Mozilla pushes security in Firefox 3.0

Mozilla pushes security in Firefox 3.0

Mozilla's next update to Firefox will sport several new safer surfing features, the company's chief of security said Wednesday, but users won't see the most important changes.

On track and expected to make it into the final version of Firefox 3.0 when it ships later this year is a tool that would automatically block sites suspected of harboring malware. The Web browser will also offer support for the extended validation Secure Sockets Layer (EV SSL) certificates, said Window Snyder, Mozilla's chief security officer.

The malware blocker, which relies on site blacklists generated by Google, has been publicly debated by Mozilla and Google developers, with mock-ups of the on-screen warnings debuting in early June. Then, Snyder refused to get specific about the feature, saying there was no guarantee the tool would be wrapped up in time to add to Firefox 3.0.

Things are different now; the site blocker is currently a go.

"We wanted to make sure that it's obviously not a security notification that they can ignore," Snyder said, describing how the warnings will work. "The [user interface] makes it clear that this [site] is dangerous. And it does not give the user a click-through," Snyder said. In other words, users will be able to back out of the attempt to reach the potentially malicious site but won't be able to simply accept the warning and continue on.

"Nothing's ever done until it ships," Snyder cautioned, hinting that changes are still possible, or if necessary, the tool might still be ditched.

The other feature set for Firefox 3.0 offers support for the new EV certificates now used by a few of the largest online retailers, banks and financial institutions. Those certificates, which in Microsoft's Internet Explorer (IE) browser trigger a color change in the address bar to green, require more extensive background checks of the buyer by the issuing authority to guarantee that they're given only to trustworthy sites. One of the first sites to use EV certificates was that of PayPal.

But rather than color-code something in Firefox, the open-source browser will display an agent-like character dubbed "Larry" when it reaches a domain equipped with an EV. The indicator, she said, resembles the international symbol for immigration seen at airports: an iconic image of an official holding up a passport. "We think that makes a more visual statement about identity rather than security," said Snyder. "All we're trying to say is that we have a level of confidence about the identity of the site, not that it's free of threats."

Part of the reason why Mozilla is uncomfortable doing more than noting the enhanced identity of such as site is that the standard SSL padlock now means more than it should, Snyder said. "What it's come to mean is that everything is secure, but it's become an overburdened symbol," she said.

Virtually all the other changes to Firefox 3.0 on the security side are "under the hood" of the browser, she continued. "They'll be less apparent to the users, but they will impact them," Snyder said.

For the largest part, this back-end work on Firefox has been in making the code itself more secure. Like the Security Development Lifecycle (SDL) initiative within Microsoft to systematically create more secure code, Mozilla's unnamed effort has involved seeking out vulnerabilities before the software ships.

"I really believe in defense in depth," Snyder said, referring to in-house research on Firefox's code. "All the [security] features in the world won't help you if the code's not secure."

Snyder said that much of her time since joining Mozilla last September has been spent on improving the security of the Firefox code, with a major effort on creating penetration-testing tools developers can use to spot flaws before the application leaves the house. Mozilla used various "fuzzers," tools that automate some vulnerability detection processes, and has found dozens of bugs with just one, a JavaScript fuzzer that Mozilla released last week to the open-source community at the Black Hat security conference.

Putting tools like that in the hands of anyone should mean more secure code for everyone, said Snyder. She said that as Mozilla's point person on security, she is convinced that it's a way to get the biggest bang for buck. "If these tools are broadly distributed, they could help smaller environments develop strong code," Snyder said. "They can help make everyone safer."

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld

Comments

Comments are now closed.

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?