Firefox 2.0 To Gain Security Improvements

An alpha release of Firefox 2.0 is due out in the next few days, according to meeting minutes posted at Mozilla Foundation.  

A new feature in the alpha release will be a "blocklist" for certain extensions that are known to contain vulnerabilities that make them exploitable. When someone installs an extension, or updates an extension, then that extension will be checked in realtime over the Internet against the list of blocked extensions. If the extension is in the blocklist then Firefox will alert the user and prevent that extension from being installed. The blocklist will be maintained by Mozilla as a check and balance, and considerable efforts will be made to remove exploitable extensions from popular extension sites.

The official release version of Firefox 2.0 is due out sometime in the third quarter of 2006. As we reported previously, Mozilla plans to implement support for "high assurance" SSL certificates, which are issued to entities who undergo a more rigorous identity verification process

The official release version will also have new anti-phishing technology features, however the technology is only in its experimental phases.

The current anti-phishing code being evaluated for inclusion is developed by Google as an extension called Google Safe Browsing, which is currently available as as standalone extension from Google, but the company will cease to offer the extension in standalone form and will instead package it with Google Toolbar.

When packaged with Firefox the extension will be renamed to "Anti-Phishing." Google said they'd like to see development of the extension moved into the Mozilla development code tree.

When using the extension in enhanced mode the browser will send encrypted URLs of sites a users visits to Google for evaluation along with some information about the site content in order to try to determine if the site is a known phishing site. If it is a known phishing site then the extension will display a warning dialog. The extension also communicates to Google whether the user accepts or declines the warning dialog, and communicates when the user actually navigates away from a phishing page. Users who are uncomfortable with such tracking can use the extension with "enhanced protection" disabled.

Mozilla Foundation added that they are open to partnering with others who provide anti-phishing tools and resources. The foundation plans to create a generic API so that the anti-phishing technology can be used by other Mozilla products.

TAGS: Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.