Archive for May, 2010

File Under: Uncategorized

Devious ‘Tabnapping’ Attack Hijacks Browser Tabs

Traditional phishing attacks are reasonably easy to avoid: just don’t click links in suspicious e-mails (or, for the really paranoid, any e-mail). But Firefox Creative Lead Aza Raskin has found a far more devious way to launch an attack — by hijacking your unattended browser tabs.

The attack works by first detecting that the tab the page is in does not have focus. Then the attacking script can change the tab favicon and title before loading a new site, say a fake version of Gmail, in the background.

Even scarier, the attack can parse through your history to find sites you actually visit and impersonate them.

For example, using Raskin’s method an attacker can hijack your page, detect that you frequently login to Citibank’s website and impersonate that site, complete with a message about automatically ending your session and asking you to login again.

Because most of us trust our tabs to remain on the page we left them on, this is a particularly difficult attack to detect. As Raskin writes, “as the user scans their many open tabs, the favicon and title act as a strong visual cue — memory is malleable and moldable and the user will most likely simply think they left [the] tab open.”

The only clue that you’re being tricked is that the URL will be wrong.

Raskin has set up a demonstration on his blog post. Visit the page, switch to another tab and then notice that Raskin’s site will reload to look like the Gmail interface (Raskin uses an image for the demo, obviously easy to detect, but a real attack would offer a login page just like Gmail).

In my testing the attack worked in Firefox 3.6, 3.7a, Opera 10 and Safari 4. It did not work in Google Chrome on OS X when the tab was in the background, though it did work when I switched from Chrome to another application. Also, some browsers don’t change the favicon, though it’s possible that they could with a little tinkering to Raskin’s script.

So how do you stop this attack? Well, Raskin points out that Firefox’s coming Account Manager — which delegates tasks like logging in to the browser — is one possible fix, since it always looks at the URL, even if you don’t. Similar tools like 1Password would also work, provided you use them every time you log in to a website.
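To show why a login helper defeats the trick, here is an added example (not code from the article, from Mozilla’s Account Manager or from 1Password) of the decision such a helper makes: it releases a saved credential only when the page’s real origin matches the origin the credential was saved for, and it ignores the title and favicon entirely, since those are exactly what the attack forges. The vault entries, hostnames and page list are constructed for the example.

```javascript
// Added example: origin-bound credential release, the property that makes a
// login helper immune to a tab whose title and favicon have been swapped.
// All origins, usernames and secrets below are constructed placeholders.

// Constructed sample vault: origin -> saved credentials.
const vault = new Map([
  ["https://mail.example.com", { user: "alice", secret: "placeholder-secret-1" }],
  ["https://bank.example.net", { user: "alice", secret: "placeholder-secret-2" }],
]);

// Reduce a URL to its origin (scheme + host + port). Throws on malformed input.
function originOf(url) {
  return new URL(url).origin;
}

// Decide whether to fill credentials for the page the user is looking at.
// `page.url` is what the browser actually loaded; `page.title` is the
// attacker-controllable text shown on the tab and is never consulted.
// Returns the saved credentials, or null when there is no exact origin match.
function credentialsFor(page) {
  let origin;
  try {
    origin = originOf(page.url);
  } catch (e) {
    return null; // unparsable URL: never fill
  }
  // Exact origin match only: a lookalike host, a scheme change (http vs https)
  // or a different port all produce a different origin and get nothing.
  const hit = vault.get(origin);
  return hit === undefined ? null : hit;
}

// Walk a few constructed pages and record whether the helper would fill.
function decisions() {
  const pages = [
    { url: "https://mail.example.com/inbox", title: "Inbox - Example Mail" },
    // Hijacked tab: title says "mail", but the URL belongs to someone else.
    { url: "https://attacker.invalid/fake-login", title: "Inbox - Example Mail" },
    // Lookalike host: a different origin despite the familiar prefix.
    { url: "https://mail.example.com.attacker.invalid/", title: "Inbox - Example Mail" },
    // Scheme downgrade: same host, but http is a different origin from https.
    { url: "http://mail.example.com/", title: "Inbox - Example Mail" },
  ];
  return pages.map((p) => ({ url: p.url, fills: credentialsFor(p) !== null }));
}
```

Only the first page in `decisions()` gets a fill; the three imitations are refused because the helper compares origins, which is the check the article says a distracted user skips.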

The other fix is on the developer side: make sure your site doesn’t load any remote scripts. Even if you trust the site your script is loading from, it’s possible that site could be compromised.
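The check behind that advice can be automated. Below is an added example (not from the article) that lists every `<script src>` a page pulls from an origin other than its own; the HTML and the hostnames in it are constructed for the example, and the regex-based tag scan assumes ordinary well-formed markup.

```javascript
// Added example: audit a page for scripts served from third-party origins,
// the remote scripts the article advises a site not to load.
// The sample HTML and every host in it are constructed placeholders.

const sampleHtml = `
<!doctype html>
<html><head>
  <title>Example Mail</title>
  <script src="/js/app.js"></script>
  <script src="https://mail.example.com/js/vendor.js"></script>
  <script src="//cdn.example-cdn.invalid/lib.js"></script>
  <script type="text/javascript" src='https://analytics.example-ads.invalid/t.js'></script>
  <script>var inlineOnly = true;</script>
  <script src="https://MAIL.example.com:443/js/same-origin-upper.js"></script>
</head><body></body></html>`;

// Pull the src attribute out of every <script ...> tag (double-quoted,
// single-quoted or bare). Good enough for the sample; a production audit
// would walk a real HTML parse tree instead of using a regex.
const SCRIPT_SRC = /<script\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

function scriptSources(html) {
  const out = [];
  for (const m of html.matchAll(SCRIPT_SRC)) {
    out.push(m[1] ?? m[2] ?? m[3]);
  }
  return out;
}

// Resolve each src against the page URL and keep those whose origin differs
// from the page's. Relative and protocol-relative URLs are resolved first;
// host case and default ports are normalised by the URL parser, so
// "https://MAIL.example.com:443" is still the page's own origin.
function remoteScripts(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const remote = [];
  for (const src of scriptSources(html)) {
    let resolved;
    try {
      resolved = new URL(src, pageUrl);
    } catch (e) {
      continue; // unparsable src: nothing to resolve
    }
    if (resolved.origin !== pageOrigin) {
      remote.push(resolved.href);
    }
  }
  return remote;
}

// Run the audit on the constructed page as if it were served from the mail host.
function auditSample() {
  return remoteScripts(sampleHtml, "https://mail.example.com/inbox");
}
```

Run against the sample, `auditSample()` reports the CDN and analytics scripts and nothing else; the relative, same-origin and inline scripts pass. Each reported URL is a host whose compromise would let someone else run code on your login page.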

In the meantime, up your paranoia level and start paying attention to the URL bar.

Video: A New Type of Phishing Attack, from Aza Raskin on Vimeo.


Google’s New Cloud Storage Service Takes on Amazon S3

Google plans to go head to head with Amazon’s popular S3 cloud storage service with the new Google Storage for Developers. Like S3, Google’s new service offers developers a cheap, scalable way to store data online.

While it isn’t exactly the fabled “GDrive,” Google Storage for Developers certainly lays the groundwork for Google to create a user-friendly online storage service.

Google Storage for Developers offers a RESTful API, backups across multiple data centers and even has support for storing large files up to hundreds of gigabytes in size.

Google Storage for Developers is currently an experimental Google Labs project. For now the service is available by invitation only and limited to U.S. developers. You can head over to the sign-up page to request an invite, which will give you access to 100GB of data storage and 300GB per month of data-transfer bandwidth.

After your application hits those limits a pay-as-you-go scheme kicks in. The pricing is roughly analogous to Amazon’s S3 service. Google’s version will run you 17 cents per GB per month for simple storage, 10 cents per GB for uploading data and 15 to 30 cents per GB for downloads. There’s also a fee for the number of requests — $0.01 per 1,000 PUT, POST or LIST requests and $0.01 per 10,000 requests using GET or HEAD.

Unfortunately that’s just different enough from Amazon’s pricing structure (which decreases the per GB price as your usage goes up) that it’s hard to say which is cheaper. At first glance Amazon’s S3 service looks marginally cheaper for storage, but in the end the total cost — and which is cheaper — will vary depending on the nature of your web app and how you use either storage service.

Hopefully, now that there’s some competition in the cloud storage space, both services will eventually become even cheaper.

Google does offer some extra tools that Amazon doesn’t have — the BigQuery API and the Prediction API.

According to the Google Code announcement, BigQuery is designed to explore the history of your data, and the more interesting Prediction API gives you access to Google’s machine learning algorithms, which are designed to “make your apps more intelligent.”

The Prediction API can help make real-time decisions “such as recommending products, assessing user sentiment from blogs and tweets, routing messages or assessing suspicious activities,” says the Google Code blog.

For now there is no charge for using the extra APIs, though the fact that the announcement points this out seems to indicate that there will be an additional charge once Google Storage for Developers moves out of Labs.

Because Google Storage for Developers is a beta Labs project, you won’t want to switch from Amazon’s services just yet, but if you’d like to take Google Storage for Developers for a spin, head over to the sign-up page and request an invite.


File Under: Browsers, Software

Weave Update Offers More Speed, New Name

Mozilla is rebranding its Weave Sync feature, which keeps your bookmarks, history and other Firefox data in sync across computers. As of version 1.3, Weave will now be known as Firefox Sync.

The name change is intended to help less tech-savvy users understand what Weave does — namely, sync Firefox.

However, because Weave also works (somewhat) with SeaMonkey and Thunderbird, the name Firefox Sync may end up confusing some users. So far no word on whether there will be a Thunderbird Sync or SeaMonkey Sync.

Firefox developer Tony Chung announced the name change and the release of Firefox Sync version 1.3 (still in beta) on his blog.

The new version of the add-on isn’t just a rebranding; there are also quite a few new features coming to the add-on formerly known as Weave. The new Firefox Sync 1.3 features a new user interface, better response times during syncing, a backup of your bookmarks before the first sync and better support for Fennec, the mobile version of Firefox. Complete release notes with all of the changes in this version can be found on the Mozilla site.

Chung says that a final version of Firefox Sync will be available later this month, though don’t expect to see the rebranded add-on joining Firefox proper for some time. According to Chung, the version of Weave that currently ships with Firefox 3.6 won’t be updated until the new Firefox Sync hits 2.0 (we assume it will probably do so before Firefox 4.0 ships later this year).

In the meantime, if you’d like to test out the latest version of Firefox Sync, head over to the Mozilla Labs page (which still refers to the add-on as Weave) and look for the link to the “experimental” version in the green bar. As always, we recommend upgrading all instances of Firefox Sync before actually syncing your data.


File Under: APIs, Social

Google Opens Up the Buzz API

Since you’re probably a little Googled out with the barrage of announcements coming out of I/O Wednesday, we’ll keep this one brief.

Google has publicly released an API for Buzz, its real-time social product for sharing status updates, comments, photos and other media on the web. Here’s an overview from Google’s DeWitt Clinton.

The Buzz API is still branded as a “Labs” release, so you can expect things to change over the coming weeks. But it’s already looking fully-formed. It offers full read/write support with Activity Streams, AtomPub, OAuth, PubSubHubbub and JSON. So if you have a website or app that lets users publish status updates, images, or any sort of activity using the actor/verb/object model, then you can integrate Buzz updates into your offering.

Authorization happens through OACurl — learn more about it with Google’s OACurl cookbook.

The bulk of the Buzz API features were discussed at a developer session on Wednesday afternoon. You can read notes taken by attendees by launching a Wave from the session (What is this, the future?).


File Under: Browsers, HTML5

On Web Video Support, Safari Now Stands Alone

SAN FRANCISCO — When Google announced it would be releasing the VP8 video codec under an open source license, all of the major browser vendors jumped up to support it.

Well, all of them except Apple.

The WebM Project, a partnership between Google, Mozilla, Opera and dozens of other software and hardware makers, provides web developers a way of embedding video and audio in HTML5 pages without plug-ins, and without resorting to patent-laden technologies.

Watchers of the open web have been waiting for this development for some time. The HTML5 video playback experience varies greatly between browsers, with different browsers supporting different flavors of video, creating a poor user experience and forcing developers to rely heavily on plug-ins like Flash and Silverlight. Google was widely expected to take a step towards solving the video problem on the web with Wednesday’s WebM announcement.

Indeed, within minutes of the project’s launch here at Google I/O, links went up to new versions of Firefox and Opera with built-in support for WebM video. Chrome support will be coming in the next beta, due later this month. Microsoft says that Microsoft Internet Explorer 9, due to arrive as soon as the end of 2010, will support VP8 video playback if a user has installed the free codec on their copy of Windows. Adobe says Flash Player will also support it as soon as possible. Executives from Mozilla, Opera and Adobe were all on stage during Wednesday morning’s keynote to pledge their support.

But nobody from Apple appeared, and as of Wednesday afternoon, the company has made no such announcement about support for WebM video in Safari. When asked to comment on this story, Apple didn’t respond.

Of course, Apple has a great deal of time and money invested in a competing technology, H.264. Its QuickTime ecosystem is built on H.264, and it uses the video format for all of its content served through iTunes. It’s also the native format on iPads, iPhones and iPods.

Most video on the web — approximately two-thirds of it — is served in the H.264 format, but various licensing requirements make some nervous to use it. Apple owns patents around H.264 and benefits from the licensing fees that allow its use (so does Microsoft, and many other companies).

So, will Apple begin supporting an open source video codec that competes for space on the web with H.264?

“Stranger things have happened, but I’d be surprised if that happened soon,” says Christopher “Monty” Montgomery, creator of the Ogg container, an open source video and audio technology integral to the new WebM Project, in an e-mail to Webmonkey.

Apple has sent not-so-subtle threats about possible patent violation complaints being brought against supporters of open video codecs. In an e-mail to a blogger, Jobs warned that MPEG-LA, the licensing group that oversees H.264, was assembling a patent portfolio to “go after” open video codec makers.

“Unfortunately, just because something is open source, it doesn’t mean or guarantee that it doesn’t infringe on others’ patents,” Jobs wrote.

But Monty isn’t worried about the MPEG-LA suing him or anyone at the WebM Project.

“The recent saber-rattling by Jobs felt more like a message to his own troops than a warning shot to ours,” he says. “MPEG itself has always had an internal contingent that has pushed hard for royalty-free baselines from MPEG, and the missives about video codecs and patents were probably meant for them, not us.”

Google VP of product management Sundar Pichai says the company has done “a thorough legal analysis of VP8” since acquiring it, and remains confident it can release the technology under an open source license without infringing on any patents.

The Safari browser is based on the same WebKit engine as Google Chrome, and the WebKit engine is open source. But codec support is not a component of the rendering engine, so even though Google’s browser supports VP8 and WebM content, it doesn’t provide an instant fix for Safari.

And of course, iPad and iPhone browsers run Safari, so WebM video won’t work on those devices until Apple adds support.

However, it wouldn’t be tough for Apple to implement WebM support. All of the technologies involved have been released under permissive open source licenses, and it’s already been rolled into three major browsers.

“It’s not a technical challenge,” says Google VP of engineering Linus Upson. “If you look at the other browsers that have already implemented VP8, it’s just been a matter of a few weeks.”

Google’s Upson and Pichai both say they hope all web browsers will support WebM’s efforts eventually.
