Mozilla promises big security strides in the upcoming release of Firefox 3, including access to Google's database of malware-laced Web sites and a warning system that will alert users who are about to visit them. IT security professionals who have experimented with the latest beta say tweaks are needed but that the overall changes look promising.
In an interview with SearchSecurity.com, Mozilla vice president of engineering Mike Schroepfer said one of the main goals behind Firefox 3 was to bolster security in a browser many already consider a safer alternative to Microsoft's much-attacked Internet Explorer. Essentially, the plan was to give Firefox the ability to save users from themselves.
"A big initiative was to give users more information about the Web site they are visiting," he said. "Does the site have an extended validation ticket and does it have a history of hosting malware? The goal is to better explain to the user where they are going and what the risks are, and to help them make rational choices."
Firefox 3 Beta 1 was released for testing purposes late last month. On its Firefox 3 beta release notes page, Mozilla describes the following security improvements:
One-click site info: Click the site favicon in the location bar to see who owns the site; identity verification is prominently displayed and easier to understand. In later versions, extended validation SSL certificate information will be displayed.
Malware protection: Embedded malware protection will warn users when they arrive at sites known to install viruses, spyware, Trojans and other malware.
New Web forgery protection page: The content of pages suspected as Web forgeries is no longer shown.
New SSL error pages: Clearer and stricter error pages are used when Firefox encounters an invalid SSL certificate.
Add-ons and plug-in version check: Firefox will now automatically check add-on and plug-in versions and will disable older, insecure versions.
Secure add-on updates: To improve add-on update security, add-ons that provide updates in an insecure manner will be disabled.
Antivirus integration: Firefox will inform antivirus software when downloading executables.
Vista parental controls: Firefox will respect the Vista system-wide parental control setting for disabling file downloads.
Dave Lewis, an Ontario-based IT security officer and keeper of the Liquidmatrix security blog, said after some initial beta testing that the overall product looks promising, though there appears to be room for more improvement.
Some of the features he immediately identified as a plus included the lockdown feature for add-ons, so that they can't be installed if they come from an untrusted source. He said the integration of the download manager with antivirus software is a welcome touch as well.
"The only part that I'm a little skittish on is the browser history portion," Lewis said in an email exchange. "Is this information safe from prying eyes such as Google? Or can this be indexed to drive advertising? This is something I will have to look into."
Todd Towles, an Austin-based information security consultant and penetration tester, said in an email exchange that the malware and phishing protection enhancements are sure to save more than a couple of Firefox's less technically savvy users, while still giving its highly technical users the option to disable the features, which may be necessary for a security professional to conduct an application security assessment.
Of the anti-malware integration, he said, "It's a nice feature and appears to work, but it caused my NOD32 v2.7 to scan a test .exe file twice -- once with the Office Document module and once with the Internet monitor module."
Schroepfer expects Beta 2 to be out by month's end with some additional user interface improvements. A third beta will be released around February before the browser is officially released sometime in 2008. More than half a million copies of the first beta had been downloaded as of Dec. 1, he said.