IT keeps warning users to be cautious and not open attachments from unknown senders, for example. But users keep on doing it. Are users just dumb, as some experts say?
Users are not dumb. I get upset when I hear that. They're trying to accomplish a task. If the security interface gets in the way, or if the security interface isn't easy to understand, they're going to go around it, whether it's clicking through a certificate warning or trying to follow an e-mail link that says your bank account is going to be frozen if you don't confirm your personal information details on this page. For all these things, the user is trying to accomplish a task. The attacker has created a sense of urgency. The easiest thing in front of them is to click on the link right in front of them.
What needs to be done about it?
We can build mechanisms into browsers and e-mail software that will mitigate users being hurt by these attacks. Firefox 3 has antiphishing and antimalware mechanisms that identify that a site has malware on it and blocks the user from visiting it. Currently, it just throws up a UI [user interface] that is pretty hard to confuse that something serious has happened here. The UI will change until the product ships, but it will make it clear that this is a site that has malware on it, and it doesn't let you click through. It's not done until it ships, so it might look different in the final version. It depends on the feedback from the beta and from the community.
What change in Firefox 3 are you the most excited about?
I'm pretty excited about the malware-protection feature. And this is not a feature that users can feel. There's a lot of security work that goes in under the hood. Anytime you rewrite a piece of software with the security knowledge you have in 2007 compared to the knowledge you had in 2005 or 2006, it's going to be a stronger piece of software because you know more. Different threats have emerged, and [there are] different mechanisms for protecting them. A lot of memory management stuff has changed. That will be a pretty significant enhancement to overall security. A lot of security issues are memory management issues. Anything that mitigates those is a benefit to the entire application, as opposed to a single feature.
Last year, you had to deal with some bugs in the Firefox protocol handler. What did you learn from that whole experience?
One of the most interesting trends in application security is the interaction between multiple applications. We saw some of that this summer with the URI [Uniform Resource Identifier] issues. We saw that with Safari to Firefox, and IE to Firefox, and IE to Outlook and multiple applications. The URI stuff is just an example of a larger trend -- interactions between multiple applications and vulnerabilities between them. It creates a situation where both vendors need to put protection in place to keep it from happening.