Talking Firefox security with Mozilla's Window Snyder

LAS VEGAS -- Mozilla security chief Window Snyder wants to open-source much more than the Firefox browser.

During a sit-down chat at the Black Hat security conference here, Snyder announced plans to launch three new initiatives around threat modeling, training and vulnerability metrics that push the envelope around sharing and collaborating with the rest of the industry.

The most interesting of the three centers on a formal threat modeling process for Firefox Next, the next major browser makeover coming from Mozilla.

Snyder has hired New York-based consultants Matasano Security to pore over the Firefox code to find potential attack vectors and other weaknesses and to recommend mitigations that harden the browser against attack. When the threat modeling work is done, Snyder will do something unprecedented -- the information (threats and mitigations) will be released to the public.

"No other vendor does that. We'll release all the information on the threats we identified [and] what the mitigations are. We want people in the industry to know all of the potential weaknesses we thought of and everything we did to minimize the risks. The idea is to engage the community and get feedback. We want to share everything we learn," Snyder said.

Only one caveat: If an identified threat vector hasn't been mitigated, that information will not be released.

"We want security researchers to get an idea of the level of threats we tolerate. I think it's useful for the security research community to see what a complex product like Firefox looks like."

TRAINING

The second initiative -- training around secure coding practice -- is being done in partnership with IOActive, and Snyder says all the classes and information will be released to the public.

Starting later this summer, IOActive trainers will work with Mozilla engineers on C and C++ secure programming practices. In this round, the instructors will focus on implementation-level constructs that sometimes result in vulnerabilities and, once the classes are done, everything will be made available to the public.

In Snyder's mind, the training information will be incredibly useful for an organization without the budget for a dedicated security team. All the slides from the classes will be released along with the syllabus and classroom exercises.  "We'll be delivering the training in-house to our developers, then we'll make the material available broadly," Snyder said.

A Web version of the classes will also be released.

Eventually, Snyder plans to add new classes on secure programming with JavaScript and other secure development practices that programmers sometimes neglect.

SECURITY METRICS

The security metrics project, which is being done in collaboration with indie consultant Rich Mogull, is already underway and progressing very well, Snyder says.  "We're in the early phase, working on incorporating feedback from the rest of the industry.  Carnegie Mellon is working on something similar and we're talking to them, seeing what we can do together."

[ SEE: Can Mozilla’s security metrics project end the patch-counting nonsense? ]

"We're trying to figure out how to do it. Do we use data from Bugzilla? Where will the raw data come from? That's where we are now, trying to figure out how to incorporate the early feedback.

Once that's done, we move to the implementation phase and use the data to identify useful trends," she added.

A key part of the project, Snyder stressed, is using the community to flesh it out, and the final plan is to release everything publicly.

"We're not just developing something to measure the success of Mozilla security over time but this is something others can use on their own," she added.

Some other tidbits from our chat:

  • Cross-site XMLHttpRequest will be included in Firefox 3.1, which is due in the fall. XMLHttpRequest is the API JavaScript uses to exchange data with a Web server in the background, and the browser's same-origin policy normally confines those requests to the site the page came from. The cross-site variant lets a page request data from another site, provided that site explicitly opts in through response headers. It did not make the cut for Firefox 3.0 because of security concerns but, after some internal debate, Snyder says a decision has been made to put it into the next revision.
  • Private Browsing, a feature that puts Firefox into a temporary state where no information about the user's browsing session is stored locally, will not make it into the next revision. "We could implement private browsing in some fashion right now but, to do it properly, we will need to do some complex re-architecting. We want to make sure it's true private browsing so it's something that will take time but it's coming."
  • Firefox 3.0 has incorporated several anti-exploitation mechanisms, including ASLR (Address Space Layout Randomization) and NX (No eXecute). Both are operating-system mitigations that a binary opts into at link time rather than features of the browser itself: on Windows, ASLR is honored only by Vista and later, and any module loaded into the process without the opt-in flag, a third-party plugin for instance, still lands at a predictable address.
  • Protected Mode won't be coming to Firefox anytime soon. "It's not something we can do in a dot release but it's on the list of features that I request at every opportunity," Snyder says. "It's coming. It's a feature that there's a lot of buy-in for but it's not a small change. It will show up in a future version but not in dot releases."
  • There are discussions happening internally at Mozilla around adding NoScript functionality into the core browser.  "It's a conversation we're having.  I'd love to see it in there."
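The ASLR and NX point above is about flags in the binary, which is something you can verify rather than take on faith. The block below is an added example written for this page, not Mozilla code and not part of the original post: it reads the DllCharacteristics field from a Windows PE header and reports whether the image asked for ASLR (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) and NX/DEP (IMAGE_DLLCHARACTERISTICS_NX_COMPAT), then scans a list of modules so a single plugin built without the flags stands out. The module names and the hand-built header bytes are constructed for the example; the offsets are the standard PE/COFF ones.

```javascript
'use strict';
// Added example, not Mozilla code: inspect a Windows PE image's DllCharacteristics
// to see whether it opted in to ASLR (DYNAMIC_BASE) and DEP/NX (NX_COMPAT).
// Offsets follow the PE/COFF specification; no third-party modules are needed.

const DLLCHAR_DYNAMIC_BASE = 0x0040; // IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (ASLR)
const DLLCHAR_NX_COMPAT = 0x0100;    // IMAGE_DLLCHARACTERISTICS_NX_COMPAT (DEP/NX)
const PE32_MAGIC = 0x10b;            // 32-bit optional header
const PE32PLUS_MAGIC = 0x20b;        // 64-bit optional header

// Parse just enough of the headers to reach DllCharacteristics.
function peMitigations(image) {
  if (image.length < 0x40 || image.toString('latin1', 0, 2) !== 'MZ') {
    throw new Error('not a DOS/PE image');
  }
  const peOffset = image.readUInt32LE(0x3c); // e_lfanew: where "PE\0\0" starts
  if (peOffset + 24 + 72 > image.length ||
      image.toString('latin1', peOffset, peOffset + 4) !== 'PE\0\0') {
    throw new Error('PE signature not found');
  }
  // 4-byte signature, then the 20-byte COFF file header, then the optional header.
  const optSize = image.readUInt16LE(peOffset + 20); // SizeOfOptionalHeader
  if (optSize < 72) throw new Error('optional header too short');
  const opt = peOffset + 24;
  const magic = image.readUInt16LE(opt);
  if (magic !== PE32_MAGIC && magic !== PE32PLUS_MAGIC) {
    throw new Error('unknown optional header magic 0x' + magic.toString(16));
  }
  // DllCharacteristics is at offset 70 of the optional header in both PE32 and PE32+.
  const dllChars = image.readUInt16LE(opt + 70);
  return {
    format: magic === PE32_MAGIC ? 'PE32' : 'PE32+',
    dllCharacteristics: dllChars,
    aslr: (dllChars & DLLCHAR_DYNAMIC_BASE) !== 0,
    nx: (dllChars & DLLCHAR_NX_COMPAT) !== 0,
  };
}

// ASLR is only as strong as the weakest module mapped into the process: one DLL
// built without DYNAMIC_BASE loads at its preferred base every time. Given a
// list of { name, image } pairs, return the ones missing either mitigation.
function modulesWithoutMitigations(modules) {
  return modules
    .map(({ name, image }) => ({ name, ...peMitigations(image) }))
    .filter((m) => !m.aslr || !m.nx);
}

// Constructed, headers-only PE image so the example runs without a real binary.
function buildSampleImage(dllChars, magic = PE32_MAGIC) {
  const image = Buffer.alloc(0x40 + 4 + 20 + 96); // DOS header, signature, COFF, optional
  image.write('MZ', 0, 'latin1');
  image.writeUInt32LE(0x40, 0x3c);                // e_lfanew
  image.write('PE', 0x40, 'latin1');              // the two zero bytes are already there
  image.writeUInt16LE(magic === PE32_MAGIC ? 0x014c : 0x8664, 0x44); // Machine: i386 or x64
  image.writeUInt16LE(96, 0x40 + 20);             // SizeOfOptionalHeader
  image.writeUInt16LE(magic, 0x40 + 24);          // Magic
  image.writeUInt16LE(dllChars, 0x40 + 24 + 70);  // DllCharacteristics
  return image;
}

// Constructed module list (names are made up): the browser opted in, a plugin did not.
const sampleModules = [
  { name: 'firefox.exe', image: buildSampleImage(DLLCHAR_DYNAMIC_BASE | DLLCHAR_NX_COMPAT) },
  { name: 'xul.dll', image: buildSampleImage(DLLCHAR_DYNAMIC_BASE | DLLCHAR_NX_COMPAT) },
  { name: 'legacy-plugin.dll', image: buildSampleImage(DLLCHAR_NX_COMPAT) },
];

for (const m of modulesWithoutMitigations(sampleModules)) {
  console.log(`${m.name}: aslr=${m.aslr} nx=${m.nx} (${m.format})`);
}
```

To check a real build, pass the result of `fs.readFileSync` for each module in the process to `peMitigations`; the constructed image exists only so the example runs offline.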


Talkback

11 comments
  • Protected Mode is the only thing FireFox is missing

    What I can't figure out is why it should be hard to add. Firefox already works with AppArmor so we know it can run with very few rights.

    Firefox is still my favorite browser by far and support for Protected Mode would be icing on the cake!
    NonZealot
    • that comes from Windows' architecture

      AppArmor uses the old UNIX paradigm of giving files rights according to the user that opens them. AppArmor does that more dynamically than straight users and groups management, but it remains based in POSIX land - where everything is a file.

      Remember that Firefox is mainly programmed on POSIX machines...

      Windows NT provides a more complex environment, where processes have different rights depending on the user that triggered an action; this allows the monolithic OS called Vista to have several users with different rights running the same application with different rights depending on who did what.

      Protected mode is useful for Internet Explorer because, due to the way it sticks to the system (direct access to kernel, graphical APIs, its own APIs open to any system service etc.), IE is a widely opened door upon the OS - what Protected Mode tries to do is close as many doors as it can.

      Firefox would still benefit from Protected mode, at least in its default install; if you unpacked a ZIP package containing Firefox files and ran it from a limited user account, where all services are blocked except access to public TCP/IP (no raw access) on the network stack, you'd have pretty much the same thing as Protected Mode.
      Mitch 74
    • ONLY THING? Not so fast !

      Sorry, but the last time I looked, those of us using Yahoo Mail are STILL -- after 11 weeks (since it was logged in Bugzilla) -- MISSING the text of email messages (among other problems) using FF2 or FF3. I've all but stopped using FF because of this, in favor of simple (if less secure and useful) IE6. Wish it was not the case, but it is.
      SFBayguy
      • Missing e-mail text?

        What is that problem exactly? I use Yahoo Mail! with Firefox every day and I can't recall having such a problem. Do you have the link to the Bugzilla report so I can see exactly what this is about?
        MikeR666
  • RE: Talking Firefox security with Mozilla's Window Snyder

    >XMLHttpRequest will be included in Firefox 3.1

    .. So I've been using Msxml2.XMLHTTP in my firefox browser?

    O.O
    if XMLHttpRequest is missing, my AJAX apps haven't noticed and firebug is lying:

    {acda85ab-d06c-4176-b834-6d129ca97ca3}
    nsIXMLHttpRequest

    Using Firefox 3.0.1

    When I read this the Twilight Zone music started playing in my mind... Just to be sure I commented out the MS controls in my instantiation script. Yep it's using XMLHttpRequest.

    Maybe I'm hallucinating...
    npdavis@...
    • Cross-Site XHR

      I guess Ryan forgot to specify that Cross-Site XMLHttpRequest didn't make the cut for Fx 3.0.x: "plain" XHR has been a Mozilla feature since pre-Firefox days.

      Cross-site XHR was added in an early Fx 3 beta, but after some debate (and me adding a NoScript option to block it by default), the capability to send background requests toward sites different from the originator has been ditched for security/privacy concerns.

      It's gonna be back in Fx 3.1 with a more standardized and careful implementation.
      Giorgio Maone
      • Fixed

        Thanks Giorgio. It's now fixed in the post.

        _ryan
        Ryan Naraine
  • I'd like to see a true portable version

    Portable versions are still sort of hit or miss because of MS's legacy software.

    But the idea of a private browsing is intriguing. I've wondered before; why can't they just encrypt all browser tracking stuff (cache, cookies etc) and only open it when necessary and only available to the browser? Of course I'm no computer expert but this is an idea.

    Finally another idea is anonymous browsing. An example is like TOR.

    But also I agree; Security software should be open sourced. One of the biggest gripes I have with any security software. The idea that if the company sticks a malware, or even some sort of back door, How would you know? Sadly the only open-source Windows based firewall I know of, is SmoothWall, and it is network based - far beyond the simple click and install that Joe HardDrive is used to

    Go Mozilla, go!

    - Kc
    kcredden2
  • RE: Talking Firefox security with Mozilla's Window Snyder

    Cross site XHR should not pass cookies but rather be able to only access publicly available information. I had high hopes for Firefox when they pulled it from the beta. I was hoping they would follow the IE model and refuse to pass cookies. Cross site XHR that passes cookies pretty much enables the idea of client side proxies for malicious web servers to retrieve private information from other sites.

    There is already a mechanism for one site to access the private information from another site- federation and web services. That way the two sites can authenticate each other as well as the client. Sure, it requires more work, but that is the right way to do it. By kowtowing to the flawed w3c standard firefox is enabling web developers to use inherently risky techniques for sharing information and I think it is evident that security, while important, still takes a back seat for the org. It is effectively the same thing as providing plain old strcpy to developers because it is just too much work for them to specify the maximum buffer length. It can be used correctly, but it is much better for the only option to be the more secure option.
    joshbw
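Both the article's note that cross-site XMLHttpRequest returns in Firefox 3.1 and joshbw's worry above about cookies riding along on cross-site requests come down to the same opt-in protocol: the browser tells the server which origin is asking, and the server names the origins it is willing to answer. The block below is an added example written for this page, not Mozilla's or any site's code. It implements the server's decision for one hypothetical allowlist (the origins app.example and admin.example are made up) and the browser's matching check on the response, including the rule that a wildcard grant is never honored when credentials are sent, which is the property that keeps a malicious page from using the user's logged-in session as a proxy.

```javascript
'use strict';
// Added example, not Mozilla's or any site's code: the opt-in handshake behind
// cross-site XMLHttpRequest, with both halves written out. The server decides
// from the request's Origin header; the browser decides whether script may read
// the response. Header names are the standard CORS ones.

// Hypothetical allowlist for this example; the origins are made up.
const ALLOWED_ORIGINS = new Set(['https://app.example', 'https://admin.example']);

// An Origin header is scheme://host[:port] and nothing else. Parse strictly so
// that "null", a path, or a look-alike host never gets echoed back as a grant.
function parseOrigin(value) {
  if (typeof value !== 'string') return null;
  let url;
  try { url = new URL(value); } catch (e) { return null; }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  if (url.pathname !== '/' || url.search !== '' || url.hash !== '' || url.username !== '') return null;
  return url.origin; // normalised form: lower-case host, default port dropped
}

// Server side. req.headers uses lower-case keys, as Node's http module does.
// allowCredentials: whether cookie-bearing cross-site requests are accepted at all.
function serverCorsDecision(req, allowCredentials) {
  const headers = { Vary: 'Origin' }; // the answer depends on Origin, so caches must key on it
  const origin = parseOrigin(req.headers.origin);
  if (origin === null || !ALLOWED_ORIGINS.has(origin)) {
    // No Access-Control-Allow-Origin at all: the request may still reach the
    // server, but the browser refuses to hand the response to the caller.
    return { allowed: false, headers };
  }
  // Echo the one origin, never '*'. A wildcard is not valid alongside credentials
  // and would let any site act as a proxy for the user's logged-in session.
  headers['Access-Control-Allow-Origin'] = origin;
  if (allowCredentials) headers['Access-Control-Allow-Credentials'] = 'true';
  if (req.method === 'OPTIONS' && req.headers['access-control-request-method']) {
    // Preflight: state what the real request may use; no body is served here.
    headers['Access-Control-Allow-Methods'] = 'GET, POST';
    headers['Access-Control-Max-Age'] = '600';
  }
  return { allowed: true, headers };
}

// Browser side: may the page at requestOrigin read this response?
function browserMayReadResponse(requestOrigin, responseHeaders, withCredentials) {
  const grant = responseHeaders['Access-Control-Allow-Origin'];
  if (grant === undefined) return false;
  if (grant === '*') return !withCredentials; // wildcard never covers credentialed requests
  if (grant !== requestOrigin) return false;
  return !withCredentials || responseHeaders['Access-Control-Allow-Credentials'] === 'true';
}

// Walk one exchange end to end: a page on pageOrigin sends a cross-site XHR
// (with or without cookies) and we report whether its script gets the data.
function crossSiteFetchOutcome(pageOrigin, withCredentials, serverAllowsCredentials) {
  const req = { method: 'GET', headers: { origin: pageOrigin } };
  const res = serverCorsDecision(req, serverAllowsCredentials);
  return browserMayReadResponse(pageOrigin, res.headers, withCredentials);
}
```

The split matters for joshbw's scenario: a hostile page can still make the browser send the request with the victim's cookies attached, so the server must treat cross-site requests as untrusted on arrival (this is exactly why CSRF defenses exist), but the hostile page only gets to read the answer if the server names that page's origin and separately grants credentials.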
  • RE: Talking Firefox security with Mozilla's Window Snyder

    "When the threat modeling work is done, Snyder will do something unprecedented -- the information (threats and mitigations) will be released to the public."

    Not unprecedented, it's been done before. It's simply that it's not practiced a lot, due to the false idea that obscurity is security.
    CobraA1