Keep Firefox On Guard Against Attack-Site Threats

Firefox 3 employs some great new security features. Here are a few quick tips on to make them work as effectively as possible.
Firefox 3 employs some great new security features. Here are a few quick tips on to make them work as effectively as possible.By default, Firefox 3 includes built-in tools that detect and block Web sites that pose a known threat to users. Mozilla uses Google's Safe Browsing Service, which offers an open API for developers who want to use Google's database -- free of charge -- in their Web-client applications. When Firefox is running and online, it downloads updates to Google's Safe Browsing database of suspected attack sites every 30 minutes or so and saves them to a file in the user's desktop Firefox profile folder.

(Although the API is still considered experimental, don't be fooled; Google has a funny habit of insisting that even its most mature and stable software (including Gmail) is still in "experimental" or "beta" status.)

Mozilla's use of Google's Safe Browsing API is significant for a couple of reasons. First, it relies upon an completely open and transparent protocol for checking and flagging suspected attack sites, including a formal process for reporting and removing sites that should not be in the Safe Browsing database. Perhaps more important, however, it allows Firefox 3 users to benefit from the immense computing and technical resources Google can bring to bear on this problem, including the ability to generate constant, around-the-clock updates to its attack-site list.

Why is this so important? Because Google doesn't just track sites that are obviously up to no good. It also keeps track of legitimate Web sites that may have been hacked or compromised in order to serve up malware to unsuspecting visitors. These sites are far more dangerous to users, since they can deliver their payloads quickly, silently, and with potentially devastating consequences for the unsuspecting victims.

A quick note: Opera 9.5 offers a similar service through a partnership with Haute Secure, a major Web-based security software provider. While Internet Explorer 7 does not currently offer similar protection against possible attack sites, it does provide some built-in anti-phishing protection, and Microsoft says IE8 will offer a feature similar to the ones found in Firefox 3 and Opera 9.5.

Here are some tips for getting the most out of the attack-site protection in Firefox 3:

  • While Firefox 3 enables attack-site protection by default, you should ensure that it is active. Go to "Tools > Options" on the Firefox menu bar, select the "Security" tab, and make sure the "suspected attack site" and "suspected forgery" options are checked.
  • Next, ensure that the attack-site protection feature is working properly. Mozilla offers a safe way to do this by giving users links to both phishing and malware test sites; if your browser displays a page with a red background and a warning about the potential threat, you're ready to go.
  • If you want to access a suspected attack site anyway, click the "ignore this warning" link at the lower right site of the warning box when it appears. While false-positive warnings do happen, however, it is foolish to assume that a site that seems legitimate has not been compromised.
  • Understand that using attack-site protection, at least for now, is an all-or-nothing deal. If you disable either the attack site or phishing site blocking in your Firefox 3 options, you will lose all attack-site protection. While advanced users might be able to edit the SQLite database used to store a local copy of the Google Safe Browsing blacklist, at least for now there is no selective-whitelisting feature built into the Firefox user interface.
  • It should be obvious that no service of this type will be 100 percent effective. Attaching a computer -- any computer -- to a network is an inherently risky activity. Most users, in my opinion, who complain about the inevitable flaws in this type of service simply aren't being realistic.
Another easy way to minimize this risk is to configure Firefox to download and install browser software updates automatically. Also check your installed add-ons and plugins regularly for updates; as Adobe's security woes with its Flash client software prove, these are just as important as updates to Firefox itself.

Finally, as I noted in a blog entry last October, the Firefox NoScript extension does an amazing job of preventing certain types of Web-based attacks, including those launched through otherwise-legitimate sites. Although I can't imagine life on the Web without both AdBlock Plus and FlashBlock, if I had to pick just one Firefox extension to install, it would have to be NoScript. It's just that important in today's Web security environment.