Mozilla raises Firefox security bar

Touts anti-malware site blocker, 'holistic' security as key additions to Firefox 3.0

Firefox 3.0's new anti-malware blocker, a tool that prevents some malicious pages from loading, is the browser upgrade's most important new security feature, Mozilla's head of engineering said.

Officially dubbed Malware Protection, the tool warns users when they steer Firefox to sites that are known to install viruses, spyware, Trojan horses and other malicious code. When a user tries to reach a site on the banned list, a large red warning appears in lieu of the page. The warning says that the intended destination, "has been reported as an attack site and has been blocked based on your security preferences." A button labeled "Get me out of here!" returns Firefox to the browser's home page.

"Anti-malware is an evolution of Firefox 2.0's anti-phishing," said Mike Schroepfer, Mozilla's vice president of engineering, who said it was his first pick as Firefox 3.0's most important security addition. "This is part of our active defenses," he said.

"It's actually quite difficult to do this kind of checking well," Schroepfer said. "You have to stop a page load before it happens. And you have to be conscious of performance because the browser is doing extra work." Firefox 3.0, he said, runs its checks "without impacting performance at all."

Like the anti-phishing blocker found in Firefox 2.0, the anti-malware tool relies on a list generated by Google, the search company that provides most of Mozilla's revenues. Firefox 3.0 users can choose to have the browser either download an updated blacklist daily, or query Google in real time for each page it tries to pull up.

"It's based on a blacklist," confirmed Schroepfer. "We're pulling that data similarly to anti-phishing, checking the site against that [black]list and then putting up the malware warning if necessary."

The blacklist originates with the tests Google runs on sites it crawls for its search index. Some of the criteria Google users to finger a site as dangerous -- and deserving a spot on the blacklist -- are based on findings by StopBadware.org, a group created by Google, Chinese computer maker Lenovo and Sun Microsystems. Google's made it clear, however, that it also applies its own criteria and procedures, and relies on its own tools to spot sites that host or distribute malware.

Firefox's anti-malware tool first made news, when developers posted information on the feature in Bugzilla, the management system Mozilla uses to track changes in its software. At the time, Window Snyder, Mozilla's chief security officer, refused to commit to getting the tool into Firefox 3.0. By September, however, the anti-malware blocker had been added to one of the Firefox 3.0 alpha builds.

Other security improvements in Firefox 3.0, said Schroepfer, include additional clues about where the browser is really pointed. Touted as "one-click site info" in the Beta 3 release notes, the feature lets users see the true owner of the site and whether the connection is encrypted when they click on the "favicon," the icon at the far left of the address bar. Firefox also supports Extended Validation (EV) SSL certificates, and shows sites using the souped up EVs by turning the favicon section of the bar green.

But as he ticked off Firefox 3.0's security enhancements, Schroepfer also claimed that Firefox was more secure than its rivals, new features or not.

"We're one of the fastest to patch," he said, "and we patch even when the bug is not in our software, but [also] when we can mitigate [the problem] by patching around the issue."

As examples of the latter, he cited instances last year when Mozilla updated Firefox to secure the browser against what it then argued was a bug in Microsoft Windows. In October 2007, as it patched Windows XP and Server 2003, Microsoft acknowledged that some of the summer's protocol handler vulnerabilities, including one that Mozilla patched in late July with Firefox 2.0.0.6, were actually its responsibility.

Schroepfer also trumpeted Mozilla's attention to software updates as a security plus. The open-source browser has long checked for its own updates, and for updates to any extensions, or add-ons, that the user has installed. But in Firefox 3.0, it also checks for updates to installed plug-ins, such as those for QuickTime, Java, Flash and other technologies. (As of Beta 3, the button marked "Find Updates" is grayed out and cannot be clicked, however.)

"One of the biggest security problems users face is running old [and insecure] versions of plug-ins," said Schroepfer. When the feature's enabled -- Schroepfer wasn't available late today to answer questions about that timing -- Firefox will check at least once a day for its own updates, as well as those for any installed themes, extensions and plug-ins.

"I think we're holistic," said Schroepfer in describing the newest beta's security strategy. "You have to look at [security] with an integrated approach."

Firefox 3.0 Beta 3 can be downloaded for Windows, Mac OS X and Linux in 32 languages from Mozilla's site.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld

Comments

Comments are now closed.

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?