November 20, 2007
Firefox Beta Bets on Security
Given that much of the recent growth in the Firefox user base has come at the expense of Microsoft due to security problems with Internet Explorer, I don't find it surprising at all that Mozilla continues to bet on security enhancements as a big selling point for Firefox. The long-anticipated beta of Firefox 3 is now out, and the Firefox developers have kept the security momentum going.
The list of enhancements to the browser is fairly extensive, but you'll notice that the security enhancements top the list. From the release notes:
- One click site info: Click the site favicon in the location bar to see who owns the site. Identity verification is prominently displayed and easier to understand. In later versions, Extended Validation SSL certificate information will be displayed.
- Malware Protection: malware protection warns users when they arrive at sites which are known to install viruses, spyware, trojans or other malware. You can test it here (note: our blacklist of malware sites is not yet activated).
- New Web Forgery Protection page: the content of pages suspected as web forgeries is no longer shown. You can test it here.
- New SSL error pages: clearer and stricter error pages are used when Firefox encounters an invalid SSL certificate.
- Add-ons and Plugin version check: Firefox now automatically checks add-on and plugin versions and will disable older, insecure versions.
- Secure add-on updates: to improve add-on update security, add-ons that provide updates in an insecure manner will be disabled.
- Anti-virus integration: Firefox will inform anti-virus software when downloading executables.
- Vista Parental Controls: Firefox now respects the Vista system-wide parental control setting for disabling file downloads.
What I like about most of these features is that many of them are focused not just on preventing mischief, but on informing the user. Better feedback to the user about security, I think, works in an application's favor. Of course, "better" should not be equated with "more." Firefox seems to be on the right track here — explicitly warning users when necessary, and otherwise putting the security information where users can get at it without presenting it in a way that forces them to swat away dialog and warning boxes every five minutes.
So, kudos to Mozilla. But there's always a catch. In this case, it's the fact that, by Mozilla's own estimate, this new version of Firefox represents two million new or changed lines of code. That's an awfully big landscape for new bugs to hide in. And some of those bugs are bound to be security-related. But hey, that's what beta testing is all about, right?
Posted by Kevin Carlson at 10:52 AM