
Gran Pradiso site looks hacked


John J. Barton

May 30, 2007, 1:35:05 AM
The first time I started to download Gran Paradiso alpha 4 from
http://www.mozilla.org/projects/firefox/3.0a4/releasenotes/
I got a .ru site offering the download. Wow, I thought this must be a
hack! Cancel! Next it was the mozilla site. Then a .es site. Please no
offense to Russian or Spanish colleagues. But the download page was
from mozilla.org, not .anything else.

Ok so I know you are international and all, but if you start silently
redirecting folks what do we do? What practical way do people have to
quickly verify that the file is really what you wanted to offer? Esp.
since I know that lots of Mozilla docs are by wiki, do I have to go on
a long examination to decide that this file is ok?

John.

Tony Mechelynck

May 30, 2007, 10:28:38 AM

Mozilla has mirrors for its download site in various parts of the world. When
you go to the Mozilla download site, it may silently redirect you to a mirror
nearer to you than where the Mozilla offices are located. This is normal.

The list of "official" mirror sites is at http://www.mozilla.org/mirrors.html

To avoid the possibility of going through a (possibly hacked) wiki, you may
get the GranParadiso installer for Windows as
http://releases.mozilla.org/pub/mozilla.org/firefox/releases/granparadiso/alpha4/win32/en-US/Gran%20Paradiso%20Setup%20Alpha%204.exe

Best regards,
Tony.
--
Try to be the best of whatever you are, even if what you are is no
good.

John J. Barton

May 31, 2007, 10:00:57 AM
Tony Mechelynck wrote:
> John J. Barton wrote:
>> The first time I started to download Gran Paradiso alpha 4 from
>> http://www.mozilla.org/projects/firefox/3.0a4/releasenotes/
>> I got a .ru site offering the download. Wow, I thought this must be a
>> hack! Cancel! Next it was the mozilla site. Then a .es site. Please no
>> offense to Russian or Spanish colleagues. But the download page was
>> from mozilla.org, not .anything else.
>>
>> Ok so I know you are international and all, but if you start silently
>> redirecting folks what do we do? What practical way do people have to
>> quickly verify that the file is really what you wanted to offer? Esp.
>> since I know that lots of Mozilla docs are by wiki, do I have to go on
>> a long examination to decide that this file is ok?
>>
>> John.
>
> Mozilla has mirrors for its download site in various parts of the world.
> When you go to the Mozilla download site, it may silently redirect you
> to a mirror nearer to you than where the Mozilla offices are located.
> This is normal.

Thanks, but the reason I posted here was to suggest that this is a bad
policy for Mozilla or bad technology to use in Firefox. I understand that
automating mirror selection for users seems like a good thing. But in
these days of phishing attacks, the particular implementation undermines
one of the few checks end users have to avoid being hacked.

>
> The list of "official" mirror sites is at
> http://www.mozilla.org/mirrors.html
>
> To avoid the possibility of going through a (possibly hacked) wiki, you
> may get the GranParadiso installer for Windows as
> http://releases.mozilla.org/pub/mozilla.org/firefox/releases/granparadiso/alpha4/win32/en-US/Gran%20Paradiso%20Setup%20Alpha%204.exe

I'm not worried about being hacked. I am worried about eroding users'
trust in web technology and Firefox in particular because the premiere,
leading-edge technology site uses a technology that directs me to an
untrusted site without warning or reassurance that they accept
responsibility for this redirection.

Thanks for listening,
John.

rhe...@gmail.com

May 31, 2007, 9:57:38 PM
On May 31, 7:00 am, "John J. Barton" <johnjbar...@johnjbarton.com>
wrote:
> >http://releases.mozilla.org/pub/mozilla.org/firefox/releases/granpara...

>
> I'm not worried about being hacked. I am worried about eroding users'
> trust in web technology and Firefox in particular because the premiere,
> leading-edge technology site uses a technology that directs me to an
> untrusted site without warning or reassurance that they accept
> responsibility for this redirection.

Would a message that explained that you are being redirected to a
(trusted) mirror help?

There are several ways to verify that you have the same build that
Mozilla shipped, regardless of where you got it from:

Mozilla provides SHA1 and MD5 hashes for all products:
http://releases.mozilla.org/pub/mozilla.org/firefox/releases/granparadiso/alpha4/

Also note that Windows installers are signed with authenticode (using
Mozilla's key), and detached .gpg signatures exist for all files (the
public key is in the KEY file alongside the hashfiles).

Windows is easiest to verify since you don't need to install any
additional software.

It would be awesome to make the verification part of this easier; I
wonder if a hash could be specified in the HTML that the browser would
know to check (implemented via javascript maybe?). Off the top of my
head, I don't think we can do this without the download going through
the main server (and doing that check server-side) without losing the
whole point of having mirrors.

Anyone have ideas on how this could be (1) made more apparent to the
user what's happening wrt redirection (2) verify that the user is
getting an authentic file (ideally without them having to install
GnuPG!)?

Gervase Markham

Jun 1, 2007, 5:00:20 AM
John J. Barton wrote:
> Thanks, but the reason I posted here was to suggest that this is a bad
> policy for Mozilla or bad technology to use in Firefox. I understand that
> automating mirror selection for users seems like a good thing. But in
> these days of phishing attacks, the particular implementation undermines
> one of the few checks end users have to avoid being hacked.

So end users should assume there has been a hack if they end up
downloading software from servers in Russia?

> I'm not worried about being hacked. I am worried about eroding users'
> trust in web technology and Firefox in particular because the premiere,
> leading-edge technology site uses a technology that directs me to an
> untrusted site without warning or reassurance that they accept
> responsibility for this redirection.

How do you know we don't trust the admin of the site? Again, because
it's in Russia?

Gerv

Michael Lefevre

Jun 1, 2007, 7:29:11 AM
On 2007-06-01, rhe...@gmail.com <rhe...@gmail.com> wrote:
[snip]

>
> Mozilla provides SHA1 and MD5 hashes for all products:
> http://releases.mozilla.org/pub/mozilla.org/firefox/releases/granparadiso/alpha4/

That's nice, but as far as I've seen, there isn't anywhere on the
mozilla.org download pages or release notes where it says this. So unless
people already know about the above URL, the only place they will see the
hashes is on the FTP mirrors, where they could be changed just as easily
as the binaries.

> It would be awesome to make the verification part of this easier; I
> wonder if a hash could be specified in the HTML that the browser would
> know to check (implemented via javascript maybe?). Off the top of my
> head, I don't think we can do this without the download going through
> the main server (and doing that check server-side) without losing the
> whole point of having mirrors.

That would be cool, but just having the hashes available from a trusted
site (without pointing everyone to releases.mozilla.org for their
downloads). Maybe just the hashes could be mirrored on
https://secure.mozilla.org/hashes or something, with that linked from the
download page, and some instructions on how to check the hashes (although
I'm thinking of the primary audience for this being people who know how to
check hashes already but don't know that they can find a central
repository of them at releases.mozilla.org when they are downloading from
a mirror)

--
Michael
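One way to do the hash check rhe... describes, as an added example that is not code from the thread or from Mozilla; it also encodes Michael's point above that the hash file has to come from a host you already trust rather than from the mirror that served the binary, and Justin's later suggestion of telling the user which host actually served the file. The sha1sum/md5sum file layout, the trusted host names, the SHA1SUMS file name and the sample bytes/digests are assumptions or constructed data.

```python
"""Check a file fetched from a download mirror against the hashes the origin
publishes, and make a cross-host redirect visible. Added example, not code
from the thread or from Mozilla; the hash-file layout (sha1sum/md5sum style),
the trusted host names and the sample bytes/digests are assumed/constructed."""
import hashlib
from urllib.parse import urlparse

# Hosts whose hash files are taken at face value (assumed names). No mirror is
# listed: a hash file fetched from the same place as the binary can be altered
# just as easily as the binary.
TRUSTED_HASH_HOSTS = {"releases.mozilla.org", "secure.mozilla.org"}

# Constructed sample: the "installer" is the bytes b"abc"; the digests are the
# standard SHA-1 and MD5 test-vector values for that input, not a real build.
SAMPLE_INSTALLER = b"abc"
SAMPLE_PATH = "win32/en-US/Gran Paradiso Setup Alpha 4.exe"
SAMPLE_SHA1SUMS = "a9993e364706816aba3e25717850c26c9cd0d89d  " + SAMPLE_PATH + "\n"
SAMPLE_MD5SUMS = "900150983cd24fb0d6963f7d28e17f72  " + SAMPLE_PATH + "\n"


def parse_hashfile(text):
    """Map each listed path to its lowercase hex digest. Accepts the coreutils
    forms "<hex>  <path>" and "<hex> *<path>" (asterisk = binary mode); blank
    lines and '#' comments are skipped."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, path = line.partition(" ")
        path = path.lstrip(" *")  # separator spaces and binary marker only
        if path:
            table[path] = digest.lower()
    return table


def verify_download(data, path, hashfile_text, algorithm="sha1"):
    """Return (ok, message) for the bytes of a downloaded file. algorithm is
    any name hashlib.new() accepts: "sha1" for SHA1SUMS, "md5" for MD5SUMS."""
    expected = parse_hashfile(hashfile_text).get(path)
    if expected is None:
        return False, f"no entry for {path!r} in the hash file"
    actual = hashlib.new(algorithm, data).hexdigest()
    if actual != expected:
        return False, f"{algorithm} mismatch: got {actual}, expected {expected}"
    return True, f"{algorithm} matches the published digest"


def hash_source_ok(hashfile_url):
    """True only if the hash file was fetched from a host we already trust."""
    return urlparse(hashfile_url).hostname in TRUSTED_HASH_HOSTS


def redirect_note(requested_url, final_url):
    """Text a download UI could show when the file arrives from a host other
    than the one the user clicked; None when no cross-host redirect happened."""
    requested = urlparse(requested_url).hostname
    final = urlparse(final_url).hostname
    if requested == final:
        return None
    return (f"Your request to {requested} was redirected to the mirror {final}; "
            "verify the file against hashes published by the origin site.")


def check_release(data, path, hashfile_text, hashfile_url,
                  requested_url, final_url, algorithm="sha1"):
    """Report any redirect, refuse hashes from an untrusted host, then compare
    digests. Returns (ok, messages)."""
    messages = []
    note = redirect_note(requested_url, final_url)
    if note:
        messages.append(note)
    if not hash_source_ok(hashfile_url):
        messages.append("refusing hashes served by "
                        + str(urlparse(hashfile_url).hostname))
        return False, messages
    ok, detail = verify_download(data, path, hashfile_text, algorithm)
    messages.append(detail)
    return ok, messages


if __name__ == "__main__":
    # Constructed scenario with the thread's example hosts: the user clicked on
    # www.mozilla.org, a mirror served the file, and the hash file (assumed
    # name SHA1SUMS in the release directory) came from releases.mozilla.org.
    ok, messages = check_release(
        SAMPLE_INSTALLER, SAMPLE_PATH, SAMPLE_SHA1SUMS,
        "http://releases.mozilla.org/pub/mozilla.org/firefox/releases/"
        "granparadiso/alpha4/SHA1SUMS",
        "http://www.mozilla.org/projects/firefox/3.0a4/releasenotes/",
        "http://ftp.mud.elbonia.el/pub/" + SAMPLE_PATH)
    print("OK" if ok else "REJECT")
    for line in messages:
        print(" -", line)
```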

Michael Lefevre

Jun 1, 2007, 7:50:09 AM
On 2007-06-01, Gervase Markham <ge...@mozilla.org> wrote:
> John J. Barton wrote:
>> Thanks, but the reason I posted here was to suggest that this is a bad
>> policy for Mozilla or bad technology to use in Firefox. I understand that
>> automating mirror selection for users seems like a good thing. But in
>> these days of phishing attacks, the particular implementation undermines
>> one of the few checks end users have to avoid being hacked.
>
> So end users should assume there has been a hack if they end up
> downloading software from servers in Russia?

If I was on a site that I believed to be in the US or the UK, and I found
myself downloading from a site in Russia, then I might well make that
assumption.

>> I'm not worried about being hacked. I am worried about eroding users'
>> trust in web technology and Firefox in particular because the premiere,
>> leading-edge technology site uses a technology that directs me to an
>> untrusted site without warning or reassurance that they accept
>> responsibility for this redirection.
>
> How do you know we don't trust the admin of the site? Again, because
> it's in Russia?

Well, there is a lot of phishing activity based in Russia. However,
whether or not he is displaying some level of prejudice against Russian
sites isn't really the point. The point is that he doesn't know that you
trust the admin of the Russian site (which I guess you do), or indeed any
of the mirror sites that are linked (unless he happens to have visited the
page which lists the official mirrors and stuff).

Michael Vincent van Rantwijk, MultiZilla

Jun 1, 2007, 9:16:18 AM

And to add one more reason: The copyright laws in Russia are... let's just
say: "Not as good as elsewhere" (ask any musician, who will confirm this
to you).

pcab...@gmail.com

Jun 1, 2007, 10:48:17 AM
On Jun 1, 9:16 am, "Michael Vincent van Rantwijk, MultiZilla"
<mv_van_rantw...@yahoo.com> wrote:
> Michael Lefevre wrote:

Can we cut the Russia thing? The point is it is confusing to click on
a .com site and then get a download from a .ac, .pe, .uk, whatever
site if you don't know about mirrors. An advised user may have been
told about phishing attacks and to check where he gets his stuff
from, but it won't necessarily imply he knows about mirroring.

Could it be possible to show in the download result page (http://
www.mozilla.com/en-US/products/download.html?product=firefox-2.0.0.4&os=win&lang=en-US)
which mirror was selected? Could this page be SSLd? I think this
paranoia comes in the same tone as the recent add-ons update
"spoofability" issue: it can be prevented, why not? Aside from limited
resources of course.

A prettier solution would be Gerv's proposal for link fingerprints
(http://www.gerv.net/security/link-fingerprints/), but I think it will
be years before it gets to IE, which is the main browser used for
Firefox downloads (61% in 2007, according to latest figures).

John J. Barton

Jun 1, 2007, 11:53:31 AM
Gervase Markham wrote:
> John J. Barton wrote:
>> Thanks, but the reason I posted here was to suggest that this is a bad
>> policy for Mozilla or bad technology to use in Firefox. I understand
>> that automating mirror selection for users seems like a good thing.
>> But in these days of phishing attacks, the particular implementation
>> undermines one of the few checks end users have to avoid being hacked.
>
> So end users should assume there has been a hack if they end up
> downloading software from servers in Russia?

In my original post you can read my request that Russian and Spanish
colleagues not take offense at my use of their country domain name in my
example. If the redirect had been to US servers at the 's'-ociety of
'ex'-ploration dot org I would have had the same reaction.

>
>> I'm not worried about being hacked. I am worried about eroding users'
>> trust in web technology and Firefox in particular because the
>> premiere, leading-edge technology site uses a technology that directs
>> me to an untrusted site without warning or reassurance that they
>> accept responsibility for this redirection.
>
> How do you know we don't trust the admin of the site? Again, because
> it's in Russia?

I am not questioning your trust or the quality of your mirrors in Russia,
Spain or elsewhere. I am expressing my surprise at automatic redirection
to download executables given that the download page is largely similar
to other mozilla sites. If the download page had either information
suggesting that it was more controlled than other mozilla sites or that
the links would redirect the user to a site that mozilla.org has
verified, I may not have had the same reaction.

To put it differently: how do I know you do trust the admin of those
sites? how do I know your page is trustworthy?

>
> Gerv

rhe...@gmail.com

Jun 1, 2007, 3:02:39 PM
There are some good suggestions here, filed a bug to track this:
https://bugzilla.mozilla.org/show_bug.cgi?id=382856

Justin Dolske

Jun 2, 2007, 10:38:54 PM
John J. Barton wrote:

> I am not questioning your trust or the quality of your mirrors in Russia,
> Spain or elsewhere. I am expressing my surprise at automatic redirection
> to download executables given that the download page is largely similar
> to other mozilla sites.

I think this is a perfectly valid concern. Malware is common enough
these days such that if someone notices a download coming from an
unexpected site, they're not crazy to be concerned.

One approach to fixing this might be to have Mozilla CNAMEs in DNS, so
that instead of bouncing a request to ftp.mud.elbonia.el, we bounce to
el.mirrors.mozilla.org instead. [We'd want to ensure this doesn't break
any existing trust models about who a *.mozilla.org service is, though.]

It might also be possible to resolve the problem by changing the browser
UI, so that if a download is redirected to another site, the UI either
shows the original URL, or succinctly notes what's happening in a
reassuring way. I'm sure Mozilla isn't the only site with this
"problem", so a more general solution would be a good thing.

[Both of these ideas would need careful exploration to avoid security
issues, but off the top of my head they seem sensible to consider.]

Justin

Tony Mechelynck

Jun 3, 2007, 8:20:16 AM
Justin Dolske wrote:
> John J. Barton wrote:
>
>> I am not questioning your trust or the quality of your mirrors in
>> Russia, Spain or elsewhere. I am expressing my surprise at automatic
>> redirection to download executables given that the download page is
>> largely similar to other mozilla sites.
>
> I think this is a perfectly valid concern. Malware is common enough
> these days such that if someone notices a download coming from an
> unexpected site, they're not crazy to be concerned.
>
> One approach to fixing this might be to have Mozilla CNAMEs in DNS, so
> that instead of bouncing a request to ftp.mud.elbonia.el, we bounce to
> el.mirrors.mozilla.org instead. [We'd want to ensure this doesn't break
> any existing trust models about who a *.mozilla.org service is, though.]

This would mean changing the DNS records for all Mozilla mirrors: the two
primary mirrors nearest me are subdomains of .scarlet.be (an ISP in Belgium)
and .uni-erlangen.de (a university in Germany) because they are dual FTP/HTTP
server space "donated" by these two institutions. It might be a lot of work
(and maybe money) to redefine them (as well as all other mirrors all over the
world) as aliases of <something>.mozilla.org, if it is at all possible.

>
> It might also be possible to resolve the problem by changing the browser
> UI, so that if a download is redirected to another site, the UI either
> shows the original URL, or succinctly notes what's happening in a
> reassuring way. I'm sure Mozilla isn't the only site with this
> "problem", so a more general solution would be a good thing.

That might be a BadThing™ security-wise, because IIUC it would hide phishing
redirects just the same way as Mozilla redirects.

>
> [Both of these ideas would need careful exploration to avoid security
> issues, but off the top of my head they seem sensible to consider.]
>
> Justin

Best regards,
Tony.
--
The software said it requires Windows 95 or better, so I installed Linux.

Gervase Markham

Jun 4, 2007, 5:51:28 AM
Michael Lefevre wrote:
> Well, there is a lot of phishing activity based in Russia. However,
> whether or not he is displaying some level of prejudice against Russian
> sites isn't really the point. The point is that he doesn't know that you
> trust the admin of the Russian site (which I guess you do), or indeed any
> of the mirror sites that are linked (unless he happens to have visited the
> page which lists the official mirrors and stuff)

That makes no sense. I trust the Russian site because I have linked to
it. And if my site has been hacked, then they could have hacked the
official mirrors list as well, so that's no better indicator.

What is your suggested solution? Not having mirrors in Russia? Link
Fingerprints don't help, because you are assuming the webserver has been
hacked anyway, so the fingerprint could have been changed.

Gerv

Gervase Markham

Jun 4, 2007, 5:54:35 AM
John J. Barton wrote:
> In my original post you can read my request that Russian and Spanish
> colleagues not take offense at my use of their country domain name in my
> example. If the redirect had been to US servers at the 's'-ociety of
> 'ex'-ploration dot org I would have had the same reaction.

So on what grounds are you making these seemingly arbitrary decisions
about which sites you think we might be trusting and which sites you
suspect we don't trust?

Either:

a) Our site has not been hacked. In which case, we are linking to people
we trust, and you don't need to worry.

b) Our site has been hacked. In which case, even if it directed you to a
US server at "safe-downloads.com", you'd still be in trouble.

Making this decision based on the location of the server is just wrong.

> To put it differently: how do I know you do trust the admin of those
> sites?

Because we linked to them.

> how do I know your page is trustworthy?

How do you know our website hasn't been hacked? You can't.

Gerv

Gervase Markham

Jun 4, 2007, 5:56:19 AM
Tony Mechelynck wrote:
> This would mean changing the DNS records for all Mozilla mirrors:

No; CNAMEs are aliases. It's just like me deciding to call you "The
Tonester"; it doesn't mean you are no longer called Tony.

>> It might also be possible to resolve the problem by changing the
>> browser UI, so that if a download is redirected to another site, the
>> UI either shows the original URL, or succinctly notes what's happening
>> in a reassuring way. I'm sure Mozilla isn't the only site with this
>> "problem", so a more general solution would be a good thing.
>
> That might be a BadThing™ security-wise, because IIUC it would hide
> phishing redirects just the same way as Mozilla redirects.

I certainly would be very sceptical of any plan to have the browser
display a URL other than the true one. I like the above idea better.

Gerv

Tony Mechelynck

Jun 4, 2007, 8:43:20 AM
Gervase Markham wrote:
> Tony Mechelynck wrote:
>> This would mean changing the DNS records for all Mozilla mirrors:
>
> No; CNAMEs are aliases. It's just like me deciding to call you "The
> Tonester"; it doesn't mean you are no longer called Tony.
[...]

Sorry, I knew about aliases; I meant: creating DNS aliases pointing to each of
the Mozilla mirrors, from subdomains of .mozilla.org.


Best regards,
Tony.
--
His head smashed in, and his heart cut out,
And his liver removed, and his bowels unplugged,
And his nostrils raped, and his bottom burned off,
And his penis split ... and his ...
"Monty Python and the Holy Grail" PYTHON (MONTY) PICTURES LTD

Justin Dolske

Jun 4, 2007, 11:02:52 AM
Gervase Markham wrote:

> I certainly would be very sceptical of any plan to have the browser
> display a URL other than the true one. I like the above idea better.

Me too. :-) But if "original.com" redirects a request to
"alternate.org", there might be value in indicating that in the download
window somehow. I'm thinking security concerns are mitigated because
it's probably already game over if someone can redirect/control a
trusted URL.

Then again, there wouldn't be much point in doing this unless you *only*
showed the original request URL, because a notification like
"http://elbonia.el/firefox.exe redirected from
http://mozilla.com/firefox.exe" would still cause concerned users to
wonder if something might be amiss.

Conclusion: interesting idea, perhaps, but not a great way to fix the
problem. :-)

Justin

Tony Mechelynck

Jun 4, 2007, 11:16:00 AM

Maybe a warning on the download page that they may be taken to a mirror site,
with a link to http://www.mozilla.org/mirrors.html where all the worldwide
mirrors are listed?


Best regards,
Tony.
--
The greatest lies of all time:
(1) The check is in the mail.
(2) We have a really challenging assignment for you.
(3) I love you.
(4) That bug has been fixed.
(5) This won't hurt a bit.
(6) The Mercedes is paid for.
(7) I have just sent you an e-mail about that.
(8) Of course I'll respect you in the morning.
(9) I'm from the government, and I'm here to help you.

Gavin Sharp

Jun 4, 2007, 11:32:24 AM
to Gervase Markham, dev-apps...@lists.mozilla.org
On 6/4/07, Gervase Markham <ge...@mozilla.org> wrote:
>
> John J. Barton wrote:
> > In my original post you can read my request that Russian and Spanish
> > colleagues not take offense at my use of their country domain name in my
> > example. If the redirect had been to US servers at the 's'-ociety of
> > 'ex'-ploration dot org I would have had the same reaction.
>
> So on what grounds are you making these seemingly arbitrary decisions
> about which sites you think we might be trusting and which sites you
> suspect we don't trust?


The problem that John is pointing out is that some people may be surprised
to see us link to sites they would consider untrustworthy, for whatever
reason. Whether these people's concerns are technically valid or not isn't
really the point - if we're doing something that could potentially confuse
people downloading our software, it makes sense to consider ways to avoid
the confusion.

Gavin

John J. Barton

Jun 4, 2007, 11:39:24 AM
Gervase Markham wrote:
> John J. Barton wrote:
>> In my original post you can read my request that Russian and Spanish
>> colleagues not take offense at my use of their country domain name in
>> my example. If the redirect had been to US servers at the 's'-ociety
>> of 'ex'-ploration dot org I would have had the same reaction.
>
> So on what grounds are you making these seemingly arbitrary decisions
> about which sites you think we might be trusting and which sites you
> suspect we don't trust?
>
> Either:
>
> a) Our site has not been hacked. In which case, we are linking to people
> we trust, and you don't need to worry.
>
> b) Our site has been hacked. In which case, even if it directed you to a
> US server at "safe-downloads.com", you'd still be in trouble.

But the case we are discussing was neither of these. Rather the case was:
c) I know other mozilla sites have had trouble in the past and I was
silently redirected to a domain I have no past good experience with.

>
> Making this decision based on the location of the server is just wrong.

The domain name of the server is one of many factors users have to
consider in making judgments online. I agree that relying solely on
domain name is unwise, but it has been historically valuable and remains
so today.

>
>> To put it differently: how do I know you do trust the admin of those
>> sites?
>
> Because we linked to them.
>
>> how do I know your page is trustworthy?
>
> How do you know our website hasn't been hacked? You can't.

True, I can't invoke a proof to know your site has not been hacked or
vice versa. Lacking perfection I have to go on experience and multiple
clues. Two important clues are "was this download page prepared with
extra care" and "do they control the server they are using for download
traffic". I'm not claiming these are foolproof or even especially
good. It's just all I have to go on.

>
> Gerv

Justin Dolske

Jun 4, 2007, 7:25:12 PM
Tony Mechelynck wrote:

> Maybe a warning on the download page that they may be taken to a mirror
> site, with a link to http://www.mozilla.org/mirrors.html where all the
> worldwide mirrors are listed?

Perhaps, but I think a solution that just avoids the problem to begin
with would be better.

Justin

Gervase Markham

Jun 5, 2007, 5:41:31 AM
Gavin Sharp wrote:
> The problem that John is pointing out is that some people may be surprised
> to see us link to sites they would consider untrustworthy, for whatever
> reason. Whether these people's concerns are technically valid or not isn't
> really the point

Well, it is. How do we deal with the Chinese guy who doesn't trust
American websites? And if you think that's impossible, aren't you just
being culturally imperialist?

> - if we're doing something that could potentially confuse
> people downloading our software, it makes sense to consider ways to avoid
> the confusion.

I agree with that. I think giving all our mirrors aliases of the form
uk.mirrors.mozilla.org is a wise idea.

Gerv

Gervase Markham

Jun 5, 2007, 5:42:40 AM
John J. Barton wrote:
> But the case we are discussing was neither of these. Rather the case was:
> c) I know other mozilla sites have had trouble in the past

Really, which? I don't recall us ever having problems with trojaned
downloads.

> and I was
> silently redirected to a domain I have no past good experience with.

Which is true of the vast majority of domains in the world, presumably?

Gerv

dolphinling

Jun 5, 2007, 7:59:33 AM
Gervase Markham wrote:
> John J. Barton wrote:
>> But the case we are discussing was neither of these. Rather the case was:
>> c) I know other mozilla sites have had trouble in the past
>
> Really, which? I don't recall us ever having problems with trojaned
> downloads.

There was a contributed build that did once, a localization. IIRC it was Korean
(could be wrong though). But that was served off a mozilla.org server, not a mirror.

--
dolphinling
<http://dolphinling.net/>

Mike Shaver

Jun 5, 2007, 8:42:45 AM
to dolphinling, dev-apps...@lists.mozilla.org

I don't believe there was a trojaned download in that case either, nor
a "site that had trouble" in any way related to the issue at hand, but
that shouldn't stop you from adding more noise to the conversation. :)

Mike

Justin Dolske

Jun 5, 2007, 11:46:07 PM
Gervase Markham wrote:

> Well, it is. How do we deal with the Chinese guy who doesn't trust
> American websites? And if you think that's impossible, aren't you just
> being culturally imperialist?

I think this is just a special case of the more general problem: If a
user goes to SiteA.com and then starts getting stuff from SiteB.com,
there's a potential for confusion and even concern. In that context,
quibbling over the nationalities (or other attributes) of the sites
in question isn't terribly productive, as it would be better to just fix
the root problem.

Justin

John J. Barton

Jun 6, 2007, 1:42:52 AM
Gervase Markham wrote:
> John J. Barton wrote:
>> But the case we are discussing was neither of these. Rather the case was:
>> c) I know other mozilla sites have had trouble in the past
>
> Really, which? I don't recall us ever having problems with trojaned
> downloads.

From Eric Shepherd, Developer Documentation Lead, Mozilla Corporation
on mozilla.dev.mdc, 4/11/2007 1:04 PM:
>Account creation has been disabled temporarily due to the vandalism
>that's been occurring for the last couple of days. ...

>
>> and I was silently redirected to a domain I have no past good
>> experience with.
>
> Which is true of the vast majority of domains in the world, presumably?

I have downloaded from many sites for Linux, eclipse, svn, apache, and
so on. As far as I remember, none of these sites has silently
redirected. They all host or provide a list of mirrors or have
auxiliary information about the download site. There are also sites that
I will not download from because of information I have read online about
issues on that site.

I hope this information is useful.
John.

>
> Gerv

Gervase Markham

Jun 6, 2007, 5:51:48 AM
John J. Barton wrote:
> From Eric Shepherd, Developer Documentation Lead, Mozilla Corporation
> on mozilla.dev.mdc, 4/11/2007 1:04 PM:
> >Account creation has been disabled temporarily due to the vandalism
> >that's been occurring for the last couple of days. ...

That is _so_ not the same thing.

Gerv

Michael Lefevre

Jun 6, 2007, 7:44:31 AM
On 2007-06-05, Gervase Markham <ge...@mozilla.org> wrote:
> Gavin Sharp wrote:
>> The problem that John is pointing out is that some people may be surprised
>> to see us link to sites they would consider untrustworthy, for whatever
>> reason. Whether these people's concerns are technically valid or not isn't
>> really the point
>
> Well, it is.

It may be a point, but it's not a point which it's useful to address.

> How do we deal with the Chinese guy who doesn't trust American websites?

By giving him a site in Chinese at mozilla.org.cn, and then having the
download page there not redirect him to a .com or .ru or something else
(and I just tried being that Chinese guy, and got redirected from
mozilla.org.cn via mozilla.com to netscape.com)

>> - if we're doing something that could potentially confuse
>> people downloading our software, it makes sense to consider ways to avoid
>> the confusion.
>
> I agree with that. I think giving all our mirrors aliases of the form
> uk.mirrors.mozilla.org is a wise idea.

That would be good. However, I don't think you could do this only from
Mozilla's end - each mirror server will probably need to know about its
alias, so it doesn't get confused by clients sending it a URL with a
hostname it doesn't recognise. Getting that done for every mirror may be a
challenge (but the IT people would know better...)

--
Michael
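As an added illustration of Michael's caveat, not configuration from the thread or from any real mirror: this is what the mirror side of Gerv's uk.mirrors.mozilla.org-style alias needs in an Apache name-based virtual host, using Justin's hypothetical names ftp.mud.elbonia.el and el.mirrors.mozilla.org; the CNAME record, the DocumentRoot path and the use of Apache are assumptions.

```apacheconf
# Mirror-side virtual host for the hypothetical donated server
# ftp.mud.elbonia.el. Mozilla's zone would carry, roughly:
#   el.mirrors.mozilla.org.  IN  CNAME  ftp.mud.elbonia.el.
# The CNAME only maps the alias to this server's address. The browser then
# sends "Host: el.mirrors.mozilla.org", and name-based virtual hosting picks
# the vhost by that header; without the ServerAlias below such requests fall
# to whichever vhost Apache lists first, which need not be the mirror tree.
<VirtualHost *:80>
    ServerName ftp.mud.elbonia.el
    # The alias Mozilla published; one entry per alias this mirror agrees to.
    ServerAlias el.mirrors.mozilla.org
    # Build self-referential URLs (directory listings, trailing-slash
    # redirects) from the name the client used, so the user keeps seeing the
    # mozilla.org alias instead of being bounced back to the donor's name.
    UseCanonicalName Off
    DocumentRoot /srv/mirror/mozilla.org
</VirtualHost>
```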

Justin Dolske

Jun 7, 2007, 6:01:39 PM
Michael Lefevre wrote:

>> How do we deal with the Chinese guy who doesn't trust American websites?
>
> By giving him a site in Chinese at mozilla.org.cn, and then having the
> download page there not redirect him to a .com or .ru or something else

This is a huge rathole that just doesn't have a realistic technical
solution. Is someone supposed to create (and maintain) a mapping of what
mirror site names are "trustworthy" for every TLD or IP block in
existence? Where do we send the German guy downloading while in Spain?
When the rebels in Elbonia declare independence, do we monitor the
political situation and create new "trustworthy" mirrors?

Ugh.

The only thing we know is that a user clicked a link to the mozilla.com
download redirector. Sending them to any other DNS location fails to
address the original issue.

Justin

Justin Dolske

Jun 7, 2007, 6:09:07 PM
Gervase Markham wrote:

> I agree with that. I think giving all our mirrors aliases of the form
> uk.mirrors.mozilla.org is a wise idea.

After the Amsterdam colo was brought up, mrz mentioned that the geo
loadbalancing was actually sending visitors from some east coast US
locations to Europe, because it was a faster route than to the
California colo. I don't think that affects how download mirrors are
chosen (yet?), but that might imply mirror aliases should just be
generically named...

But at this point I think we have some well-overengineered ideas,
anything involving a Mozilla DNS alias would be "good enough". :-)

Justin
