The Archives

Internet, Mobile, Security, Software, Technology
An Open Letter to Mobile Browser Developers
March 22nd, 2011 (10 months, 3 weeks ago) by Jeff | Permalink | 1 Core Dump

If you’ve been following my Twitter account at all, you’ve probably noticed by now that I’ve become an avid mobile device (i.e. smartphone) user, and a fan of Android in particular. This isn’t just a passing phase for me, nor is this a technology fad that’s just going to fade away. Mobile technology is really taking off, and I wouldn’t be surprised if a paradigm shift won’t occur—if it hasn’t already—where more people will be using smartphones and mobile devices to access the Internet and other online services than using a full desktop or laptop. There are other contenders vying to be our one-and-only window to the digital world, like set-top boxes, digital TVs, and such, but nothing is as personal and portable as the smartphone and its bigger brother, the tablet.

That said, I’m not in the camp that believes that the Web is dead and that mobile apps are the way of the future. I’ve expressed my feelings on that here before. Apps won’t and can’t be the end-all, be-all interface to data and the mobile Web will always have a place. Thus the mobile browser is one of the most important apps a smartphone can have. That said, most browsers on smartphones are anemic, underpowered, and severely lacking in important functionality. Smartphone manufacturers and OS authors want us to believe that we can leave the laptop behind and work entirely from that wondrous miracle in our pocket, but fail to deliver the tools we need to make that dream a reality.

My case in point: client-certificate authentication. As a very brief summary, the entire industry of e-commerce rests entirely on a set of encryption technologies such as HTTPS, SSL, TLS, etc., that allow secure, private communication between a client (such as an online shopper) and a server (an online store). The server authenticates itself to the client by using a digital certificate, signed by a trusted certificate authority which has investigated and authenticated the server as a legitimate entity. The client can rest assured that the server belongs to the authenticated entity because the certificate uses strong public-key cryptography to provide a chain of trust back to the authenticating authority. Without this technology in place, we wouldn’t be able to tell legitimate businesses such as online retailers and banks from the phishing scams so prevalent on the Web. (This doesn’t always solve problems between the keyboard and the chair, of course, but it is effective as long as the wetware interface is working properly.)

But digital certificates can be used to authenticate the client as well as the server. Many businesses and governments use client certificates to authenticate users to secure systems. For example, I use a government-issued Smart Card to authenticate with my client’s servers. On this card is chip that contains my digital certificate, signed by a private certificate authority. When I authenticate with the client’s services, the private key on the card creates a digital signature which the server can authenticate against my public key, the inverse of what happens between the online shopper and the store front. Thus, I can trust the validity of the government’s certificate and know I’m connecting to their servers and no one else, and they in turn can validate that I (or the person who has my card) am who I say I am and let me in. I use a similar technology with GPF, although I import my certificates directly into the browser rather than use an external card. I created my own private certificate authority and issue client certificates to each browser I wish to use to access my admin interfaces. That way, I know only certain machines can access those portions of the site, offering a lot more security than just a simple password can provide.

This isn’t a new technology. SSL has been around almost as long as the Web itself, and it wasn’t long before the model was flipped around to authenticate clients to servers as well as servers to clients. This is a tool used by businesses every day all over the world. Every desktop browser supports client certificates because they are a standard. Any browser that doesn’t support them is likely to be overlooked or ignored in favor of browsers that do.

Yet the support for client certificates on mobile devices is appallingly absent. I know the built-in Android browser doesn’t support it, and I created an issue in Google’s official Android issue tracker to complain about it. Android supports client certs for WiFi authentication, but not in the browser, e-mail, or any other key service vital to secure business communications. Supposedly support for this functionality is going to be added in future versions of Android, but that doesn’t help me or any of the millions of current Android users until it comes time to upgrade our devices. I’ve read in various places that the iPhone supports client certs, but I’ve never been able to get any of the solutions to work with my iPod Touch (essentially an iPhone minus the annoying contract and poor service of AT&T). The only success I’ve had in this area has been with Firefox Mobile, which is pretty much a Firefox 4 release candidate smooshed and crunched down to fit on a mobile device. It’s bloated and a lot slower than Android’s built in browser and there’s no handy UI for importing certs like there is on the desktop, but if you take a sledgehammer to it and do some manual file tweaking, you can import your client and CA certs into the certificate database and use it effectively.

Seriously, guys… you want your devices and mobile OSes to be taken seriously by businesses as tools to take our work out of the office and on the road. Yet, you don’t give us the essential tools required to take advantage of this amazing freedom. Sure, you tell us “there’s an app for that”, but frankly, there isn’t. I’ve looked, and they’re not there. Apple won’t let third-party browsers compete with Safari on iOS and none of the Android add-on browsers support client certs either. Only Firefox, a desktop browser masquerading as a mobile app, comes close, and it takes a bit of technical wizardry to do something that should be a quick five second import. Someone’s got to step up to the plate and make some progress here, or no business that really understands security is going to take the mobile space seriously.
Personal, Technology
Geeky Christmas loot
December 31st, 2007 (4 years, 1 month ago) by Jeff | Permalink | Dump Core

Sorry for the dry spell, all. With the holidays I’ve been largely offline with the exception of keeping up with my daily webcomic reading and uploading new comics into the queue. (Yay!) I hope everyone had a happy holiday, no matter what holiday(s) you celebrate, and I wish everyone a slightly premature Happy New Year (or, if you celebrate Chinese New Year, either a very belated one or a slightly advance one).

Firstly, in case you haven’t seen it or don’t subscribe to the RSS feed, make sure to check out the latest GPF News post. Some important updates are mentioned there. I’ll expound upon one of those in a separate post here.

I thought I’d share with you my list of “geeky Christmas loot” for this year. I don’t do it to brag, but more just to share. I always like hearing about other’s newest geek toys, and I love sharing the same with others. So maybe if I share about some of my new playthings, others will chime in and share as well.

Perhaps my favorite gift this year was not one that I received, but one that I gave, and technically it wasn’t even a Christmas gift. My wife (“kmd” on the forum) has a birthday in December, and I always try to make it special for her. Being a December baby can be tough as many people either buy you one slightly larger gift to cover both the birthday and Christmas or worse, completely overlook your birthday altogether. So I try to make her birthday extra special, take her out to a nice dinner, and just give her as best a day as I can. This year, I gave her one of the brand new third-generation iPod Nanos. One of things that made this special is that it appeals to her geek side; she too is a programmer, and sometimes I know she feels “overshadowed” by me in all things tech among folks who know both of us. It’s also significant because most of her geeky gadgets are my hand-me-downs; when I get something new (like a new Palm), she usually ends up getting the old one. So now she has a brand-new geek toy all her own, as well has her entire “Weird Al” Yankovic collection in her pocket wherever she goes. (I also got her the one “Weird Al” album she didn’t have on CD, so now she has his entire discography in digital form.)

As for me, my geek gifts were numerous and plenty. My parents had a definite Doctor Who theme: I got the third series of the new Doctor Who; the transition between two of my old-time favorite Doctors, Tom Baker and Peter Davison; a Tardis 4-port USB hub; and a “You Never Forget Your First Doctor” T-shirt. There were several other DVDs amongst the list, including one of Pixar short films. My wife surprised me with a terabyte(!) external USB hard drive (because you can never have enough disk space).

But probably the credit for the most unexpected and most played-with gift this year has to go to my sister-in-law and her husband. For now I’m suffering from an affliction I only heard about while growing up: Nintendo thumb. I am now an owner of a Nintendo Wii.

Well, I guess I’m having less problems with “Nintendo thumb” as I am with “Wii shoulder”. I’ve suffered tendinitis in my left thumb for quite a while now (it kept me from drawing for an entire month back in 2002) and I actually think the workout it’s been getting from the Wii has been somewhat therapeutic. But several hours of Wii Sports, especially bowling and baseball, had me running for the pain relievers the next day. Man, am I getting old. I’m doing better now, though. I never had a popular gaming console while growing up (or an unpopular one, for the matter); while most of my friends were playing with their ColecoVisions, Intellivisions, or NESes(eseses), I was hacking away in BASIC on my Tandy CoCo. (Gee, that didn’t date me at all, did it?) So this this was an entirely new experience for me. We quickly ran out and purchased a second controller (“wiimote”) and “nunchuk” and added a game or two to the ones that accompanied the system as separate gifts. The system has been loads of fun, although I must admit I’ve done far less comicking this past week than I had hoped.

So… what nifty geek trinkets did you get/give this holiday? And do you have any suggestions for utterly awesome kick-butt Wii games that I supposedly must absolutely, positively have or my life will be incomplete? Dump core below.