Mozilla Aims To Warn Users About Dangerous Sites - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Mozilla Aims To Warn Users About Dangerous Sites

The next version of Firefox will identify malware on Web sites and make users stop and think about it.

With the number of malicious Web pages mushrooming over the past several months, the Mozilla Foundation is looking to help users defend themselves. Window Snyder, who is Mozilla's "chief security something-or-other," says the company is taking a two-pronged approach.

First, Mozilla developers are working on giving Firefox 3.0, the next version of the open source browser due later this year, the ability to detect malicious code on Web sites that users are trying to access. "In Firefox 2, there's no mechanism that identifies if malware is present," says Snyder.

Users won't ignore this warning, vows Window Snyder.

Users won't ignore this warning, vows Snyder
Second, developers are working on creating an interface that will warn users that the pages they're trying to call up are dangerous. "We don't want to just pop up an alert that gives them an OK or cancel option," says Snyder. "We want to create a warning that users won't mistake. ... It's going to be a different kind of warning, and it's not going to be a click-through."

Security company Sophos reported last month that the number of malicious Web sites has skyrocketed over the past few months, from 5,000 new ones a day in April to nearly 30,000 a day in early July. One reason, according to Sophos researchers, is that hackers are increasingly turning away from e-mail as their preferred method of spreading malware and putting their focus on malicious sites. In some cases, they're creating their own sites, but in most cases they're hacking into legitimate sites and embedding malware into them.

The mock-up of the alert appears as a red-letter warning that doesn't have a click-through option, and the malicious page wouldn't be able to load. It's still a work in progress, and it could change dramatically before Firefox 3.0 ships, Snyder says. Technicians are debating whether there should be an override mechanism that lets users go to malicious pages regardless of the danger.

One of the most difficult aspects of implementing something like this is making sure the interface communicates clearly to the user, that it's "the sort of thing users won't be able to sail through without a real context change," Snyder says.

Mozilla programmers are rewriting a lot of the Firefox code for the upcoming version release, Snyder says. They're replacing much of the older code to increase performance and make the code base more modular, able to handle new security threats like phishing. In a previous interview, Snyder said some of the browser's components that are written in native code are being rewritten in managed code to reduce memory management flaws, like buffer overflow vulnerabilities. Managed code executes in a virtual machine, so there's less space for memory management problems.

Meanwhile, Mozilla faced another security-related issue recently, one of its own making. An executive appeared to suggest the company could patch any known security vulnerability within 10 days. Snyder, who was quick to try to clear up what Mozilla says was a muddled message, says on her blog that Mozilla doesn't set such parameters: "We do not think security is a game, nor do we issue challenges or ultimatums."

That's not what it sounded like at the Black Hat security conference two weeks ago in Las Vegas. Mike Shaver, director of ecosystem development at Mozilla, passed a business card to security researcher Robert Hansen, known as RSnake, with "ten [expletive] days" written on it. Hansen wrote on his blog that Shaver was claiming that, with responsible disclosure, Mozilla could patch any critical hole in that amount of time. Wrote Hansen, "I told him I would post his card--and he didn't flinch. No, he wasn't drunk. He's serious."

Snyder says Shaver meant that, since Mozilla got a recent security update out in only 10 days, there's no reason security researchers should post details of a vulnerability before a patch is available. But security bloggers pounced on what sure sounded like a challenge. Admits Snyder, "His statement has taken on a life of its own."

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
The State of Cloud Computing - Fall 2020
The State of Cloud Computing - Fall 2020
Download this report to compare how cloud usage and spending patterns have changed in 2020, and how respondents think they'll evolve over the next two years.
2021 Outlook: Tackling Cloud Transformation Choices
Joao-Pierre S. Ruth, Senior Writer,  1/4/2021
Enterprise IT Leaders Face Two Paths to AI
Jessica Davis, Senior Editor, Enterprise Apps,  12/23/2020
10 IT Trends to Watch for in 2021
Cynthia Harvey, Freelance Journalist, InformationWeek,  12/22/2020
Register for InformationWeek Newsletters
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you.
White Papers
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll