Tuesday, March 13, 2007
Firefox 3 Public Beta Due In Spring
Mozilla plans to release a public beta of Version 3 of its Firefox browser in late spring, with added features to include standardised support for running Web apps like mail and office suites when disconnected from the Internet. The new version will also offer Places, a revamped bookmarks and history manager that was bumped from the current version of Firefox, Version 2.
Mozilla expects to ship the final version of Firefox 3, codenamed Gran Paradiso, in the autumn, said Brendan Eich, chief technical officer for Mozilla.
Users of Web applications like Gmail, Yahoo Mail, Google Docs & Spreadsheets, or Google Apps Premier Edition will be able to download their data, disconnect from the Internet, and work offline, if the application publishers make a few simple changes to their code to comply with Firefox 3's APIs for running applications offline.
Offline operation would help users looking for alternatives to expensive Microsoft Office and other desktop applications. Many vendors offer online, browser-based alternatives to Office, including the previously mentioned Google apps, as well as software from companies like Zoho and Ajax13. But the problem with those applications is they currently require users to have an Internet connection.
Firefox's current strategy is reminiscent of a failed strategy by Netscape Communications, more than 10 years ago, to make the operating system irrelevant by building an OS within the browser.
But it's different this time around, in that Mozilla isn't seeking to make an entire operating system within the browser, just enough to run Web apps. And users are now seeking technology that will allow them to run applications on their own data without being tied to a single computer, Eich said.
Firefox is based on open source Netscape code.
Places is a revision to bookmarks and history functionality. Rather than storing bookmarks and history in flat files, as Firefox does now, the data will be stored in a SQLite database.
Places will automatically organise bookmarks, as an aid to users who find it difficult to organise and find their bookmarks on their own. For example, Firefox will automatically generate a folder containing all of a user's most-frequently-visited sites, Eich said.
The Mozilla Wiki describes other plans for Firefox 3, including automatic synching of browser bookmarks with bookmarking services such as del.icio.us and Shadows, improved tabbed browsing and an improved password manager.
Firefox has been downloaded more than 300 million times since its initial, 9 November 2004 release, but in January it lost market share for the first time in more than a year.
Further out, Mozilla is looking to add support for more advanced 2-D Web applications that now require proprietary Flash, and, even further out, 3-D Web applications, for data visualisation, games like World of Warcraft, and virtual worlds like Second Life.
Mozilla wrestles with Firefox 3.0 security moves
Mozilla is still wrestling with adding a security feature to Firefox that its browser rival, Microsoft's Internet Explorer 7, uses on Windows Vista to keep malware from hijacking computers.
In Vista, IE7 uses a technique Microsoft calls Protected Mode -- another name for "low rights" -- that blocks disk access to all but a temporary-files folder. The idea is that if an exploit -- a drive-by download, for instance -- attacks IE7 through a browser vulnerability, it can't install code on the PC's drive.
Last October, after Firefox developers had spent several days at Microsoft's Redmond, Wash., headquarters with the Vista team, a Mozilla engineer said they had come away with thoughts on how Firefox might take advantage of Vista's low-rights features. "We spent a while talking to members of both the UAC team and the IE team about ideas on how to structure our app for the lowest permission level," Vladimir Vukićević wrote at the time in a blog entry.
Now, however, Mozilla seems uncertain about whether that security strategy is smart.
"We're still trying to figure out the mechanics of what we can do and we can't do," acknowledged Mike Conner, director of Firefox development. "And there are two sides to this idea of Protected Mode. Microsoft said it's not a complete security sandbox, and some people are saying if [attackers] can work around it, it's not worth doing.
"The big thing for me is where we draw the convenience vs. security line," he added.
Conner argued that some of Vista's security provisions, including User Account Control (UAC) and low-rights modes, can be sidestepped to one degree or another and only get in the user's way. Last month, for instance, a Symantec researcher published a paper detailing how Vista's UAC could be spoofed by attackers.
"There's a lot of academic research coming out now that [some of these things] don't work," said Conner. "We may end up taking the 'safe enough' approach and implement that."
Firefox 3.0, code-named Gran Paradiso for now, will sport beefed-up security when it's unveiled as a final release in the second half of this year. Exactly what form that security will take, however, remains uncertain. "There are a lot of things that we can do on security," said Conner, "but we're still in the discussion phase. None of what we're talking about will take a long time to implement."
The current Firefox 3.0 planning document lists security additions in password and antifraud areas, as well as enhancements to the user interface to make it easier for Web surfers to tell the browser's security status or the validity of a site's certificate.
"We want to create a more effective security UI," said Conner. "The main thing is to figure out who isn't looking at the current clues" for valid certificates. He said some of these UI additions will appear in the Alpha 4 or Alpha 5 editions of Gran Paradiso. (The browser reached Alpha 2 about a month ago.)
The newest production version of Firefox -- 2.0.0.2, which was released late last month -- is "100 percent compatible with Vista," according to Conner.
Thursday, March 01, 2007
Mozilla Firefox Wins Anti-Spam Award
The other entrants in this popular category were Norton Internet Security 2007, Vanquish’s vqME, Bullguard’s Internet Security, and the Apache SpamAssassin Project’s SpamAssassin.
The upgraded Firefox browser has built-in phishing protection, which is turned on by default. It checks sites against either a local or online list of known phishing sites, which are authentic-looking Web sites set up by scammers to trick users into entering personal financial information. The list is automatically updated.
Users point to Firefox’s speed, stability, highly customizable interface and open code base. Firefox also has the ability to block those ultra-annoying pop-up windows.
Firefox users tout the fact that it is not integrated with Windows, which helps prevent viruses and hackers from causing damage if they somehow manage to compromise the browser. Firefox doesn't support VBScript and ActiveX, two technologies that allow many IE security holes. Additionally, no spyware/adware software can automatically be installed in Firefox when users inadvertently visit an infecting site. The open source browser also gives users complete control over cookies.
“Firefox's anti-phishing features are a welcome addition to the browser and have been solidly implemented,” enthuses Leslie Franke, a systems analyst at the Goodyear Tire & Rubber Co., in Akron, Ohio. Franke has used Firefox as her default browser since the summer of 2003, when it was operating under the name Firebird. “There is no question that anti-phishing features are desperately needed in all browsers and Firefox is at the head of the pack.”
Franke says she especially likes that Firefox enables phishing filters by default and that “the steps taken when a phishing site is found are straightforward and easy to understand.”
Mitch Keeler, a resident of Vernon, Texas, who runs a site called Firefox Facts, has used the browser for over three years. Keeler says the anti-phishing features are a plus for less experienced Internet users.
“The phishing protection feature warns Firefox users when they stumble upon suspected phishers, and offers to take them off the Web page or to a Web page where they can find what they are really looking for via search,” he says.
Firefox vs. Internet Explorer
How does Firefox stack up against Microsoft’s Internet Explorer? Last November, software testing firm SmartWare released a report based on tests it conducted on the Firefox 2.0 and IE7 browsers, both of which include new technology to help flag and block phishing sites.
In a third-party test that pitted the browsers against two weeks' worth of phishing sites, the results indicated that Firefox's phish “net” may have fewer holes than IE's. Firefox blocked 243 phishing sites that IE7 overlooked, while IE7 blocked 117 sites that Firefox did not, according to the report.
But Craig Roth, vice president at technology research firm Burton Group, said people should not put too much stock in one test.
“It's a matter of how it’s keeping up with attacks over time that is important,” says Roth.
He says people have long paid attention to Firefox because it has a certain David and Goliath element to its story. Where the browser will prove its merit in the future, says Roth, lies in Mozilla’s ability to stay on top of the security features it has implemented.
“It’s the infrastructure and the people behind it who track where attacks are coming from that give this [Firefox’s anti-phishing features] its value. So if the technology feature is there to check certain websites against a blacklist, that alone doesn’t do anything. It's the blacklist that has to be continually updated,” he observes.
Firefox 3.0 opens door to web apps, Mozilla says
When Firefox 3.0 is released later this year, the open-source browser is likely to contain a host of new features, including offline support for web applications and new bookmark and search features. Mozilla released the second alpha version of Firefox 3.0 earlier this month.
While the final feature set hasn't been determined, Firefox 3.0 will also contain elements for its 4.0 release and beyond, says Mike Schroepfer, vice president for engineering for Mozilla, during a stop in London. The browser is due out in the second half of the year.
"What we're trying to do with all of these things is lay the foundation," Schroepfer says.
Perhaps most exciting could be Firefox's ability to support writing an email in, for example, Gmail while offline, with the data sent later when a user is connected to the internet again. Ultimately, Mozilla engineers are aiming for an integration between the browser and web-based services that is as smooth running as a desktop application, says Schroepfer.
So far, engineers have made Firefox work with Zimbra, an open-source email, messaging and VoIP (voice over Internet Protocol) application. With a bit of code from Google and Microsoft, it would be possible to integrate with Gmail and Hotmail and other email services.
To do offline support, engineers have overcome the hurdle of how to store data locally on the computer, Schroepfer said. The feature will make it into Firefox 3.0, although the user interface is still under development, he says.
Other changes could come to "bookmarks" and "history," two features that have seen relatively little innovation, he says. Mozilla would like to create a function where bookmarks could be automatically sorted based on popularity and frequency rather than the static presentation now.
Firefox 3.0 will also have a small, embedded database — SQLite — that will eventually be used for full-text indexing of the browser's "history." Users could search for images and text and see the cached page. The feature, however, may not make it into the 3.0 release, he says.
"The advantage of the database is that we can search your cache," says Schroepfer.
Most importantly, Firefox has to be fast and standards compliant, he says. Some users have complained about Firefox sucking up processing power because of add-ons or extensions, a popular aspect of Firefox where small programs can be downloaded and used in the browser to add new functions.
But extensions sometimes tax system resources, in part because it's often part-time hobbyists doing the coding, says Schroepfer.
Mozilla will soon set up a shared library of tested code that extension writers can download and use, Schroepfer says. Mozilla also relaunched its extension site, cutting back on the number of extensions listed so first-time users don't overload their browsers and dampen their experience.
In a few weeks, discussion forums will also be set up for developers to exchange feedback, since code writers sometimes don't know of the problems, he says.
Firefox 4.0 will support the JavaScript 2 language, now under development in part by Mozilla's Chief Technology Officer Brendan Eich and the ECMA International standards body, Schroepfer said. The idea behind the JavaScript revamp is to make high-performance web applications easier to write and assemble for people with less coding expertise, he says.
"It's less about making it possible and more about making it easy," says Schroepfer.
Firefox, IE7 open to URL spoof
Although Mozilla patched one more Firefox bug last week than first reported, the researcher whose work has plagued the open-source browser for weeks has released details about another flaw.
Firefox does not properly handle JavaScript "onUnload" events and can be tricked into taking the user to an unintended destination, said security researcher Michal Zalewski. "This flaw allows the attacker to track your footsteps and either redirect you to the URL you wanted to visit, which wouldn't be noticed at all, or to a similarly named phishing Web site when you choose to visit a target of some significance," Zalewski said.
The bug affects the just-released Firefox 2.0.0.2 and 1.5.0.10 updates, as well as Microsoft's Internet Explorer 7. JavaScript can be disabled in the browsers to block such redirects.
"The big difference in the two browsers is that Firefox 2.0.0.2 displays the correct address for the redirected site in the address bar," Symantec said in a warning Tuesday. "IE7, however, continues to display the URL that the user typed into the address bar, leading to a false sense of security."
Mozilla fixed 15 flaws Friday in Firefox 2.0.0.2 and 1.5.0.10, as opposed to the 14 Computerworld first reported. An overlooked security update in the revised browsers patches another Zalewski vulnerability, Mozilla said Tuesday.
"Firefox 2.0.0.2 update includes fixes for the bugs that researcher Michal Zalewski reported last week, including the hostname vulnerability, cookie issue, and memory corruption issue," Window Snyder, Mozilla's chief security executive, said in an e-mail.
"It was just a mistake," a Mozilla spokesman said regarding why Friday's list of patched bugs had originally omitted the 15th fixed flaw. The list has since been changed to reflect all the included patches.