Firefox 3 edges closer to release, with the fourth and final beta of the web browser out "in a couple of weeks", according to Mozilla's vice president of engineering, Mike Schroepfer.
The final Firefox 3 beta release will address issues including memory usage and cross-site XML HTTP requests. Memory usage has been improved in the final release version of Firefox 3 by rewriting "big chunks of the core Firefox code" and tuning the core scripting engine, according to Schroepfer.
Talking to ZDNet.co.uk on Monday, Schroepfer said that security had also been beefed up in Firefox 3. A major security concern for browser developers is browser susceptibility to cross-site scripting attacks (XSS), where code that can exploit browser vulnerabilities is injected into web pages.
Firefox 3 has secure cross-site XML HTTP requests, based on an emerging standard Mozilla, Google and others are developing, said Schroepfer. The standard allows websites to securely exchange information, he added. Essentially whitelists, cross-site XML HTTP request capabilities in browsers negate the need to embed iFrames in websites, which can be exploited, said Schroepfer.
"People are building sites but they're using hacks, including the site having embedded iFrames," said Schroepfer. "People are building complicated [web-facing] mashups, but big sources of attacks are cross-site scripting bugs or problems with implementation."
As well as including secure cross-site XML HTTP requests, Schroepfer said that the final version of Firefox 3 will have anti-malware capabilities. Firefox 3 will block web access to sites blacklisted by StopBadware.org, an organisation contributed to by Google and Mozilla, which lists potentially compromised websites.
"[Firefox] will check against the local list to make sure the URL isn't on the [StopBadware.org] blacklist," said Schroepfer.
This capability is already in the current beta version of the browser, Firefox 3 beta 3. Schroepfer said that a "couple of weeks ago" the blacklist utility had a real-world test when the Firebug site got hacked.
"Firebug, the Mozilla debugging website, got hacked, with malware [injected] on the site," said Schroepfer. "Firefox blocked access to the site, which we thought initially was a bug in Firefox. Actually, it really worked."
Schroepfer added that the third beta of Firefox 3 had proved popular, saying it had gained half a million active users since its release on 12 February.
When Mozilla started to develop Firefox 3, Schroepfer said the organisation had started an in-depth security review process, with "security experts" and Mozilla developers going through each new feature in detail to discuss possible attack vectors and privacy implications of Firefox features.





Talkback
Hi - just a quick correction from StopBadware. The dynamically-updating list of bad sites used by Firefox 3 is generated by Google, not by StopBadware. More information on the partnership is here:
http://blogs.stopbadware.org/articles/2007/11/15/stopbadware-mozilla-and-google
thanks,
Erica George
StopBadware staff
Hi Erica,
The way I see it is that Mozilla, Google and others contribute to the blacklist that StopBadware maintains, which is why I wrote:
"Firefox 3 will block web access to sites blacklisted by StopBadware.org, an organisation contributed to by Google and Mozilla, which lists potentially compromised websites."
Mozilla, Google and others each separately compile a list of possible compromised sites, they give those lists to StopBadware, you guys collate the list, then Mozilla, Google and others take that blacklist and enforce it.
While you guys also act as negotiators to deal with webmasters who feel their sites should not have been blacklisted, the focus of the article was security in Firefox 3, so I didn't feel that needed to be mentioned.
Best wishes,
Tom
Hi Tom,
Actually, that's not how it works now, though it's possible that may be how we'll work it some time in the future as we add more data partners. Right now, Firefox gets its list directly from Google - Mozilla doesn't get any website data from us. We get our list directly from Google, too. We're not the data broker between the two companies. Our role in Google's and Mozilla's warnings is in providing information and education to internet users & webmasters who see the warnings, and in providing one of the options for requesting a review (the other being directly with Google).
I agree our role isn't a focus of the article, which is why this is just a small note of clarification. We just try to keep it clear as much as possible who provides what data where, since it can be confusing, and we've found that the more average users understand about what actually happens, the better they feel about the process as a whole and the more they are likely to understand that, while encountering a warning in Firefox may be inconvenient, it's actually helpful.
Erica