WASHINGTON — As it moves ahead with beta testing its Firefox 4 Web browser, Mozilla is taking a hard look at security and privacy.
Here at the USENIX security conference, Sid Stamm, a member of Mozilla’s security team, described the increased security burden that browsers are experiencing as they handle ever-more complex Web applications.
“Web apps are becoming incredibly rich,” Stamm said. “The browser is starting to manage full-bore applications … They’re essentially becoming OSes.”
Stamm is helping lead an effort within Mozilla to rethink the security and privacy controls in the Firefox browser, an initiative that extends to the design of the user interface, which Stamm admits is not as intuitive as he would like.
As a result, Stamm and his team have begun preliminary testing on new user interface features that would aim to present non-technical users with a clearer picture of what information is being collected by the websites they visit and how those sites intend to use that data for activities like targeting ads.
“We’re exploring doing some privacy icon work where the site tells the browser what it plans to do,” Stamm said. “This is very experimental.”
Mozilla is also exploring a reputation system that would evaluate different websites based on their privacy and security features. Additionally, Stamm said Mozilla is mulling novel ways to treat cookies, particularly those placed by third-parties, to give users more understanding and control of the tracking mechanisms in use around the Web.
Many of the features that Stamm outlined won’t make it into Firefox 4, which is already well into beta testing with the final version due out later this year. But they come in response to the growing security strain that rich Web apps are placing on the browser, as well as the mounting concerns about sophisticated behavioral tracking technologies that threaten online privacy on the Web.
“It’s clear that Web apps are doing more and more with your computer,” he said. “Maybe we should start thinking about how to provide users with a little more anonymity.”
One of Mozilla’s areas of interest involves expanding the connections between the browser and the websites it navigates. Mozilla is testing a feature it’s calling the account manager, which would have the user sign into the browser, which would then negotiate actions like creating accounts with a website. The browser would automatically generate and store the password, so users could easily sign in without having to remember their credentials.
With the login credentials already stored on the legitimate site, the browser could alert users when they navigate to a spoofed website.
“I think this is a good win for authentication,” Stamm said, though he admitted that his team is still working to resolve the problem of password retrieval, or how a user could retrieve his credentials when using a browser on a different machine.
“One of the things that we’re batting around now is logging into your browser,” he said. The idea of the account manager would be to mitigate the responsibility of the user by automatically assigning and remembering secure passwords, and presenting the feature in an intuitive user interface. Stamm suggested placing a “sign in” button to the left of the website icon, also known as a favicon, next to the address bar in the browser.
The user interface remains a major challenge at Mozilla as it mulls new security and privacy features, Stamm said. Even if the browser manages to incorporate technical features that help close vulnerabilities and shield users’ personal information, Mozilla is still wrestling with the best way to communicate those fixes to its legions of non-technical users.
Additionally, the Firefox team continues to grapple with what Stamm described as “social-technical security” issues, those scams that rely on persuading a user to share personal information or take an action that navigates to a malicious site.
“We can’t just write a patch to the browser to fix phishing,” he said. “When psychology enters into it, I think it’s a bigger problem entirely and we can’t just engineer our way out of it.”
Keep up-to-date with security news; follow eSecurityPlanet on Twitter: @eSecurityP.