Firefox security strategy (was: Firefox goodies)

Bill McGonigle bill at bfccomputing.com
Thu Dec 29 18:10:01 EST 2005


On Dec 29, 2005, at 16:04, Ben Scott wrote:

>   Then again, I don't really *know* anything about Firefox's
> internals; I've just read blurbs and articles here and there.  Maybe
> most of what I want is already there.

Firefox does have some limitations on JavaScript.  For instance, I 
recently read an article on using an XML proxy on your server to do
interesting things with AJAX because most JavaScript implementations
won't let you open an XMLHttpRequest to a server other than the one the
script came from.  So, if you want to do, say, Amazon lookups using web 
services, you can't go right to Amazon - you have to proxy through your 
server.  This has all sorts of implications for services that limit 
transaction counts per IP per day and so you can't do certain classes 
of useful things.

In the same way you can't open up a file:/// URL and POST it to a 
server.  There are probably good reasons for being able to do these 
kinds of things in certain situations, but Mozilla would rather just 
throw down the gauntlet than try to enforce security around ACLs,
especially using a language like C++ to do this safely and robustly.  
Java takes the signed-code approach which makes hard things barely 
possible.

Keep in mind, things like 'pop-up blockers' are really just guards 
against certain JavaScript features succeeding in certain situations - 
not unlike the list of preferences you posted.  And when did a pop-up 
blocker first make it into Mozilla?  3 or 4 years ago, maybe.  I seem to
recall some flavors of Mozilla don't let you obscure the window 
controls and other things site designers would rather you do.

Anyway, I would argue your list of preference settings for JavaScript 
would be a better set of defaults than what they ship today.  The 
trouble is they're trying to compete with IE on IE's terms and, well, 
users hate security, almost as much as they hate data loss.  For 
instance, I know many people who have stopped getting security updates 
on Windows because they didn't notice the Info bar that says that 
microsoftupdate is trying to install an ActiveX control.  A weak GUI,
sure, but people would just rather let the good guys have control and 
assume the bad guys aren't out to get them.  So maybe Mozilla's 
strategy here is errant.

Which gets to the heart of the matter - a browser like IE was built 
with running OLE controls on the local CPU in mind.  Firefox was built 
with letting things like that happen only in the event of a 
catastrophic bug.  Guess which one has a zero-day exploit today for the 
same thing that was supposedly patched in the past few months?

And then we have the Mozilla/VMware Browser Appliance, a totally
tangential approach:
   http://blog.bfccomputing.com/index.php?p=100

-Bill

-----
Bill McGonigle, Owner           Work: 603.448.4440
BFC Computing, LLC              Home: 603.448.1668
bill at bfccomputing.com           Cell: 603.252.2606
http://www.bfccomputing.com/    Page: 603.442.1833
Blog: http://blog.bfccomputing.com/
VCard: http://bfccomputing.com/vcard/bill.vcf
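
The same-origin restriction on XMLHttpRequest and the proxy-through-your-own-server workaround described in the message above, as an added example that is not part of the original post. All hostnames and function names are constructed for illustration, and the upstream allowlist on the proxy is an assumption about how such a proxy would be configured.

```javascript
// Added example, not code from the original post. Hostnames are constructed.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Origin tuple (scheme, host, port) that gets compared. Returns null for
// schemes such as file: that have no network origin.
function originOf(urlString) {
  const u = new URL(urlString);
  if (!(u.protocol in DEFAULT_PORTS)) return null;
  return `${u.protocol}//${u.hostname}:${u.port || DEFAULT_PORTS[u.protocol]}`;
}

// The check the post describes: a script may only open a request to the
// origin its page came from. Relative targets resolve against the page URL.
function isSameOrigin(pageUrl, targetUrl) {
  const page = originOf(pageUrl);
  const target = originOf(new URL(targetUrl, pageUrl).href);
  return page !== null && page === target;
}

// Server-side half of the workaround: the proxy on the page's own server
// forwards only to upstreams it was configured for (assumed allowlist),
// so it cannot be used as an open relay.
const ALLOWED_UPSTREAMS = new Set(["https://webservices.example.com:443"]);

// Returns the normalized upstream URL to fetch, or null to refuse.
function proxyTarget(proxyRequestUrl) {
  const wanted = new URL(proxyRequestUrl).searchParams.get("url");
  if (wanted === null) return null;
  let origin;
  try {
    origin = originOf(wanted);
  } catch {
    return null; // not a parsable absolute URL
  }
  if (origin === null || !ALLOWED_UPSTREAMS.has(origin)) return null;
  return new URL(wanted).href;
}
```
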



