Mozilla Corp.’s next update to Firefox will sport several new safer surfing features, the company’s chief of security said Wednesday, but users won’t see the most important changes.
On track and expected to make it into the final version of Firefox 3.0 when it ships later this year is a tool that would automatically block sites suspected of harboring malware. The Web browser will also offer support for the extended validation Secure Sockets Layer (EV SSL) certificates, said Window Snyder, Mozilla’s chief security officer.
The malware blocker, which relies on site blacklists generated by Google Inc., has been publicly debated by Mozilla and Google developers, with mock-ups of the on-screen warnings debuting in early June. Then, Snyder refused to get specific about the feature, saying there was no guarantee the tool would be wrapped up in time to add to Firefox 3.0.
Things are different now; the site blocker is currently a go.
“We wanted to make sure that it’s obviously not a security notification that they can ignore,” Snyder said, describing how the warnings will work. “The [user interface] makes it clear that this [site] is dangerous. And it does not give the user a click-through,” Snyder said. In other words, users will be able to back out of the attempt to reach the potentially malicious site but won’t be able to simply accept the warning and continue on.
“Nothing’s ever done until it ships,” Snyder cautioned, hinting that changes are still possible, or if necessary, the tool might still be ditched.
The other feature set for Firefox 3.0 offers support for the new EV certificates now used by a few of the largest online retailers, banks and financial institutions. Those certificates, which in Microsoft Corp.’s Internet Explorer (IE) browser trigger a color change in the address bar to green, require more extensive background checks of the buyer by the issuing authority to guarantee that they’re given only to trustworthy sites. One of the first sites to use EV certificates was that of PayPal Inc.
But rather than color-code something in Firefox, the open-source browser will display an agent-like character dubbed “Larry” when it reaches a domain equipped with an EV. The indicator, she said, resembles the international symbol for immigration seen at airports: an iconic image of an official holding up a passport. “We think that makes a more visual statement about identity rather than security,” said Snyder. “All we’re trying to say is that we have a level of confidence about the identity of the site, not that it’s free of threats.”
Part of the reason why Mozilla is uncomfortable doing more than noting the enhanced identity of such as site is that the standard SSL padlock now means more than it should, Snyder said. “What it’s come to mean is that everything is secure, but it’s become an overburdened symbol,” she said.
Virtually all the other changes to Firefox 3.0 on the security side are “under the hood” of the browser, she continued. “They’ll be less apparent to the users, but they will impact them,” Snyder said.
For the largest part, this back-end work on Firefox has been in making the code itself more secure. Like the Security Development Lifecycle (SDL) initiative within Microsoft to systematically create more secure code, Mozilla’s unnamed effort has involved seeking out vulnerabilities before the software ships.
“I really believe in defense in depth,” Snyder said, referring to in-house research on Firefox’s code. “All the [security] features in the world won’t help you if the code’s not secure.”
Snyder said that much of her time since joining Mozilla last September has been spent on improving the security of the Firefox code, with a major effort on creating penetration-testing tools developers can use to spot flaws before the application leaves the house. Mozilla used various “fuzzers,” tools that automate some vulnerability detection processes, and has found dozens of bugs with just one, a JavaScript fuzzer that Mozilla released last week to the open-source community at the Black Hat security conference.
Putting tools like that in the hands of anyone should mean more secure code for everyone, said Snyder. She said that as Mozilla’s point person on security, she is convinced that it’s a way to get the biggest bang for buck. “If these tools are broadly distributed, they could help smaller environments develop strong code,” Snyder said. “They can help make everyone safer.”
Read the rest of this entry »
Posted in Mozilla, Security, Software | No Comments »
Firefox is seeing tremendous adoption rates in some parts of the world. In order to perpetuate this growth trend, Mozilla has to continue to find new ways to bring Firefox to a broader audience. Mozilla is tackling this problem from many different angles, but user retention has emerged as a significant priority for the organization’s Firefox promotion efforts.
According to Mozilla, only fifty percent of the people who download Firefox actually try the browser and only about half of the people who try it continue to use it. Although this is a pretty decent user retention rate for a piece of software that can be downloaded for free, Mozilla recognizes that improving retention is probably the most productive way to increase overall market share. Mozilla has been working with the community to devise strategies for improving retention rates, and the result is a 12 point plan for getting users to stick with Firefox.
Mozilla is working on creating a new support site to address documentation issues and plans to create new download and first run pages that are more instructive. On the development side of things, Mozilla plans to make common plug-ins work better out of the box, work on user interface enhancements that make the browsing experience more natural, and make add-ons easier to manage and install. On Windows, Mozilla plans to change the Firefox icon name to make it more apparent to users that the program is a web browser and improve desktop and quicklaunch icon placement to make the program more accessible. Mozilla is also going to work on brand marketing.
User retention is likely a problem for other cross-platform open source software applications as well. Mozilla’s efforts in the area could provide valuable insight into practical methods that could potentially be employed for other open source projects.
Read the rest of this entry »
Posted in Design, Mozilla, Software | No Comments »
Thunderbird, Mozilla’s open source desktop e-mail client, is being kicked out of its parent organization’s house, ostensibly for its own good.
In a blog post on Wednesday, Mozilla CEO Mitchell Baker explained, “We have concluded that we should find a new, separate organizational setting for Thunderbird; one that allows the Thunderbird community to determine its own destiny.”
The rationale behind the decision is that Mozilla’s ongoing effort to promote the Firefox Web browser leaves Thunderbird out of the limelight.
Baker proposed several options for Thunderbird: creating a nonprofit foundation similar to the Mozilla Foundation; creating a Mozilla Foundation subsidiary for Thunderbird; and releasing Thunderbird as a community project along the lines of SeaMonkey, an open source application suite that includes a Web-browser, e-mail and newsgroup client, IRC chat client, and HTML editor.
While Baker outlines potential difficulties with each of these approaches, she makes no mention of the fact that Web browsers like Firefox, in conjunction with the continued adoption of free Internet-based e-mail services, are obviating the need for a standalone e-mail client for many users.
Responding to Baker’s post, Rafael Ebron, founder and general manager of Browser Garage and a founding Mozilla Corp. employee, explained in a comment that despite being an avid user of Thunderbird, the e-mail application no longer meets his needs. “I honestly must say that I do not have much use for an offline client anymore,” he said. “For the last few years I have switched to entirely online options. Gmail, Hotmail, etc. solve all of my e-mail problems. Google Groups solves my Usenet problems. No more backups, importing, and synchronization. It really is an ideal system for me.”
Online e-mail services like Gmail, Yahoo Mail, and Microsoft’s Hotmail also offer very good spam protection, unlike out-of-the-box Bayesian filters in desktop e-mail clients.
Then there are other differences between Firefox and Thunderbird, like the millions in revenue Mozilla earns for setting Google to be the default search engine in Firefox. Thunderbird doesn’t feed off the search cash cow, though with 5 million users around the globe there are probably untapped revenue opportunities.
Thunderbird has also suffered in comparison to Microsoft Outlook for its lack of calendar support. Though a calendar is under development in the form of Mozilla Sunbird, Thunderbird still faces a tougher sell than Firefox, without an obvious search ad dollar payoff. It also has to deal with competition from the likes of Zimbra in the corporate world.
Firefox rode resentment of Microsoft’s Internet Explorer monoculture to success. Microsoft Exchange and Outlook don’t seem to generate the same discontentment. Finding a new home for Thunderbird may prove to be far easier than sparking the uprising it needs to be king.
Read the rest of this entry »
Posted in General, Mozilla, Software | No Comments »
