Monday, June 9, 2008

Firefox v3: Exciting but Incomplete Security

Make no bones about it: the release version of Firefox 3 is the first software application download that I've looked forward to in years.


Firefox 3 is, for me, the first really user-friendly browser. As Google knows, but no one else cares much to admit, an awful lot of consumers currently go to Yahoo by typing "Yahoo" into the search field, rather than the address bar.

Firefox is potentially changing the game by moving all of this "action" into the address bar, and matching previous site requests and paths with keywords.

The new Firefox address bar is screamingly intuitive (want to find that weather site you went to three days ago? Firefox will pull up everything with "weather" in its path when you type "weather" into the address bar.)

Wow.

On other issues, the security stuff is really nice-looking, and the integration with Verisign EV is very tasty as well. But "Larry" the Firefox security icon (actually described as a "customs agent" on their site) may actually end up setting up users for a "cavity search"...

The problem with solutions that look after just one small piece of the problem is that you end up facing the "armored Humvee problem" recently described to me by a "security logistics expert" over lunch in Kuwait.

This problem is, in short, that all defenses are "weapons-specific". No amount of armor on a Humvee will stop the most recent insurgent IED innovation - a shaped charge that turns a sheet of copper into a molten fireball that can burst through any amount of armor.

While the consequences are nowhere near as serious, software/browser designers face the same issue.

The changes to Firefox, while welcome, have modified the "armor" of Firefox without taking into account the massive changes that have taken place in the area of weapon-development by the insurgents of the Internet world - the identity thieves and online criminals.

As sexy as it looks, and as welcome as it will be to lots of users, Firefox 3 unfortunately lacks armor in several places where armor is most needed. As such, it will not present a barrier to serious intruders looking to steal data.

To really operate a defense, the user needs to have everything locked down in the DNS request chain, everything locked down in the OS, and all malware, including any horrible zero-day keyloggers and screen-capture devices already on the PC, needs to be rendered harmless.

As for the message above ("Your connection to this web site has been encrypted to prevent eavesdropping"), don't get me started on the many ways this tells users the wrong thing.

SafeCentral (the next version of which will incorporate Firefox 3, including the FF3 address bar), and the SafeCentral Secure DNS Service, together plug virtually all of the security holes that I just talked about. V3 will be available mid-July.

The downside? None.

You were going to download Firefox v3 anyway, right? ;-)
