Defense in Depth

December 10, 2008 1:08 PM PST

Window Snyder to leave Mozilla

by Robert Vamosi

Window Snyder, Mozilla's chief security something-or-other (her official title), is leaving Mozilla, effective the end of the year.

"I am sad to be leaving," she wrote in her blog on Wednesday, "but I am excited to go work on something I have always been passionate about. I wish I could tell you about it now, but that will have to wait for a while."

In an interview earlier this year, Snyder stressed to me that she wants to bring open-source practices to the security community, and her background certainly supports that passion.

Snyder is the co-author of Threat Modeling, a book about application security. Her security work started at @Stake (now a part of Symantec) before continuing at Microsoft. Later she helped found Matasano Security before landing at Mozilla in September 2006.

Johnathan Nightingale, Lucas Adamski, Brandon Sterne, and Mike Shaver will continue to blog about security at Mozilla in Snyder's absence.

October 24, 2008 12:57 PM PDT

At Mozilla, blowing the lid off security practices

by Robert Vamosi

Window Snyder, Mozilla's chief security something-or-other (her official title), wants to bring open source practices to the security community.

"At a lot of companies," she told me recently, "there's fear around security: you don't want to talk about what you're doing around security because one might deem it not enough--or might want to criticize it." She said most companies have a lot of reasons to keep what they're doing in security quiet, but not Mozilla. "We benefit from being open; it's the model for us and it's been successful for us."

Snyder started her security work at @Stake (now a part of Symantec) then went to Microsoft and later Matasano Security. She describes her journey as moving toward open source with each environment. At Mozilla, makers of the popular Firefox browser, Thunderbird e-mail client, and other open software, she's pretty much at ground zero.

Snyder said the idea of opening up security came about by asking, "What are we doing internally that we can make publicly available to help somebody else in some other project?"

They decided to start out small. "We're starting off with secure programs and practices for C and C++. There is a focus on how to make it useful for a browser, but there is of course a general aspect to this. It's training materials, it's syllabi, exercises, it's a workshop-style class. Hopefully we'll be able to do video as well." The idea is that one employee from a company can attend these workshops and then take the training back home to train even more people.

Johnathan Nightingale of Mozilla echoed this. "It's pretty brittle if there's only one person who is the security guy or gal that always solves a problem. It's better to get that knowledge out there--whether it's working on Mozilla or some other project. By working at understanding the good habits and the bad habits, you've made a huge step forward."

In addition to training sessions, Mozilla will be making a variety of tools available. Last year Mozilla released a protocol fuzzer created by Michael Eddington and a JavaScript fuzzer created by Jesse Ruderman. Further, Mozilla admitted that these tools had found vulnerabilities within Firefox. Matching that openness, Opera reported that the tools had also discovered a flaw within its browser product. Microsoft, maker of Internet Explorer, and Apple, maker of Safari, haven't revealed whether they used the tools to detect any flaws in their products.

Snyder says the security story is often not that a company created a tool that found 14 vulnerabilities in its own product, but that there were 14 vulnerabilities in the product in the first place. "Why would they want to share this tool? Maybe they want to demonstrate how successful it was because it found a vulnerability. That's something that we can do that other companies cannot."

In addition to training and tools, Mozilla wants to talk more about security metrics and threat modeling.

In this video, Window Snyder talks about security metrics.

"Threat modeling is a methodology for identifying security vulnerabilities, for identifying the risks of a security vulnerability within that application," Snyder said. "Making a threat model available shows other development environments how a complex application like Firefox gets deconstructed into threats, along with the mitigations that we've implemented to address those specific threats.

"But it also gets us feedback on whether our mitigations are sufficient. It gets the research community engaged in another point in the development process. Instead of looking for vulnerabilities at the end of the lifecycle, they're able to get involved in the threat modeling process which is between design and implementation, ideally. You want to be able to do it early enough in the process so that you can actually change at the architectural level as the result of threat modeling."

The goal, she said, is to remove whole categories of vulnerabilities. "Here's a pattern, and if we implement one architectural change we can eliminate all these vulnerabilities."

Threat modeling is more theoretical; it's abstract. "So, instead of saying concretely if you do this, that and the other thing, that will result in an actual vulnerability, threat modeling says there is no input validation mechanism, for example. If you send a request this way, you end up bypassing the input validation mechanism and you're sending content, unvalidated, to this audio decoder. That would be scary. So the threat would be: unvalidated content is being passed directly to the audio decoder if it comes in this way. A vulnerability would be: there's an overflow in the audio decoder that an attacker is able to trigger if they craft a URL this way, and because it bypasses the input validation mechanism, all these other mechanisms that would have protected from an exploit are bypassed as well."
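The threat-to-vulnerability chain Snyder sketches, and the kind of single architectural change she describes, as an added C example that is not from the article or from Mozilla. It uses a constructed toy audio frame format: first a decoder that trusts its callers, with one entry point that bypasses validation, then the same decoder with validation moved to its own boundary so that every entry point, present or future, is covered.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed toy format (not Firefox's): byte 0 = sample count, then samples. */
#define MAX_SAMPLES 16
typedef struct { uint8_t samples[MAX_SAMPLES]; size_t n; } Frame;

static bool frame_is_valid(const uint8_t *buf, size_t len) {
    return buf != NULL && len >= 1 && buf[0] <= MAX_SAMPLES
        && len == 1 + (size_t)buf[0];
}

/* BEFORE: the decoder trusts its caller. It is safe only while every entry
 * point remembers to call frame_is_valid() first; the threat is any path
 * that reaches it with unvalidated content. */
static void decode_trusting(const uint8_t *buf, Frame *out) {
    out->n = buf[0];
    memcpy(out->samples, buf + 1, out->n);   /* overflows if n > MAX_SAMPLES */
}
int before_from_network(const uint8_t *buf, size_t len, Frame *out) {
    if (!frame_is_valid(buf, len)) return -1;  /* this path validates */
    decode_trusting(buf, out);
    return 0;
}
int before_from_url(const uint8_t *buf, size_t len, Frame *out) {
    (void)len;                                 /* this path forgot: the bypass */
    decode_trusting(buf, out);
    return 0;
}

/* AFTER: one architectural change. Validation moves inside the decoder, so no
 * entry point, present or future, can reach the copy with unvalidated input. */
int decode_frame(const uint8_t *buf, size_t len, Frame *out) {
    if (!frame_is_valid(buf, len)) return -1;
    out->n = buf[0];
    memcpy(out->samples, buf + 1, out->n);
    return 0;
}
int after_from_network(const uint8_t *buf, size_t len, Frame *out) {
    return decode_frame(buf, len, out);
}
int after_from_url(const uint8_t *buf, size_t len, Frame *out) {
    return decode_frame(buf, len, out);
}

/* Constructed inputs: a well-formed 3-sample frame, and a frame whose declared
 * count (200) exceeds MAX_SAMPLES. Only the AFTER paths are ever fed BAD. */
const uint8_t GOOD[] = {3, 10, 20, 30};
const uint8_t BAD[]  = {200, 1, 2, 3};
Frame scratch;
```

In the BEFORE design the bug is in the URL path, not in the decoder; in the AFTER design the same missing call simply cannot happen, which is what "removing a whole category" means here.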

She concludes that the training, the tools, and the threat modeling are "good for peer reviews, it's good for testers, it's good for developers." She sees it as delivering on a promise "to make the Web more secure."

Mozilla has been steadily demonstrating how open source projects can make money without betraying their community goals. At Mozilla, she says "we absorb the costs in criticism and we tolerate that in security because the benefit for us far outweighs everything else."

July 3, 2008 12:59 PM PDT

Mozilla and Opera fix security flaws

by Robert Vamosi

On Thursday, Opera released version 9.51. The new version fixes a few security vulnerabilities and resolves some stability issues. One of the fixes addresses an arbitrary code execution vulnerability that was not previously made public.

Meanwhile, Mozilla released Firefox 2.0.15 with a dozen security fixes, including a few remote-execution vulnerabilities.

Current Firefox 2 users should, however, upgrade to Firefox 3, which includes antimalware protection and other security features.

June 17, 2008 10:26 AM PDT

Meet Larry, Firefox's friendly passport officer

by Robert Vamosi

I recently spoke with Johnathan Nightingale, Mozilla's "Human Shield," the man who designed the security interface within Firefox 3. One of the big changes is how Firefox communicates the authenticity of a given site. Located on the left-hand side of the address bar is a tiny icon associated with the site. Sites using Extended Verification Secure Socket Layers (EV SSL) go an additional step.

Nightingale explains: "If you go to PayPal.com, for instance, that will expand out and it'll say PayPal Inc USA because PayPal is a site that presents this enhanced identity information, and so, because they're presenting it to the browser, we can present it to our users, and if you click that button you get a bunch more information. You get this little site identity pop-up, basically. It'll tell you that this PayPal Inc is located in such and such a place in the United States, and there's even a 'more information' button that'll talk about your history with that site: how many times have you visited it before; all in an effort to help you understand whether this is the site you think it is and what the state of your relationship with that site is.

"Now, as for how Larry figures into all of that--the icon we chose to communicate this identity checking is a passport officer. When you click this icon, which is available on any Web site, whether it has completely verified identity information or no information at all, you can always click the button and find out more about the Web sites that you're interacting with. You'll always see the little passport officer to indicate that we're checking identity credentials right; we're looking into the site; we're trying to verify the information so we can present it to you so that you can make an informed decision about the sites that you're interacting with.

"A lot of sites these days aren't providing any identity information and that's okay. If you don't need to trust them, if you don't need to exchange any confidential information with them, then maybe you don't care if they're identifying themselves. But sites like banks or even government sites for that matter, we're hoping that as more and more of them deploy this extended identity information our users will have a much better sense of who they're interacting with and will develop a confidence that they're on the site they appear to be on."

So how did Larry get his name?

"When I was doing the initial designs we had this passport guy in there and I was trying to find a way to introduce him to people and to talk about him and stuff. It gets sort of cumbersome to keep talking about the AIGA public domain icons or passport officer. He just seemed like a friendly guy to me and Larry seemed like a friendly name. I mean he's approachable, he's there to watch out for you, so it just made sense. It's not named after anyone in particular, although if there's a Larry out there that wants to claim the title they're welcome to do so."

My entire interview with Johnathan Nightingale can be heard here.

June 13, 2008 5:55 AM PDT

Firefox 3 won't have 'private browsing'

by Robert Vamosi

Correction at 7:50 a.m. PDT: The spelling of Johnathan Nightingale has been fixed.

At least one security feature won't make it into the final release of Firefox 3 on June 17, Mozilla confirmed again Thursday.

The feature, Private Browsing, would have disabled all caching, cookie downloads, history records, and form data used during the current session. In essence, you could surf the Web and leave no fingerprints.

"It basically said to the browser: I would like what I'm about to do to not be logged anywhere," said Johnathan Nightingale, Mozilla's "human shield," aka its security user interface designer.

He described the private browsing process as this: you hit a button and everything past that point isn't logged. Then, at some point in the future, you hit the button again and it's as though what you just did never happened.

One possible use might be when someone other than the computer owner uses the browser.

"We looked at ways to do this, but the problem is that it touches a lot of code," Nightingale said. "Because there are such rich interactions with Web sites and mashups and things like that, we didn't want to put in something that was half baked."

You can hear more of my interview with Nightingale on my Security Bites podcast here.

June 12, 2008 5:38 AM PDT

Firefox 3 to set download record on June 17?

by Robert Vamosi

Correction on June 13: The spelling of Johnathan Nightingale has been fixed.

On Wednesday, Mozilla announced next Tuesday, June 17, as "Download Day" for Firefox 3. The company also released Firefox 3 release candidate 3 as a final step toward full release.

With Firefox 3, Mozilla is attempting to set a Guinness Book of World Records entry for the largest number of software downloads within a 24-hour period. There is currently no Guinness Book record for that accomplishment.

Firefox 3 includes a new rendering engine, so pages load faster. It also uses fewer system resources, addressing a complaint in earlier versions.

On this week's Security Bites podcast, I spoke with Johnathan Nightingale, Mozilla's "human shield," about the security features within Firefox 3, including its antimalware protection and support for Extended Verification SSL.

The current Firefox 3 release candidate, RC3, can be downloaded for Windows, Portable, Mac, and Linux systems.

June 11, 2008 5:41 AM PDT

Firefox 3 gets a third release candidate

by Robert Vamosi

Updated at 12:30 p.m. PDT on Wednesday with links to the newly debuted release candidate.

If you were planning to host a Firefox 3 launch party this week, keep that bubbly on ice a bit longer.

Mozilla on Wednesday released Firefox 3 Release Candidate 3. Windows and Linux users won't likely feel a thing; the new browser is considered stable on those platforms.

The extra release candidate addresses some lingering issues on the Mac OS X operating system. The changes are internal.

The previous test version, Firefox 3 Release Candidate 2, can also be downloaded for Windows, Portable, Mac, and Linux systems.

May 28, 2008 3:11 PM PDT

Will Firefox 3 set a new world record?

by Robert Vamosi

Mozilla hopes to set a world record for the most downloads within a 24-hour period on the day Firefox 3 is released (currently expected to be in June).

The online edition of Guinness Book of World Records does not list a current record for most downloads within 24 hours.

The final release candidates for Firefox 3 are showing a number of improvements, including greater rendering speed, the use of fewer resources, and more baked-in security features than other browsers.

To help Mozilla set a world record, the foundation recommends the following:

To get people excited, Mozilla has provided a map showing pledges to date along with more details.

April 18, 2008 1:07 PM PDT

PayPal considers blocking browsers

by Robert Vamosi

PayPal is seriously considering blocking some browsers from accessing its site, according to a paper (PDF) available to shareholders.

Titled "A Practical Approach to Managing Phishing," the paper admits that there's no one silver bullet to prevent fraudsters from making money on the Internet. However, authors Michael Barrett, PayPal's chief information security officer, and Dan Levy, the company's senior director of risk management for Europe, say companies could and should start addressing five specific areas:

  1. Prevent fraudulent e-mail from getting into users' in-boxes

  2. Prevent phishing sites by shutting them down

  3. Authenticate users so that stolen credentials can't be used on PayPal

  4. Prosecute fraudsters to the full extent of the law

  5. Focus on brand and consumer recovery

Of these, the paper focuses mainly on e-mail prevention and phishing-site blocking. For e-mail prevention, the authors cite Yahoo Mail as an example and point to its use of DomainKeys to tell legitimate mail from illegitimate mail marked as coming from PayPal.

Most controversial is the idea of blocking "unsafe" browsers, or browsers that do not currently include antiphishing tools. PayPal says it would first notify users when they log in if they are using an unsafe browser. Later, PayPal would simply block the use of the browser entirely.

PayPal is interested in enforcing new Extended Verification SSL certificates used by Internet Explorer 7 and the upcoming Mozilla Firefox 3. EV SSL highlights the address bar in green when the site has been certified. Other browsers, such as Apple Safari and Opera, do not currently include these protections.

Browsers not on the desktop could also be barred. On Monday, researchers cited the Apple Safari browser on the iPhone and Nintendo's use of Opera on its DS and Wii gaming systems as lacking adequate antiphishing protection.

January 30, 2008 10:02 AM PST

Mozilla fixes Firefox's flat add-on vulnerability

by Robert Vamosi

The security team at Mozilla has fixed the flat add-on vulnerability acknowledged last week. However, no decision has been made on when Firefox 2.0.0.12 will be pushed out to users' desktops.

The vulnerability, known formally as the "chrome protocol directory traversal," occurs when a "flat" add-on is present. In this case, an extension to the browser stores its information within JavaScript files as opposed to JAR files. Window Snyder, Mozilla's chief of security, says the vulnerability is not within the browser, but in how the extensions are written.

An attacker exploiting this flaw may be able to retrieve data or profile a compromised system.

Extensions such as Greasemonkey and Download Statusbar were initially mentioned. However, the current list of affected extensions provided by Mozilla is much longer.
