

The Firefox 3.5 fiasco - felixmar
http://weblogs.asp.net/fbouma/archive/2009/07/09/the-firefox-3-5-fiasco.aspx

======
tptacek
Although the interminable feeling the author had while waiting for Firefox 3.5
to start up mirrored my own feeling of waiting for him to get to the f'ing
point, he's absolutely right: Firefox should just be using the system's secure
random number generator on each platform. If you have a vulnerability in
/dev/random or CryptGenRandom(), you have a massively more important finding
than Firefox crypto.

~~~
codyrobbins
This is exactly the reason, as a general rule of thumb, why I don't like
end-user software packages that are designed to be cross-platform. While I find
Firefox 3.5 on OS X to be way faster than Firefox 3.0, it still doesn't hold a
candle to Safari. It may as well be written in Java. For something as
fundamental as a web browser, which I'm using all day long, it can't take 30
seconds to open a new window, freeze up and start thrashing halfway through
rendering a page, or crash twice a day. (All of which Firefox 3.0 did, and
which made me decide to move to Safari.) On top of the performance, the fact
that Firefox uses a fake skinned XUL look-alike interface on each platform is
the straw that breaks the camel's back, at least for me.

Port the renderer cross-platform, and write separate native apps for each
target platform. The amount of complication and cruft that must be in the
codebase for making a massively complex software package like Firefox work
cross-platform, and the amount of basic OS-level functionality that must have
to be reimplemented from scratch because it isn't available on some particular
target platform, is probably no small contributor to its performance woes.

~~~
lamnk
Of course Safari loads faster than Firefox on OS X, as IE loads faster in
Windows. Their libraries are preloaded by OS ...

Native apps for each platform may give performance boost, but maintaining a
consistent UI will be a lot harder

~~~
blasdel
That's the point: _we don't want consistent UI_

If we want native UI, it's obviously going to have major inconsistencies
between platforms!

~~~
__david__
Well that's not 100% true because the main interface for Firefox on Mac OS X
looks more like Safari than it does Firefox on Linux.

I think they've actually done a really good job making it look like a native
app instead of just a port from some other OS.

~~~
blasdel
It's not about _looks_, but about _behavior_.

Fun Fact: In Safari since version 3, the <input> elements aren't actually
native widgets anymore, as NSButton et al. couldn't support a bunch of the
CSS attributes. They are now rigorous behavior-level reimplementations!

A widget that looks native but behaves differently is terrible! At least when
it looks alien you don't expect it to behave natively.

------
owyn
To summarize for those who have less spare time than I:

Some firefox developer had a Very Bad (tm) idea to seed a random number
generator by scanning the Windows Temp folders, which is now causing a 30 secs
to over a minute pause in start up for a lot of users (particularly those that
use IE, which creates a LOT of temp files). Yikes.

~~~
OperaLover
At least the _good news_ about the Bad Idea(tm) is that this should be a very
small fix for 3.5.x.1 - as opposed to some competing browsers invested
development that ignored/contradicted _standards_, requiring complete
re-do's.

------
billzeller
If you want to see the code that does this:

EnumSystemFiles:
<http://mxr.mozilla.org/mozilla-central/source/security/nss/lib/freebl/win_rand.c#182>

...called by rng_systemJitter:
<http://mxr.mozilla.org/mozilla-central/source/security/nss/lib/freebl/win_rand.c#359>

...called by rng_systemFromNoise:
<http://mxr.mozilla.org/mozilla-central/source/security/nss/lib/freebl/sysrand.c#74>

...called by RNG_SystemRNG:
<http://mxr.mozilla.org/mozilla-central/source/security/nss/lib/freebl/win_rand.c#509>

...called by (among others) rng_init:
<http://mxr.mozilla.org/mozilla-central/source/security/nss/lib/freebl/drbg.c#379>

~~~
andrewf
My best guess.. RNG_SystemRNG first tries to use a deprecated API
(<http://msdn.microsoft.com/en-us/library/aa387694(VS.85).aspx>), then
CryptoAPI, then this temp file entropy gathering approach. But if the
deprecated API is _broken_, rather than absent from the DLL, then it will fall
back to scanning temp files without ever trying CryptoAPI.
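
An added example, not part of the thread and not NSS code: a seed-gathering chain in C that treats a broken source the same as an absent one, moves on to the next strong source, fails closed instead of dropping to a weak fallback, and wipes the seed buffer. `src_broken` and `src_absent` are constructed stand-ins, and `/dev/urandom` is assumed as the OS generator.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Outcome of asking one entropy source for seed bytes. */
typedef enum { SRC_OK, SRC_ABSENT, SRC_FAILED } src_status;
typedef src_status (*seed_source)(unsigned char *buf, size_t len);

/* OS CSPRNG on Unix-like systems (the role CryptGenRandom plays on Windows). */
static src_status src_urandom(unsigned char *buf, size_t len) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return SRC_ABSENT;
    size_t got = fread(buf, 1, len, f);
    fclose(f);
    return got == len ? SRC_OK : SRC_FAILED;
}

/* Constructed stand-ins: an API that exists but errors, and one that is missing. */
static src_status src_broken(unsigned char *buf, size_t len) {
    memset(buf, 0xAA, len < 4 ? len : 4);   /* partial garbage left behind */
    return SRC_FAILED;
}
static src_status src_absent(unsigned char *buf, size_t len) {
    (void)buf; (void)len; return SRC_ABSENT;
}

/* Wipe through a volatile pointer so the compiler cannot elide the stores. */
static void wipe(void *p, size_t len) {
    volatile unsigned char *v = p;
    while (len--) *v++ = 0;
}

/* Try each strong source in order; ABSENT and FAILED both move on to the next.
 * Returns the index of the source that supplied the seed, or -1 with the
 * buffer wiped if none did. There is deliberately no weak fallback. */
int gather_seed(const seed_source *chain, size_t n, unsigned char *buf, size_t len) {
    for (size_t i = 0; i < n; i++) {
        if (chain[i](buf, len) == SRC_OK) return (int)i;
        wipe(buf, len);   /* drop partial output from the failed source */
    }
    return -1;
}

int main(void) {
    unsigned char seed[32];
    const seed_source chain[] = { src_absent, src_broken, src_urandom };
    int used = gather_seed(chain, 3, seed, sizeof seed);
    printf("seeded by source %d\n", used);
    wipe(seed, sizeof seed);   /* seed consumed; clear it before the buffer goes away */
    return used < 0;
}
```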

------
gizmo
Maybe it's just me, but I consider this a (serious) security issue as well.
The contents of temp files, which Firefox shouldn't even have access to, will
now float around in the process memory of Firefox, even after the memory has
been deallocated.

Firefox should never, ever, ever, open any file outside its own app directory,
user preferences directory, or cache directory.

And a reasonably secure OS shouldn't even allow Firefox to open any of those
files.

~~~
teilo
Not necessarily. If this is a typical seeding algorithm, at most there would
be one block of data in memory, used for hashing. And one would also think
they are smart enough to zero it out before deallocating it. It IS a security
library, after all.

------
felixmar
I used Procmon to monitor Firefox at startup and it indeed traverses my entire
temp folder and Internet Explorer's cache folder.

------
jrockway
One bug is a "fiasco"? How about the 15 years the web has been set back by
supporting broken browsers like IE6? Oh, well at least it starts up quickly...

The real issue here is how hard it is to be a consumer of open source software
on Windows. On Debian, if I wanted to fix this, I would just "apt-get source"
the relevant package, make the change, and have Debian build me a new package
with the fix. On Windows, this is apparently not possible, as there is no
package management system to install the compiler and source code for you, and
the apps check themselves to make sure that you don't modify them.

(I also like how the virus / spyware situation is so out of hand on Windows
that you can't even recompile libraries without your own computer assuming you
are hacking yourself. Nice.)

Why do people still use Windows?

~~~
ErrantX
Maybe not a fiasco but a serious bug. I'm using IE8 at the moment till a fix
appears - it's just faster.

~~~
wvenable
Speed isn't everything. For the love of all web developers everywhere, pick
any browser (Safari, Chrome, Opera, or Firefox) and dump IE. We would greatly
appreciate it.

~~~
ttrashh
I'm not sure when you last used IE but IE8 is as good as the others listed.
Their marketing department can suck my ass though.

------
blasdel
It gets worse security-wise -- their recommended fix is to delete all your
caches, removing the entropy seed from their RNG:
<https://support.mozilla.com/tiki-view_forum_thread.php?comments_parentId=381674&forumId=1>

And if clearing the caches doesn't affect entropy quality, it's even stupider
-- why bother to read them in the first place?

------
voidpointer
Well yes, it's a bug but it's hardly a fiasco. Something like this should be
caught in pre-release testing. Still, most users have their browsers running
all the time anyway so a slow startup is not really that critical. I've seen
far more serious bugs being taken far more lightly.

~~~
dave_au
I'd be more alarmed by the fact that they've thrown something new into the mix
security-wise than the effect on startup time.

If the system pseudo-random number generator has no problem, what's the use
case for not using it? And if it does have a problem I'm sure they would have
told someone :)

I just don't know why you add another moving part to the security system if
you could avoid it, especially since it seems like a reasonably safe bet that
people have had more eyes move over / experience with the alternative.

~~~
voidpointer
Yeah, it's a stupid bug. Most bugs are once you find them.

I also agree that the fact that this got into the security layer is probably
the most worrisome part of the whole story. Maybe this could build a case for mandatory
code reviews for security related modifications.

------
fno
I wish the Firefox developers would focus on bug fixing for the next big
release. There are so many bugs that are not fixed for many years. For example
alt-text on images not correctly shown or disable-output-encoding on XML/XSLT
being ignored. Instead they add more and more features. The awesome bar
already made me switch to Opera, I miss some extensions though so I do keep an
eye if Firefox gets "better" for me.

~~~
aceofspades19
What's so bad about the awesome bar?

~~~
FooBarWidget
No idea, it's one of Firefox's killer features I miss in other browsers.

That said, Firefox 3.5 allows one to VERY easily disable the awesomebar:
Preferences -> Privacy -> Location Bar.

~~~
blasdel
Awesome, and they even exposed it in the UI rather than burying it in
about:config.

Their arrogance of baking into the browser what is essentially a bundled
extension was ridiculously annoying. My favorite added misfeature: it
blacklists URLs with the 'about' protocol handler.

I had been disabling / detuning it piecemeal with extensions + settings to
make it less obnoxious. I've come to like most of the completion features most
of the time, but the visual presentation and interactive behavior is just
fucking awful.

At least it's not as bad as Epiphany: it sorts only in direct chronological
order (oldest first!), and in true GNOME style is not customizable in any way.
Why the fuck would you ever want that?

------
skip
And this is precisely why the most recent Firefox install I have is from the
2.x series. It used to be that Firefox (then Firebird) was the lean and mean
cousin of bloated Netscape. Alas, age has taken its toll and the amount of
built in crud in Firefox that has nothing to do with downloading and displaying
HTML documents is overwhelming...

~~~
ScottWhigham
Hmmm - looking back, I'm not sure why I'm on 3.0x. Were there new features?
JSON backups - whoopee! Other than that, from a user's perspective, I'm not
sure there is anything better. 2.x was fine by me too.

~~~
pbhj
I quite like the awesome bar now (was that in 2.0?); some CSS3 support too.
Bookmarking tagging, update checking are good as well. Improved SVG support I
use occasionally for viewing.

Other than that I suppose faster javascript and optimisations through use of
sqlite for history/bookmarks is good.

Probably a few other things if I thought about it.

Main features are in add-ons for me, firebug, yslow, noscript, adblock,
seoquake, download toolbar, greasemonkey.

I keep a separate clean profile, without all the footer-bar ("clutter bar")
icons for the wife to use whilst surfing

------
jcsalterego
line-height: 0.1em ftl

(gross exaggeration)

~~~
ironkeith
As soon as I see eye filth like that I go right to my readability bookmarklet:

<http://lab.arc90.com/experiments/readability/>

80% of the time, it works every time.

~~~
rms
There's also always View -> Page Style ->No Style

~~~
troels
And Ctrl + (Repeat until satisfied)

~~~
rms
Definitely... I have Verdana as my default font and I Ctrl+ and Ctrl- my way
all over the web.

~~~
shiranaihito
How about setting a suitable default zoom level? That way you only have to
sometimes decrease it.

( At least Opera supports this, don't remember about Firefox )

~~~
semiquaver
At least the last time I set up a computer for an elderly relative, it
required an extension, I think it's called Default Pagezoom.

------
schizoidboy
The "thread dump" feature should be an absolute requirement for any language
runtime environment. Java has perfected this with the SIGQUIT signal. Thread
dumps give you readable stacks of all threads with a simple user command (kill
-3 on Linux/Unix, although a bit more difficult on Windows), without having to
install symbol files, install additional software, run "scary" commands (for
end users), etc.

This is a textbook example of taking a few thread dumps, a few minutes apart,
immediately showing what is going on. IBM has one of these as their
Performance or Hang "MustGather" script:

<http://www-01.ibm.com/support/docview.wss?uid=swg21115785&aid=4>

.NET thread dumps suck -- you have to use adplus to attach and they're not
easy to read. Native programs (e.g. C/C++) work better with symbols and are
just too scary for end users. DTrace on Solaris with Ruby/Python/PHP
extensions is nice, but too cumbersome to install, and again too scary for end
users.

I'm not aware of built-in thread dumps-by-signal in other non-Java languages
(please note in a comment if there is), but this feature is so basic and needs
to be baked in to every runtime environment and easy enough for end users to
use.

Firefox, being a native program, is in a bad problem determination position
here and the haphazard nature of the problem determination process in the
forum and bug report shows that. I suggest Firefox create something like IBM's
MustGather scripts (starting with a performance one such as IBM's hang
MustGather -- <http://www-01.ibm.com/support/docview.wss?uid=swg21115785>
[click "Show Details" for the steps]). A hang MustGather should go through the
process of installing symbol files, getting the thread stacks, submitting the
information, etc. This will allow users to at least feel like they can do
something valuable to help the developers fix the problem.

------
rdoherty
FYI Mozilla does have an open blocker bug about this problem:

<https://bugzilla.mozilla.org/show_bug.cgi?id=501605>

------
weegee
I find Safari 3 to run very well on Windows, and I've been using it at home
lately. It passes the Acid3 test at 100 percent.

