Web surfers eyeing Mozilla-based browsers as a safer alternative might want to wait a week before making the switch.
That's because the Mozilla Foundation, an open-source browser development group in Mountain View, Calif., has acknowledged a pair of serious flaws in the way its browsers handle certificates, the digital documents that let you verify a Web site's identity.
Mozilla said its engineers were caught off guard by the vulnerabilities, since the code in question dates back to the open-source browser's proprietary progenitor, Netscape.
"The security code has been around for six or seven years, so all the serious bugs got worked out in the Netscape 4.0 time frame," said Chris Hofmann, the Mozilla Foundation's director of engineering. "We haven't seen anything serious in quite some time, so this is a surprise."
The certificate-handling flaws come at an awkward time for the Mozilla Foundation, just as security experts are promoting its browsers, along with Opera and others, as safer alternatives to Microsoft's dominant Internet Explorer software.
While Mozilla and other IE competitors claim to have a fundamentally more trustworthy security model, they have also acknowledged that Microsoft gets targeted for more security exploits simply because it is the market leader.
If Mozilla and other second-tier browsers gain market traction, that dynamic could shift.
The first of the two certificate bugs, posted to the Web and to the Bugtraq security mailing list by researcher Emmanouel Kellinis, could let a malicious Web site author trick a visitor into thinking the site was a trusted site, like that of a bank or mainstream company.
The problem has to do with a standard mechanism for pulling in content from Web sites other than the one the surfer has visited.
Normally, when a trusted Web site pulls in such third-party content, it goes into the browser cache, and the browser alerts the surfer by changing a security icon shaped like a key into a broken key.
But a problem with the Mozilla caching system makes it possible to keep that key unbroken even while importing content from other sites, and for the malicious site to display the security certificates from the trusted site.
That could help a malicious site author convincingly impersonate a trusted site like eBay or the Bank of America, a security situation ripe for credit card or identity theft schemes.
The flaw also means a forged certificate could end up corrupting an authentic one, so that someone visiting the trusted site would be denied access.
Mozilla said it was still deciding whether it would release stand-alone patches or simply issue the fixes with upcoming versions of the browsers. Current Mozilla-based browsers include Mozilla 1.7.1 and Firefox 0.9.2.
Mozilla expects to have either patches or new versions of the browsers available in about a week.