Computing: nonfiction reading notes / clippings / excerpts.
Nonfiction Litblog.
The curator is a master's student in Computing, a specialist in IT Governance, a technologist in Networking, and a technician.
Recruiting begins in September, and we hire on a rolling basis through March. While there is no set application deadline, openings are limited, so we encourage you to apply early. [...] Mozilla has ten offices around the world, and nearly half of us work remotely from our homes or a coworking space.
Did you know that some [Firefox] contributors are students, who are sponsored or given course credit to make improvements to Firefox? [...] If you’re interested in getting involved, consider signing up to Mozilla’s Open Source Student Network and keep checking for opportunities at Google Summer of Code, Outreachy, codetribute. Finally, you should consider applying for an internship with Mozilla. Applications for the next recruiting cycle (Summer 2020) open in September/October 2019.
Mozilla interns had always worked on-site. But [...] remote collaboration was already part of Mozilla [...], with nearly half the company working remotely even before the pandemic struck. “Because we were already so distributed, transitioning interns’ day-to-day work was actually relatively easy.” [...] By Friday, March 20, Frances and her teammates had an entirely remote program in place [...]. [...] What Mozilla learn[ed] in 2020 could help make future programs accessible to a much wider range of people for years to come: “Because we’ve tested this model, we may be able to expand to a more global internship program, where things like time zones won’t be an issue.”
FTP [...] predates the Web and was not designed with security in mind. Now, we have decided to remove it because it is an infrequently used and insecure protocol. After FTP is disabled in Firefox, people can still use it to download resources if they really want to, but the protocol will be handled by whatever external application is supported on their platform.
We're doing this for security reasons. FTP is an insecure protocol and there are no reasons to prefer it over HTTPS for downloading resources. Also, a part of the FTP code is very old, unsafe and hard to maintain and we found a lot of security bugs in it in the past.
We added the telemetry probes in bug 1579507 [1] to see how many users still use FTP. The usage was pretty low as you can see in bug 1570155 [2].
It's not right to waste smart network engineering time on decades-old legacy code and it's likely even harder to justify a rewrite.
The File Transfer Protocol (FTP) [is] one of the oldest protocols in use today and has a number of security issues. The fundamental underlying problem with FTP is that any data transferred will be unencrypted and hence sent across networks in plain text, allowing attackers to steal, spoof and even modify the data transmitted. To date, many malware distribution campaigns rely on compromising FTP servers, downloading malware on an end users device using the FTP protocol. Further, FTP makes HSTS protection somewhat useless, because the automated upgrading from an unencrypted to an encrypted connection that HSTS promises does not apply to FTP.
Mike Hoye, Mozilla's lead IRC decommissioner, on his personal blog "blarg?". Brace For Impact. March 6, 2020.
Last Monday we decommissioned IRC.Mozilla.org for good, closing the book on a 22-year-long chapter of Mozilla’s history as we started a new one in our new home on Matrix. [...] About three weeks ago [...] we turned on federation, connecting Mozilla to the rest of the Matrix ecosystem.
Mike Hoye, Mozilla's lead IRC decommissioner, on his personal blog "blarg?". Synchronous Text. April 26, 2019.
I wasn’t in the room when IRC.mozilla.org was stood up, but from what I’ve heard IRC wasn’t “chosen” so much as it was the obvious default, the only tool available in the late ’90s. Suffice to say that as a globally distributed organization, Mozilla has relied on IRC as our main synchronous communications tool since the beginning. For much of that time it’s served us well, if for some less-than-ideal values of “us” and “well”.
Like a lot of the early internet IRC is a quasi-standard protocol built with far more of the optimism of the time than the paranoia the infosec community now refers to as “common sense”, born before we learned how much easier it is to automate bad acts than it is to foster healthy communities.
Mike Hoye, Mozilla's lead IRC decommissioner, on his personal blog "blarg?". The Evolution Of Open. November 9, 2018.
IRC’s [...] ongoing borderline-unusability is a direct product of a notion of openness that leaves admins few better tools than endless spammer whack-a-mole. [...] “Working in the open”, [back in the days] where computation was scarce and expensive, meant working in front of an audience that was lucky enough to:
go to university or college;
whose parents could afford a computer at home;
who lived somewhere with broadband; or
had one of the few jobs whose company opened low-numbered ports to the outside world.
What it didn’t mean was [today's]:
doxxing;
cyberstalking;
botnets;
gamergaters;
weaponized social media tooling;
carrier-grade targeted-harassment-as-a-service; and
state-actor psy-op/disinformation campaigns rolling by like bad weather.
The relentless, grinding day-to-day malfeasance that’s the background noise of this grudgefuck of a zeitgeist we’re all stewing in just didn’t inform that worldview, because it didn’t exist. [...] We’re definitely not going to find any answers [to what we mean by "open" and its implications for community members] that matter to the present day, much less to the future, if the only place we’re looking is backwards.
TLS 1.2 included a pretty wide variety of cryptographic algorithms (RSA key exchange, 3DES, static Diffie-Hellman) and this was the cause of real attacks such as FREAK, Logjam, and Sweet32.
TLS 1.3 instead focuses on a small number of well understood primitives (Elliptic Curve Diffie-Hellman key establishment, AEAD ciphers, HKDF).
Because TLS 1.2 is still widely used on the Web, it has not been disabled by default and, for now, there is no plan to do so; individual TLS 1.2 ciphersuites, however, are being retired one by one:
As part of our ongoing effort to deprecate obsolete cryptography, we have disabled all remaining DHE-based TLS ciphersuites by default.
It is worth remembering that strong cryptography is not a panacea. It serves a given purpose, and not others. It is useful for preventing tampering with, and loss of confidentiality of, the data sent and received (unless it is circumvented in some way), but it does not provide anonymity, for example.
3DES (“triple DES”, an adaptation of DES (“Data Encryption Standard”)) was for many years a popular encryption algorithm. However, as attacks against it have become stronger, and as other more secure and efficient encryption algorithms have been standardized and are now widely supported, it has fallen out of use. Recent measurements indicate that Firefox encounters servers that choose to use 3DES about as often as servers that use deprecated versions of TLS.
As long as 3DES remains an option that Firefox provides, it poses a security and privacy risk. Because it is no longer necessary or prudent to use this encryption algorithm, it is disabled by default in Firefox 93.
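The passages above (TLS 1.2's RSA key exchange, static Diffie-Hellman and 3DES; Firefox's retirement of DHE suites and of 3DES) as a worked check. This is an example added here, not code from Mozilla or Firefox: a Python audit that flags those primitives among the suites an OpenSSL-backed `ssl` context would offer, and builds a client context that keeps only what TLS 1.3 kept (ECDHE key agreement with AEAD ciphers). The classification rules work on OpenSSL's ciphersuite naming and are an assumption of this example, not a lookup in the IANA registry.

```python
"""Audit enabled TLS ciphersuites for the TLS 1.2-era primitives the page names.

Added example, not Mozilla/Firefox code. Classification is a heuristic on
OpenSSL suite names (assumption): suites without a key-exchange prefix use RSA
key exchange, "DHE-" is finite-field ephemeral DH, "DES-CBC3" is 3DES, and
TLS 1.3 suites begin with "TLS_".
"""
from __future__ import annotations

import ssl

# OpenSSL names carry a key-exchange prefix except for RSA key exchange,
# which has none (e.g. "AES128-SHA"). RSA-PSK is deliberately absent: it also
# performs RSA key transport and should be flagged.
_KEX_PREFIXES = (
    "ECDHE-", "DHE-", "ECDH-", "DH-", "ADH-", "AECDH-",
    "TLS_", "PSK-", "SRP-",
)


def classify_suite(name: str) -> list[str]:
    """Return the deprecated-primitive findings for one OpenSSL suite name."""
    findings = []
    upper = name.upper()
    # 3DES: 64-bit block size, so long sessions expose it to Sweet32.
    if "DES-CBC3" in upper or upper.startswith("DES-"):
        findings.append("3DES (64-bit block, Sweet32)")
    # Finite-field DHE: Logjam-class downgrade to weak groups; disabled
    # by default in Firefox per the quote above.
    if upper.startswith(("DHE-", "ADH-")):
        findings.append("finite-field DHE (Logjam)")
    # Static (EC)DH: no forward secrecy.
    if upper.startswith(("DH-", "ECDH-")):
        findings.append("static Diffie-Hellman (no forward secrecy)")
    # RSA key exchange: no forward secrecy; FREAK was an export-RSA downgrade.
    if not upper.startswith(_KEX_PREFIXES):
        findings.append("RSA key exchange (no forward secrecy, FREAK)")
    return findings


def audit_context(ctx: ssl.SSLContext) -> list[tuple[str, list[str]]]:
    """List (suite, findings) for every enabled suite that trips a rule."""
    result = []
    for cipher in ctx.get_ciphers():
        findings = classify_suite(cipher["name"])
        if findings:
            result.append((cipher["name"], findings))
    return result


def hardened_context() -> ssl.SSLContext:
    """Client context on the TLS 1.3 diet: ECDHE + AEAD only, TLS >= 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # TLS 1.2 suites restricted to ephemeral ECDH with AEAD ciphers, which
    # excludes RSA key exchange, DHE, 3DES and every CBC suite. TLS 1.3 suites
    # are AEAD-only by construction and are not governed by set_ciphers().
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


if __name__ == "__main__":
    # Constructed comparison: everything the local OpenSSL build offers versus
    # the hardened context. Output depends on the installed OpenSSL.
    lax = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    lax.set_ciphers("ALL")
    print("lax context, deprecated suites:")
    for name, why in audit_context(lax):
        print(f"  {name}: {', '.join(why)}")
    print("hardened context, deprecated suites:", audit_context(hardened_context()))
```

Running the script on a stock OpenSSL build prints the 3DES, DHE and RSA-key-exchange suites still compiled in under the lax context and an empty list for the hardened one; the same `classify_suite` rules can be pointed at a server's negotiated cipher name (`SSLSocket.cipher()[0]`) to check what a given site actually chose.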
The majority of websites already support HTTPS, and those that don’t are increasingly uncommon. Regrettably, websites often fall back to using the insecure and outdated HTTP protocol. Additionally, the web contains millions of legacy HTTP links that point to insecure versions of websites. When you click on such a link, browsers traditionally connect to the website using the insecure HTTP protocol.
[...]
HTTPS-Only Mode [is] a brand-new security feature available in Firefox 83 [(released on November 17, 2020)] [...] [that] ensures that Firefox doesn’t make any insecure connections without your permission. When you enable HTTPS-Only Mode, Firefox tries to establish a fully secure connection to the website you are visiting. Whether you click on an HTTP link, or you manually enter an HTTP address, Firefox will use HTTPS instead.
Once HTTPS becomes even more widely supported by websites than it is today, we expect it will be possible for web browsers to deprecate HTTP connections and require HTTPS for all websites.
Side effects
For the small number of websites that don’t yet support HTTPS, Firefox will display an error message that explains the security risk and asks you whether or not you want to connect to the website using HTTP.
It also can happen, rarely, that a website itself is available over HTTPS but resources within the website, such as images or videos, are not available over HTTPS. Consequently, some web pages may not look right or might malfunction. In that case, you can temporarily disable HTTPS-Only Mode for that site by clicking the lock icon in the address bar.
Also very useful for sidestepping network surveillance, for example by a network administrator whose firewall does not intercept TLS (deep packet inspection on its own cannot see inside an HTTPS session). In that case HTTPS encryption keeps the pages visited, their URL paths and their content out of the logs; what remains visible is the servers' IP addresses and the domain name of the site accessed, which still leaks through DNS lookups and the cleartext SNI field of the TLS ClientHello unless DNS over HTTPS and Encrypted Client Hello are in use.
Bear in mind, though, that modern TLS (the cryptography underneath) is absolutely essential for HTTPS to make any difference; with obsolete protocol versions and ciphersuites it would be little more than self-deception.