Securing Your Addon Updates with SSL
So, now you have to secure your self-hosted addon’s updates, but you don’t want to have to sign your update.rdf file nor your install.rdf file. I was in that boat, and I thought I’d share my solution with other addon developers out there to make your lives easier.
I recently switched over to Dreamhost as my hosting, and lucky for me they make using a third party SSL certificate quite easy. The great folks at StartCom offer free Class 1 certificates, which is all you need to secure your updates. StartCom certificates don’t work in IE, but they do work in Firefox, so they’ll work great for securing your addon updates. Please note that using SSL over HTTP does require that you get a unique IP address for your server, which usually costs more from most hosting companies, so it isn’t a completely free solution.
Let’s get started by applying for your Class 1 certificate here. Select “Class 1 Certificate”, and press Continue. On the next page, you’ll want to select “Server Certificate (With CSR generation)”, and press Continue. At this point, you’ll be asked to provide some personal details. These details won’t appear in the certificate.
Their certificate creation wizard will walk you through the next few steps. Here, you’ll create your private key, ssl.key, certificate signing request, ssl.csr, and your certificate (they might have to hand verify details, so the certificate might not be instant), ssl.crt.
Now you have everything that you need. With Dreamhost, these next few steps are dirt simple. First, you’ll have to decrypt your private key that was generated for you. This is where that password comes into play that you are supposed to remember! You’ll need to find some unixy box (you can ssh into your Dreamhost box) and run the following command (you’ll have to upload your private key to the remote machine as well):
openssl rsa -in ssl.key -out ssl.decrypt.key
Now you can safely fill out the fields on your domain/subdomain page. In the field titled “Certificate Signing Request”, copy and paste the contents of ssl.csr. In the field titled “Certificate”, copy and paste the contents of ssl.crt. Finally, in the field titled “Private Key”, copy and paste the contents of ssl.decrypt.key. Make sure you use the decrypted key, otherwise you’ll get an error about using a password protected private key. Now that you have filled these fields out, you’ll have a new field on the top of that page that you won’t see (someone at Dreamhost should fix this) that lets you select if you want https://www.* or https://*. Select whichever one you used for your certificate application, otherwise users will be presented with an error.
There’s one last step here and you can have HTTPS working on your server. You need to contact Dreamhost support to have them install the intermediate certificate from SmartCom, otherwise your users will get an invalid certificate error. So, download sub.class1.server.ca.crt and upload it to your home directory, then fill out a support request asking them to upload it. Their wiki page on SSL has more details on this. You should get an e-mail from them informing that everything is all setup. After that, you are ready to serve secure updates!
Dirty Santa & a Hillary Nutcracker
This year part of my family played a game called Dirty Santa with gifts. It was actually quite fun, and my sister and I had fun duct-taping the heck out of one of the gifts my family put in. It was the first one picked, and much hilarity ensued. My mom, who didn’t know that my sister and I did this, kept apologizing to the picker (she was unaware that we did this as well).
Anyway, when it came time for me to pick (I was lucky number seven), I picked a smallish package and started to open it. Someone was crazy enough to create a Hillary Clinton nutcracker (really – you can get one yourself here). I thought it was rather funny, but kinda useless (clearly, it was a gag gift). However, that got stolen by my Grandpa (which was strongly encouraged by me). I ended up getting a coffee maker out of it, which is pretty useless since I don’t drink coffee, but oh well. My Grandpa certainly enjoyed it though!
Snowboarding
Turns out that snowboarding is pretty fun. I went with some friends yesterday for the first time ever, and I had a really good time.
I first started off on the kiddie hill. We are talking about 25 feet and a really shallowly sloped hill. I quickly decided it was time to move onto something a bit steeper and longer to get a better feel for things (some party members went there first, and then went to the kiddie hill to get some more practice first).
When renting our snowboards, I decided that I was normal with my footing (that means left foot forward going down the hill), but about my third time down I established that I was in fact goofy (right foot forward). Of course, my board was setup for normal, and I didn’t bother adjusting it (it was apparently adjustable). It seemed to work out well regardless.
I never made it up to the bigger hills, but I think baby steps is a good approach here. I fell enough that I decided it was about time to call it quits (that, and I couldn’t think or see very clearly because I had just whacked my head pretty good). I did fall a lot, and I’m paying for it today. Totally worth it though. :)
eTLD Meet mozStorage?
While talking with Edward last night about searching in the download manager, we came across an interesting idea. Instead of trying to guess a good substring of the URI to do a LIKE comparison for searching, we could process it with nsIEffectiveTLDService (there’s no devmo page for this sadly) after we query the DB. We then realized that that is not the most efficient way to do this, so we thought, “Hey, we can add functions to the database! We can just hook up eTLD that way!” Then it dawned on us on just how bad that could get, especially if we implemented that in JS like the download manager’s UI is in. We’d be crossing xpconnect quite a bit, and searches are already kinda slow. As a result, that idea got canned. We started thinking about how it could be done in C++ with the download manager component, which wouldn’t be as bad. That’s when I started to really think about this.
Places does some search stuff with the Awesomebar. I’m not sure if they do some guessing like we were thinking about doing, or if they post process it, or something entirely different. But, what if mozStorage automagically provided functions for you to perform eTLD things on strings in the DB? Storing URI’s in their string form seems to be fairly common in many of our sqlite databases. So, I’m looking to see what people think about providing some SQL functions that make people’s lives easier:
SELECT eTLD_GetPublicSuffix(referrer) AS suffix FROM moz_downloads
Where referrer is a column in the DB that stores an nsIURI. I don’t find this one so useful, but…
SELECT eTLD_GetBaseDomain(referrer, 1) AS referrer_search FROM moz_downloads WHERE referrer_search LIKE ?1
Again, with referrer being a column in the DB that stores an nsIURI. In this case, if the uri were “http://mxr.mozilla.org/seamonkey/source/netwerk/dns/public/nsIEffectiveTLDService.idl”, it’d return mxr.mozilla.org, and that is what would be searched by the LIKE expression. I can see this being potentially useful to many consumers, so I’m putting out feelers to see what people’s thoughts are. What do you think?
Breaking the Limit
Did you ever have one of those situations where you’ve hit your limit before you realized anything was wrong? It doesn’t even have to be a situation where you have a low limit either. It has happened to me a few too many times lately, and I find it quite bothersome. I used to be of the opinion that I was very aware of these type of things and could address issues before I hit my limit. That has not been the case lately, and it has me quite worried.
Now, it could be a number of things that is preventing me from picking up on this stuff. For starters, I’m under a lot of stress with finals and end of the semester events. Maybe because I’m so stressed out I’m completely missing the signals I’d normally pickup. Another possibility as that the events/people/person/situations that are pushing me to my limit are uncharted or mostly uncharted areas, and I simply don’t have the experience to pick up on when I’m about to cross my limit. Of course, it could just be that I’ve lost my touch and don’t notice these things anymore either.
Regardless of why and how, it’s a serious problem. When I do hit my limit, I’m not a very nice person, or at least not a very nice person towards the person(s) that got me to/past the limit in the first place. I’d rather not be like that, because it’s not like me to be a mean person (that is not to say that I don’t have my mean streaks). Sadly, when I am mean, I feel that it greatly overshadows all the nice things I’ve done for people since the last “mean” cycle. That seems to imply that me being mean happens often, or on some regular cycle, which isn’t the case. It’s just that as of late it’s happened a bit more than I’d like to admit.
I’m not really looking for solutions to this problem from others. This post was really just me venting, while I try to identify indicators that I was rapidly approaching my limit so this doesn’t happen again. Hindsight is a great tool here. Here’s hoping that I can do that quickly rather than slowly…