« Comparative Feature Analyses
« Security Research

Purpose

Examine a bunch of browsers, existing Firefox Add-ons, and web services to generate a report that describes:

• Which capabilities each has
• A summary of where each is different/unique
• Some conclusions about which aspects seem most innovative and interesting that we might want to consider for Firefox

Research

General capabilities

The following will be done in a table with notes and observations following as footnotes.

• - include malware detection and anti-phishing as security categories
• - identify capabilities before diving in
• - exclude "private browsing"/privacy

• -openID
• - users click through warnings dialogs, ignore security indicators, and focus on completing tasks. security indicators are out of the way and hard to interpret, terminology is confusing
• - security UI must balance obviousness with unintrusiveness, convey clarity in reasonable size, and reflect complexity with simplicity - talk to Jonathan Nightingale

• page info (click on lock)
• bookmarklets
• blacklisting
• whitelisting
• AJAX
• surf by ip protection
• download actions - don't downloda
• security preferences
• phishing protection
  • make easier to report phishing sites
  • implementing phishing filter that learns automatically - integration w/ phishTank
• script execution
• pop ups
• secure defaults/ no security pop-ups
• restricted javascript
• cookies
• extension installation
• virus/malware protection
• highlight URL domain name in address bar

• Phishing Protection - warn users of suspected forgery (phishing) sites, and offer to take user to search page to find the real Web site they were looking for.

• Automated Update - always checks to see if you’re running the latest version, and notifies you when a security update is available.

• Protection from Spyware - notification whenever downloading or installing software

• Clear Private Data - ability to clear all your private Web browsing data
  • setup Maxthon Browser to clear all your browsing information automatically when it closes.

• Downloads - if web page uses script to try to pop up a download box and force you to deal with it, IE intercepts the script and displays a prompt in the Info bar instead. (IE screenshot)

• Digital Signature Information - provides more information about the publisher of a program as well as whether the program is digitally signed (IE screenshot)

• Options
  • warn me when sites try to install add-ons
    • exceptions
  • tell me if the site i'm visiting is a suspected forgery (phishing)
    • check using a downloaded list of suspected sites
    • check by asking Google about each site I visit
  • remember passwords for sites
    • exceptions
  • use a master password
  • security warnings
    • i am about to view an encrypted page
    • i am about to view a page that uses low-grade encryption
    • i leave an encrypted page for one that isn't encrypted
    • i submit information that's not encrypted
    • warn when sending Form data by email (iCab)
    • i'm about to view an encrypted page that contains some unencrypted information
    • moving from a secure to an insecure page (camino)
  • encryption
    • Use SSL 3.0 Protocol
    • Use SSL 2.0 Protocol (Flock)
    • Use TLS 1.0 Protocol
    • Use TLS 1.1 Protocol (Opera)
    • Certificates
    • Manager Security Devices (SeaMonkey)
  • enable plug-ins (safari)
    • block flash animations (camino)

• • enable java (safari)
    • click to run applets (Omniweb)
  • enable javascript (safari)
    • allow scripts to reorder windows (omniweb)
    • allow scripts to resize windows (omniweb)
  • block pop-up windows (safari)
  • block web advertising (camino)
  • prevent sites from changing, moving or resizing windows (camino)
  • accepting cookies (safari)
    • only from the current site (omniweb)
    • discard when quitting omniweb (omniweb)
    • cookie manager (SeaMonkey)

• SeaMonkey Categories
  • Cookies
  • Images
  • Popup Windows
  • Forms
  • Passwords
  • SSL
  • Certificates
  • Validation
    • Manage Certificate Revocation Lists
    • use Online Certificate Status Protocol for certificate validation

• Extensions
  • NoScript - It allows JavaScript, Java and other executable content to run only from trusted domains of your choice, e.g. your home-banking web site, and guards the "trust boundaries" against cross-site scripting attacks (XSS)

• ActiveX opt-in - Disable nearly all pre-installed ActiveX controls to prevent potentially vulnerable controls from being exposed to attack. You can easily enable or disable ActiveX controls as needed through the Information Bar and the Add-on Manager. (IE)

• Security Status bar - Color-coded notifications appear next to the address bar to make you aware of website security and privacy settings. The Address Bar changes to green for websites bearing new High Assurance certificates, indicating the site owner has completed extensive identity verification checks. Phishing Filter notifications, certificate names, and the gold padlock icon also appear next to the address bar for better visibility. You can easily display certificate and privacy detail information with a single click on the Security Status bar. (IE)

• Cross-domain barriers - Internet Explorer 7 helps to prevent the script on webpages from interacting with content from other domains or windows. This enhanced safeguard gives you additional protection against malware by helping to prevent malicious websites from manipulating flaws in other websites or causing you to download undesired content or software. (IE)

• Address bar protection - Every window, whether it's a pop-up or standard window, will show you an address bar, helping to block malicious sites from emulating trusted sites. (IE)

• International domain name anti-spoofing - In addition to adding support for International Domain Names in URLs, Internet Explorer also notifies you when visually similar characters in the URL are not expressed in the same language—protecting you against sites that could otherwise appear as known, trustworthy sites. (IE)

• URL handling security - Redesigned URL parsing ensures consistent processing and minimizes possible exploits. The new URL handler helps centralize critical data parsing and increases data consistency throughout the application. (IE)

• Fix My Settings - To help protect you from browsing with unsafe settings, Internet Explorer 7 warns you with an Information Bar when current security settings may put you at risk. Within the Internet Control Panel, you will see certain critical items highlighted in red when they are unsafely configured. The Information Bar will continue to remind you as long as the settings remain unsafe. You can instantly reset Internet security settings to the "Medium-High" default level by clicking the "Fix My Settings" option in the Information Bar. (IE)

• Protected mode Internet Explorer 7 in Windows Vista runs in isolation from other applications in the operating system. It restricts exploits and malicious software from writing to any location beyond Temporary Internet Files without explicit user consent. (IE)

Malware detection

Anti-phishing

Other

Browsers to investigate

• Firefox 2
• Camino
• Flock
• iCab
• IE 7
• Maxthon
• Netscape
• OmniWeb
• Opera
• Safari
• SeaMonkey
• Shiira

Add-ons to investigate

Firefox

• Adblock
• NoScript
• CookieCuller
• CookiePie

Safari

Web services/apps to investigate

Desktop apps to investigate

Results

Summary of unique and/or innovative features

Conclusions

References