Firefox 10 ESR Released

February 1st, 2012

Earlier today the Mozilla project released the first Extended Support Release (ESR) of Firefox. The ESR is based on Firefox 10, which was also released today. If you wanted a Firefox version that’s not updating all the time, but is stable to use and gets security updates for at least a year, you might want to check out the Firefox ESR FAQ, which also contains the download links, and give it a try.

Not sure how many of you have already upgraded to Firefox 5, but you’ll probably have heard about Firefox moving to a rapid release process. They basically want to increment their version number every 6 weeks. Initially I thought this was a good thing, because who really cares about version numbers?

After reading a bit more about this on various blogs I now realize that this change might have a negative impact on corporate deployments due to the fact that Firefox will discontinue security patches for those old versions, which makes compatibility testing and large-scale roll-outs a real hassle.

A member of the IE team, Ari Bixhorn, wrote on his blog that Microsoft offers a long-term support strategy for their browser. As much as I would hate going back to IE, because it would mean platform dependency, is Microsoft now becoming the sane option? I hope Firefox will reconsider and change their release process. For a company to maintain their own Firefox fork is just not really a sustainable – or financially sane – proposition.

Update 6/30: Mozilla starts to think about how to support Enterprises.

Update 1/14/2012: Mozilla announces that it plans to make Firefox 10 the base for an Extended Support Release targeted at corporate users.

Update 2/1/2012: Firefox released its first Extended Support Release (ESR) today.

The Future Rests with IPv6

February 6th, 2011

February 3, 2011: “A critical point in the history of the Internet was reached today with the allocation of the last remaining IPv4 (Internet Protocol version 4) Internet addresses from a central pool. It means the future expansion of the Internet is now dependant on the successful global deployment of the next generation of Internet protocol, called IPv6.” – Available Pool of Unallocated IPv4 Internet Addresses Now Completely Emptied

Fun with the cookie jar

November 1st, 2010

Anyone who has worked with web applications, dealt with web security, or worked with single sign-on will certainly have learned that HTTP cookies, while a simple concept, have many complex, intricate behaviors that even differ between browser implementations. What’s making things worse is that there is no real written specification that documents the design behavior. In his recent post on HTTP cookies and protocol design, Michal Zalewski outlines many of these intricacies and design behaviors, and I’m sure you’ll learn about a few you haven’t seen before ;-)

Google Public DNS

December 6th, 2009

Google announced Google Public DNS a few days ago.

I don’t really understand why I’d want to use it or why this project is a good idea for Google, but now we have one more DNS server for testing purposes that has an IP address that is easy to remember :-)

Networking fun

November 12th, 2009

For the last week we were only getting 4Mb/s to one of our test servers, which was actually supposed to have 100Mb/s rates. Transferring installation media is really a lot of fun that way. After hoping for the last week that the problem would go away on its own, we finally came to the conclusion that this is probably not going to happen any time soon.

So we played with a whole bunch of cables, two switches, one p5 550 with VIO, and a T61p, until we figured out what’s wrong. It just took us a whole day to figure it out, but it feels good that we did.

The root cause was that auto-negotiation was disabled on the Ethernet interface. Usually this is a good thing. This time it was not. Go figure.

Craziest Data Center Ever

December 9th, 2008

I’ve seen quite a few data centers. I don’t really like them most of the time, but some of them might arguably look cool. – But the data center built by Stockholm ISP Bahnhof is just insane.

If photos are not enough for you, you can get more details in an article written about the data center. [via mbaierl.com]

Amazon CDN

September 29th, 2008

Looks like Amazon will launch a CDN-like offering in the (near?) future. I guess we’ll have to wait a bit to find out if this is really something that can compete with companies like Akamai or not. For everyone who’s not seriously considering a CDN today, an Amazon CDN will not be particularly interesting, because why would you use it instead of S3?

Update 11/26: The new CDN launched recently and it’s called CloudFront.

BGP MITM Vulnerability

August 31st, 2008

I’m not sure this whole BGP MITM vulnerability hasn’t been blown way out of proportion. A few more details than mentioned in the articles can be found in the defcon presentation. [via arstechnica]

The whole point of the Internet is for communication to work and, as mentioned in the article, someone who redirects even a portion of the Internet traffic, even for a small prefix, is crazy to begin with. Not only because it will be noticed, but more likely because you’re duplicating traffic, since you need to resend the outbound packets for people not to notice that you’re intercepting traffic.

We’ve told people for years that their data on the Internet, if unencrypted, is not safe and never will be. The Internet is a dumb network and it will stay that way. I just can’t imagine each router validating a cryptographic signature on a BGP announcement for each AS in the AS-path. How should that work? It would be interesting to measure the impact that would have on the processor time required.

It’s also interesting to think about the trust-chain and information that would be required to not only know if an announcement really originated in a given AS but also if that AS is authorized to announce that network.

If people are not able to configure BGP filtering correctly, how do we think they’re going to be able to deploy any cryptographic solution correctly to even get it to work on a global level? – Not to mention that certificates will expire and need to be replaced.

btw: this has also been blogged about by Bruce Schneier and Dan Kaminsky.

DNS trouble at the NSA

May 17th, 2008

Looks like the NSA had some DNS troubles recently. I didn’t know that this also happened to YouTube; I read in IPJ that there was a YouTube problem related to a BGP announcement, but maybe that’s a different incident.

I don’t really get why the article states that it’s embarrassing for the NSA. – After all, the most secure server is one that is offline, and I hope not too much critical business at the NSA is done using e-mail over the Internet, but it might be annoying to call the next pizza place instead of ordering it online ;-)