Presidential Candidate Website Survey

I surveyed the website security and a few other website technology factors for the candidates for US president.  Here is what I found.

Epic fail candidates:
Jim Gilmore, Bobby Jindal, George Pataki – they all ask for donations on an insecure page or one vulnerable to POODLE.   I would say these would be a much better insecure server story but none of these are considered major candidates.

Actually support IPv6:
Only Donald Trump, Ted Cruz, Rand Paul, Marco Rubio.

10/21 sites use CloudFlare as their CDN!  It looks like there is a difference in the plan/traffic tiers some of the candidates are in:
2 endpoints – Ted Cruz, Rand Paul, Mike Huckabee, Bernie Sanders, Jim Webb, Larry Lessig
5 endpoints – Marco Rubio, Carly Fiorina, Jeb Bush, Donald Trump

Now, CloudFlare  gives you IPv6 and HTTPS for free, but apparently a lot of candidates aren’t bothering to turn them on?

The seemingly most complicated setups go to Hillary Clinton and Chris Christie. I’m not sure they are good setups – they show up as inconsistent to ssllabs.  I’m guessing they spent the most money/time on them though.

Other interesting stats
WordPress – 11/21
Hosting: Amazon AWS – 4/21 – Linode 2/21
Redirects to HTTPS by default for main site – 16/21 (yay! this is the assumed default now – the candidates who don’t are Rick Santorum, George Pataki, Lindsey Graham, Jim Gilmore, Lincoln Chafee)
HSTS – 3/21 have it on, but only Ted Cruz has it on in a consistent way

I’m guessing those who aren’t getting good website advice aren’t getting good campaign advice in general.  Not having HTTPS by default seems like it’s a good indicator for you not being a serious candidate.   I’m curious if the Republican candidates with IPv6 enabled indicates anything about their tech teams and what impact that might have as the field progresses.

Disclaimer: I’m supporting Bernie Sanders and have volunteered to help them tech wise. All the tests I did were pretty simple, using SSLLabs, IPv6 Test and W3Techs.

You can find the raw data in this spreadsheet – presedentialwebsites

Happy Birthday to you – MP3 Decoding Patent

According to Wikipedia  (and a related patent analysis site) MP3 decoding is now patent free in the US!  Also last night Happy Birthday was determined to be in the public domain!

Happy Birthday to you!
Happy birthday to you!
Happy birthday to that MP3 Decoding Patent!
Happy birthday to you!

Theoretically that  means we can include MP3 decoding by default in Ubuntu and other Linux distros.  I’ll leave that to legal teams to decide…

The Mozilla We’ve Got

This is a follow-up to The Mozilla I want from 2014 (same headings).  (I do post bugs and mailing list links, but please don’t pile on them, that really doesn’t help.)

DRM – Mozilla being played?

Nope, just non-Windows users being played so far [1]. I should have guessed with it being Adobe’s DRM that is being used that maybe Linux wouldn’t see the best support. It’s also depressing to me that Mozilla has given up on calling it what it is in some cases [2].


Abandon the DoNotTrack header, provide actual options

Mozilla has doubled down on DoNotTrack and are trying to get more companies to respect it with an add-on that blocks trackers if it’s not respected.  To be fair the EFF thinks this isn’t a lost cause either.. do they know something I don’t know here?  If anything it could be called DoNotMakeItAsObviousWeAreTrackingYou, that’s possible.

They’ve added DuckDuckGo as a preinstalled search engine!  Woot!

Push advertisers off of Flash (generally a good idea, but also will help with privacy – no flash cookies, etc) – Absolutely no progress on this[1] – The web is moving away from Flash and plugins but Mozilla is standing pretty still on pushing for it.  Guess Mobile and Chrome will get to define this space.


SSL 3.0 – When will it go away?

That’s hilarious.  Really.   5 months or so after Mozilla removes the option to disable SSL 3.0 they have to make an add-on to disable it due to SSL 3.0 no longer being secure.

Could we just decide now to disable TLS 1.0 in 2018 or something? Maybe start warning about it in a year or so.  We know it has weaker security than TLS 1.2, so why wait until we have to do it in a panic?

Mobile – Firefox OS

I bought a ZTE Open C and it’s a cheap phone and had issues.  I’ve since given up on it and bought a ZTE Maven (Android 5.1) which I’m enjoying.  To be fair they both cost me about the same, but the Maven is a much better phone.

Mozilla hasn’t shipped a new version of Firefox OS since I bought the phone… Firefox 1.3 Released on 2014-03-17 is still the latest version (it’s 2015-08-01 today).  So much for the promised quarterly releases.  This isn’t even the harder “how long will you support this specific phone”, it’s just your schedule of releases.


Mozilla Adding unwanted things?

I really don’t mind Yahoo! Search (the new search widget rocks for using multiple search engines, imho), but adding Pocket just doesn’t make any sense to me.. oh well.

Signing add-ons I actually like and fully support.  What I didn’t like in that discussion was the idea that we can wait to figure out something for the enterprises, because they will be on the ESR release.   I’d prefer we try to bring everyone to be happy on the main release instead of making enterprises feel they really need to be on the ESR.

And Contributing!?

I’ve actually gotten my first (very very simple) patch into Firefox since my last blog post.  I’m hoping to do a bit more specifically around gstreamer.

Unfortunately, I’m feeling more like Chrome/Chromium provides a better and more secure out of the box experience for the average user today (Netflix, Flash updating, dropped NPAPI, much better video chat).   This is especially true on Linux.  It does help that Google has a specific platform (Chromebooks) that justifies investing heavily in it.

There is a lot of exciting stuff in the works (GTK3, wayland, electrolysis) and I’m going to at least stay around to see how that pans out.

Debug performance issues with strace

Have you ever been asked why is this program running so slowly?  Or why does it take 15 seconds to startup?

Strace might be the tool for you.  It’s a system call tracer which lets you see what the program is requesting from the system. For example, if you run ls on a directory, some key things will be:
getdents(3, /* 47 entries */, 32768)    = 1928  (Get entries from a directory)
write(1, ..   (write out to stdout the output of ls)

You can add timing information to get more of an idea of what’s happening, I usually add:
-tt  (print absolute timestamps in usecs, very useful for comparing to nmap output for instance)
-T  (print time in each syscall)
-ff (follow forks, if it spawns other processes this will separate them out to different files)

So run it all together, `strace -tt -T -ff ls`, and now it looks like:
14:09:10.747357 getdents(3, /* 48 entries */, 32768) = 1952 <0.000056>
14:09:10.747724 write(1, .....) = 57 <0.000031>

Absolute time  syscall 

When using this on anything non-trivial, I suggest exporting it to a file (-o file).  You can also try analyzing it live as the long delays should cause strace output to stop.

I’ve got the strace output, it’s huge!  Now what?

Let’s start at the first one, which will be the lowest number, output_name.10001 for example. Check the time stamp at the top and the bottom, does it cover the time frame where you are investigating?  If so, dig in and find where the jump in time was.

In this example it was:
09:13:32.329980 write(1, "[2]... ", 7)  = 7 <0.000033>
09:13:32.330041 wait4(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 4}], 0, NULL) = 14963 <4512.975521>
10:28:45.305644 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=14963, si_status=4, si_utime=0, si_stime=0} ---
10:28:45.305907 write(1, "[1]... ", 7)  = 7 <0.000036>

Or in other words, it’s really in that child process 14963 so let’s open up output_name.14963
Scroll through to the first jump in time and we see:
09:13:20.418886 connect(5, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("")}, 16) = -1 ETIMEDOUT (Connection timed out) <127.317319>
... about 30 lines...
09:15:28.738327 connect(5, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("")}, 16) = -1 ETIMEDOUT (Connection timed out) <127.253925>
... many more lines here ...
10:26:37.977564 connect(5, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("")}, 16) = -1 ETIMEDOUT (Connection timed out) <127.326639>

So it’s timing out trying to connect to an IP address and then trying again over 10 times.  Using strace will help you the most when the wait is caused by something on the system level (disk, networking, etc).
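
The hunt for the jump in time described above can be scripted. The following is an added example, not code from the original post: it assumes `strace -tt -T` output, the function names are made up for illustration, and the sample is the parent excerpt quoted above plus two constructed lines. It reports both slow syscalls and time spent outside any syscall.

```python
import re
from datetime import datetime

# One `strace -tt -T` line, optional pid prefix: HH:MM:SS.usec call(...) = ret <secs>
LINE = re.compile(r"^(?:\[pid\s+\d+\]\s+|\d+\s+)?(\d\d:\d\d:\d\d\.\d{6}) (.*?)(?: <(\d+\.\d+)>)?$")
WAIT = re.compile(r"^wait4\(.*\)\s+= (\d+)$")

def parse(lines):
    """Yield (timestamp, text, seconds in syscall or None) for each trace line."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%H:%M:%S.%f")
            yield ts, m.group(2), float(m.group(3)) if m.group(3) else None

def find_delays(lines, threshold=1.0):
    """Return (seconds, kind, text) at or above threshold, slowest first."""
    delays, prev_ts, prev_dur = [], None, 0.0
    for ts, text, dur in parse(lines):
        if prev_ts is not None:
            gap = (ts - prev_ts).total_seconds()
            if gap < 0:          # -tt prints no date: the trace crossed midnight
                gap += 86400
            gap -= prev_dur      # what is left was spent outside the previous syscall
            if gap >= threshold:
                delays.append((round(gap, 6), "gap", text))
        if dur is not None and dur >= threshold:
            delays.append((dur, "syscall", text))
        prev_ts, prev_dur = ts, dur or 0.0
    return sorted(delays, reverse=True)

def child_to_inspect(delays):
    """If the slowest entry is a wait4() on a child, return that child's pid."""
    if delays and delays[0][1] == "syscall":
        m = WAIT.match(delays[0][2])
        return int(m.group(1)) if m else None
    return None

# First four lines: parent excerpt from the post. Last two: constructed user-space gap.
SAMPLE = r'''
09:13:32.329980 write(1, "[2]... ", 7)  = 7 <0.000033>
09:13:32.330041 wait4(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 4}], 0, NULL) = 14963 <4512.975521>
10:28:45.305644 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=14963, si_status=4, si_utime=0, si_stime=0} ---
10:28:45.305907 write(1, "[1]... ", 7)  = 7 <0.000036>
10:28:45.306000 read(3, "", 4096) = 0 <0.000020>
10:28:48.806000 close(3) = 0 <0.000015>
'''.splitlines()

if __name__ == "__main__":
    print(find_delays(SAMPLE), child_to_inspect(find_delays(SAMPLE)))
```

A "gap" entry means the process was busy or descheduled between syscalls, which strace alone will not explain; a "syscall" entry on wait4 points at the per-process file to open next.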