Defense in Depth

December 10, 2008 1:08 PM PST

Window Snyder to leave Mozilla

by Robert Vamosi

Window Snyder, Mozilla's chief security something-or-other (her official title), is leaving Mozilla, effective the end of the year.

"I am sad to be leaving," she wrote in her blog on Wednesday, "but I am excited to go work on something I have always been passionate about. I wish I could tell you about it now, but that will have to wait for a while."

In an interview earlier this year, Snyder stressed to me how she wants to bring open-source practices to the security community. And her background certainly supports that passion.

Snyder is the co-author of Threat Modeling, a book about application security. Her security work started at @Stake (now a part of Symantec) before continuing at Microsoft. Later she helped found Matasano Security before landing at Mozilla in September 2006.

Johnathan Nightingale, Lucas Adamski, Brandon Sterne, and Mike Shaver will continue to blog about security at Mozilla in Snyder's absence.

October 24, 2008 12:57 PM PDT

At Mozilla, blowing the lid off security practices

by Robert Vamosi

Window Snyder, Mozilla's chief security something-or-other (her official title), wants to bring open source practices to the security community.

"At a lot of companies," she told me recently, "there's fear around security: you don't want to talk about what you're doing around security because one might deem it not enough--or might want to criticize it." She said most companies have a lot of reasons to keep what you're doing in security quiet, but not Mozilla. "We benefit from being open; it's the model for us and it's been successful for us."

Snyder started her security work at @Stake (now a part of Symantec) then went to Microsoft and later Matasano Security. She describes her journey as moving toward open source with each environment. At Mozilla, makers of the popular Firefox browser, Thunderbird e-mail client, and other open software, she's pretty much at ground zero.

Snyder said the idea of opening up security came about by asking, "What are we doing internally that we can make publicly available to help somebody else in some other project?"

They decided to start out small. "We're starting off with secure programs and practices for C and C++. There is a focus on how to make it useful for a browser, but there is of course a general aspect to this. It's training materials, it's syllabi, exercises, it's a workshop-style class. Hopefully we'll be able to do video as well." The idea is that one employee from a company can attend these workshops and then take the training back home to train even more people.

Johnathan Nightingale of Mozilla echoed this. "It's pretty brittle if there's only one person who is the security guy or gal that always solves a problem. It's better to get that knowledge out there--whether it's working on Mozilla or some other project. By working at understanding the good habits and the bad habits, you've made a huge step forward."

In addition to training sessions, Mozilla will be making a variety of tools available. Last year Mozilla released a protocol fuzzer created by Michael Eddington, and a JavaScript fuzzer created by Jesse Ruderman. Further, Mozilla acknowledged that these tools had found vulnerabilities within Firefox. Embracing that openness, Opera reported that the tools had also discovered a flaw within its browser product. Microsoft, maker of Internet Explorer, and Apple, maker of Safari, haven't revealed whether they used the tools to detect any flaws in their products.

Snyder says the security story often isn't that a company created a tool that found 14 vulnerabilities in its own product; it's that there were 14 vulnerabilities in the product in the first place. "Why would they want to share this tool? Maybe they want to demonstrate how successful it was because it found a vulnerability. That's something that we can do that other companies cannot."

In addition to training and tools, Mozilla wants to talk more about security metrics and threat modeling.

"Threat modeling is a methodology for identifying security vulnerabilities, for identifying the risks of a security vulnerability within that application," Snyder said. "Making a threat model available shows other development environments how a complex application like Firefox gets deconstructed into threats, along with the mitigations that we've implemented to address those specific threats.

"But it also gets us feedback on whether our mitigations are sufficient. It gets the research community engaged at another point in the development process. Instead of looking for vulnerabilities at the end of the lifecycle, they're able to get involved in the threat modeling process, which is between design and implementation, ideally. You want to be able to do it early enough in the process so that you can actually change at the architectural level as the result of threat modeling."

The goal, she said, is to remove whole categories of vulnerabilities. "Here's a pattern, and if we implement one architectural change we can eliminate all these vulnerabilities."

Threat modeling is more theoretical; it's abstract. "So, instead of saying concretely 'if you do this, that, and the other thing, that will result in an actual vulnerability,' threat modeling says there is no input validation mechanism, for example. If you send a request this way, you end up bypassing the input validation mechanism and you're sending content, unvalidated, to this audio decoder. That would be scary. So the threat would be: unvalidated content is being passed directly to the audio decoder if it comes in this way. A vulnerability would be: there's an overflow in the audio decoder that an attacker is able to trigger if they craft a URL this way, and because it bypasses the input validation mechanism, all these other mechanisms that would have protected from an exploit are bypassed as well."

She concludes that the training, the tools, and the threat modeling are "good for peer reviews, it's good for testers, it's good for developers." She sees it as delivering on a promise "to make the Web more secure."

Mozilla has been steadily demonstrating how open source projects can make money without betraying their community goals. At Mozilla, she says "we absorb the costs in criticism and we tolerate that in security because the benefit for us far outweighs everything else."
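The audio decoder scenario Snyder describes, worked through as an added example in C (not Mozilla code): a front-door validator that one delivery path never calls, and the architectural mitigation of putting the bounds check inside the decoder itself so the whole class of bypasses is closed rather than one instance. The chunk format, function names and the "cached request" path are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_SAMPLES 64

/* Constructed wire format: a one-byte sample count followed by 8-bit
   unsigned PCM samples. */
typedef struct {
    const uint8_t *payload;  /* bytes after the header byte */
    size_t declared_len;     /* sample count claimed by the header */
    size_t actual_len;       /* bytes actually present after the header */
} audio_chunk;

/* Split header from payload; returns 0 if there is no header byte. */
static int parse_chunk(const uint8_t *buf, size_t n, audio_chunk *c) {
    if (n < 1) return 0;
    c->declared_len = buf[0];
    c->payload = buf + 1;
    c->actual_len = n - 1;
    return 1;
}

/* The architectural mitigation: the decoder bounds-checks its own input,
   so the check holds regardless of which path delivered the chunk.
   Returns the number of samples written to out[], or -1 if rejected. */
int decode_audio(const audio_chunk *c, int16_t out[MAX_SAMPLES]) {
    if (c->declared_len > MAX_SAMPLES) return -1;   /* would overflow out[] */
    if (c->declared_len > c->actual_len) return -1; /* would over-read payload */
    for (size_t i = 0; i < c->declared_len; i++)
        out[i] = (int16_t)(((int)c->payload[i] - 128) * 256); /* u8 -> s16 */
    return (int)c->declared_len;
}

/* Front-door validator on the normal request path (the "input validation
   mechanism" of the threat model). */
static int validate_request(const uint8_t *buf, size_t n) {
    return n >= 1 && buf[0] <= MAX_SAMPLES && (size_t)buf[0] <= n - 1;
}

/* Normal path: front-door validator, then decoder. */
int handle_request(const uint8_t *buf, size_t n, int16_t out[MAX_SAMPLES]) {
    audio_chunk c;
    if (!validate_request(buf, n) || !parse_chunk(buf, n, &c)) return -1;
    return decode_audio(&c, out);
}

/* Hypothetical second delivery path that never calls validate_request:
   the bypass the threat model warns about. Because the check lives inside
   the decoder, this path is covered too, which removes the category. */
int handle_cached_request(const uint8_t *buf, size_t n, int16_t out[MAX_SAMPLES]) {
    audio_chunk c;
    if (!parse_chunk(buf, n, &c)) return -1;
    return decode_audio(&c, out);
}
```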

July 3, 2008 12:59 PM PDT

Mozilla and Opera fix security flaws

by Robert Vamosi

On Thursday, Opera released version 9.51. The new version fixes a few security vulnerabilities and resolves some stability issues. One of the fixes addresses an arbitrary code execution vulnerability that was not previously made public.

Meanwhile, Mozilla released Firefox 2.0.15 with a dozen security fixes, including a few remote-execution vulnerabilities.

Current Firefox 2 users should, however, upgrade to Firefox 3, which includes antimalware protection and other security features.

July 1, 2008 11:28 AM PDT

Researchers: 637 million browser users at risk

by Robert Vamosi

A group of researchers on Tuesday said 637 million Web users are surfing with outdated Internet browsers and are therefore at greater risk of Web-based attacks.

Using data collected from Google Web searches and security firm Secunia, the researchers, Stefan Frei (of ETH, Zurich), Thomas Dübendorfer (Google), Gunter Ollmann (IBM ISS), and Martin May (ETH, Zurich), analyzed browser usage in a new report (PDF). They did so in an effort to understand why so many recent attacks by criminal hackers have been aimed at the browser, and why those attacks have been so successful.

Overall the authors found that roughly 40 percent of users were using insecure versions of Web browsers. Among the least compliant were users of Internet Explorer, which currently dominates the Internet browser market.

The data was collected in mid-June 2008. Browser share was 78 percent Internet Explorer, 16 percent Firefox, 3 percent Safari, and 0.8 percent Opera. Within each group, 52 percent of Internet Explorer users, 92 percent of Firefox users, 70 percent of Apple Safari users, and 90 percent of Opera users were running the latest version.

The authors note that it has taken IE 7, the current Internet Explorer release, 19 months to gain only 52 percent of the entire Internet Explorer audience. Forty-eight percent of the users in the study were either using an old version of IE 7 or still had IE 6 installed.

Some of this has to do with how the respective vendors provide updates. IE 7 is currently offered as an auto-update with each monthly set of Microsoft security patches, yet a number of people are opting out of the upgrade and still running IE 6.

The study did not include use of insecure browser add-ons, such as older versions of Adobe Reader, because the data from Google contained only the browser info.

For mitigation, the study drew comparisons to the food industry: people understand the need to buy the safest foods, so why not browsers? People understand that food is perishable, so why not make Internet browsers display expiration dates? The authors provided an example of a browser that displayed in red in the upper right hand corner "145 days expired, 3 updates missed."

But unlike the food industry there is no liability for software vendors. And, the authors note, software vendors are not legally obligated to provide software updates.

Imagine if the food industry was not accountable for selling spoiled milk.

June 18, 2008 2:52 PM PDT

Firefox 3 suffers its first vulnerability

by Robert Vamosi
Less than one day after its launch, Firefox 3 has a vulnerability.

According to TippingPoint's Zero Day Initiative, the vulnerability, which it rates as critical, was reported within the first five hours of Firefox 3's release.

"Once the vulnerability was verified in TippingPoint's DVLabs and acquired from the researcher, the vulnerability was promptly reported to the Mozilla security team," said a representative.

Although the Zero Day Initiative team does not offer specifics until the vendor has a chance to patch it, the blog post did say this vulnerability, which also affects Firefox 2, requires user interaction and could result in an attacker executing arbitrary code.

Mozilla is reported to be working on a fix.

The Zero Day Initiative has been criticized in the past for paying researchers who find vulnerabilities.

June 17, 2008 10:26 AM PDT

Meet Larry, Firefox's friendly passport officer

by Robert Vamosi

I recently spoke with Johnathan Nightingale, Mozilla's "Human Shield," the man who designed the security interface within Firefox 3. One of the big changes is how Firefox communicates the authenticity of a given site. Located on the left hand side of the address bar is a tiny icon associated with the site. Sites using Extended Verification Secure Sockets Layer (EV SSL) certificates go an additional step.

Nightingale explains: "If you go to PayPal.com, for instance, that will expand out and it'll say PayPal Inc USA, because PayPal is a site that presents this enhanced identity information, and so, because they're presenting it to the browser, we can present it to our users. And if you click that button you get a bunch more information. You get this little site identity pop-up, basically. It'll tell you that this PayPal Inc is located in such and such a place in the United States, and there's even a 'more information' button that'll talk about your history with that site: how many times have you visited it before; all in an effort to help you understand whether this is the site you think it is and what the state of your relationship with that site is.

"Now, as for how Larry figures into all of that--the icon we chose to communicate this identity checking is a passport officer. When you click this icon, which is available on any Web site, whether it has completely verified identity information or no information at all, you can always click the button and find out more about the Web sites that you're interacting with. You'll always see the little passport officer to indicate that we're checking identity credentials right; we're looking into the site; we're trying to verify the information so we can present it to you so that you can make an informed decision about the sites that you're interacting with.

"A lot of sites these days aren't providing any identity information and that's okay. If you don't need to trust them, if you don't need to exchange any confidential information with them, then maybe you don't care if they're identifying themselves. But sites like banks or even government sites for that matter, we're hoping that as more and more of them deploy this extended identity information our users will have a much better sense of who they're interacting with and will develop a confidence that they're on the site they appear to be on."

So how did Larry get his name?

"When I was doing the initial designs we had this passport guy in there, and I was trying to find a way to introduce him to people and to talk about him and stuff. It gets sort of cumbersome to keep talking about the AIGA public domain icons or the passport officer. He just seemed like a friendly guy to me, and Larry seemed like a friendly name. I mean, he's approachable, he's there to watch out for you, so it just made sense. It's not named after anyone in particular, although if there's a Larry out there that wants to claim the title, they're welcome to do so."

My entire interview with Johnathan Nightingale can be heard here.

June 13, 2008 5:55 AM PDT

Firefox 3 won't have 'private browsing'

by Robert Vamosi

Correction at 7:50 a.m. PDT: The spelling of Johnathan Nightingale has been fixed.

At least one security feature won't make it into the final release of Firefox 3 on June 17, Mozilla confirmed again Thursday.

The feature, Private Browsing, would have disabled all caching, cookie downloads, history records, and form data used during the current session. In essence, you could surf the Web and leave no fingerprints.

"It basically said to the browser: I would like what I'm about to do to not be logged anywhere," said Johnathan Nightingale, Mozilla's "human shield," aka its security user interface designer.

He described the private browsing process as this: you hit a button and everything past that point isn't logged. Then, at some point in the future, you hit the button again and it's as though what you just did never happened.

One possible use might be when someone other than the computer owner uses the browser.

"We looked at ways to do this, but the problem is that it touches a lot of code," Nightingale said. "Because there are such rich interactions with Web sites and mashups and things like that, we didn't want to put in something that was half baked."

You can hear more of my interview with Nightingale on my Security Bites podcast here.

June 12, 2008 5:38 AM PDT

Firefox 3 to set download record on June 17?

by Robert Vamosi

Correction on June 13: The spelling of Johnathan Nightingale has been fixed.

On Wednesday, Mozilla announced next Tuesday, June 17, as "Download Day" for Firefox 3. The company also released Firefox 3 release candidate 3 as a final step toward full release.

With Firefox 3, Mozilla is attempting to set a Guinness Book of World Records entry for the largest number of software downloads within a 24-hour period. There is currently no Guinness Book record for that accomplishment.

Firefox 3 includes a new rendering engine, so pages load faster. It also uses fewer system resources, addressing a complaint in earlier versions.

On this week's Security Bites podcast, I spoke with Johnathan Nightingale, Mozilla's "human shield," about the security features within Firefox 3, including its antimalware protection and support for Extended Verification SSL.

The current Firefox 3 release candidate, version 3, can be downloaded for Windows, Portable, Mac, and Linux systems.

June 11, 2008 5:41 AM PDT

Firefox 3 gets a third release candidate

by Robert Vamosi

Updated at 12:30 p.m. PDT on Wednesday with links to the newly debuted release candidate.

If you were planning to host a Firefox 3 launch party this week, keep that bubbly on ice a bit longer.

Mozilla on Wednesday released Firefox 3 Release Candidate 3. Windows and Linux users won't likely feel a thing; the new browser is considered stable on those platforms.

The extra release candidate addresses some lingering issues on the Mac OS X operating system. The changes are internal.

The previous test version, Firefox 3 Release Candidate 2, can also be downloaded for Windows, Portable, Mac, and Linux systems.

June 6, 2008 6:03 AM PDT

Opera 9.5 to include antimalware protection

by Robert Vamosi

On Friday Opera announced that version 9.5 of the browser (download Opera 9.5 beta for Windows or Mac) will include built-in antimalware protection from Haute Secure (download for Windows 32-bit or Windows 64-bit).

This is, of course, to counter the antimalware protection built into Firefox 3, currently available as a final release candidate (download for Windows or Mac). Firefox uses data from Google and StopBadware to block a site before it loads on your browser.

Haute Secure counters that its offering is better because it relies upon a community of dedicated users to inform the product when to block and when not. In testing at CNET, the latest version of Haute Secure still misses some recently published phishing sites, while Firefox 3 RC2 blocked them immediately.

How did that happen? Haute Secure explains that the APIs provided by antiphishing sites such as PhishTank won't update until the site is confirmed to be bad, whereas Google can make that determination on its own. Still, Haute Secure prevents malicious sites (as opposed to mere phishing sites) from loading, and provides more information about those sites than does Firefox 3.

Haute Secure was founded by a group of former Microsoft employees, and its flagship product came out of beta in March.

About Defense in Depth

Covering computer viruses and computer crime, Robert Vamosi goes beyond the hype to provide you with expert interviews of the top security researchers, as well as offering the hands-on, nontechnical advice you'll need to stay safe online.

Add this feed to your online news reader

Defense in Depth topics

Most Discussed



advertisement

Inside CNET News

Scroll Left Scroll Right