3 posts categorized "Firefox"

February 09, 2010

Firefox extension installation process vulnerable to MITM attack

Adrian Dimcev made an important discovery the other day: the Firefox installation process is vulnerable to MITM attack. If a man in the middle is able to intercept the traffic of someone installing an extension, he will be able to get the user to install something else. Firefox is supposed to check the integrity of the extensions before it installs them, but it seems something somewhere broke, and the check is no longer in place.

This problem will be fixed in the next release (it has been fixed in the repository, it seems), but the fact remains that the installation process is seriously misleading. Looking at the user interface alone, the impression is that the entire installation process is carried out ever SSL. Even worse, the main domain name where the extensions are "stored" uses an EV certificate, so you are made to feel super-safe. In truth, the extensions are downloaded over HTTP from who-knows-where.

Posted by Ivan Ristić at 4:41 PM in Firefox, SSL | Permalink | Comments (0) | TrackBack (0)

July 01, 2009

Improved handling of SSL warnings in Firefox 3.5

Slightly over a year ago I discussed the SSL certificate error handling in Firefox. Where Firefox 2.x allows users to simply click through a warning about an invalid SSL connection, Firefox 3.0.x improves the handling and makes it difficult to access the invalid web site.

My blog post turned out to be quite popular, sparking a lively discussion, which spilled onto the Mozilla's Bugzilla when I filed two bug reports for Firefox:

  1. Exceptions for invalid SSL certificates are too easy to add
  2. Handling of invalid SSL certificates lacks in usability

The first bug report was rejected after a short discussion (still, I was happy to have been heard), but the second lingered on and, one year later, resulted in the change in how Firefox handles invalid SSL certificates. In Firefox 3.5, when you encounter an invalid SSL web site, you get a screen similar to this one:

Notice the improved language. The message now ways "[...] we can't confirm that your connection is secure", instead of "[a site] uses an invalid security certificate" (followed by technical mumbo-jumbo). Clicking the two headings at the bottom uncovers the hidden areas, which contain more information and the button to create an exception:

Posted by Ivan Ristić at 5:56 PM in Firefox, SSL | Permalink | Comments (0) | TrackBack (0)

July 15, 2008

Firefox versus SSL is really about security versus usability

My blog post Firefox 3 improves handling of invalid SSL certificates is proving to be very popular. It touched a nerve, and the comments of unhappy Firefox users keep piling on. Although I suspect a large part of the problem stems from bugs (if you read the comments you will find the reports of clearly unintended behaviour), there is a bigger problem between Firefox and its user base: it is one of security versus usability.

Who knows better: developers, or users?

It's not a problem specific to Firefox, nor a problem that only exists in the security sphere. In fact, once you become aware of the existence of the problem and start looking around, you will find it in virtually every aspect of technology. GNOME, for example, is famous for dumbing down the user interface and forcing its users to behave in a certain way.

It's not surprising that, with two opposing sides, there are two schools of thought. Implementing either approach is easy—and that's what many applications do—but that only results in unhappy users. Finding a way to make products usable, yet secure (or feature-full, outside security) is the real challenge. How do we educate the innocent yet enable the proficient?

Speaking of implementation, the answer may be in making applications capable of adapting to user needs. A system-wide setting could tell applications whether a user prefers to have decisions made for him. Alternatively, an application-specific flag could be set during installation. Having just two settings is probably not feasible, but there should be an easy way for advanced users to ask applications to show them everything.

But it may be that, in order to really solve the problem, we need to make a further step back and examine the way we develop applications. I think the majority of applications are still built by technical people, pushed by business people with features (not security or usability) in mind. Happy users are productive users, but very few companies seem to recognise this fact.

Posted by Ivan Ristić at 11:12 AM in Firefox, SSL | Permalink | Comments (2) | TrackBack (0)

MY WORK

IronBee is the next generation web application firewall engine, and it's open source too.
ModSecurity Handbok cover
ModSecurity Handbook is the definitive guide to the world's most popular web application firewall.
Apache Security cover
Apache Security is the complete guide to securing your Apache web server.
SSL Labs offers a comprehensive SSL security assessment consisting of 250+ checks. To start, enter your domain name below:

ABOUT ME

Ivan Ristić is an open source advocate, entrepreneur, writer, programmer and web security specialist. He is the principal author of ModSecurity, the open source web application firewall, and the author of Apache Security, a concise yet comprehensive web security guide for the Apache web server.   [LinkedIn Profile]

My Photo

TWITTER

@ivanristic

    Categories

    Archives

    FEEDS