date 2008-03-11
Certificate expiration seems like one of the most ridiculous aspects of TLS. Its only use case (apart from generating more money for CAs) seems like "we somehow can't revoke the certificate, but if we wait it'll expire".
Cryptography does not work that way.
> It's pretty trivial to set up cert renewal, so why didn't they?
That holds true today, with Let's Encrypt; their short expiration date seems to exist largely to force people to automate it, and in that regard it seems quite effective. But prior to that, many CAs did not have scriptable automated processes to renew certificates.
> Cryptography does not work that way.
But it kind of does. Imagine if we were still using certificates signed with DES and MD5 hashes because they were available perpetually. Certificate expiration at the very least means that whenever you renew you're keeping up to date with whatever vulnerabilities have been exploited in the past 3-5 years.
It also keeps CRLs short and concise as those certificates that have expired do not need to be included.
We don't rely on expiration or revocation for that; we rely on clients and servers refusing to use insecure algorithms.
That is all that matters to me
Edit: The page for the addon has a comment saying it does work with multiprocess, so I just forced it on. I'm on Linux, and I don't know of an about:config key to disable ctrl+q
about:support shows you if multi-process is enabled: "Multiprocess Windows".
You can? Where? (Of course, it may be a version thing.)
That's not enough though. In about:addons all my add-ons are listed as compatible, but about:support still says that multiprocess is "disabled by add-ons". So YMMV.
EDIT: The gotcha is that the current release uses a whitelist of only about 20 extensions. If you have anything else, you need to force-enable the feature, even if your extensions are supposed to be compatible.
https://hg.mozilla.org/releases/mozilla-release/file/FIREFOX...
The two most notable are 1password and Self Destructing Cookies
I use 1Pass for everything but I use Chrome right now. I've been eyeing Firefox again (it used to be my primary browser) but that kinda kills the deal for me. I'll probably start integrating it slowly. I can't imagine 1Pass will hold out for too long.
https://discussions.agilebits.com/discussion/67388/browser-e...
https://bugzilla.mozilla.org/show_bug.cgi?id=1042195
https://lastpass.com/lastpassffx/
[1] https://wiki.mozilla.org/Electrolysis#Testing
i.e. Multiprocess Windows 1/1 (Enabled by default)
When multiprocess was announced several years ago, my main worry was that it would be a Chrome clone with one process per tab and become sluggish like Chrome (my general use of browsers is a minimum of 10 tabs and on certain machines a lot, lot more). Finding a balance between responsiveness, security and stability is what I'd prefer. I personally don't see many stability issues in Firefox even without multiprocess. So I'm happy with this progress even though it may seem slow to some people or that Firefox isn't keeping up with Chrome (the latter is meaningless for my use since Firefox and its extensions provide a lot more).
But in general I share your observation - runs very smooth.
1Password doesn't require a cloud sync. I just use the local wifi sync. I'm less worried about data breaches as a result.
1Password lets me save more than browser passwords: especially on mobile where I have lots of apps to log into, which share a password with a desktop website.
Also, I store additional data (like bank info, account numbers, etc) in 1P, and browsers don't have UX for that, even if the back end could be useful for that.
It also doesn't lock me into a browser.
Firefox Sync encrypts all of its data; a data breach on the server would only result in a pile of email addresses and encrypted blobs.
> 1Password lets me save more than browser passwords: especially on mobile where I have lots of apps to log into, which share a password with a desktop website.
Fair enough. All the mobile apps I use just stay logged in once you log in once.
> Also, I store additional data (like bank info, account numbers, etc) in 1P, and browsers don't have UX for that, even if the back end could be useful for that.
Hadn't occurred to me to store non-passwords in a password manager. That seems like something a Firefox extension could provide on top of the Firefox password manager, which would make a nice substitute for a locally encrypted file. I wouldn't mind using that to store things like security questions/answers.
It does, however, download JavaScript served by Mozilla when you log into your Firefox Account, which means that Mozilla can cause your password to be sent to them unencrypted, if they so choose. This in turn means that a disgruntled employee, Mozilla the organization and any government which is able to compel Mozilla the organization or key employees can get access to your password at any time, rendering Firefox Sync completely untrustworthy.
Or, if you prefer, you could run a self-hosted version of Firefox Accounts on your own server.
I do wish it could save other passwords, though.
This being said: if their Sync platform works for you, great. Here are my reasons why I choose 1Password as my password manager:
1. It's made by a company that focuses exclusively on this one product. It's their raison d'être, not a side project.
2. They're old-fashioned in a way: they provide me with something, and I give them money for it. 1Password is not cheap, but very good value for money - for me.
3. I've been using it for over half a decade now. 1. and 2. together give me a good reason to believe I can continue to do so for a long time to come. This is in stark contrast to Mozilla, who have been throwing stuff against the wall for quite a while now and abandoning it whenever things do not pan out.
4. Various sync options. I'm not required to trust any one "cloud" provider when it comes to privacy, security or continued availability.
5. The 1Password vault format can actually be opened in a browser. Even if by some strange fluke I find myself without a client, I can simply download the file on pretty much every machine and still access my passwords.
6. UI. 1Password is very well thought out, and that's an important thing for me for something I use about a couple dozen times every day.
While I cannot swear to it, I think I only paid twice over the last six years - the initial purchase plus one paid upgrade some time in the middle. I actually hope to pay for the next one; not only because of what I consider to be fair, but because I want them to do well and be around a long, long time.
And when it comes to security, I've seen HN's resident crypto luminary tptacek give it his thumbs-up. This is something I am not able to properly assess on my own, so his word is good enough for me.
Just because you pay for something, it doesn't make the business model sustainable. 1Password may be a solid product, but it's in essence a key-value store, which means that there isn't much AgileBits can do to improve it in order to get people to upgrade to a version 7. Heck, mobile users would get that for free anyway. And btw, you're probably on macOS, because there is no Linux version, the stable Windows client sucks (version 4) and their new beta client (version 6) is read-only for usage without an account.
In other words they have a potential problem: their market is not that big and the standalone version requires convincing people to upgrade for sustainability. And this puts their new subscription model in a new perspective. Which is cool and all, except that would you really pay $3 / month on a yearly contract ($3.6 actually with VAT included) for a password manager? I wouldn't. You can bring up the coffee comparisons of course, but I have other more important subscriptions to pay for that have priority (e.g. phone, email, storage, hosting, domains, etc).
As for the endorsement of tptacek, if you care about the words of an HN user, he has endorsed only the standalone product, not the online enabled version to which they are now transitioning. Which no sane expert would endorse actually, given the problem of needing to enter your password in a web interface for account management.
Now don't get me wrong, I think 1Password is a good product, but then you compared it with Firefox and Firefox is open source with its development being done in the open, with contributions by third parties as well, which means that no matter what, it will stick around for as long as people want it. Firefox is also one of our champions for open standards, being essentially an open platform for app development. Now this puts it in another league entirely.
I use passwords outside Firefox. Ergo, a password manager tied to Firefox is inherently too limited.
Also multiprocess Firefox seems to struggle in GUI perf, it's jerky. Old Firefox may be slow but it was a bit predictable. Here less.
Edit: I'm talking about Windows. Don't know about other platforms.
Two-year-old GitHub issue, but not yet any development to be seen or reported :/
But yeah, I'd love to see vimperator or pentadactyl supporting this, and no, I neither have the time nor the skillset to fix it myself.
How are you dealing with all of that?
I installed a V 51 developer edition to test out multi-process, and when multi-process was on, my bookmarks that modify the DOM did not work. Anyone else noticed anything similar?
http://www.chengyinliu.com/whatfont.html
How can one check if some extension is marked as such?
I'm using Firefox beta (which is now 51.0b9) and I noticed that Firefox now splits a separate "Web" process. Is that the indication that multiprocess is enabled?
I also set in the past in about:config
browser.tabs.remote.autostart = true
If you are on an old version, check for the string "Multiprocess staged rollout". If it is true, you do have e10s enabled.
And for checking extension compatibility install this extension, https://addons.mozilla.org/en-US/firefox/addon/add-on-compat...
How to force it on: https://wiki.mozilla.org/Electrolysis#Force_Enable
(you have to search the extension you want)
I've almost never had a security issue or crash on Firefox with a hundred tabs and maybe fifty extensions, it's still faster than Chrome with 10 tabs.
Seriously, I understand the need for competition in the browser, and wish there was a viable alternative to chrome on things that aren't Windows, but the failure of Firefox to keep pace is really disappointing.
Slow and lacking basic features for years almost makes Firefox feel like the new IE, but at least we can be thankful that not many people are stuck with it.
To put this in perspective, Firefox has lagged on multi-process for 8 years. Everyone's beloved IE6 only had 5 years of ruining the internet before it was replaced.
It's always been incredibly hackable, in the classic sense. That ability and the legacy of tools built on top of Firefox was an important feature that they have largely maintained.
Chrome not only didn't have a legacy but still may break things for developers and sometimes just shrug off their complaints. It's a powerful browser, but it's focused on the needs of the parent company.
It was started, then put on hold for a couple of years because it seemed insurmountable, and then started again. It's taken a huge amount of work, and thus a huge amount of time. But it's mostly done now and the benefits are reaching users.
Trying to overhaul the entire architecture of a browser with a huge extension ecosystem (and over a decade's worth of baggage associated with that) is hard.
(Disclaimer: user of Chromium, Chrome, FF, Midori, K-Meleon, various Operae, IE and "not-IE-whatever-it's-called", elinks and other stuff)
One process per tab since forever. (Well, more like one process per window, because there weren't tabs at first).
More seriously—it's somewhat sad to see Chrome get all the credit for this, when it's undoubtedly the case that both IE and Chrome were working on this at the same time.
I am just curious, and not trying to hate on Firefox. But I think most (?) non-tech people use Chrome. So maybe I am asking, what is the point of Firefox if the shares are so low?
Again, not trying to hate on it, but I am just curious for the reasons, which I am sure are valid.
Second, Mozilla is a non-profit, so the incentives are different than the usual ones. Basically Mozilla wants to help the open web. A 13.5% browser can do that in many ways: drive new standards, provide an alternative to browsers from profit-driven corporations, provide an alternative implementation so the web doesn't end up as a monoculture, etc. etc.
[1] http://gs.statcounter.com/
We need competition or we will suffer as end users.
Chrome's time will also come eventually. It's not a matter of if, but when. Vivaldi and Brave are growing and coming along very nicely. Brave is actually spearheaded by the ex CEO of Mozilla before he was fired for some nonsense.
https://brave.com/
His statement: https://brendaneich.com/2014/03/inclusiveness-at-mozilla/
Mozilla FAQ regarding this: https://blog.mozilla.org/blog/2014/04/05/faq-on-ceo-resignat...
[edit: Clarity]
I also just found this bit, that explains how some browsers might be over or under estimated, because of how their internals work[2]. So we really don't know what the market shares really are.
[0] http://gs.statcounter.com/#browser-ww-yearly-2008-2016
[1] https://www.w3counter.com/globalstats.php
[2] https://en.wikipedia.org/wiki/Usage_share_of_web_browsers#Ac...
It seems their share is shrinking quite fast though.
It seemed valid, but maybe not. Do you know a better source?
EDIT: Others have provided better sources!
DDJ: You're well known for writing very good reference implementations for SGML and XML Standards. How important is it for these reference implementations to be good implementations as opposed to just something that works?
JC: Having a reference implementation that's too good can actually be a negative in some ways.
DDJ: Why is that?
JC: Well, because it discourages other people from implementing it. If you've got a standard, and you have only one real implementation, then you might as well not have bothered having a standard. You could have just defined the language by its implementation. The point of standards is that you can have multiple implementations, and they can all interoperate.
You want to make the standard sufficiently easy to implement so that it's not so much work to do an implementation that people are discouraged by the presence of a good reference implementation from doing their own implementation.
DDJ: Is that necessarily a bad thing? If you have a single implementation that's good enough so that other people don't feel like they have to write another implementation, don't you achieve what you want with a standard in that all implementations — in this case, there's only one of them — work the same?
JC: For any standard that's really useful, there are different kinds of usage scenarios and different classes of users, and you can't have one implementation that fits all. Take SGML, for example. Sometimes you want a really heavy-weight implementation that does validation and provides lots of information about a document. Sometimes you'd like a much lighter weight implementation that just runs as fast as possible, doesn't validate, and doesn't provide much information about a document apart from elements and attributes and data. But because it's so much work to write an SGML parser, you end up having one SGML parser that supports everything needed for a huge variety of applications, which makes it a lot more complicated. It would be much nicer if you had one SGML parser that is perfect for this application, and another SGML parser that is perfect for this other application. To make that possible, the standard has to be sufficiently simple that it makes sense to have multiple implementations.
[1] http://www.drdobbs.com/a-triumph-of-simplicity-james-clark-o...
I think Mozilla employees choose to continue working on Firefox for similar reasons, though with more idealism: they have an interest in the browser market not being dominated by commercial vendors.
You are spot on on why Mozilla employees work on Mozilla.
Source: I'm a Mozilla employee working on Firefox :)
EDIT also, to come back to DanBlake's question about whether Firefox now "run[s] each tab in its own process yet": no it doesn't; the architecture that was chosen is a process pool, available to all tabs. I won't elaborate much as you can find blogposts where Mozilla engineers detail why this design; IIRC it boils down to: it fulfills the security/performance objectives, and avoids a bit of overhead caused by the one-process-per-tab approach.
A quick parsing of https://wiki.mozilla.org/Electrolysis yields "Memory Usage of Firefox with e10s Enabled" [1] and its followup "Are they slim yet?" [2], with [1] closing with these words:
"Simply put: the more content processes we use, the more memory we use. On the plus side it’s not a 1:1 factor, with 8 content processes we see roughly a doubling of memory usage on the TabsOpenSettled measurement. It’s a bit worse on Windows, a bit better on OSX, but it’s not 8 times worse. Overall we see a 10-20% increase in memory usage for the 1 content process case (which is what we plan on shipping initially). This seems like a fair tradeoff for potential security and performance benefits, but as we try to grow the number of content processes we’ll need to take another look at where that memory is being used."
Some comments at https://billmccloskey.wordpress.com/2013/12/05/multiprocess-... also hint at pre-existing discussion on the one-process-per-tab subject, but sadly without linking to it. You'd probably follow up with a mailing list search.
[1] http://www.erahm.org/2016/02/11/memory-usage-of-firefox-with...
[2] http://www.erahm.org/2016/02/12/are-they-slim-yet/
--
As for "What's the best way for a non-contributor to follow Firefox development?", I follow https://planet.mozilla.org/ , and if that's too much of a firehose to your taste, maybe try https://hacks.mozilla.org/
