Tighter security coming in Firefox 4
LAS VEGAS–A new JavaScript engine, HTML5, tabs on top, and a new add-on framework are not the only improvements that users can expect in Firefox 4. At Black Hat on Wednesday, a trio of security representatives from Mozilla detailed how the company plans to push the browser to be more secure for users while nudging developers toward safer coding practices.
Mozilla Security Program Manager Brandon Sterne demonstrated on Wednesday how this ostensibly dull code, which is part of Firefox 4's new Content Security Policy, will make the next-generation browser safer.
(Credit: Mozilla)
One of the biggest fixes that’s been implemented in the Firefox 4 beta (Windows | Mac | Linux) repairs a hole that affects all browsers, a decade-old vulnerability that was mentioned in the documentation for CSS2. The exploit is a CSS sniffing history attack, where malicious code can gain access to your browser history by manipulating link appearance and style. What made the bug so difficult to repair is that the simplest solution, to prevent all link style manipulation, would be like throwing the baby out with the bathwater, said Firefox’s director of development, Jonathan Nightingale. Changing an already-visited link’s colors is one of the most-used features of the Web, and it would be catastrophic to prevent that.
Mozilla’s David Baron figured out how to solve the problem with a three-pronged approach that focuses on the user instead of the Web site. His solution limits what aspect of links can be tweaked to color, then “lies” through JavaScript so that although the page queries the link and reports back what it would look like if it was unvisited, the one that Mozilla’s engine draws is the correct one, whether it’s been visited or not. This solution also limits the amount of computation that the rendering engine needs to do, said Nightingale, which allows the focus to remain on the content and reduces the overall “heavy lifting” required to render it properly. “By limiting the link, there’s fewer options for [link exploits that look like] dancing bananas.”
Nightingale added that Wednesday’s release of Safari 5.0.1 has incorporated the fix.
Another type of bug addressed in the Firefox 4 beta is the cross-site scripting (XSS) exploit. Brandon Sterne, security program manager at Firefox, said that Firefox’s new Content Security Policy directly addresses these kinds of problems. They present a unique challenge, he said, because a fundamental problem with a Web site is that, “it’s a document that pulls in all these different resources [text, video, or audio] into one document, treated with the same privilege. So it’s hard for the browser to know what was intended and was injection. With Content Security Policy we by default turn it all off, forcing the Web site to turn it on one at a time.”
While that may sound like the CSP creates an unnecessarily large burden on developers, Sterne added that the CSP is designed to be backward-compatible with existing Web sites. “It requires developers to opt in,” he said, “but sites that don’t recognize the header will just do business as usual. Research being shown here at Black Hat shows that JavaScript frame-busting doesn’t work anymore, so this addresses that.”
The CSP can be implemented site-wide or only on specific pages within a site by including the relevant line of code in the header. Mozilla anticipates that many large content-hosting Web sites will find the short-term investment of time to use the CSP worth the long-term safety results.
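The default-deny, opt-in behaviour Sterne describes, as an added example that is not from the article or from Mozilla: a small JavaScript evaluator for a simplified subset of CSP source lists. It assumes the later standardized directive names (`default-src`, `script-src`, `img-src`), since the article shows no syntax; the policy, origins and URLs are constructed.

```javascript
// Added example: evaluates a simplified subset of CSP source lists.
// Handled: 'none', 'self', *, exact origins (scheme://host[:port]), 'unsafe-inline'.
// Not handled: nonces, hashes, wildcard hosts, paths, report-only mode.
const DIRECTIVE_FOR = { script: 'script-src', style: 'style-src', img: 'img-src', media: 'media-src' };

// "default-src 'self'; img-src *" -> Map { 'default-src' => ["'self'"], 'img-src' => ['*'] }
function parsePolicy(headerValue) {
  const policy = new Map();
  for (const part of headerValue.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A directive that appears twice keeps its first value.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// 'none' and keywords that are not URLs fail to parse and therefore match nothing.
function sourceMatches(source, pageOrigin, loadUrl) {
  const s = source.toLowerCase();
  if (s === "'self'") return loadUrl.origin === pageOrigin;
  if (s === '*') return loadUrl.protocol === 'http:' || loadUrl.protocol === 'https:';
  try { return new URL(source).origin === loadUrl.origin; } catch { return false; }
}

// headerValue === null models a site that never sent the header (no opt-in).
// load is { type, url } for a fetched resource, or { type, inline: true }.
function isAllowed(headerValue, pageOrigin, load) {
  if (headerValue === null) return true;               // business as usual
  const policy = parsePolicy(headerValue);
  const sources = policy.get(DIRECTIVE_FOR[load.type]) ?? policy.get('default-src');
  if (sources === undefined) return true;              // no directive governs this type
  if (load.inline) return sources.some(s => s.toLowerCase() === "'unsafe-inline'");
  const loadUrl = new URL(load.url);
  return sources.some(s => sourceMatches(s, pageOrigin, loadUrl));
}

// Constructed policy and loads for a hypothetical page served from https://site.example.
const POLICY = "default-src 'self'; img-src *; script-src 'self' https://cdn.example";
const PAGE = 'https://site.example';
function demo() {
  return {
    ownScript: isAllowed(POLICY, PAGE, { type: 'script', url: 'https://site.example/app.js' }),
    cdnScript: isAllowed(POLICY, PAGE, { type: 'script', url: 'https://cdn.example/lib.js' }),
    injectedScript: isAllowed(POLICY, PAGE, { type: 'script', url: 'https://evil.example/x.js' }),
    inlineScript: isAllowed(POLICY, PAGE, { type: 'script', inline: true }),
    anyImage: isAllowed(POLICY, PAGE, { type: 'img', url: 'https://photos.example/a.png' }),
    offsiteMedia: isAllowed(POLICY, PAGE, { type: 'media', url: 'https://video.example/v.ogg' }),
    noHeader: isAllowed(null, PAGE, { type: 'script', url: 'https://evil.example/x.js' }),
  };
}
console.log(demo());
```

Media has no directive of its own in the sample policy, so it falls back to `default-src`, and the inline script is refused because the policy never lists `'unsafe-inline'`.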
As HTML5 and other, newer technologies develop and mature into standardized code, there’s a great potential for new security risks to open up. Nightingale spoke about one such vector: shaders. Shaders are not new, but their implementation in WebGL and OpenGL is, and could potentially open up new breaches. While he wouldn’t go into specifics, he did say that Mozilla was “spending a lot of time taking [shaders] apart, and making sure that we have good validation of our assumptions.”
Browsing security means more than applying patches to vulnerabilities. Nightingale pointed out that the biggest security fix for Firefox 3 was implementing the session saver, which made it easier for users to recover open tabs after shutting down the browser. By allowing users to more or less pick up where they left off, Nightingale said, it encouraged them to apply updates more regularly, including minor-point but important security updates.
Other changes in Firefox 4 promise to be less technical. Firefox’s approach to browser updates is changing, and sounds like in some cases it will more closely resemble Google Chrome’s automatic updates. “There are updates that we want you to know about, and that you’ll have a choice to install or not, but there’s also updates that we just want to get our security patches out,” said Nightingale. Those silent updates will be rolled out first to Windows users because Windows experiences the most security risks, he said, but Mac and Linux users will eventually see them, too.
Even with the stronger competition from Chrome, Mozilla says that Firefox remains an industry trend-setter. The company is looking at the HTML5 geolocation feature and how to maintain privacy. “We know that people will look at our implementation and see how we do it,” said Nightingale. “We don’t send any private information, and if we don’t then nobody else will either. We’re trying to put more of that control in users’ hands.”
In Firefox 4, users can expect the geolocation notifications to be “friendlier.” At this stage of development, it looks like you’ll be able to ignore all geolocation alerts, turn off the service completely, or go back to change your original selection.
The Weave syncing service, which recently changed its name to Firefox Sync, encrypts all of its data locally before sending it up to the cloud. Once in the cloud Mozilla says that the data is inaccessible without the user’s password, which is stored locally.
The out-of-process plug-in feature that debuted in Firefox 3.6.4 for Windows and Linux and is coming in Firefox 4 for Macs, originally code-named “electrolysis,” will eventually include isolated content processes and the new add-on framework known as Jetpack. This means that when one of those add-ons or content-processes crashes, the entire browser won’t get pulled down.
“Electrolysis gives you two sets of orthogonal benefits,” said Nightingale. One is the protection of existing processes, and the other has a direct impact on comparatively low-powered mobile phones. “When content goes runaway, it doesn’t hurt the UI responsiveness, and on mobile that matters even more.” Nightingale said that users shouldn’t be surprised to see the results of the electrolysis process isolation in mobile Firefox first.
Security vulnerability disclosure is a complex problem facing browser publishers today, one that requires a balance between public dissemination of the bug and withholding the specifics of the breach until it’s been patched. With Google calling its policy “responsible disclosure” and Microsoft labeling it “coordinated disclosure,” Nightingale said that he doesn’t get hung up on nomenclature. “I would always rather people work with us on making the Internet a better place, rather than them not telling us. Once the bug is fixed, we open it up and share how the sausage was made.”
At the root of browser security lies the question of how to balance user education such as not clicking on ads that promise you that “You’ve Won!” or that you need to run their remote virus scanner, with pre-emptive security tactics, such as patching holes but also exposing or blocking bad Web site behavior. For example, Comodo’s Chromium remix, Dragon, takes an aggressive stance on ensuring certificates have been properly written, which is why that browser warns you before you go to Facebook.com.
As Nightingale lamented, though, “We’re not all using the same terminology.” Improving common standards for reporting and dealing with threats could fix that, but there’s little indication that the five major browser publishers are about to collaborate and share the burden of security risks.
Stop-motion movies and racing on water: iPhone apps of the week
(Credit: CNET)
It’s probably not a good sign that the first thing people ask me when they notice I’m holding an iPhone 4 is always something about how I deal with the reception issues. I’ve said here before that I have yet to experience dropped calls or any other issues related to “Antennagate” (yeesh, will we–as a society–ever get over the whole “Whatevergate” meme?), but that’s probably largely just luck; maybe I’m fortunate that where I go in my daily life is covered pretty well by AT&T. I suspect I could be a rare exception.
The interesting thing to me is that the reception issues and “Death Grip” have been all over the news here in the U.S., but reports trickling in from other countries are quite the opposite. An Australian publication, The Daily Telegraph, gave a very positive review to Apple’s iPhone 4 today saying finally about the reception issues, “Is the antenna an issue? No it’s not. Have I dropped calls? No, I have not.” Another story out of Norway (via AppleInsider) had similar results, with the writer concluding that the issues are more about weak U.S. mobile networks than they are about the iPhone 4 itself.
So my question is, even though the “Death Grip” might reduce your signal by a bar or two, if Apple had announced a deal with Verizon (or some other carrier) at launch, would we even be talking about “Antennagate?” I think I know what Steve Jobs would say if he thought nobody else was listening.
This week’s iPhone AppsGate includes a fun tool to make stop-motion movies and a water-racing game sequel that is a huge improvement over the original.
Tap the screen to take a shot, then move your subject before taking another.
(Credit: Screenshot by Jason Parker/CNET)
StopMotion Recorder (99 cents) lets you create cool stop-motion movies where your only limit is your imagination. Featuring a fairly intuitive interface, StopMotion Recorder lets you set up your stationary shot, then has you tap the screen for each shot of your stop-motion film. The program provides an “onion skin” (a ghost of your previous shot) so you know just how to line up the next frame of your movie. You also get a grid overlay for even better alignment, and a “clap shot” feature that will take a picture when you clap so you can be closer to the action.
StopMotion Recorder has a number of different options that give you some choices for how the final product will turn out. You get a bunch of film styles that give your movie different effects like grainy old-timey shots and that old-school film strip border for that reel-to-reel feel. When you’re finished, you can share your stop-motion masterpiece over e-mail, Flickr, Twitter, and YouTube, or you can just save the movie to your iPhone’s camera roll. Overall, StopMotion Recorder is a neat way to make funny little movies that just about anyone could appreciate. Hopefully we’ll see some good stop-motion movies from this app start to spring up on YouTube or Twitter soon.
Aqua Moto Racing 2 ($4.99) is the sequel to Aqua Moto Racing, and has plenty of improvements over the original, including better graphics, more tracks, excellent wave physics, and challenging AI. You can control your personal water craft (PWC) in a few different ways, with options for both accelerometer-based steering or an onscreen steering wheel.
Hit the turbo boost before a jump to get maximum air for tricks.
(Credit: Screenshot by Jason Parker/CNET)
Much like the original, you’ll be able to race in Quick Race mode and set the skill level, track, and number of opponents; or you can race through the championship mode and complete seven multirace circuits. As you race through championship mode, winning a circuit gives you more money and unlocks better PWCs with fixed stats. I actually prefer the setup in the original where you could adjust PWC stats for each race, but there’s something to be said for just jumping in and racing.
While on the course, you’ll race against five opponents through a circuit of buoys and jumps. Getting big enough air puts the game in slow motion, allowing you to hit trick buttons to pull off somewhat underwhelming tricks (maybe the animations are too fast?) that add to your turbo meter. It takes a few jumps usually to fill up the turbo meter so you’ll want to wait for moments when you really need a boost. Also littered about each track are money bags and treasure chests that add to your cash total if you can get to them without letting your opponents pass you. If you get sick of the track layouts, you also can hit a “Mirrored” to make every track a different experience.
The best thing about Aqua Moto Racing 2 is the newly designed wave physics, which bring this title much closer to popular gamer favorite Wave Race (originally on the Nintendo 64).
Overall, with even better graphics than the original, the added wrinkle of big waves to contend with, multiple tracks, and upgradeable PWCs, Aqua Moto Racing 2 will appeal to anyone who likes unique racing games. If you want to check it out before buying, grab the Lite version (free).
What’s your favorite iPhone app? Is the poor reception culprit really AT&T after all? What do you think of StopMotion Recorder? Am I crazy to say Aqua Moto Racing could ever touch the likes of Wave Race 64? Let me know in the comments!