I’m very excited about some of the new security improvements in the new Firefox 3 browser release.
One improvement is some built-in protection against Cross-Site Scripting (XSS) attacks, though it’s important to note that the vulnerabilities extant on many of our industry sites are still not caught by the Firefox filter. Firefox add-ons that I have mentioned in the past on this blog, including NoScript and NoRef are still of value, and the Firefox improvements don’t mean vendors don’t need to follow secure coding practices consistently and that users don’t need to be very careful about the sites they visit.
Another improvement is seen just to the right of the address bar (now called the “Awesome Bar” in Firefox). That area now shows the site’s icon (or a blank page if the site has no icon) with a color background that makes it easier for users to see the security status of the page. As you can see below, colors include gray, blue, green (and red) and if you click on the icon you can get more information about the site.
- Grey is normal – no SSL encryption on the connection or other identifying information about the site.
- Blue means you are viewing the site through an SSL certificate and all content (even images) are being transmitted to and from the site encrypted.
- Green means there’s not only an SSL certificate, but also an “Extended Validation Certificate” (a.k.a. EV Cert) that means the site owner (not just the site) has been validated in some way by a “certifying authority”. These certificates are spendy (about $500 / year), and some people complain that they are an unnecessary expense. That will certainly be an ongoing argument!
- There’s also a RED color – this means a site is known to cause compromise – I’m not going to a site of that nature to collect an image – sorry!
The ‘More Information’ button lets you see if you have visited the site before today, if there is a cookie (and lets you see the cookie contents), if you have saved passwords for the site in the browser (tsk!), if the connection is encrypted, and also lets you see information about the site owner.
Internet Explorer 7 and Opera 9.5 both also have support for the EV Cert, but I think that Firefox’s implementation is the most ‘in your face’ and in that way, the best.
Some believe (and others don’t) that the color approach (including EV Cert) is still vulnerable to homograph and picture-in-picture attacks (sorry about the tech-vocab…) – but I still think this approach is a worthwhile endeavor toward reducing phishing attacks and I applaud Mozilla Firefox for improving its interface to be helpful in this way.
Share this post: