Berkeley Packet Filter (BPF) is widely u Click to Read More at Oracle Linux Kernel Development
The post Accessing local variable values in BPF appeared first on Linux.com.
For close to thirty years, commerce has been at the core of how people use the Internet. Convenience and ease have multiplied over the years as people have benefited from the unprecedented economies of scale emerging from the digital marketplace. This global ecommerce scale-up has also created new challenges for consumers, such as how to […]
The post Fakespot becomes part of Mozilla, bringing trustworthy shopping tools to Firefox appeared first on The Mozilla Blog.
Editor’s note: based on industry research (from Chrome and others), and the ubiquity of HTTPS, we will be replacing the lock icon in Chrome’s address bar with a new “tune” icon – both to emphasize that security should be the default state, and to make site settings more accessible. Read on to learn about this multi-year journey.
Browsers have shown a lock icon when a site loads over HTTPS since the early versions of Netscape in the 1990s. For the last decade, Chrome participated in a major initiative to increase HTTPS adoption on the web, and to help make the web secure by default. As late as 2013, only 14% of the Alexa Top 1M sites supported HTTPS. Today, however, HTTPS has become the norm and over 95% of page loads in Chrome on Windows are over a secure channel using HTTPS. This is great news for the ecosystem; it also creates an opportunity to re-evaluate how we signal security protections in the browser. In particular, the lock icon.
The lock icon is meant to indicate that the network connection is a secure channel between the browser and site and that the network connection cannot be tampered with or eavesdropped on by third parties, but it’s a remnant of an era where HTTPS was uncommon. HTTPS was originally so rare that at one point, Internet Explorer popped up an alert to users to notify them that the connection was secured by HTTPS, reminiscent of the “Everything’s Okay” alarm from The Simpsons. When HTTPS was rare, the lock icon drew attention to the additional protections provided by HTTPS. Today, this is no longer true, and HTTPS is the norm, not the exception, and we’ve been evolving Chrome accordingly.
For example: we know that the lock icon does not indicate website trustworthiness. We redesigned the lock icon in 2016 after our research showed that many users misunderstood what the icon conveyed. Despite our best efforts, our research in 2021 showed that only 11% of study participants correctly understood the precise meaning of the lock icon. This misunderstanding is not harmless — nearly all phishing sites use HTTPS, and therefore also display the lock icon. Misunderstandings are so pervasive that many organizations, including the FBI, publish explicit guidance that the lock icon is not an indicator of website safety.
When shown Chrome UI in research studies, users would look at the padlock to evaluate the trustworthiness of a hypothetical ecommerce site. We showed the site controls to experiment participants. The overlaid heat-maps represent the click patterns of respondents who were asked to indicate any information which was perceived helpful in the scenario.
The lock icon is currently a helpful entry point into site controls in Chrome. In 2021, we shared that we were experimenting with replacing the lock icon in Chrome with a more security-neutral entry point to site controls. We continued to mark HTTP as insecure in the URL bar. Users in the experiment opened the site controls more, and they didn’t express any confusion that can follow major UI changes.
We plan to replace the lock icon with a variant of the tune icon, which is commonly used to indicate controls and settings. The tune icon:
Does not imply “trustworthy”
Is more obviously clickable
Is commonly associated with settings or other controls
Replacing the lock icon with a neutral indicator prevents the misunderstanding that the lock icon is associated with the trustworthiness of a page, and emphasizes that security should be the default state in Chrome. Our research has also shown that many users never understood that clicking the lock icon showed important information and controls. We think the new icon helps make permission controls and additional security information more accessible, while avoiding the misunderstandings that plague the lock icon.
The new icon is scheduled to launch in Chrome 117, which releases in early September 2023, as part of a general design refresh for desktop platforms. Chrome will continue to alert users when their connection is not secure. You can see the new tune icon now in Chrome Canary if you enable Chrome Refresh 2023 at chrome://flags#chrome-refresh-2023, but keep in mind this flag enables work that is still actively in-progress and under development, and does not represent a final product.
Same page controls, new icon. The lock continues to exist as a precisely scoped entry point to connection security information, but with a new top-level access point.
We’ll be replacing the lock icon on Android at the same time as the broader desktop change. On iOS, the lock icon is not tappable, so we will be removing it entirely. On all platforms, we will continue to mark plaintext HTTP as insecure.
As HTTPS has become the norm, replacing the lock icon has long been a goal both of Chrome and the broader security community. We’re excited that HTTPS adoption has grown so much over the years, and that we’re finally able to safely take this step, and continue to move towards a web that is secure-by-default.
– By David Adrian, Serena Chen, Joe DeBlasio, Emily Stark, and Emanuel von Zezschwitz, and the rest of Chrome Trusty Transport from the Chrome Security team
When we built the next-generation F-Droid client, we rewrote
our code to fit into re-usable libraries, so other projects can make use of
F-Droid technology with minimal hassle.
So far, we have published three libraries. Two of them are written in
Kotlin multi-platform, so they can be used outside Android as well. For
example, you could use them to write a command line or even an iOS client.
Check out their README for how to include them in your project.
This library includes everything you need to download F-Droid repositories
and the APKs and images included in them. It handles resuming of downloads,
repository mirrors and takes care of the special HTTP cases that an F-Droid
client can encounter.
The Android version of the library also takes care of rejecting TLS older
than 1.2 as well as weak ciphers. It prevents DNS leaks when using Tor as a
proxy and uses a short TLS session timeout to prevent tracking and key
re-use. If you use Glide as an image loader, it also comes with a special
ModelLoader to be used with Glide.
Please see the API docs for details. Check how F-Droid switched to the
download library for an example.
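The TLS hardening described above for the Android download library (no TLS older than 1.2, no weak ciphers, a short session timeout), sketched with the standard javax.net.ssl API. This is an added example, not the F-Droid library's code; the weak-cipher markers and the 60-second timeout are illustrative assumptions.

```kotlin
import javax.net.ssl.SSLContext
import javax.net.ssl.SSLParameters
import javax.net.ssl.SSLSocket

// Assumption: name fragments that mark a cipher suite as weak for this example.
private val WEAK_MARKERS =
    listOf("_NULL_", "_anon_", "_EXPORT_", "_RC4_", "_DES_", "_3DES_", "_MD5")

// Assumption: the page does not state the library's real timeout value.
private const val SESSION_TIMEOUT_SECONDS = 60

/** Keep only TLS 1.2 and newer from what the platform supports. */
fun allowedProtocols(supported: Array<String>): Array<String> =
    supported.filter { it == "TLSv1.2" || it == "TLSv1.3" }.toTypedArray()

/** Drop every cipher suite whose name contains a weak marker. */
fun allowedCipherSuites(supported: Array<String>): Array<String> =
    supported.filter { suite -> WEAK_MARKERS.none { suite.contains(it) } }.toTypedArray()

/** Build a client SSLContext plus the parameters to apply to each socket. */
fun hardenedTls(): Pair<SSLContext, SSLParameters> {
    val context = SSLContext.getInstance("TLS")
    context.init(null, null, null) // platform default key/trust managers and RNG
    // Short-lived sessions limit resumption-based tracking and key re-use.
    context.clientSessionContext.sessionTimeout = SESSION_TIMEOUT_SECONDS

    val supported = context.supportedSSLParameters
    val params = SSLParameters(
        allowedCipherSuites(supported.cipherSuites),
        allowedProtocols(supported.protocols)
    )
    // Have the TLS layer check the server name against the certificate.
    params.endpointIdentificationAlgorithm = "HTTPS"
    return context to params
}

fun main() {
    val (context, params) = hardenedTls()
    // createSocket() without arguments is unconnected, so this runs offline.
    val socket = context.socketFactory.createSocket() as SSLSocket
    socket.sslParameters = params
    println("protocols: " + socket.enabledProtocols.joinToString())
    println("cipher suites kept: " + socket.enabledCipherSuites.size)
    socket.close()
}
```

An allowlist of specific suites is stricter than the name-based filter used here; the filter keeps the example independent of which suites a given platform ships.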
The multi-platform index library gives you everything you need to handle
F-Droid repository indexes. Of course, there’s a parser for reading and
representing the indexes internally. For version 1 indexes, there is also a
creator which F-Droid uses to create its own nearby swap repositories. Both
versions have a signature verifier, so you can always make sure that the
repository is properly signed before working with its data.
Apart from these basics, the library also has many useful classes that help
you to choose the best translation based on the user’s locale, to check if
an app is compatible with the current device, and to check if an app has an
update available in the repository index. There are classes for processing
streams of index data, so you don’t need to load the entire index into
memory which can be an issue on devices with little RAM. If you prefer to
work only with the version 2 format internally, the library features an
index converter which can convert version 1 format into version 2.
F-Droid clients wishing to make use of version 2 delta updates will also
find helpful classes for this, so they don’t have to re-invent the wheel
themselves.
Please see the API docs for details. Check how F-Droid switched to the
index library for an example.
In case you need to persist F-Droid repository information in your Android
app, this library is for you. It stores F-Droid related information such as
repositories, apps and their versions. It then allows you to query and
search for them. Under the hood, it uses a Room database which in turn uses
SQLite.
Besides database related classes, this library currently also includes
classes related to updating repositories, so that information fetched from
the internet (using the downloader library) can be streamed directly into
the database.
Please see the API docs for details. Check how F-Droid switched to the
database library for an example.
The first known user of these new libraries is CalyxOS which is already
using them in two of their apps. Thanks to the libraries, they can focus
their development effort on the apps themselves and don’t need to
re-implement the F-Droid related bits.
The first app is used as part of their setup wizard that shows up after
initial install. It allows the user to install additional apps on an opt-in
basis, so they don’t need to ship as non-removable system apps. The benefit
for CalyxOS is that they can load these apps from an F-Droid repository on
the internet without needing to ship APKs as part of their ROM, keeping its
size minimal.
This is their method to get an index representation from a file, making use
of the index library:
    // Parse a version 2 index from a file; use {} closes the stream afterwards.
    fun getIndex(file: File): IndexV2 = file.inputStream().use { inputStream ->
        IndexParser.parseV2(inputStream)
    }
The second app uses F-Droid to keep its own essential apps up to date. With
a minimal UI, its main purpose is to regularly check for updates and install
them in the background, once available.
The app makes use of the UpdateChecker of the index library to check if
updates are available:
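    // Look up the installed package (with its signatures) and ask the
    // UpdateChecker for an update among the repository's versions; null if none.
    private fun getUpdate(packageName: String, packageVersions: List<PackageVersionV2>): PackageVersionV2? {
        val packageInfo = packageManager.getPackageInfo(packageName, GET_SIGNATURES)
        return updateChecker.getUpdate(packageVersions, packageInfo)
    }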
Both of these apps don’t need to persist any data, so they only use the
download and the index library.
The library work was funded by the FFDW-DVD grant