Mozilla Corp.'s next update to Firefox will sport several new safer surfing features, the company's chief of security said Wednesday, but users won't see the most important changes.
On track and expected to make it into the final version of Firefox 3.0 when it ships later this year is a tool that would automatically block sites suspected of harboring malware. The Web browser will also offer support for the extended validation Secure Sockets Layer (EV SSL) certificates, said Window Snyder, Mozilla's chief security officer.
The malware blocker, which relies on site blacklists generated by Google Inc., has been publicly debated by Mozilla and Google developers, with mock-ups of the on-screen warnings debuting in early June. Then, Snyder refused to get specific about the feature, saying there was no guarantee the tool would be wrapped up in time to add to Firefox 3.0.
Things are different now; the site blocker is currently a go.
"We wanted to make sure that it's obviously not a security notification that they can ignore," Snyder said, describing how the warnings will work. "The [user interface] makes it clear that this [site] is dangerous. And it does not give the user a click-through," Snyder said. In other words, users will be able to back out of the attempt to reach the potentially malicious site but won't be able to simply accept the warning and continue on.
"Nothing's ever done until it ships," Snyder cautioned, hinting that changes are still possible, or if necessary, the tool might still be ditched.
The other feature set for Firefox 3.0 offers support for the new EV certificates now used by a few of the largest online retailers, banks and financial institutions. Those certificates, which in Microsoft Corp.'s Internet Explorer (IE) browser trigger a color change in the address bar to green, require more extensive background checks of the buyer by the issuing authority to guarantee that they're given only to trustworthy sites. One of the first sites to use EV certificates was that of PayPal Inc.
But rather than color-code something in Firefox, the open-source browser will display an agent-like character dubbed "Larry" when it reaches a domain equipped with an EV. The indicator, she said, resembles the international symbol for immigration seen at airports: an iconic image of an official holding up a passport. "We think that makes a more visual statement about identity rather than security," said Snyder. "All we're trying to say is that we have a level of confidence about the identity of the site, not that it's free of threats."
Part of the reason why Mozilla is uncomfortable doing more than noting the enhanced identity of such as site is that the standard SSL padlock now means more than it should, Snyder said. "What it's come to mean is that everything is secure, but it's become an overburdened symbol," she said.
Virtually all the other changes to Firefox 3.0 on the security side are "under the hood" of the browser, she continued. "They'll be less apparent to the users, but they will impact them," Snyder said.
For the largest part, this back-end work on Firefox has been in making the code itself more secure. Like the Security Development Lifecycle (SDL) initiative within Microsoft to systematically create more secure code, Mozilla's unnamed effort has involved seeking out vulnerabilities before the software ships.
"I really believe in defense in depth," Snyder said, referring to in-house research on Firefox's code. "All the [security] features in the world won't help you if the code's not secure."
Snyder said that much of her time since joining Mozilla last September has been spent on improving the security of the Firefox code, with a major effort on creating penetration-testing tools developers can use to spot flaws before the application leaves the house. Mozilla used various "fuzzers," tools that automate some vulnerability detection processes, and has found dozens of bugs with just one, a JavaScript fuzzer that Mozilla released last week to the open-source community at the Black Hat security conference.
Putting tools like that in the hands of anyone should mean more secure code for everyone, said Snyder. She said that as Mozilla's point person on security, she is convinced that it's a way to get the biggest bang for buck. "If these tools are broadly distributed, they could help smaller environments develop strong code," Snyder said. "They can help make everyone safer."