Monday, January 26, 2009

Noscript’s uneasy relationship with bookmarklets

Whenever I install Firefox for the first time, my first add-on is always the venerable Noscript extension. If you’re unfamiliar with it, Noscript basically enforces a no-javascript zone for all web sites you encounter, except for those you trust (i.e., sites you add to your whitelist). In today’s Web world, nearly every Web site worth visiting uses javascript to implement the whiz-bang functionality and awesomeness we users demand. Unfortunately, not everyone can be trusted to use that power for good. Noscript is your weapon against such unscrupulous programmers.

When I first started using Noscript, I found it was a more efficient and more nuanced pop-up / ad blocker, because I could reliably stuff rogue ad-servers while whitelisting the core site. It also protected me from surreptitious malware agents, which silently utilize javascript to take advantage of browser-based vulnerabilities. Noscript allowed me to surf within a trusted Web, while forcing new sites to earn that trust with good behavior.

One of the minor inconveniences of Noscript has always been the use of bookmarklets. Typically, if you’re trying to bookmark or clip a page using a bookmarklet, you must first whitelist the underlying site. This usually means adding at least one extra click and one page reload before you can save the page. This is annoying, but it’s a reasonable tradeoff, given the enormous security advantages Noscript delivers.

A more recent Noscript / Bookmarklet conflict involves a different Noscript feature: protection against cross-site scripting (XSS) attacks. This feature is a more sophisticated defense, designed to meet a more complicated foe: hackers that can exploit a loophole in a trusted site and inject malicious code that can fleece you of your cookies, including your stored web mail or bank passwords. These attacks are more insidious than traditional phishing attacks because you can’t prevent them just with anti-phishing smarts. The code is loaded without you knowing. Here’s how Wikipedia introduces the subject:

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits. As of 2007, cross-site scripting carried out on websites were roughly 80% of all documented security vulnerabilities. Often during an attack "everything looks fine" to the end-user who may be subject to unauthorized access, theft of sensitive data, and financial loss.

Obviously, it’s good to have some protection against these attacks. And while Firefox 3 and IE8 offer some protection, Noscript claims to offer a more complete defense. Unfortunately, Noscript’s XSS features can interfere mightily with the function of many otherwise useful bookmarklets. Tim, a Web designer at FastSpot, explains how bookmarklets can be adversely affected by well-meaning XSS defenses:

The great thing about the web is that it’s inter-connected, and even with all the security measures that have been put in place, a great deal of things can still be accomplished with web mash-ups.  We’ve done quite a few cool things with Google Maps, eBay, Yahoo, and other web APIs.  But we had server access to all the sites we’ve incorporated those cool features on.  What if you want to share a cool feature with someone else just by passing them some code to paste into their website, or better yet, simply a bookmark to click?

Bookmarklets are fairly new to the web, but already there are tons of useful ones!  Take a gander at X-Ray (a bookmarklet for inspecting elements of a website), Firebug Lite (an awesome debugging tool for Internet Explorer), and even a bookmarklet for downloading videos off of YouTube and other video sites.  You simply drag the link to your bookmarks bar or right click to add the bookmark, visit any website, click the bookmark, and cool things happen on the current site you’re at.

So what do bookmarklets have to do with cross site scripting and web security?  Well, they’re the most affected feature-wise when it comes to the web paranoia.  There is a cross-domain limit on what Javascript can do in browsers while transmitting data.  For example, “AJAX” requests can’t be transmitted from Javascript hosted on www.google.com to www.yahoo.com.

Here’s an example of what Tim’s talking about, using a bookmarklet for Microsoft’s Thumbtack web-clipping app.

Clicking the Thumbtack’s bookmarklet gets you a blank slate and an error message:


But you can choose to perform an unsafe reload, and it will work just fine.


Sadly, if you choose to continue using Thumbtack, you’ll have to perform an unsafe reload each time you use the bookmarklet, even if both Thumbtack and the underlying site are whitelisted. If you like doing patently unsafe things over and over again, this option is for you.

There are two other things you can do:


  1. Create an XSS exception. Go to Options >> XSS. You will see three built-in exceptions for Wikipedia, Google, and Yahoo. The syntax is complicated, and for other sites you’ve got to figure it out yourself. I tried making one for Evernote by copying the examples, but I could never get it to work. Evernote’s Bookmarklet would always require an unsafe reload. It’s worth noting that Google Notebook probably never had to worry about Noscript’s XSS filter, due to the already included exception.
  2. Wait until your favorite site can work out its differences with Noscript. In Evernote’s case, this appears to have finally worked. Noscript announced today that the add-on now works with Evernote’s Web Clipper. I have no doubt that Evernote was aware of the conflict and worked closely with Noscript on a behind-the-scenes fix, although I’ve not seen either company mention it.
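
A simplified model of the conflict described above, added here as an example (it is not Noscript's code and not from the original post): a cross-site request filter whose exceptions are regular expressions tested against the destination URL. The hosts, the heuristic and both exception patterns are constructed assumptions; the point is why a clipping bookmarklet trips such a filter, and why an exception should be anchored to the exact endpoint rather than written loosely.

```javascript
// Simplified model of an anti-XSS request filter with regex exceptions.
// This is NOT Noscript's code: the heuristic, hosts and patterns are constructed.

// Fragments that make a request payload look like injected markup or script.
const SUSPICIOUS = /<\s*script\b|<[a-z][^>]*\son\w+\s*=|javascript\s*:/i;

function safeDecode(text) {
  try {
    return decodeURIComponent(text.replace(/\+/g, " "));
  } catch (e) {
    return text; // malformed percent-encoding: inspect the raw text instead
  }
}

// request: { sourceUrl, destUrl, body }
// policy:  { trusted: Set of hostnames allowed to run script, exceptions: RegExp[] }
function classifyRequest(request, policy) {
  const src = new URL(request.sourceUrl);
  const dst = new URL(request.destUrl);
  if (src.origin === dst.origin) return "allow:same-origin";
  // Assumption: only destinations that may run script are worth protecting.
  if (!policy.trusted.has(dst.hostname)) return "allow:scripts-blocked";
  // Exceptions are tested against the whole destination URL.
  if (policy.exceptions.some((re) => re.test(dst.href))) return "allow:exception";
  const payload = safeDecode(dst.search) + "\n" + safeDecode(request.body || "");
  return SUSPICIOUS.test(payload) ? "block:possible-xss" : "allow:clean";
}

const trusted = new Set(["clipper.example", "bank.example"]);

// Constructed: a clipping bookmarklet posts the selected HTML to its own service.
const clip = {
  sourceUrl: "https://news.example/story",
  destUrl: "https://clipper.example/clip?title=Story",
  body: "html=" + encodeURIComponent('<a href="/x" onclick="track()">read more</a>'),
};

// Constructed: a link to a trusted site with markup in the query string and the
// clipper's host name appended as a throwaway parameter.
const reflected = {
  sourceUrl: "https://forum.example/thread",
  destUrl: "https://bank.example/search?q=%3Cscript%3E&ref=clipper.example",
  body: "",
};

const tight = [/^https:\/\/clipper\.example\/clip(?:\?|$)/];
const loose = [/clipper\.example/]; // unanchored: matches anywhere in the URL

function demo() {
  return {
    clipNoException: classifyRequest(clip, { trusted, exceptions: [] }),
    clipTight: classifyRequest(clip, { trusted, exceptions: tight }),
    reflectedTight: classifyRequest(reflected, { trusted, exceptions: tight }),
    reflectedLoose: classifyRequest(reflected, { trusted, exceptions: loose }),
  };
}

console.log(demo());
```

The clipped page fragment is ordinary HTML, yet to the filter it is indistinguishable from injected markup, which is why the bookmarklet needs an exception at all; the loose pattern then shows how a careless exception also switches off protection for an unrelated trusted site.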

Thursday, January 22, 2009

Evernote welcomes Google Notebook users with import utility

As promised, Evernote has released an import tool for disappointed Google Notebook users. I’ve just tried it out, and I’m happy to report it works largely as advertised. If you've tried Ubernote’s import tool, the process is basically the same: export each of your notebooks in Google’s Atom format, then import those files into Evernote.

Unlike Ubernote’s no-frills import, Evernote actually gives you some options about how you want your notes to look once they’re imported (reminiscent of their impressive Delicious import tool). You can import your notebooks into an existing Evernote notebook or create a new notebook. You can also decide whether you want to include your existing notes, labels, and section headings.


A few times, Evernote got stuck, and I had to re-import, which resulted in some duplicate notes. But, for the most part, it was a smooth process. Once everything was imported, I wanted to see how the same notes were displayed in each service. Let’s take a look:

Here’s a publicly shared note in Google Notebook. Note the secondary comments section in light blue (one of my favorite features).


Now, here’s the same note in my public Evernote Notebook. Notice that the tags are on top, right below the title (red arrow). The comment is preserved and separate from the text of the note, but it’s indented rather than highlighted (blue arrow).


You’ll also notice a couple of severe drawbacks associated with Evernote’s public notebooks when compared with Google. You have to view each note in isolation by clicking on it, and you have to view ads. I prefer Google Notebook’s uncluttered blog-style view, which allows you to scroll and see notes in context with one another.

My only other complaint is that Evernote promises all imported notes “will retain their original creation date.” My imported notes all bore today’s date. It doesn’t bother me all that much, but if chronology is important to you, I recommend waiting until Evernote has corrected that problem.

Overall, I think Evernote has done a nice job with this feature, and it’s definitely a strong contender to replace Google Notebook as my app of choice. Next week, I’ll let you know why I’m withholding my full endorsement.

Wednesday, January 21, 2009

What I’ll miss about Google Notebook? Speed and Search.

Digital Inspiration notes that several newly invigorated competitors are tripping over themselves to offer easy-import tools now that Google Notebook has been left for dead. Ubernote, which has some striking UI similarities to Google Notebook, offers a guide to importing Google’s Atom files. Zoho’s solution is even easier, because you don’t have to import your notebooks one at a time. Apparently, Evernote is working on an import solution as well, but it’s not quite ready.

Being able to import your notes into another app is nice, but it’s only possible because Google’s web-based product was so superior in the first place. Of the products mentioned above, only Google Notebook provides multiple sharing and backup options, including both HTML and Atom formats. Evernote does full XML import / export, but you have to install the desktop app on Mac or Windows to take advantage of those functions.

Of course, the option to take your game elsewhere isn’t the only advantage Google Notebook had. As you would expect with a Google Product, Notebook was fast and it was easy to find your stuff. I’m not sure what you look for in a Notebook, but being able to store and find my stuff when I’m in a hurry is about the only thing I demand. To illustrate what I’m talking about, let’s take a look at the two competitors now offering import tools.

Ubernote
I’m actually pretty impressed with Ubernote’s expansive list of features, and I love their UI because it borrows so liberally from Google Notebook’s design (it also borrows liberally from Evernote’s name and mascot, but we’ll let that slide for now). Yes, Ubernote offers just about everything Google Notebook offers, but unfortunately, it’s much, much slower. No, I don’t expect Ubernote to match the scale and resources that Google Notebook had, but the load times are a noticeable drag. In my experience, Ubernote’s search function is only slightly slower than Google’s. But page loads and clippings take much longer. “So what,” you say? “So it takes a little longer.” But as Jeff Atwood noted today, even a little lag time can have a huge negative effect on user experience. What I loved about Google was how quickly I could clip text into its Firefox extension and move stuff around, without ever leaving the page. Ubernote’s Firefox add-on and bookmarklet don’t come close in either speed or convenience.

Still, I could actually see myself using Ubernote if they smoothed out the rough edges and sped things up a bit. A recent blog post implied that the hiccups and slow speed might be caused, in part, by their recent growth spurt. They say they’re working on it, and I hope they are. It’s an app with a lot of promise.

Zoho Notebook
Zoho Notebook is not quite so promising. Recall that I care about two things: speed and search. Zoho’s Notebook is plenty responsive, but as I’ve noted before, it gets an “F” in search. Why? Because Zoho offers no help when it comes to finding your stuff. There’s no search box. There are no tags. Ubernote, Google Notebook, Evernote, and Zotero all feature both tags AND search. But apparently Zoho doesn’t think these features are all that important. Actually helping you locate what you’ve stored with them is unnecessary. I know I’ve said this before, but that’s kind of ridiculous. Somehow they managed to copy OneNote’s look and feel while omitting one of the most obvious and crucial functions. Stupid. Stupid. Stupid.

Frankly, I kinda wish these sites rushing to capture Google’s market share were forced to do it the old fashioned way. Not by creating an easy-import tool for a dying product, but by making their products more useful to end users. All I want is to quickly clip notes from the web, and find them equally fast from any internet-connected computer. If you can do that, I don’t care about your import tool. I’ll export all my old notes to Google Docs (another killer option Google Notebook offers). Then I’ll start over with a product aimed at winning both my heart and my notes.

Wednesday, January 14, 2009

RIP, Google Notebook

Right now, I’m a little bummed out.
My favorite Notebook app was Google Notebook. I say was because Google is apparently ending its Notebook experiment. As reported earlier today in Search Engine Land, Google Notebook is one of five casualties in Google’s effort to get leaner and more focused on its core products and mission. Danny Sullivan succinctly noted:
Google Notebook closes, though those with existing accounts can continue to save material. New accounts won’t be allowed, however — nor will the service be further developed, and the Google Notebook Extension for browsers will no longer work. Google told me it makes more sense to close this when it offers other services that allow for notetaking, such as Google SearchWiki, Google Docs and Google Bookmarks.
No doubt, Google needed to consolidate some of its bookmarking efforts, and there clearly wasn’t a critical mass of Notebook users to worry about. But I love Google Notebook, even compared to flashy, feature-rich competitors like Evernote. Google Notebook’s chief advantages were its superb bookmarklet/extension and excellent, no-frills handling of text and links. As I said before, my notes are all about text, and Google Notebook handled basic text and links better than any web-based notebook I’ve used.

Alternatives

Although Google Notebook is technically staying open, I can’t continue to use it without the handy bookmarklet/extension. That was the best feature.  So I’m in the market for a decent alternative. The two most obvious options are as follows:
  • Evernote: I like Evernote a lot. I had almost decided to switch a few weeks back but I ran into a snag when their bookmarklet didn’t work so well with the popular Noscript Firefox add-on. For now, I choose Noscript. But Evernote has promised to overhaul their web clipper in the new year, so I’m looking forward to that.
  • Zotero: In some ways, Zotero is better than either Evernote or Google Notebook, but its relatively strong privacy and superb handling of PDFs make it perfect for my work. And I try not to mix my personal stuff with business stuff. Check out my Zotero review for a good idea of why I like it so much.
So my two favorite Google Notebook alternatives are perhaps out of the question for now. And I absolutely can’t stand Zoho Notebook. That being the case, I may try one of several smaller, similarly named notebooks: Ubernote, Springnote, Springpad, or Webnote. Honestly, I’ve tried them all, and found them all lacking. Anyway, I don’t think any of these smaller companies will have any better luck than Google did. And without Google’s cash, I’m not too sure I can trust another company to hold onto my data.

Exporting your Google Notebook

Speaking of which, Digital Inspiration already has a great guide to exporting your Google Notebook for use somewhere else. I will probably go the Google Docs route.

One final prediction

As I said earlier, Google probably had to split the baby when it came to Google Notebook and Google Bookmarks. The fact that they decided in favor of Google Bookmarks might seem surprising given how poorly the product stacks up against every other bookmarking service out there (e.g., Delicious, Magnolia, Diigo). But I think focusing their effort on Google Bookmarks is consistent with a few other moves they’ve made in the last year or so:
Could Google be thinking about expanding Bookmarks into a bona fide Delicious competitor that’s fully integrated into its desktop offerings? I think that would be the most sensible (and compelling) route for Google to take.

Sunday, January 4, 2009

Tagging: How to do it and knowing when not to do it

One of the best innovations in social media is also one of its most pernicious traps: tag creep. Do you have too many tags? Redundant tags? Tags that are similar? Tags that break your own rules for tagging stuff? I know it’s happened to me, in both my blogs and my Delicious collection. But Steve Rubel points me to some great advice from Jason Falls on how to ensure your tags are useful and organized so that YOU can FIND STUFF (that is why you do this, right?).

One of the best tips is also a bit counter-intuitive: don’t bookmark everything.

This one is a hard one for some to grasp, but bear with me. I bookmark fewer and fewer items these days for one simple reason: I subscribe to just about everything I find interesting online via RSS. If I want to find an article I read on Mark Dykeman’s blog a year ago, I can search my RSS feeds and find it. It’s not much more time consuming or difficult than bookmarking it, so I don’t need bookmarking as much anymore. However, there are purposes and reasons for aggregating everything I find on certain subjects, so bookmarking hasn’t lost its relevance. But I only bookmark what I’m going to later need when writing an article on the subject or preparing a presentation for clients, etc.

This is the one bit of advice I’ve already been following myself. I use Google Reader as my primary news source, and if I want to go back to an article I’ve read there I simply search my feeds for it (I also use tags within Google Reader, but I use them very sparingly).

But what if there’s something I want to read later? Call me crazy, but I use Read it Later.

So what do I use Delicious for, if not for organizing items I’ve read or saving items for later reading? I use Delicious for reference. Reference doesn’t mean, “I might need this later.” Reference is stronger than that:

  • I will use this later. More than once.
  • I will recommend this to friends now. I will want to recommend it to them later as well.
  • This matches a collection of other items for which I already use a common tag.

The last bullet is related to an idea I would have added to Jason’s outstanding post. Don’t tag everything. Tag an item only when you know how to tag it. Don’t tag it just because you’re saving it.  Tags are for items that are thematically or topically related to something else you’ve already saved. Adding a tag means, “I’ve got more than one of these.” If you aren’t sure how to tag something, but you think it needs to be saved, write a good description of the item. A later search of your bookmarks will find it. If you never use that item again, that’s okay. You’ve avoided cluttering your system with a tag that makes you scratch your head.