Mozilla security chief on Firefox improvementsDate: Aug 21, 2009
Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies. To suggest a transcript correction, contact firstname.lastname@example.org.
Mozilla security chief on Firefox improvements
Johnathan Nightingale: Firefox 3.5 came out about a month ago, and one of the things I'm really excited about is we've added a bunch of privacy features to the browser. So, you know, when we look at how people are using the Web, it's always helpful for them if the browser remembers more about what you've done, right? If the browser remembers where you've been, it can load pages faster, because it can use the cache, it can suggest sites that you want to get back to. But the problem is, as we start to accumulate all that information, we want to make sure that users have an ability to control it, and understand it.
One big piece of that was in Firefox 3.5 we introduced private browsing mode. So, in private browsing mode, you know, you're doing your regular work, you decide you want to do some stuff, maybe you're going to shop for an engagement ring, or something, and you'd rather not leave a record of that. So, you just go to the tools menu, you say 'start private browsing', all your old work goes away, that will come back when you're done.
But, now you are in a session where everything you do will be forgotten, so nothing will hit the desk. We won't remember your history, we won't remember any cookies, or anything like that. So, it's all private. Now, we've seen this in some other browsers. But one of the limitations you always run into, with private browsing mode is that it's asking the user to know ahead of time, right? The only way private browsing mode works is if you know ahead of time you are about to do some stuff that you're going to want not recorded. A lot of the time, when you talk to people using the Web, it's after the fact that they think to themselves, "Boy, I wish I could just make the last hour not exist anymore."
So, Firefox 3.5 also has a clear recent history feature. It's really simple. So, you are using your Web browser, you decide there is some stuff that you'd like to forget, you go to the tools menu and say, 'clear recent history' and it asks one question, which is, "How much do you want to forget? The last hour, the last four hours, the last day?" Right? It'll wipe everything if you want it to. But, the point is, you get some control, over how we store that information. We can take care of all the back-end. You don't need to remember to clear your cookies, and your cache, and all of these 27 things. We built the browser. So, if you tell us you want to forget the last hour, that's what we'll do. To sort of round that out, sometimes the thing you want to forget, the privacy that you want to control, is about your visits to a particular site.
It's not about a period of time. In Firefox 3.5, you can also go into your history. You can right click on a site, maybe your company says they don't want you visiting YouTube at work or something; you can right click on that, and say, "Forget about this site." Again, we'll just go through everything, and blow it away, no saved passwords, no history entries, no cache. That's one thing we really pushed on in 3.5, was making sure our users were in control of their data.
Interviewer: It seems to be a conscious decision internally; you can confirm or not, you know. To make it a very straightforward process for the user, there's no geek speak in there. Can you talk about that whole interaction internally?
Johnathan Nightingale: Yeah, exactly. That's really close to my heart. We're here at Black Hat, which is full of people who are very technologically savvy, and who can understand all the technical details. Firefox has 300 million users. It's not really fair to ask them all, to understand all of these details, and keep track of the changing landscape of technology. If the next version has an additional piece of information, that browsers can keep track of, they all need to remember to check that as well, if they want to maintain their privacy. It's not really fair to them. We can create a much nicer experience, because we know the underlying technology. Instead, we give you these tools that are really straightforward. Because, as you say, we don't need them to understand the details. They know what their privacy feelings are, and what they want to protect, so we should just make that as straightforward, as possible. That's what try we do.
Interviewer: What else is in the security queue right now, that maybe just didn't quite make the cut for 3.5?
Johnathan Nightingale: Right, right. We've got a couple of research projects, that we've been writing about on our blog, and I can send you the links. One of them is a thing called, 'Content Security Policy'. When you talk to Web sites, I mean, if you're paying any attention on the Web, you see that user generated content is everywhere, right? Everybody wants to make it easier for the people visiting their website, to contribute pictures, and posts, and comments, and things like that.
But, a lot of these sites are having continued problems with cross-side scripting attacks. Where bad people will be inserting content into the page to steal passwords, or to deface the website, or whatever. The Web developers can keep trying to stay ahead of that, and keep trying to defend against the new way of injecting that code.
With 'Content Security Policy,' what we're building is a way for a website to say to us; you know, we download the page; and one of the headers will be a policy that says, "Here's a page, all the content is going to come from my site, or maybe, this one other site."
One of the things we're really excited about is that we blogged about it, we put some of the specs up there for people to start playing with. We've been working on our own implementation, as well. We've started to see interest from some other browsers, too. Our hope is that this is something we can really collaborate on, and that we can just give to web authors in general, to say, "Look, let's modernize the Web browser. Let's get to the point where we can help you defend your website."
Interviewer: The development process has it's core, like super user, super developer, that kind of, controls what goes into the tree. Can you talk a little bit about the whole contribution process, and how it's changed in the last year or so, if it has at all? What are you guys getting from the community as a whole, outside of your core niche?
Johnathan Nightingale: Right, a huge amount from the community. I mean, in Firefox 3.5, I think, something like 40% of our code came from outside contributions. You know, you can talk about the core, you can talk about the people employed to work on this. That's a luxury that some of us have. But, we could not ship Firefox without our community. As you say, an important part of that is acting as bit of a gatekeeper, to make sure that all of these people can come in, and contribute, and be part of the project. That's really healthy, and we love that. But, at the same time, keep the standards of code quality very high. So, we've got several processes in place there. I don't want to get into too much technical detail, but we have a review and super review process, right? So, anybody who comes in they can say, "Look, I've got this great patch, it's going to fix five bugs. Here it is." That can't land in the tree. Not until experienced members of the development community, the sort of core community that you are talking about have looked it over. Not only for security vulnerabilities, but also for performance issues, or code correctness issues. Often a patch will go through many iterations of, here's an updated patch, here's some more review comments. So, once those reviews are intact, if it gets landed into the tree, one of the other pieces that helps defend us, especially long term, is that we've got a real focus on unit testing.
We run, I think, about 110,000 automated tests, right now. We run them 20 times a day, on 4 supported platforms just constantly. Anytime code is checked in, it immediately goes to the testing queue. Those tests, not only make sure that we don't regress things we've already fixed, but they also protect our features. If we introduce some security fix that harms a feature, that somehow slipped through the review process, the tests catch it instantly. We back things out, we reevaluate, and make sure that the code that lands is not only secure, but also, sort of, stable in performance.
Interviewer: I'd like a little about the interaction that you have with community. What kind of push-back, what kind of feedback do hear on the automatic updates? I mean, they aren't necessarily, silent updates, but they do happen without much advanced notice. Do you hear a lot back from the community, for or against?
Johnathan Nightingale: That's an interesting question. For one thing, there are two kinds of updates. There are minor updates, that we release periodically. Just security, and stability updates to fix crashes that may have emerged in weird situations. Those ones we tell you about, and certainly, you have the option to turn them off. But, we hope most people don't. Because we are very conservative about what goes in there. We won't break your add-ons in a minor update, for instance. We'll make sure, that it's strictly about stability and security, fixing any issues that may have cropped up.
Then, the second kind of update is a major update, which is when we move from, say, Firefox 3.0 to Firefox 3.5. Now, we maintain the old versions of Firefox for a period of time, after a new version is released, to make sure people have some transition time. But, when those major update offers are given, that's not automatic. We'll prompt you, and we'll say, "There's a new version of Firefox. It's faster, it's safer, it's got these new features. We'd like you to move to it." Because, long-term, we want everybody to have the most modern experience. It also makes it more straightforward, for us, to make sure they keep getting those security updates.
But, those ones are never automatic, because it may be that you're in a situation, where it's going to take you some time, before you can be ready to make that migration. There's an add-on that you depend on, or there's some internal website that needs to be updated. So, we're very cautious with those, to make sure that users always have that choice.
Interviewer: Just your reaction, your general take on browser security, as a self security? I mean, it's complicated technology, it's difficult for the user to deal with. What's your take on some of the research that's coming out of here?
Johnathan Nightingale: You’re right, it's a very complicated technology. It's one that's very important we get right. Some of the stuff that's come up here that's specific to our code, we've already got fixes in the works, we'll have releases coming out soon. In a more general sense, I think it's pretty healthy. The reason that we come to Black Hat every year is because the security research community, they're also contributing to the security, that our users experience, right? When they do this research, whether it's about our product, whether it's about SSL, in general, as a technology, or about the certificate authorities that issues these things, all of that helps us get safer, it's more eyes on the problem. In a lot of cases, what you'll see is that these security researchers, start from the fact that they have access to the Mozilla source code. That's how they understand the problem. Then they go, and they test it in other browsers, and they find out that other browsers have similar issues, right? So, we feel good, about the fact that our openness, helps that research make progress. But, overall, people looking at this thing, and trying to make it better, and coming to a conference like this to share their knowledge, instead of trying to exploit it, for their own personal gain, is a positive thing. When we have to fix a bug, we'll fix it right away. We take that very seriously. But, overall, it's quite positive.