Tuesday, 10 June 2014

Chrome to remove NPAPI

What is NPAPI?

It's the API used by browser plugins such as Java, among many others, to interact with a web browser. Unfortunately it has also been the method by which many pieces of malicious code have accessed user machines. Its full name is "Netscape Plugin Application Programming Interface" as it was first invented by Netscape before being adopted by other browsers to overcome the limitations of the web technologies at the time, an example of which would be playing videos, which wasn't possible then, or having interactive games.

Why remove it?

It's basically because it's not particularly needed any more, it was invented in the 90s to extend the browsers capabilities to as stated above which wasn't possible with standard web technologies of the time but with new web APIs a lot of this functionality is built into the browser and runs much faster and more securely.

From what I understand the architecture of these plugins caused a lot of browser hang ups & crashes, can't say I understand the technical reasons for this as I've never worked with NPAPI but I'd imagine that due to it not being 'baked' into the browser there was additional overhead with running them, that with limited resources available & possibly inefficient programming led to programs 'hanging' then crashing. Whatever the reason I remember experiencing a fair amount of plugin related browser crashes back when these were more popular.

The security issues of NPAPI

The security issue with NPAPI plugins is that they effectively have full access to your computer through the browser, in the same way that a installing a program in your computer does. The reason this is worse is because of the way it gets installed, the user gets a prompt to install something when the get to a website and out of habit just click the accept button rather than actually reading what they are accepting (can't find the article which had the research data for that at the moment), even if they did read it they may not fully realise what it is. This is opposed to an application which you purposefully download or install from a disc. I'm pretty sure way back in the past the user didn't even need to accept anything to install the plugin! I could be wrong on that though.

I'm not certain if this is still the case but it was possible to customise the message, which gave genuine developers the opportunity to explain to the user what they were installing & why but it also allowed other developers to make messages that impersonated more reputable companies, Adobe Flash Player was a prime source of this. More recently security vulnerabilities in Java have been the main method which attackers have been getting access to users computers, so much so that US Homeland Security has recommended users to disabled it unless they really need to use it. I won't describe these Java vulnerabilities as there have been several and Google will serve you better in getting information about them.

Another downside to NPAPI is that a lot of the extra security enhancements implemented in modern browsers such as sand boxing can't be implemented with NPAPI, or can't be implemented as well, due to its architecture. I cannot explain that much better as I don't understand its inner workings well enough.

Is Adobe flash affected by NPAPI deprecation?

In short no because Google have been working with Adobe for about two years to port Flash player across to Googles new cross-browser (although I don't think any other browser uses it yet) version of NPAPI called Pepper Plugin Application Programming Interface (PPAPI). I'm not familiar with it enough to say what the exact differences are but according to Google it's much more secure than NPAPI which is why they're replacing NPAPI with it.


I should point out that NPAPI is not the same as ActiveX in Internet Explorer, that's a different thing altogether specific to Microsoft. ActiveX goes beyond what NPAPI can do, I won't go into ActiveX here though.

Further reading

Saturday, 31 May 2014

Chrome origin chip


A lot of posts have been made about Chrome adding in what they're calling the "origin chip," which hides the whole URL from the user except the top level domain (TLD) which is the first time I know of that a desktop browser has done this. You can get the whole URL back by clicking the origin chip.

This was first introduced in Chrome Canary (v36 I think?) but is now in the main version too, it's not enabled by default though in either version so you'll have to go enable it yourself if you want to try it out, see the bottom of this post for instructions on how to do that.

Why the change

There are two big reasons I can think of to do this, to help prevent phishing attacks & help drive search traffic for them.

How will it stop phishing attacks?

Really good phishing attacks can be very convincing, they pick URLs which very closely match the real URL and with a quick glance the user cannot tell you're actually at a different domain Jake Archibald has a good example of this with the Halifax website, a British bank. With this new origin chip it would be really easy to spot that you're not on your banks real website once users knew what the origin chip was and represented.

Although I'm a bit sceptical that this will actually make phishing attacks any less likely for quite some time as I'm not sure that most users will actually understand what the origin chip is or how to spot a genuine or phishing URL, even though it would be easy to spot not everyone will know what to look for in the change.

How does it drive traffic to Google?

Well as the URL will no longer be displayed and now it just says "Search Google or type URL" all the time it may well encourage more searches, I cannot say that will actually be the case but I'm fairly certain Google would have made this change primarily to try & drive search traffic as that's their core business.

Is this a good thing?

I really have no idea, from what people are saying on the Internet it sounds good as it'll hopefully help prevent phishing attacks in the future (with the caveat I mentioned above) and that the URL isn't really needed to be displayed anyway. On the other hand I can't see any good reason to get rid of the URL other that the phishing reason but even then I'm not sure how helpful it is.

I hope Google do some user testing on this before pressing a head with it and putting it out to the masses or that someone else does as I'd be interested to read the research.

A bit of history

For those who don't know Google seem to have been playing around with the URL for quite some time, turning the URL box into an omnibox for both URL entry & search, before this browsers had a separate box for each then greying everything out after the TLD to make it more prominent and at one stage there was an option to hide the URL bar all together and just have it as a popup, I think why you hovered over a tab to make it appear? I can''t remember exactly and can't spot the option any more but that one didn't ever make it to being enabled by default on the main version.

How to enable this

Open up Google Chrome and go to chrome://flags/#origin-chip-in-omnibox for the option.

Further reading

Thursday, 27 February 2014

Usability Testing for Mobile

Recently I read an article from the Neilson Norman Group titled "Usability Testing for Mobile" written by Raluca Budiu and among many useful tips in the article it gave suggestions on what camera equipment to use for recording how the users interaction with the device. Among them was a desktop camera which had a long neck so it could be angled to capture footage of the user interacting with the device but still be out of the way, another was to connect a camera to the device but was partly dismissed a little as it added weight to the device which affected how users used & interacted with it.

Having read that I thought, why not use a head mounted camera? That is one which is mounted on the users head that way you will always get good footage of how the user is interacting with the device without adding the weight to the device or having to restrict them to sitting at a desk. Sure head cameras add weight to the users head but if the sessions aren't to long you don't notice it that much, I speak from experience of using a GoPro camera.

Anyone have any thoughts on this?