a short window (at the already weak bootstrap phase) where a lower set of expectations is codified would provide cover to implement sensible heuristics and low-bureaucracy services to mitigate the worst of the problem, without implying that those same services would be appropriate for a general pin revocation scenario.
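To make the mechanism and the proposal concrete, here is a toy client-side pin store written for this post; it is an added example, not code from the IETF draft or from any browser. It assumes the header syntax that was later standardised in RFC 7469 (`pin-sha256="…"; max-age=N`, pin = base64 of SHA-256 over the SubjectPublicKeyInfo), requires a backup pin and a pin that matches the served chain before noting anything, and adds the post’s proposed 72-hour soft window: a mismatch inside that window is reported as `soft-fail` (consult heuristics or the user) rather than the `hard-fail` a mature pin produces. Host names, key bytes and timestamps are constructed sample values.

```python
"""Toy browser-side pin store with the 72-hour soft bootstrap window
proposed above.  Constructed example; not spec or browser code."""
import base64
import hashlib
import re

GRACE_SECONDS = 72 * 60 * 60  # assumption: the post's proposed soft-pin window

# One directive of the (RFC 7469-style, assumed) header: name[="value"|=value]
_DIRECTIVE = re.compile(r'\s*([A-Za-z0-9-]+)\s*(?:=\s*("?)([^";]*)\2)?\s*')


def spki_pin(spki_der: bytes) -> str:
    """Pin value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_pin_header(value: str):
    """Return (set_of_pins, max_age). A header with no max-age or fewer than
    two pins (i.e. no backup pin) is rejected so it cannot lock a site."""
    pins, max_age = set(), None
    for raw in value.split(";"):
        if not raw.strip():
            continue
        m = _DIRECTIVE.fullmatch(raw)
        if not m:
            raise ValueError(f"bad directive: {raw!r}")
        name, val = m.group(1).lower(), (m.group(3) or "").strip()
        if name == "pin-sha256":
            pins.add(val)
        elif name == "max-age":
            max_age = int(val)
    if max_age is None or len(pins) < 2:
        raise ValueError("need max-age and at least two pins (one backup)")
    return pins, max_age


class PinStore:
    """Per-host pin state a client keeps across connections."""

    def __init__(self):
        self._hosts = {}  # host -> {"pins", "first_pinned", "expires"}

    def observe(self, host, header, chain_spki, now):
        """Note pins from a header received over a validated TLS connection.
        At least one pin must match a key in the served chain, otherwise the
        header is ignored (a mis-set pin must not take effect)."""
        pins, max_age = parse_pin_header(header)
        if not any(spki_pin(k) in pins for k in chain_spki):
            raise ValueError("no pin matches the served chain; header ignored")
        entry = self._hosts.get(host)
        if entry is not None and entry["expires"] <= now:
            entry = None
        # The soft window counts from when the host was *first* pinned, so a
        # site that keeps refreshing its pins does not stay soft forever.
        first = entry["first_pinned"] if entry else now
        self._hosts[host] = {"pins": pins, "first_pinned": first,
                             "expires": now + max_age}

    def check(self, host, chain_spki, now):
        """Classify a chain (list of SPKI DER blobs) presented for host:
        'no-pin', 'ok' and 'hard-fail' are strict pinning; 'soft-fail' is the
        post's proposal for a mismatch inside the bootstrap window."""
        entry = self._hosts.get(host)
        if entry is None or entry["expires"] <= now:
            self._hosts.pop(host, None)
            return "no-pin"
        if any(spki_pin(k) in entry["pins"] for k in chain_spki):
            return "ok"
        if now - entry["first_pinned"] < GRACE_SECONDS:
            return "soft-fail"  # apply heuristics / ask the user, don't blindly obey
        return "hard-fail"


def demo():
    """Walk one host through pinning, a mismatch inside and outside the
    72-hour window, and pin expiry.  Returns the four classifications."""
    now = 1_000_000
    key_a, key_b, key_c = b"spki-A", b"spki-B", b"spki-C"  # constructed stand-ins
    header = (f'pin-sha256="{spki_pin(key_a)}"; '
              f'pin-sha256="{spki_pin(key_b)}"; max-age=2592000')
    store = PinStore()
    store.observe("example.com", header, [key_a], now)
    return [
        store.check("example.com", [key_a], now + 3600),
        store.check("example.com", [key_c], now + 3600),
        store.check("example.com", [key_c], now + GRACE_SECONDS + 1),
        store.check("example.com", [key_c], now + 2592000),
    ]


if __name__ == "__main__":
    print(demo())
```

The `demo()` walk-through yields `ok`, then `soft-fail` for an unknown key one hour after pinning, `hard-fail` for the same key once the window has passed, and `no-pin` after `max-age` elapses. The registrar-hijack case in the post is the `soft-fail` branch: a pin set by someone who briefly controlled the domain is still in its window, so the client has room to consult a heuristic or the user instead of locking the real owner out.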

Leaving IBM…

After more than five years working in the IBM Hursley Software Lab, I’ve decided that it’s time to move on. I’ve enjoyed my time in Hursley greatly and learned a lot, but in order to further grow my career, I’ve decided to leave the connectivity middleware space. I’ve worked with a lot of talented developers and architects in Hursley and around the globe on a variety of interesting projects and products, and I hope I cross paths with many of them in the future, and wish them all the best.

So what does the future hold? Well, a move away from a software product vendor to a company which uses technology and software in support of (and to drive) its business. Also a move from the leafy Hampshire countryside to Canary Wharf. On a date TBC in the not too distant future, I’ll start work as a software engineer at Morgan Stanley.

I’m really excited and looking forward to working with a new team on new challenges and learning a lot more about the finance industry.

iPad

I’ve been asked a few times in the last couple of months whether I’d buy an iPad. My stock response has been probably not, but we’ll see what happens when I try one. That happened today. I bought an iPad.

So far I’m very happy with it. It’s great for web browsing, watching videos, and I’ve got a couple of interesting apps for it. I’m also really happy with the quality of the onscreen keyboard. Having used an iPhone, I’d been sceptical that the iPad keyboard would be much better. I was wrong. It’s still not as good as a real keyboard, but it’s a huge improvement.

Notebooks (of the paper variety)

I often ponder what to take to a meeting – nothing, laptop, or notebook+pen are the popular options. Nothing has the disadvantage that it looks like you’ve come unprepared to take notes, which I think can be taken as a bit disrespectful. Laptop has the advantage that it allows you to do anything you can do at your desk. This is also its curse. You can all too easily get sucked into responding to an e-mail or IM rather than paying full attention to the meeting you’re in. So a notebook+pen are a solid 3rd option. They say ‘I’m prepared to listen, pay full attention, and take notes’.

If you ever take a look at a notebook I take into a meeting, you’ll notice that the last notes are from a meeting at least a month previous, probably with someone ‘important’. Also likely is that they were written, never to be read again. This is the curse of the notebook in my office.

My ‘theatre’ notebooks on the other hand get used a lot more frequently, get modified and updated, and the information used to make decisions. In short, they’re useful, and I enjoy and benefit from the format.

The ‘theatre’ meetings are, of course, out of work time so laptops are less appropriate, but there’s another reason why they get used in such different ways. The main reason is the ‘clean desk’ policy in operation at work. This means that whenever I leave my desk, any written material needs to be locked away. Frankly, this is too much hassle for me to actually use a notebook at work. Having to unlock a drawer every time I want to look at some notes and check if the drawer is locked again with everything in it whenever I leave my desk isn’t worth my time. It’s far easier to use a laptop which auto-screen-locks, and is a single thing to lock/unlock (to/from the desk) when I move around.

It was taking a look at my notes for a recent show that made me realise that I’m missing out at work. There are a bunch of benefits to the notebook+pen experience which I’m missing at work. The ones that stand out are the ease of drawing, sketching, annotating, and sharing.

Sadly, I don’t see relaxation of the clean desk policy as likely. I guess I need to hope that phones and laptops evolve to make drawing, sketching, annotating, and sharing as easy as paper.

Bad Science

As someone who’s regularly frustrated by ‘scientists say…’ reports on BBC Breakfast, happening into a talk at OpenTech by Ben Goldacre was a pleasure and a revelation. Go, watch the video, and if you enjoy it, go buy the book ‘Bad Science’. That’s what I did, and I’m very happy I did. As someone pretty fluent in the scientific method and critical thinking, I found the examples really interesting, the encouragement to really analyse what’s said in the media motivating, and the realisation there are lots of other frustrated people out there utterly relieving.

Katie Blake

About

I’m David Illsley, I’m a Software Engineer, currently working for Morgan Stanley in London. In the past I worked for IBM developing products in the WebSphere family, and before that I studied at Edinburgh University. I'm also a PMC member @TheASF, and outside the realms of technology, enjoy skulking around the dark corners of theatre...

Disclaimer

The postings on this site solely reflect the personal views of the author and do not necessarily represent the views, positions, strategies or opinions of my employer.
