Mozilla pushes security in Firefox 3.0

Mozilla pushes security in Firefox 3.0

Mozilla's next update to Firefox will sport several new safer surfing features, the company's chief of security said Wednesday, but users won't see the most important changes.

On track and expected to make it into the final version of Firefox 3.0 when it ships later this year is a tool that would automatically block sites suspected of harboring malware. The Web browser will also offer support for the extended validation Secure Sockets Layer (EV SSL) certificates, said Window Snyder, Mozilla's chief security officer.

The malware blocker, which relies on site blacklists generated by Google, has been publicly debated by Mozilla and Google developers, with mock-ups of the on-screen warnings debuting in early June. Then, Snyder refused to get specific about the feature, saying there was no guarantee the tool would be wrapped up in time to add to Firefox 3.0.

Things are different now; the site blocker is currently a go.

"We wanted to make sure that it's obviously not a security notification that they can ignore," Snyder said, describing how the warnings will work. "The [user interface] makes it clear that this [site] is dangerous. And it does not give the user a click-through," Snyder said. In other words, users will be able to back out of the attempt to reach the potentially malicious site but won't be able to simply accept the warning and continue on.

"Nothing's ever done until it ships," Snyder cautioned, hinting that changes are still possible, or if necessary, the tool might still be ditched.

The other feature set for Firefox 3.0 offers support for the new EV certificates now used by a few of the largest online retailers, banks and financial institutions. Those certificates, which in Microsoft's Internet Explorer (IE) browser trigger a color change in the address bar to green, require more extensive background checks of the buyer by the issuing authority to guarantee that they're given only to trustworthy sites. One of the first sites to use EV certificates was that of PayPal.

But rather than color-code something in Firefox, the open-source browser will display an agent-like character dubbed "Larry" when it reaches a domain equipped with an EV. The indicator, she said, resembles the international symbol for immigration seen at airports: an iconic image of an official holding up a passport. "We think that makes a more visual statement about identity rather than security," said Snyder. "All we're trying to say is that we have a level of confidence about the identity of the site, not that it's free of threats."

Part of the reason why Mozilla is uncomfortable doing more than noting the enhanced identity of such as site is that the standard SSL padlock now means more than it should, Snyder said. "What it's come to mean is that everything is secure, but it's become an overburdened symbol," she said.

Virtually all the other changes to Firefox 3.0 on the security side are "under the hood" of the browser, she continued. "They'll be less apparent to the users, but they will impact them," Snyder said.

For the largest part, this back-end work on Firefox has been in making the code itself more secure. Like the Security Development Lifecycle (SDL) initiative within Microsoft to systematically create more secure code, Mozilla's unnamed effort has involved seeking out vulnerabilities before the software ships.

"I really believe in defense in depth," Snyder said, referring to in-house research on Firefox's code. "All the [security] features in the world won't help you if the code's not secure."

Snyder said that much of her time since joining Mozilla last September has been spent on improving the security of the Firefox code, with a major effort on creating penetration-testing tools developers can use to spot flaws before the application leaves the house. Mozilla used various "fuzzers," tools that automate some vulnerability detection processes, and has found dozens of bugs with just one, a JavaScript fuzzer that Mozilla released last week to the open-source community at the Black Hat security conference.

Putting tools like that in the hands of anyone should mean more secure code for everyone, said Snyder. She said that as Mozilla's point person on security, she is convinced that it's a way to get the biggest bang for buck. "If these tools are broadly distributed, they could help smaller environments develop strong code," Snyder said. "They can help make everyone safer."

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?