(Although the API is still considered experimental, don't be fooled; Google has a funny habit of insisting that even its most mature and stable software (including Gmail) is still in "experimental" or "beta" status.)
Mozilla's use of Google's Safe Browsing API is significant for a couple of reasons. First, it relies upon an completely open and transparent protocol for checking and flagging suspected attack sites, including a formal process for reporting and removing sites that should not be in the Safe Browsing database. Perhaps more important, however, it allows Firefox 3 users to benefit from the immense computing and technical resources Google can bring to bear on this problem, including the ability to generate constant, around-the-clock updates to its attack-site list.
Why is this so important? Because Google doesn't just track sites that are obviously up to no good. It also keeps track of legitimate Web sites that may have been hacked or compromised in order to serve up malware to unsuspecting visitors. These sites are far more dangerous to users, since they can deliver their payloads quickly, silently, and with potentially devastating consequences for the unsuspecting victims.
A quick note: Opera 9.5 offers a similar service through a partnership with Haute Secure, a major Web-based security software provider. While Internet Explorer 7 does not currently offer similar protection against possible attack sites, it does provide some built-in anti-phishing protection, and Microsoft says IE8 will offer a feature similar to the ones found in Firefox 3 and Opera 9.5.
Here are some tips for getting the most out of the attack-site protection in Firefox 3:
- While Firefox 3 enables attack-site protection by default, you should ensure that it is active. Go to "Tools > Options" on the Firefox menu bar, select the "Security" tab, and make sure the "suspected attack site" and "suspected forgery" options are checked.
- Next, ensure that the attack-site protection feature is working properly. Mozilla offers a safe way to do this by giving users links to both phishing and malware test sites; if your browser displays a page with a red background and a warning about the potential threat, you're ready to go.
- If you want to access a suspected attack site anyway, click the "ignore this warning" link at the lower right site of the warning box when it appears. While false-positive warnings do happen, however, it is foolish to assume that a site that seems legitimate has not been compromised.
- Understand that using attack-site protection, at least for now, is an all-or-nothing deal. If you disable either the attack site or phishing site blocking in your Firefox 3 options, you will lose all attack-site protection. While advanced users might be able to edit the SQLite database used to store a local copy of the Google Safe Browsing blacklist, at least for now there is no selective-whitelisting feature built into the Firefox user interface.
- It should be obvious that no service of this type will be 100 percent effective. Attaching a computer -- any computer -- to a network is an inherently risky activity. Most users, in my opinion, who complain about the inevitable flaws in this type of service simply aren't being realistic.
Finally, as I noted in a blog entry last October, the Firefox NoScript extension does an amazing job of preventing certain types of Web-based attacks, including those launched through otherwise-legitimate sites. Although I can't imagine life on the Web without both AdBlock Plus and FlashBlock, if I had to pick just one Firefox extension to install, it would have to be NoScript. It's just that important in today's Web security environment.