Category Archives: internet

Mozilla Firefox and a DNS security dilemma

Mozilla is proposing to make DNS over HTTPS default in Firefox. The feature is called Trusted Recursive Resolver, and currently it is available but off by default:

image

DNS is critical to security but not well understood by the general public. Put simply, it resolves web addresses to IP addresses, so if you type in the web address of your bank, a DNS server tells the browser where to go. DNS hijacking makes phishing attacks easier since users put the right address in their browser (or get it from a search engine) but may arrive at a site controlled by attackers. DNS is also a plain-text protocol, so DNS requests may be intercepted giving attackers a record of which sites you visit. The setting for which DNS server you use is usually automatically acquired from your current internet connection, so on a business network it is set by your network administrator, on broadband by your broadband provider, and on wifi by the wifi provider.
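
To see this in action, the dig utility shows both the answer and which resolver supplied it (the domain here is just an example):

# Query the system's default resolver for an A record; the SERVER line in the
# output shows which DNS server (usually the one assigned by your network) replied
dig www.example.com A

# Just the resolved address
dig +short www.example.com A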

DNS is therefore quite vulnerable. Use wifi in a café, for example, and you are trusting that the café’s wifi has not had its DNS compromised. That said, there are further protections, such as SSL certificates (though you might not notice if you were redirected to a secure site that was a slightly misspelled version of your banking site, for example). There is also a standard called DNSSEC which authenticates the response from DNS servers.

Mozilla’s solution is to have the browser handle the DNS. Trusted Recursive Resolver not only uses a secure connection to the DNS server, but also provides a DNS server for you to use, operated by Cloudflare. You can replace this with other DNS servers though they need to support DNS over HTTPS. Google operates a popular DNS service on 8.8.8.8 which does support DNS over HTTPS as well as DNSSEC. 
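
Firefox exposes this in about:config as the network.trr.mode and network.trr.uri settings. You can also try DNS over HTTPS directly: Cloudflare’s resolver accepts queries in JSON format, so a quick sketch with curl (endpoint and parameters as I understand Cloudflare documents them) looks like this:

# Resolve a name over an encrypted HTTPS connection to Cloudflare,
# rather than plain-text DNS on port 53
curl -s -H 'accept: application/dns-json' \
  'https://cloudflare-dns.com/dns-query?name=www.example.com&type=A'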

While using a secure connection to DNS is a good thing, using a DNS server set by your web browser has pros and cons. The advantage is that it is much less likely to be compromised than a random public wifi network. The disadvantage is that you are trusting that third-party with a record of which sites you visit. It is personal data that potentially could be mined for marketing or other reasons.

On a business network, having the browser use a third-party DNS server could well cause problems. Some networks use split DNS, where an address resolves to an internal address when on the internal network, and an external address otherwise. Using a third-party DNS server would break such schemes.

Few will use this Firefox feature unless it is on by default – but that is the plan:

You can enable DNS over HTTPS in Firefox today, and we encourage you to.

We’d like to turn this on as the default for all of our users. We believe that every one of our users deserves this privacy and security, no matter if they understand DNS leaks or not.

But it’s a big change and we need to test it out first. That’s why we’re conducting a study. We’re asking half of our Firefox Nightly users to help us collect data on performance.

We’ll use the default resolver, as we do now, but we’ll also send the request to Cloudflare’s DoH resolver. Then we’ll compare the two to make sure that everything is working as we expect.

For participants in the study, the Cloudflare DNS response won’t be used yet. We’re simply checking that everything works, and then throwing away the Cloudflare response.

Personally I feel this should be opt-in rather than on by default, though it probably is a good thing for most users. The security risk from DNS hijacking is greater than the privacy risk of using Cloudflare or Google for DNS. It is worth noting too that Google DNS is already widely used so you may already be using a big US company for most of your DNS resolving, but probably without the benefit of a secure connection.

Let’s Encrypt: a quiet revolution

Any website that supports SSL (an HTTPS connection) requires a digital certificate. Until relatively recently, obtaining a certificate meant one of two things. You could either generate your own, which works fine in terms of encrypting the traffic, but results in web browser warnings for anyone outside your organisation, because the issuing authority is not trusted. Or you could buy one from a certificate provider such as Symantec (Verisign), Comodo, Geotrust, Digicert or GoDaddy. These certificates vary in price from fairly cheap to very expensive, with the differences being opaque to many users.

Let’s Encrypt is a project of the Internet Security Research Group, a non-profit organisation founded in 2013 and sponsored by firms including Mozilla, Cisco and Google Chrome. Obtaining certificates from Let’s Encrypt is free, and they are trusted by all major web browsers.

image

Last month Let’s Encrypt announced upcoming support for wildcard certificates as well as giving some stats: 46 million active certificates, and plans to double that in 2018. The post also notes that the latest figures from Firefox telemetry indicate that over 65% of the web is now served using HTTPS.

image
Source: https://letsencrypt.org/stats/

Let’s Encrypt only started issuing certificates in January 2016 so its growth is spectacular.

The reason is simple. Let’s Encrypt is saving the IT industry a huge amount in both money and time. Money, because its certificates are free. Time, because it is all about automation, and once you have the right automated process in place, renewal is automatic.

I have heard it said that Let’s Encrypt certificates are not proper certificates. This is not the case; they are just as trustworthy as those from the other SSL providers, with the caveat that everything is automated. Some types of certificate, such as those for code-signing, have additional verification performed by a human to ensure that they really are being requested by the organisation claimed. No such thing happens with the majority of SSL certificates, for which the process is entirely automated by all the providers and typically requires only that the requester can receive email at the domain for which the certificate is issued. Let’s Encrypt uses other techniques, such as proof that you control the DNS for the domain, or the ability to place a file on the website itself. Certificates that require human intervention will likely never be free.
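
To illustrate how automated this is, here is a sketch using Certbot, the most widely used Let’s Encrypt client (the domain and web root are placeholders; your server layout will differ):

# HTTP-01 challenge: Certbot places a temporary file under the site's web root
# to prove control of the domain, then fetches the certificate
certbot certonly --webroot -w /var/www/example -d example.com -d www.example.com

# DNS-01 challenge: prove control of the domain by publishing a TXT record;
# this is the route that will matter for the coming wildcard certificates
certbot certonly --manual --preferred-challenges dns -d example.com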

A Let’s Encrypt certificate is only valid for three months, whereas those from commercial providers last at least a year. Despite appearances, this is not a disadvantage. If you automate the process, it is not inconvenient, and a certificate with a shorter life is more secure as it has less time to be compromised.
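
Renewal then becomes a scheduled task. A minimal sketch, assuming Certbot and cron (the timings are arbitrary):

# /etc/cron.d/certbot (illustrative): twice a day, renew any certificate that is
# close to expiry; Certbot does nothing if renewal is not yet due
0 3,15 * * * root certbot renew --quiet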

The ascendance of Let’s Encrypt is probably regretted both by the commercial certificate providers and by IT companies who make a bit of money from selling and administering certificates.

Let’s Encrypt certificates are issued in plain-text PEM (Privacy Enhanced Mail) format. Does that mean you cannot use them in Windows, which typically uses .cer or .pfx certificates? No, because it is easy to convert between formats. For example, you can use the openssl utility. Here is what I use on Linux to get a .pfx:

openssl pkcs12 -inkey privkey.pem -in fullchain.pem -export -out yourcert.pfx
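
And to go the other way, or to check what ended up in the .pfx:

# Extract the certificate chain and private key back out of the .pfx
# (-nodes leaves the key unencrypted, so protect the output file)
openssl pkcs12 -in yourcert.pfx -out yourcert.pem -nodes

# List the certificates in the .pfx without writing the private key to disk
openssl pkcs12 -info -in yourcert.pfx -nokeys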

If you have a website hosted for you by a third-party, can you use Let’s Encrypt? Maybe, but only if the hosting company offers this as a service. They may not be in a hurry to do so, since there is a bit of profit in selling SSL certificates, but on the other hand, a far-sighted ISP might win some business by offering free SSL as part of the service.

Implications of Let’s Encrypt

Let’s Encrypt removes the cost barrier for securing a web site, subject to the caveats mentioned above. At the same time, Google is gradually stepping up warnings in the Chrome browser when you visit unencrypted sites:

Eventually, we plan to show the “Not secure” warning for all HTTP pages, even outside Incognito mode.

Google search is also apparently weighted in favour of encrypted sites, so anyone who cares about their web presence or traffic is or will be using SSL.

Is this a good thing? Given the trivia (or worse) that constitutes most of the web, why bother encrypting it, which is slower and takes more processing power (bad for the planet)? Note also that encrypting the traffic does nothing to protect you from malware, nor does it insulate web developers from security bugs such as SQL injection attacks – which is why I prefer to call SSL sites encrypted rather than secure.

The big benefit though is that it makes it much harder to snoop on web traffic. This is good for privacy, especially if you are browsing the web over public Wi-Fi in cafes, hotels or airports. It would be a mistake, however, to imagine that browsing the public web over HTTPS makes you really private: the sites you visit are still getting your data, including Facebook, Google and various other advertisers who track your browsing.

In the end it is worth it, if only to counter the number of times passwords are sent over the internet in plain text. Unfortunately people remain willing to send passwords by insecure email so there remains work to do.

Passwords: time is being called

Prompted by a piece on Charles Arthur’s Overspill blog I took a look at LeakedSource which has a database of leaked usernames and passwords.

There are two main ways for passwords to leak. One is that a web site has its user database hacked and stolen. The other is that malware on a user’s machine steals all the passwords stored in their web browser and sends them off to hackers.

This last has become a huge problem. Passwords and logins are an inconvenience, and many of us love being able to have the browser store them, giving near-automatic login for favourite sites. Thanks to the magic of cloud, we can also have them sync across all our devices automatically. Nice.

Unfortunately, if you ever had a nagging sense that this is not security best practice, you were right.

I have been on the internet since the late eighties and have hundreds of logins. Many were created under protest – you have to log in to read our article, or get support, or download our trial. The nature of my work is that I often need to research things quickly, and new logins come with the territory. I found several results when searching for my email on LeakedSource. Some I knew about: LinkedIn, Adobe, MySpace, Tumblr (this last only recently revealed); others I had not thought about. I signed up for Xsplit, for example, though I have not used it for years, and did not realise that the passwords had been stolen.

image

In my case, all the accounts are ones that either I do not care about, or for which the passwords were changed, or both. That is not the end of it though. There is potential embarrassment if someone logs into, say, a forum posing as you and starts posting spam or abuse. Further, if you use the same password elsewhere, a determined hacker can try those credentials on other sites that have not been hacked and see what works. There may also be information stored with the logins, such as date of birth, address, secret questions and so on, which could help in password recovery attempts or identity theft. If someone manages to break into your email account, the vulnerability is much greater, since many passwords can be reset simply via emailed password recovery links.

Well, we have known for years that passwords alone are a poor way to protect security. The situation has escalated though, with huge databases of email addresses, usernames and passwords widely available.

What does that mean? A few observations.

  • The only sane way for anyone moderately active on the internet to manage their passwords is with a password manager. You should create a unique, randomly generated password for every login (see the one-liners after this list) and store them in an encrypted password manager. It’s not perfect; someone may manage to hack your password manager. But it is the best you can do for most sites.
  • Using a Facebook, Google or Twitter login for small sites that support it is probably better than creating new credentials, if those new credentials do not follow best practice. On the other hand, this means the consequences of that master login being hacked are greater; and the site may cajole you into posting links on Facebook, Google or Twitter to promote itself. I do not like the idea of building dependence on one of these advertising giants into my daily internet usage; but there it is.
  • Follow a de minimis approach in completing information when registering for sites. In my case, nothing that is not a required field normally gets completed.
  • Do not rely on your fancy system for creating unique passwords for each login, like three letters from the site name plus your first telephone number or whatever. If you can work it out, a hacker can as well.
  • Be aware of the risks of saving passwords in the web browser. Personally I rarely do so. In particular, it’s probably a bad idea for sites where you can spend money, such as Amazon, eBay, PayPal and the like.
  • Secret questions are not there to help your security. They are there to undermine your security and to reduce the chance of you calling support. They are in effect supplementary passwords. I suggest making up new secret questions for each site that insists on them, and storing them in your password manager. Example: best gibber: flogalot. Putting stuff like mother’s maiden name, first school and so on is identity theft heaven.
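
As promised above, here are a couple of one-liners for generating random passwords from the command line, for anyone who prefers not to use the generator built into their password manager:

# 24 random bytes, base64-encoded: long, unique and not derived from any guessable scheme
openssl rand -base64 24

# An alternative using only the shell and /dev/urandom
tr -dc 'A-Za-z0-9!@#%^&*' < /dev/urandom | head -c 24; echo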

How do we fix this? Nobody seems to know. Some things are improving. 2-factor authentication is more widely available and you can use it on many of the main sites now. Unencrypted logins (ie HTTP rather than HTTPS) are now a rarity though I still see them.

Still, if the problem gets worse, there is more incentive for it to get better.

Twitter: will longer tweets spoil the platform?

Twitter is a strange thing. Founded in 2006, it was initially promoted as a way of communicating with friends about what you are doing right now. It did not appeal to me. Who wants to know all that trivia? Who wants to publish it? Lots of people now on Facebook, apparently. But I digress. I joined Twitter eventually and discovered its two key features, first brevity, and second the ability to choose who you follow and not see tweets from anyone else. It is ideal for broadcasting or consuming news and comment, and that is how I use it. I particularly value it because it is not Google, and provides a way of making things known that is independent of Google’s all-powerful search algorithms.

Now CEO Jack Dorsey has tweeted about lifting the 140 character limit:

At its core Twitter is public messaging. A simple way to say something, to anyone, that everyone in the world can see instantly.

We didn’t start Twitter with a 140 character restriction. We added that early on to fit into a single SMS message (160 characters).

It’s become a beautiful constraint, and I love it! It inspires creativity and brevity. And a sense of speed. We will never lose that feeling.

We’ve spent a lot of time observing what people are doing on Twitter, and we see them taking screenshots of text and tweeting it.

Instead, what if that text…was actually text? Text that could be searched. Text that could be highlighted. That’s more utility and power.

What makes Twitter, Twitter is its fast, public, live conversational nature. We will always work to strengthen that. For every person around the world, in every language!

And by focusing on conversation and messaging, the majority of tweets will always be short and sweet and conversational!

We’re not going to be shy about building more utility and power into Twitter for people. As long as it’s consistent with what people want to do, we’re going to explore it.

And as I said at #flight, if we decide to ship what we explore, we’re telling developers well in advance, so they can prepare accordingly.

(Also: I love tweetstorms! Those won’t go away.)

Of course he really tweeted the above as an image:

image

Will this wreck Twitter? What he has in mind, I suspect, is that tweets become expandable, so you can tweet as much as you like but by default only 140 characters, or a heading of your choice, appears in the feed. In fact this often happens already, except that the link is to an external site, rather than to Twitter.

Twitter’s problem has always been how to monetize the service. The original concept was almost useless for this, until Twitter added “promoted tweets”, which you see whether or not you want them. In 2011 Twitter added images, making it a richer platform for advertisers, and providing an easy way to bypass the character limit. Vine videos and other video acquisitions (SnappyTV in 2014, Periscope in March 2015) mean that more video appears on Twitter. Brevity is still a feature of Twitter, but much undermined, and likely to diminish further.

The removal of the character limit will enable Twitter to host more content itself, rather than being a place where people post links to other sites. This will keep users on Twitter (or in its app) for longer, which means more opportunities to advertise.

If these steps make Twitter worse for users like myself though, we might use the site less, which is not good for advertising income.

At this point I am resigned to Twitter getting worse, as it has done for the last few years. Nevertheless, I will carry on using it until something else appears which is better. I see little sign of that, so Twitter still has me for the moment.

I also recognise that Twitter has to be financially viable in order to survive. Making customers fee-paying does not work, so advertising has to be the solution.

Microsoft CEO Satya Nadella introduces Microsoft Office for iPad, talks up Azure Active Directory and Office 365 development

New Microsoft CEO Satya Nadella has announced Office for iPad at an event in San Francisco. Office General Manager Julie White gave a demo of Word, Excel and PowerPoint on Apple’s tablet.

image

White made a point of the fidelity of Office documents in Microsoft’s app, as opposed to third party viewers.

image

Excel looks good with a special numeric input tool.

image

Office will be available immediately – well, from 11.00 Pacific Time today – and will be free for viewing, but will require an Office 365 subscription for editing. I am not clear yet how that works out for someone who wants full Office for iPad, but does not want to use Office 365; perhaps they will have to create an account just for that purpose.

There was also a focus on Office 365 single sign-on from any device. This is Azure Active Directory, which has several key characteristics:

1. It is used by every Office 365 account.

2. It can be synchronised and/or federated with Active Directory on-premise. Active Directory handles identity and authentication for a large proportion of businesses, small and large, so this is a big deal.

3. Developers can write apps that use Azure Active Directory for authentication. These can be integrated with SharePoint in Office 365, or hosted on Azure as a separate web destination.

While this is not new, it seems to me significant since new cloud applications can integrate seamlessly with the directory already used by the business.
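
To give a flavour of what that looks like for a developer, here is a hedged sketch of requesting a token from Azure Active Directory using the OAuth 2.0 client credentials flow; the tenant, client ID, secret and resource are placeholders, and the exact endpoints and parameters are best checked against Microsoft’s documentation:

# Request an access token from the tenant's directory (all values are placeholders).
# The JSON response contains a bearer token that can then be presented to an API
# (an Office 365 or Azure-hosted service, for example) secured by the same directory.
curl -s -d 'grant_type=client_credentials' \
     -d 'client_id=YOUR-CLIENT-ID' \
     -d 'client_secret=YOUR-CLIENT-SECRET' \
     -d 'resource=https://yourtenant.sharepoint.com' \
     'https://login.microsoftonline.com/yourtenant.onmicrosoft.com/oauth2/token'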

Microsoft already has some support for this in Visual Studio and elsewhere – check out Cloud Business Apps, for example – but it could do more to surface this and make it easy for developers. Nadella talked about SDK support for iOS and other devices.

Microsoft hardly mentioned Android at the event, even though it has a larger market share than iOS. That may be because of the iPad’s popularity in the enterprise, or perhaps it shows reluctance to support the platform of a bitter competitor.

Microsoft is late with Office for iPad; it should perhaps have done this two years ago, but was held back by wanting to keep Office as an exclusive for Windows tablets like Surface, as well as arguments with Apple over whether it should share subscription income (I do not know how that has been resolved).

There was also a brief introduction to the Enterprise Mobility Suite, which builds on existing products including Azure Active Directory, InTune (for device management) and Azure Rights Management to form a complete mobility management suite.

Nadella gave a confident performance, and Office for iPad looks good.

What is coming up at Build, Microsoft’s developer conference next week? Nadella said that we will hear about innovations in Windows, among other things. Following the difficulties Microsoft has had in marketing Windows 8, this will be watched with interest.

Google forks WebKit into Blink: what are the implications?

Yesterday Google announced that it is forking WebKit to create Blink, a new rendering engine to be used in its Chrome browser:

Chromium uses a different multi-process architecture than other WebKit-based browsers, and supporting multiple architectures over the years has led to increasing complexity for both the WebKit and Chromium projects. This has slowed down the collective pace of innovation – so today, we are introducing Blink, a new open source rendering engine based on WebKit.

Odd that not long ago we were debating the likelihood and merits of WebKit becoming the de facto standard for HTML. Now Google itself is arguing against such a thing:

… we believe that having multiple rendering engines—similar to having multiple browsers—will spur innovation and over time improve the health of the entire open web ecosystem.

Together with the announcement from Mozilla and Samsung of a new Android browser which, one assumes, may become the default browser on Samsung Android phones, there is now significant diversity/competition/fragmentation in the browser market (if you can call it a market when everything is free).

The stated reason for the split concerns multi-process architecture, with claims that Google was unwilling to assist with integrating Chromium’s multi-process code into WebKit:

Before we wrote a single line of what would become WebKit2 we directly asked Google folks if they would be willing to contribute their multiprocess support back to WebKit, so that we could build on it. They said no.

At that point, our choices were to do a hostile fork of Chromium into the WebKit tree, write our own process model, or live with being single-process forever. (At the time, there wasn’t really an API-stable layer of the Chromium stack that packaged the process support.)

Writing our own seemed like the least bad approach.

Or maybe it was the other way around and Apple wanted to increase its control over WebKit and optimize it for OS X and iOS rather than for multiple platforms (which would be the Apple way).

It matters little. Either way, it is unsurprising that Apple and Google find it difficult to cooperate when Android is the biggest threat to the iPhone and iPad.

The new reality is that WebKit, instead of being a de facto standard for the Web, will now be primarily an Apple rendering engine. Chrome/Chromium will be all Google, making it less attractive for others to adopt.

That said, several third parties have already adopted Chromium, thanks to the attractions of the Chromium Embedded Framework which makes it easy to use the engine in other projects. This includes Opera, which is now a Blink partner, and Adobe, which uses Chromium for its Brackets code editor and associated products in the Adobe Edge family.

The benefit of Blink is that diverse implementations promote the importance of standards. The risk of Blink is that if Google further increases the market share of Chrome, on desktop and mobile, to the point where it dominates, then it is in a strong position to dictate de-facto standards according to its own preferences, as suggested by this cynical take on the news.

The browser wars are back.

What is mobile security? And do we need it?

I attended Mobile World Congress in Barcelona, where (among many other things) numerous security vendors were presenting their latest mobile products. I took the opportunity to quiz them. Why do smartphone users need to worry about security software, which many users were glad to leave behind with their PC? I observed that whereas I have often heard of friends or contacts suffering from PC malware, I have yet to hear anyone complain about a virus on their mobile or tablet.

I got diverse answers. NQ Mobile, for example, told me that while mobile malware is relatively uncommon in the USA and Europe, it is different in China where the company has a strong base. In China and some other territories, there are many Android-based mobiles for which the main source of apps is not the official Google Play store, but downloads from elsewhere, and malware is common.

Do you have an Android phone? Have you checked that option to “allow installation of non-Market apps”? One mobile gaming controller I received for review recently came with a free game. Guess what – to install the game you have to check that option, as noted in the documentation.

image

When you allow non-Market apps, you are disabling a key Android security feature: that apps can only be installed from the official store, which, you hope, applies some level of quality checking from Google and quickly removes any malware that does slip through. But what will users do: install the game, or refuse to disable the feature? I am reminded of those installation manuals for PC devices which include instructions to ignore the warnings about unsigned drivers. Most of us shrug and go ahead.
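
If you want to check or reset that option from a PC, here is a sketch using adb; the setting key is the one I believe Android uses for this option, and it may vary between versions:

# 1 means "allow installation of non-Market apps" is on, 0 means off
adb shell settings get secure install_non_market_apps

# Turn it back off once the sideloaded app is installed
adb shell settings put secure install_non_market_apps 0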

Nevertheless, for those of us not in China mobile malware is either uncommon, or so stealthy that few of us notice it (an alarming thought). Most of the responses I received from the security vendors were more along the lines that PC-style malware is only one of many mobile security concerns. Privacy is another one high on the list. When you install an app, you see a list of the permissions it is demanding, and sometimes the extent of them is puzzling. How do we know whether an app is grabbing more data than it should, for unknown purposes (but probably to do with ad targeting)?

Some of the mobile security products attempt to address this problem. Bitdefender Mobile Security includes an application audit which keeps track of what apps are doing. Norton Mobile Security scans for apps with “unusual permissions”.

Web site checking is another common feature. Software will attempt to detect phishing sites or those compromised with malware.

Perhaps the biggest issue though is what happens to your lost or stolen device. Most of the mobile security products include device tracking, remote lock and remote wipe (of course, some smartphones come with some of this built-in, like iOS and Find My iPhone).

If you do lose your phone, an immediate worry is the security of the data on it, or even worse, on an SD card that can be removed and inspected. Your contacts? Compromising photos? Company data? Remote wipe is a great feature, but could a smart thief disable it before you are able to use it?

Some products offer additional protection. NQ Mobile offers a Mobile Vault for data security. It has a nice feature: it takes a photo of anyone who enters a wrong passcode. Again though, note that some smartphones have device encryption built in, and it is just a matter of enabling it.

Windows Phone 8 is an interesting case. It includes strong Bitlocker encryption, but end users cannot easily enable it. It is enabled via Exchange ActiveSync policies, set through the Exchange Management Console or via PowerShell:

image

Why not let users set encryption themselves, if required, as you can on some Android phones? On Apple iOS, data encryption is automatic and can be further protected by a passcode, with an option to wipe all data after 10 failed attempts.

Encryption will not save you of course if a rogue app is accessing your data and sending it off somewhere.

Mobile security can feel like a phoney war (ha!). We know the risks are real, that smartphones are just small computers and just as vulnerable to malware as large ones, and that their portability makes them more likely to go astray, but most of us do not experience malware and mainly worry about loss or theft.

Businesses are the opposite and may care more about protecting data than about losing a device, hence the popularity of mobile device management solutions. The fact is though: some of that data is on the device and being taken everywhere, and it is hard to eliminate the risk.

Is mobile security a real problem? I hardly need to say this: yes, it is huge. Do you need anti-virus software on your phone? That is harder to answer, but unless you are particularly experimental with the apps you install, I am not yet convinced.

The frustrating part is that modern smartphones come with integrated security features many of which are ignored by most users, who find even a simple passcode lock too inconvenient to bother with (or perhaps nobody told them how to set it). It is hard to understand why more smartphones and tablets are not secure by default, at least for the easy things like passcodes and encryption.

App and privacy issues are harder to address, though maintaining properly curated app stores and only installing apps from there or from other trusted sources is a good start.

Browser monoculture draws nearer as Opera adopts WebKit, Google Chromium

Browser company Opera is abandoning development of its own browser engine and adopting WebKit.

To provide a leading browser on Android and iOS, this year Opera will make a gradual transition to the WebKit engine, as well as Chromium, for most of its upcoming versions of browsers for smartphones and computers.

Note that Opera is not only adopting WebKit but also the Google-sponsored Chromium engine, which is the open source portion of the Google Chrome browser.

What are the implications?

The obvious one, from Opera’s perspective, is that the work involved in keeping a browser engine up to date is large and the benefit, small, given that WebKit and Chromium are both capable and also close to de facto standards in mobile.

This last point is key though. If everyone uses WebKit, then instead of the W3C being the authority on which web standards are supported, the WebKit community becomes that authority. In the case of Chromium, that means Google in particular.

On the desktop Microsoft’s Internet Explorer and Mozilla Firefox both have substantial market share, but in mobile both iOS and Android, which dominate, use WebKit-derived browsers. BlackBerry is also using WebKit in its new BlackBerry 10 OS.

There is already a debate about web pages and applications which make use of webkit-specific tags, which often implies a degraded experience for users of other browsers, even if those other browsers support the same features. A year ago, Daniel Glazman, co-chairman of the W3C CSS working group, wrote a strongly-worded post on this issue:

Without your help, without a strong reaction, this can lead to one thing only and we’re dangerously not far from there: other browsers will start supporting/implementing themselves the -webkit-* prefix, turning one single implementation into a new world-wide standard. It will turn a market share into a de facto standard, a single implementation into a world-wide monopoly. Again. It will kill our standardization process. That’s not a question of if, that’s a question of when.

Therefore, Opera’s decision is probably bad for open web standards; though web developers may not mind since one fewer browser variation to worry about makes their life easier.

People commonly raise the spectre of Microsoft’s Internet Explorer 6 and the way it effectively froze web standards for several years, thanks to its dominance. Might WebKit’s dominance repeat this? It is doubtful, since the IE6 problem would not have been so great, except that Microsoft decided to promote its own platform (Windows) rather than the web platform. The WebKit community will not do that.

On the other hand, for rivals like Microsoft and Mozilla this is a concern. Something as important as web standards should ideally be vendor-neutral, so that big companies do not use standards as a means of promoting their own platforms and making other platforms work less well. In practice, it is rare that standards are truly vendor-neutral; the big vendors dominate standards groups like the W3C for exactly this reason. That said, it would be true to say that the W3C is more vendor-neutral than WebKit or Chromium.

Leaving all that aside, another question is what value Opera can add if it is building on the same core as Google and Apple. That is a matter I hope to clarify at the Mobile World Congress later this month.

Adobe’s Roy Fielding patches Apache to ignore IE10 Do Not Track privacy request

Adobe’s Roy Fielding, who is also the original author of the W3C’s Tracking Preference Expression draft, has patched Apache, the open source web server, to ignore the Do Not Track header sent by Microsoft’s Internet Explorer 10, the browser in Windows 8:

image

Under the heading “Apache does not tolerate deliberate abuse of open standards,” Fielding’s patch sets Apache to remove the Do Not Track request header if IE10 is the web browser.
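
From memory, the substance of the patch is a couple of directives added to Apache’s default configuration, roughly as follows (the file path is illustrative, and the directives need mod_setenvif and mod_headers loaded):

# Append the override to the server configuration: if the User-Agent matches IE10,
# strip the DNT header before the request is processed
cat >> /usr/local/apache2/conf/httpd.conf <<'EOF'
BrowserMatch "MSIE 10.0;" bad_DNT
RequestHeader unset DNT env=bad_DNT
EOF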

Fielding’s argument, one presumes, is that IE10 breaches clause three in the Tracking Preference Expression draft:

Key to that notion of expression is that it must reflect the user’s preference, not the choice of some vendor, institution, or network-imposed mechanism outside the user’s control. The basic principle is that a tracking preference expression is only transmitted when it reflects a deliberate choice by the user. In the absence of user choice, there is no tracking preference expressed.

However the document goes on to say (highlighting is mine):

We do not specify how tracking preference choices are offered to the user or how the preference is enabled: each implementation is responsible for determining the user experience by which a tracking preference is enabled. For example, a user might select a check-box in their user agent’s configuration, install an extension or add-on that is specifically designed to add a tracking preference expression, or make a choice for privacy that then implicitly includes a tracking preference (e.g., Privacy settings: high). The user-agent might ask the user for their preference during startup, perhaps on first use or after an update adds the tracking protection feature. Likewise, a user might install or configure a proxy to add the expression to their own outgoing requests.

Here is what happens in Windows 8 after startup. This is among the first screens you see when installing Windows 8, before you get full access to the operating system:

image

One of the settings specified is “Turn on Do Not Track in Internet Explorer”. If you click Learn more about express settings you get this:

image

If you click Customize you get this:

image

Does this respect the user’s preference? It seems to me a reasonable effort. The only objection I can see is if you consider that any user agent that defaults to setting Do Not Track on cannot be respecting the user’s preference. The draft specification does not state what the default should be.

It is also worth noting that clause 3 in the Tracking Preference Expression draft has changed; the wording about “not the choice of some vendor” was inserted in the 7th September draft, after Windows 8 was released to manufacturing. Here it is in the latest (March 2012) W3C Working draft:

Key to that notion of expression is that it must reflect the user’s preference, not the preference of some institutional or network-imposed mechanism…

Even if you agree with Fielding’s views on browser defaults, quietly patching the world’s most used web server to ignore the IE10 setting looks hard to defend, especially on a matter that is far from clear cut. Fielding is personally involved, not only as the author of the Tracking Preference Expression document, but also as an employee of Adobe, which specialises in digital marketing and may be more aligned with the vendors and brands that want to track user activity wherever their ads appear than with end users.

Of course Apache is an open source project and Fielding’s patch has attracted the attention of the Apache community and may not survive.

It is also possible that a future draft of the Tracking Preference Expression document will state that Do Not Track must be off by default; but even if it does, patching the web server to ignore the browser’s header strikes me as a contentious solution.

Finally, it is worth noting that sending the Do Not Track header has little effect on whether or not your activity is tracked, since its meaning is unclear and respecting its value is a choice made by third parties, so this is a debate with little practical impact for the time being.

Amazon Glacier: archiving on demand at low prices

Amazon has announced a new product in its Amazon Web Services cloud suite. Amazon Glacier is designed for archiving. According to the service description, you get redundant storage over “multiple facilities and on multiple devices within each facility” with regular data integrity checks, giving annual durability which Amazon works out somehow as 99.999999999%.

Storage pricing is $0.011 per GB / month. So keeping a cloud-based copy of that 1TB drive you just bought is $11.00 per month or $132 per year. Not a bad price considering the redundancy and off-site problem that it solves, as long as you can live with sub-contracting the task.

For comparison, Amazon S3, which is designed for day to day storage, costs $0.125 per GB for the first 1TB, falling to $0.055 per GB for 5000 TB or more, or $0.037 per GB for what Amazon calls “reduced redundancy storage”. Glacier is less than one third of the price.

Note that Glacier is not suitable if you need to get at the data quickly:

You can download data directly from the service using the service’s REST API. When you make a request to retrieve data from Glacier, you initiate a retrieval job. Once the retrieval job completes, your data will be available to download for 24 hours. Retrieval jobs typically complete within 3-5 hours.

In other words, you cannot retrieve data directly. You have to ask for it to be made available first. Glacier is not a cheap alternative to S3, other than for archiving.
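
Here is a sketch of that two-step retrieval using the aws command line tool (the vault name and IDs are placeholders, and the CLI itself post-dates this announcement, so treat it as illustrative):

# Step 1: ask Glacier to stage an archive for download; this returns a job ID
aws glacier initiate-job --account-id - --vault-name my-archive-vault \
    --job-parameters '{"Type": "archive-retrieval", "ArchiveId": "ARCHIVE-ID"}'

# Step 2: some hours later, once the job has completed, download the data
aws glacier get-job-output --account-id - --vault-name my-archive-vault \
    --job-id JOB-ID restored-data.bin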

There are additional charges for retrieving data beyond 1GB per month, $0.12 per GB falling to $0.050 per GB for over 350 TB, or less for very large retrievals. It is well known that beyond a certain amount, it is quicker and cheaper to send data on the back of a truck than over the internet.