normal_post - Firefox 3 Secures Extensions  - Technology Author Topic: Firefox 3 Secures Extensions  (Read 495 times)

G@Len

  • INTERN
  • **
  • avatar_275 - Firefox 3 Secures Extensions  - Technology
  • Posts: 668
  • wabodu badah!
    • Share Post
xx - Firefox 3 Secures Extensions  - Technology
Firefox 3 Secures Extensions
« on: September 23, 2007, 04:18:51 PM »
Source: www.internetnews.com

September 20, 2007
Firefox 3 Secures Extensions
By Sean Michael Kerner

Among the many reasons why Mozilla's Firefox browser has become popular is the fact that it's relatively easy to build and install add on extensions for it. That ease of extensibility however has a potential dark side to it.

Those same extensions that add power to Firefox, generally speaking, could arguably represent a security risk as well. It's a security gap that Mozilla is now plugging with its Alpha 8 development release of its next generation Firefox 3 browser.

In terms of add-on extension security, Firefox 3 Alpha 8 is specifically targeting the updating of add-ons to make that process more secure.

Mozilla spells out the issue in its guide on the new extension security:

"Firefox currently automatically checks for updates to add-ons using a url specified in the add-on's install manifest. Currently there are no requirements placed on these urls. In particular, neither url is required to be https. This allows either the update manifest or the update package to be compromised, potentially resulting in the injection of malicious updates. A demonstration of one form of compromise is already public."

The new extension security feature will aim to secure updates by a number of mechanisms including using SSL (define), and digital signatures that help to verify the identity and authenticity of the add-on's author. The general idea is that by ensuring that both the update mechanism and integrity of the update package are properly secured, overall safety will be improved.

There still might well be other issues that Mozilla will need to tackle in order to further improve add-on security though.

"It should be stressed that this feature is targeted at ensuring the security of updates to add-ons and has no impact on the security of initial add-on installs," Mozilla admits in its guide.

The Alpha 8 build is what Mozilla considers to be an early developer milestone and is not intended for the general public. In fact one of the rough edges in Firefox 3 Alpha 8 will actually prevent it from launching on Windows Vista if parental controls are enabled.

Mozilla developers have also not yet added in the fix for the QuickTime cross-scripting flaw that was fixed in the mainline Firefox 2.0.0.7 release which came out earlier this week.

Firefox 3 is Mozilla's next generation browser and has been under development since October of 2006 when the first Firefox 3 alpha appeared. Mozilla is currently releasing new milestones every 6 weeks for Firefox 3 with final development expected sometime in 2008.

Linkback: https://tubagbohol.mikeligalig.com/index.php?topic=4923.0
blackeye@rybnet.pl | hitmemore@nutdrug.ru | ringme@comision1135.com.ar | black.rossy@pillmathe12l.ru | indosat@defdrug.ru | isumbong@sonda.co.kr



Share via facebook Share via linkedin Share via pinterest Share via tumblr Share via twitter

xx
Use those extensions (Tip 23)

Started by Ligalig-Mike on Technology

0 Replies
780 Views
Last post June 02, 2007, 08:55:49 PM
by Ligalig-Mike
 

SMF spam blocked by CleanTalk
Powered by SMFPacks SEO Pro Mod | Sitemap
Mobile View
SimplePortal 2.3.7 © 2008-2019, SimplePortal