More on Amazon Silk

A small Amazon Silk FAQ is now available on Amazon’s web site. Questions regarding privacy are at the bottom so hopefully you won’t read far enough down to see them.

There you will find Amazon taking the opportunity to tell you how awesome Silk is and then direct you to the Amazon Silk Terms and Conditions if you’re still interested in this silly privacy nonsense. However there is one small, but important piece before we move on to the ToC:

What about handling secure (https) connections?

We will establish a secure connection from the cloud to the site owner on your behalf for page requests of sites using SSL (e.g. https://siteaddress.com).

Amazon Silk will facilitate a direct connection between your device and that site. Any security provided by these particular sites to their users would still exist.

Read literally, the first sentence says Amazon's servers terminate the secure connection on your behalf, which would let Amazon see everything you do over HTTPS (the second sentence, about a direct connection, says the opposite, and the FAQ doesn't explain which applies when). If the first reading is right, this is bad. Very, horribly, bad. And it should be a red flag for anyone considering purchasing a Kindle Fire. Now about that ToC document.

Straight away they give you the section on privacy and tell you that the Silk ToC includes the Amazon Privacy Notice. They’ve even gone and underlined it for you to make sure you see it. Curiously they don’t actually link to the document. Isn’t that a bit odd? I’ll help you out in a way Amazon.com won’t and point you to the Amazon.com Privacy Notice here.

The basic idea of the Silk ToC is that they keep your information for "generally" no longer than 30 days and that Amazon.com sees everything you do over the web using Silk. Couple that with the privacy notice and Amazon has given itself the right to look at and analyze everything you do over the web with Silk.

However, there is one piece of news in the ToC:

You can also choose to operate Amazon Silk in basic or “off-cloud” mode. Off-cloud mode allows web pages generally to go directly to your computer rather than pass through our servers. As such, it does not take advantage of Amazon’s cloud computing services to speed-up web content delivery.

So it will be possible to use Silk without putting Amazon between you and the web. It’s unfortunate this option is buried in Amazon’s documentation and I suspect this option will be just as buried in Silk, but it is there. And that’s good, because the Kindle Fire does not support Android Market which makes installing an alternative browser a bit problematic.

If I were in the market for an Android tablet I don’t think Silk would turn me off the Kindle Fire, however I am the type who likes to have as much control over my own hardware as possible and I don’t feel I would have complete control over a Kindle Fire in much the same way I don’t feel I’d have complete control over an iPad. Therefore I would probably look elsewhere.

Amazon Silk

Today Amazon.com launched three new versions of their Kindle e-reader including a color tablet called Kindle Fire. In terms of hardware it's about what you'd expect from something launched a year after the Barnes & Noble NookColor to compete with it: slightly better, but nothing that stands out as revolutionary.

But included with the Fire is a new web browser called Amazon Silk. And Amazon would like you to know this is a new and different browser from anything you’ve seen before.

So what's the big deal about Silk? All your web requests go through Amazon's servers, which retrieve the content for you and optimize it wherever possible (e.g. a 3 MB JPEG that's displayed at 300×200 pixels will be resized by Amazon before being sent to you as a 50 KB JPEG). Because Amazon's servers are sitting on some of the fattest pipes on the interwebs, they'll be able to pull down and deliver all this content to your Kindle significantly faster and more efficiently than if your browser did the work all by itself.

Sounds pretty nice, but I’m a bit of a pessimist.

I wonder if the image resize example given in Amazon's video might have unexpected consequences. For example, some web applications purposely load a large image into your browser and let you zoom in and out and pan around it. Will Amazon's services understand that scenario and know not to shrink the image? I can think of a few examples that clip an image with CSS and reveal the full image when you hover over the clipped area. Will Amazon know that the clipped area is not the only part of the image being displayed? Perhaps only known situations are optimized rather than Amazon using software to guess.

My biggest worry, however, is that all your web browsing now goes through a third party. If Amazon is making requests on your behalf it will need to present your session cookies to the sites you're browsing. What happens when you need to log into a system over SSL? Does Silk make the HTTPS request through Amazon's servers? Does that mean all your passwords will be, at some point, on Amazon's servers? What happens if they're ever compromised? Does Amazon log, and can it track, your browsing history? What happens when I try to go to Barnes & Noble to buy something online through Amazon's servers? Some web sites guard against session hijacking by checking things like your IP address. Amazon's servers, as they point out in the video, are all over the world. Will my IP address stay the same throughout a session or will it change as requests are routed through different Amazon servers? Some web applications might break because of that.

Amazon must be logging your browsing with Silk. Imagine a scenario where someone posts some illegal material through Amazon Silk. Authorities will track down the IP which will lead them back to Amazon. Amazon must then have some mechanism to identify the user who posted the illegal material otherwise Silk becomes a giant anonymous proxy machine.

I'm very wary of Amazon Silk. I do not think I would ever use it unless forced into a situation where no alternative was available. I don't want some third party sitting between me and the web sites I interact with, watching and recording everything I do.

Texture & Transparent Maths

This is the kind of post that would benefit greatly from the addition of screenshots, but I’m far too lazy so you’re going to have to put a lot of this into your head and create your own screenshots.

Now that's out of the way, let's talk about a situation that came up over the weekend. I was looking at a particular layout I've developed and lamented that the solid color background felt a little too empty. What it needed was some kind of texture to make it more visually interesting, but not so much that it takes attention away from the actual content of the page. What immediately came to mind were the linoleum tiles of an old grocery store I went to years ago, which had solid color tiles with little dots of black and white color. I thought something like that might just pull off the trick of making things a little more visually interesting without taking away focus from the content of the page. So I needed to make some dots.

Continue reading

SSL/TLS Broken and Disabling Javascript Fixes It

In a few days a flaw or attack on SSL/TLS (the stuff that protects your passwords and personal data as it goes across the internet) will be presented at Ekoparty.

The attack (the one since named BEAST) requires the attacker to be in a position to intercept and inject into the data between the client and server, otherwise known as a man-in-the-middle attack. It appears to use javascript running in your browser to send attacker-chosen plaintext over the encrypted channel; combined with the ciphertext intercepted on the wire, that lets the attacker recover secrets sent alongside it (such as your session cookie) one byte at a time. It does not recover the encryption key itself.

The simplest solution to protect yourself is to disable javascript. That takes away the usual way an attacker gets chosen plaintext into your connection; the underlying weakness is in how TLS 1.0 chains CBC blocks, which TLS 1.1 fixed, so the lasting fix has to come from servers and browsers.

As a web developer I look at things like noscript, cross-site scripting, and exploits like this as reasons to believe that users of my web site may not have javascript enabled. Therefore it is vital that javascript not be a critical component of any site I manage. That doesn't mean never use it; it only means that your web site should still be usable without it. Treat it like Flash, or Java, or any other function that isn't explicitly defined in the HTML or CSS specs. These things can make life easier for the user, but should never be a requirement.

This latest exploit, with the immediate message to end-users being disable javascript until a fix is ready, puts those web developers who rely on javascript to provide critical function to their site in a bad position. Don’t be one of those developers.

Eventually the practice of at least a white-list approach (see noscript) to Flash, Javascript, etc., if not completely removing them from the browser, will become the norm for even basic web users. It may not happen this year, or even in the next five years, but it’s very likely to happen as attacks on the web layer continue to grow.

printf(“Hello, world!\n”);

I haven’t been blogging much because I really haven’t had much to say. Browsers have gotten to a point where most people are using something that doesn’t require extensive or creative CSS hacks to work with basic CSS-driven layouts which was my bread-and-butter for the middle part of the last decade.

I recently did a bit of contract work which inspired me to work on a new layout which then inspired me to do some spring cleaning and share with you a bunch of old designs I’ve started over the last five years, but never got around to finishing. So hang on, there’s a bunch of new stuff to get through.
Continue reading