The open source Mozilla Firefox web browser is on the front lines of modern IT security. The web browser, after all, is the conduit through which many people access the Internet, and it is often the target of attacks.

Mozilla has made significant strides in recent years to secure the browser, and has a roadmap to make it even safer in the future.

"A lot of the security work from us is not a silver bullet solution," Johnathan Nightingale, VP of Firefox Engineering at Mozilla, told eSecurity Planet. "It's really about careful consideration of where people are experiencing security problems online, where are the perils and what can we do to anticipate and disarm those risks."

Plug-In Security

For Nightingale, the biggest source of vulnerabilities that he sees on the web is plug-ins such as Java and Flash. While Mozilla is not directly responsible for plug-in code, it can help secure users from malicious plug-in activities in a number of ways.


As far back as the Firefox 3.6 release in 2010, Mozilla began an effort to take plug-ins out-of-process. With out-of-process plug-ins, the idea is to limit the stability risk to the browser from an unstable plug-in. If a plug-in crashes, it no longer takes down the entire browser.

There is still more work to be done for plug-in stability and security, which is where Mozilla's 'click-to-play' plug-in approach is now having an impact. With click-to-play, a plug-in doesn't automatically start by default.

"For many plug-ins we'll default to the assumption that if a user wants to interact with plug-in content, they can explicitly activate it," Nightingale said. "There will no longer be any latent content sitting in the background of a page that will be able to attack a user if it is malicious, without the user ever coming into contact with it."

Mixed Content Blocking

A common security risk that exists on the web today is when regular HTTP content is mixed together with HTTPS secure content on an encrypted page. The risk is that the HTTP content can potentially undermine the security of the content that is intended to be secure.

"We have got a user interface that we're testing out now to block mixed content by default, but give users some options in case the content looks broken," Nightingale said.

SSL in general has been a key focus for Mozilla.

One of the efforts that Mozilla has underway is for SSL certificate pinning. With certificate pinning, when Firefox users encounter a site that has an SSL certificate other than the one it should have, an alert is displayed. Mozilla has also done work with HSTS (HTTP Strict Transport Security), which gives sites the ability to explicitly always require a connection over SSL.

"We'll keep building those technologies to improve state of the web for everyone," Nightingale said.

Use-after-Free

One of the most common software vulnerabilities found across all modern browsers is use-after-free code vulnerabilities. With a use-after-free vulnerability, an attacker can potentially leverage allocated memory to launch an attack.

"It's realistic to say that as long as people are writing C and C++ code, there will memory safety issues," Nightingale said. "Mozilla has some pretty robust defenses to catch a lot of it early, but memory management is one of those hard things in computer science."

That said, Mozilla does have an ongoing project to move code from C/C++ to a managed code system like JavaScript.

"JavaScript doesn't have use-after-free errors or other memory management errors because it's a memory managed language," Nightingale explained. "So that gives you robustness against a whole category of security issues."

Sean Michael Kerner is a senior editor at eSecurity Planet and InternetNews.com. Follow him on Twitter @TechJournalist.