Mozilla Corp. is considering adding a tool to Firefox 3.0 that would automatically block Web sites thought to harbor malicious downloads, but the company's security chief refused to spell out details, saying Mozilla is "not ready to talk about the feature."
Even so, there are numerous details to be found on a blog by a Firefox designer and in a back-and-forth discussion of the feature in Bugzilla, the management system that Mozilla uses to track changes in its software. Together, the two offer a behind-the-scenes look into Mozilla's open-source development process.
"Similar to how Firefox 2 blocks Web sites that are potentially going to try to steal your personal information, Firefox 3 will block Web sites that we believe are going to try to install malicious programs on your computer," said Alex Faaborg, a user experience designer, in a blog entry last week. "Mozilla is coordinating with Google on this feature."
And in a Bugzilla entry that offers comments from Mozilla and Google employees -- including Chris Hofmann, Mozilla's director of engineering, and Mike Shaver, its director of ecosystem development -- information is even more free-flowing about malicious site blocking in the next major update to Firefox.
The discussion centers on how Firefox 3.0 will warn or alert users to a potentially malicious site. Faaborg mocks up a warning notice, then someone else offers up another option entitled "Scarier error page". But at times the thread lingers on technical issues.
"If a site does not appear in the blacklist but the response from Google says 'this is a malware site,' will Firefox stop showing the page immediately and load this error page in its place?" asked Jesse Ruderman, a PhD student at the University of California, San Diego, and an unpaid Firefox developer.
"I think the plan for malware is to only use the local lists so we don't have to slow down page load or unload a page (which would probably be too late anyway)," replied Tony Chang, one of the Google software engineers who works full-time on Firefox.
"This is an example of how development goes on [at Mozilla]," said Window Snyder, the company's chief security officer. "This is a great example of working with the [open-source] community" in a give-and-take atmosphere where ideas are batted back and forth, she added.
Still, she wouldn't commit Mozilla to adding a malicious blocking tool to the anti-phishing filter already present in Firefox. "It's definitely one of the things we're looking at," Snyder acknowledged, while noting that the feature is currently rated P2 (Priority 2). By Mozilla's definitions, only P1 features are mandatory for Firefox 3.0.
If the security tool makes it into Firefox 3.0's final build, Mozilla will rely on long-time partner Google to provide the blocking blacklists. Google already does that for Firefox 2.0's anti-phishing feature, which is powered by the search giant's open-source "Safe Browsing" code. (Safe Browsing was offered as a separate plug-in for Firefox before Version 2.0, then baked into the Google Toolbar for Firefox.)
But comments made by developers, designers and others on Bugzilla show that Mozilla has questions about the Google technology. "Will the google malware blacklist include sites that are known to be exploiting just Firefox, or IE, or all browsers?" queried Chris Hofmann. "Do we need to make that distinction and/or communicate it to the user so we don't overstep our bounds?"
"What we are actually doing here is giving Google veto power over any web page. Hmm..." added Gervase Markham, a lead developer for Bugzilla.
Google warns its search engine users of potentially dangerous sites with an interstitial page. Google's current blacklists, and presumably those downloaded to Firefox browsers, come from StopBadware.org, a group created by Google, Chinese computer maker Lenovo Group Ltd., and Sun Microsystems Inc. that collects flagged URLs. Some Web sites, however, including one associated with an educational service center in Kansas, have complained that Google erroneously blocks their sites.
No other browser currently includes an integrated tool for blocking sites flagged for downloading malicious code. When asked if Mozilla sees this as a chance to pull away from the competition, Snyder said: "We're always looking for ways to keep our users safe."
Mozilla's developers have until mid-July to add the feature to Firefox 3.0. According to Mozilla's development schedule, the browser will be feature-frozen for Beta 1 on July 17.
That urgency was communicated by at least one Bugzilla commenter. "Alex's design depends on being able to render error messages as he mocked up, which I'd love to see, but am not sure we can do," said Mozilla's Mike Beltzner. "We need to scope & determine that feasibility pretty damned quickly, IMO."