Mozilla Releases Firefox 17.0.1

November 30, 2012

The Mozilla organization has released a new version, 17.0.1, of its Firefox browser, for all platforms: Linux, Windows, and Mac OS X.  This release fixes a bug related to font rendering on Windows, and a problem with private browsing mode that is a potential security issue.  More details are available in the Release Notes.

You can get a copy of the new version via the built-in update mechanism (Help / About Firefox / Check for Updates), or you can get an installation package from the downloads page.


Google Releases Chrome 23.0.1271.95

November 30, 2012

Google has released a new stable-branch version, 23.0.1271.95, of its Chrome browser, for Linux, Windows, Mac OS X, and Chrome Frame.  This release fixes two security vulnerabilities, both of which Google classifies as High risk.  Further details are available in the Release Announcement.

Because of its security content, I recommend that you update your systems as soon as you conveniently can.  Windows and Mac users can get the new version via the built-in update mechanism; Linux users should check their distribution’s repositories for the new version.


Google Releases Chrome 23.0.1271.91

November 26, 2012

Google has released a new stable-branch version, 23.0.1271.91, of its Chrome browser, for Linux, Windows, Mac OS X, and Chrome Frame.  This version fixes a rendering bug on Windows Server 2003, and a problem with Flash audio.  It also fixes six identified security vulnerabilities, two of which Google rates as High severity.  Further details are available in the Release Announcement.

Because of its security content, I recommend that you update your systems as soon as you conveniently can.  Windows and Mac users can get the new version via the built-in update mechanism; Linux users should check their distribution’s repositories for the new version.


Preventing Catastrophic Threats

November 25, 2012

Earlier this month, just after the US national elections, the Federation of American Scientists [FAS] held a symposium in Washington DC on “Preventing Catastrophic Threats”, at which a group of speakers presented recommendations to the new administration on responding to catastrophic threats to US national security.  The event announcement described the program this way:

Distinguished experts will address the policy and technological aspects of conventional, nuclear, biological, and chemical weapons, biotechnology, nuclear safety, electricity generation, distribution, and storage, and cyber security. At the symposium, these experts will present their recommendations for preventing and reducing risks from catastrophic threats, and for developing an effective energy policy.

The recommendations presented at the symposium have now been collected in a report, Recommendations to Prevent Catastrophic Threats, which is available to read or download [PDF, 44 pp.] on the Web.  The report is a collection of 13 policy memos, each written by one or more authorities on the topic; it also contains introductory material, and information about the authors.  The topics of the memos are:

  1. Radiological and Nuclear Terrorism
  2. Urgent Steps to Reduce Nuclear Dangers
  3. Nuclear Weapons and Nuclear Power
  4. Options for Nuclear Force Reduction
  5. U.S. Nuclear Weapons Policy
  6. Preventing and Mitigating Cyber Attacks
  7. The Changing Biological Threat
  8. Curbing the Threat from Illicit Small Arms and Light Weapons
  9. Goals for Chemical and Biological Nonproliferation and Disarmament
  10. Debunking Energy Security Myths
  11. Science Diplomacy, Science Partnerships, and U.S. National Security
  12. Energy Policy in the New Administration
  13. R&D Investment to Commercialize Green Energy Technologies

I haven’t yet read through all the contents, and I can’t guarantee that I, or anyone, will agree with absolutely every recommendation in this report.  What I have read, though, does strike me as largely sensible advice, provided by knowledgeable people.  I think the report is a valuable resource, especially for those of us in the reality-based community, and it provides a good overview of some very important issues.


Strict Transport Security Adopted as Web Standard

November 23, 2012

Most Web users are familiar with the secure version of the basic HTTP protocol, denoted by https: at the start of a URL, and typically marked by a small padlock icon in the browser.  The secure protocol provides for identification of the site, using a cryptographic certificate, and encrypts all communications between the user’s browser and the server.  This helps assure the user that he or she is interacting with the desired site, and not an impostor; it also provides protection against session “sniffing” (otherwise trivially easy on wireless networks) and man-in-the-middle attacks.  Many sites, from banks to Facebook, offer HTTPS connections.  But users still have to choose to use them, although some sites (GMail, for example) allow the user to set a preference to always use HTTPS.

Another step in the direction of better security has just been taken, according to an article in the Australian publication Computer World.  The Internet Engineering Task Force, the group responsible for setting Internet technical standards, has just approved a standard [RFC 6797] for HTTP Strict Transport Security (HSTS).  The RFC’s abstract describes it this way:

This specification defines a mechanism enabling web sites to declare themselves accessible only via secure connections and/or for users to be able to direct their user agent(s) to interact with given sites only over secure connections. This overall policy is referred to as HTTP Strict Transport Security (HSTS).

Essentially, the standard allows a site to declare that it will only allow secure connections, and a method for browsers to conform to that policy.

The new standard closes some gaps in the way browsers handle HTTPS.  For example, when a browser attempts to set up an HTTPS connection and finds a problem with the site’s cryptographic certificate, it will generally issue a warning, but let the user proceed anyway.  In many cases this is OK; the certificate problem is not serious (a certificate that expired yesterday, say).  Unfortunately, though, sometimes the problem really is serious, and this is a Bad Thing if users have become accustomed to just clicking “OK”.  For a site that has declared an HSTS policy, the browser will simply refuse to make the connection, with no option to click through.  This may seem draconian, but users are typically not well qualified to evaluate certificate problems, so this approach amounts to “better safe than sorry”.  The standard closes a second gap as well: a user who types a bare host name is normally sent first over plain HTTP and then redirected to HTTPS, and an attacker on the path (on an open wireless network, say) can intercept that first request and keep the whole session on plain HTTP.  Once a browser has seen a site’s HSTS policy, it rewrites http: requests to that site as https: before sending anything, so the plain-HTTP step never happens.  The policy is delivered in a Strict-Transport-Security response header, with a max-age directive saying how long the browser should remember it and an optional includeSubDomains directive; the browser honours the header only when it arrives over a properly validated HTTPS connection.  One caveat follows from that: the very first visit to a site, before the browser has seen any policy, is not protected.
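As an added illustration (not code from the original post, from the IETF, or from any browser), here is a small Python model of the user-agent side of RFC 6797: it parses the Strict-Transport-Security header, remembers the policy for the host, and rewrites later http: URLs to https: while the policy is in force.  The host names, headers and timestamps in it are constructed for the example; the behaviour it checks (headers over plain HTTP ignored, max-age required, includeSubDomains covering subdomains, max-age=0 forgetting a host, explicit port 80 becoming 443) is what the RFC specifies.

```python
"""Toy model of the user-agent side of HSTS (RFC 6797): an added example,
not code from the original post or from any browser."""
import re
from urllib.parse import urlsplit, urlunsplit

# One directive: token [ "=" ( token / quoted-string ) ]  (RFC 6797 6.1)
_DIRECTIVE = re.compile(
    r'''\s*([!#$%&'*+.^_`|~0-9A-Za-z-]+)\s*(?:=\s*(?:"([^"]*)"|([^;\s]*)))?\s*''')


def parse_sts(header):
    """Return (max_age, include_subdomains), or None if the header must be
    ignored: missing or non-numeric max-age, or a repeated directive.
    Names are case-insensitive; unknown directives ("preload") are skipped."""
    max_age, include_sub, seen = None, False, set()
    for part in header.split(';'):
        if not part.strip():
            continue
        m = _DIRECTIVE.fullmatch(part)
        if m is None:
            return None
        name = m.group(1).lower()
        value = m.group(2) if m.group(2) is not None else m.group(3)
        if name in seen:
            return None
        seen.add(name)
        if name == 'max-age':
            if value is None or not value.isdigit():
                return None
            max_age = int(value)
        elif name == 'includesubdomains':
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsStore:
    """Known HSTS hosts: host -> (expiry timestamp, includeSubDomains flag)."""

    def __init__(self):
        self.hosts = {}

    def process_response(self, url, headers, now):
        """Record the policy in a response to `url`.  Headers received over
        plain HTTP are ignored (RFC 6797 8.1); the caller passes only responses
        whose certificate validated.  max-age=0 forgets the host."""
        parts = urlsplit(url)
        if parts.scheme != 'https':
            return False
        sts = {k.lower(): v for k, v in headers.items()}.get('strict-transport-security')
        parsed = parse_sts(sts) if sts is not None else None
        if parsed is None:
            return False
        max_age, include_sub = parsed
        if max_age == 0:
            return self.hosts.pop(parts.hostname, None) is not None
        self.hosts[parts.hostname] = (now + max_age, include_sub)
        return True

    def is_known(self, host, now):
        """True if host, or a superdomain flagged includeSubDomains, has an
        unexpired policy."""
        labels = host.split('.')
        for i in range(len(labels)):
            entry = self.hosts.get('.'.join(labels[i:]))
            if entry is not None and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url, now):
        """Upgrade http: to https: for a known host before anything is sent.
        An explicit port 80 becomes 443; other ports are kept (RFC 6797 8.3)."""
        parts = urlsplit(url)
        if parts.scheme != 'http' or not self.is_known(parts.hostname, now):
            return url
        netloc = parts.hostname
        if parts.port not in (None, 80):
            netloc += ':%d' % parts.port
        return urlunsplit(('https', netloc, parts.path, parts.query, parts.fragment))


def demo():
    """Run the cases on constructed hosts, headers and timestamps."""
    store = HstsStore()
    now = 1354000000  # constructed: late November 2012
    year = 'max-age=31536000'
    # Seen over plain HTTP: must not create a policy.
    plain_ignored = store.process_response(
        'http://example.com/', {'Strict-Transport-Security': year}, now)
    store.process_response(
        'https://example.com/',
        {'Strict-Transport-Security': year + '; includeSubDomains'}, now)
    # No max-age: invalid header, ignored.
    store.process_response(
        'https://nohsts.example.net/',
        {'Strict-Transport-Security': 'includeSubDomains'}, now)
    return {
        'plain_ignored': plain_ignored,
        'root': store.rewrite('http://example.com/login', now),
        'sub': store.rewrite('http://www.example.com/', now),
        'port': store.rewrite('http://example.com:8080/', now),
        'other': store.rewrite('http://nohsts.example.net/', now),
        'expired': store.rewrite('http://example.com/', now + 31536001),
    }
```

Calling demo() shows the rewrite happening for example.com and, through includeSubDomains, for www.example.com, while the header that arrived over plain HTTP, the header without max-age, and the expired policy all leave the http: URL untouched.  On the server side the whole mechanism is just the one response header (for instance Strict-Transport-Security: max-age=31536000; includeSubDomains), which is why it is cheap for a site to adopt once it is ready to serve everything over HTTPS.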

At present, not many sites have support for the new HSTS standard (though PayPal, Twitter, and some Google sites do).  I hope that, with the adoption of the formal standard, more sites will provide support for a mechanism that can significantly improve security.


Thunderbird 17.0 Released

November 21, 2012

Yesterday, in addition to the release of Firefox 17.0, Mozilla released version 17.0 of its Thunderbird E-mail client, for Linux, Mac OS X, and Windows.  The new version incorporates a number of bug fixes and performance improvements.  It also fixes 12 identified security vulnerabilities;  Mozilla rates the importance of five of these as Critical, and seven as High.  Also, as with Firefox 17.0, Mac OS X 10.5 (Leopard) is no longer supported.  More details are available in the Release Notes.

Because of the security fixes incorporated in this release, I recommend that you update your systems as soon as you conveniently can.  You can use the update mechanism built into the software (Help / About Thunderbird / Check for Updates), or you can get a complete installation package from the Thunderbird download page.

