CFA/Security-Notes


Purpose

Examine a bunch of browsers, existing Firefox Add-ons, and web services to generate a report that describes:

  • Which capabilities each has
  • A summary of where each is different/unique
  • Some conclusions about which aspects seem most innovative and interesting that we might want to consider for Firefox

Research

General capabilities

The following will be done in a table with notes and observations following as footnotes.

  • include malware detection and anti-phishing as security categories
  • identify capabilities before diving in
  • exclude "private browsing"/privacy
  • OpenID
  • users click through warning dialogs, ignore security indicators, and focus on completing tasks. Security indicators are out of the way and hard to interpret, and the terminology is confusing
  • security UI must balance obviousness with unintrusiveness, convey clarity in reasonable size, and reflect complexity with simplicity - talk to Jonathan Nightingale


  • bookmarklets
  • blacklisting
  • whitelisting
  • AJAX
  • surf-by-IP protection
  • download actions - don't download
  • security preferences
  • phishing protection
    • make easier to report phishing sites
    • implementing phishing filter that learns automatically - integration w/ phishTank
  • script execution
  • pop ups
  • secure defaults/ no security pop-ups
  • restricted javascript
  • cookies
  • extension installation
  • virus/malware protection
  • highlight URL domain name in address bar


  • Phishing Protection - warn users of suspected forgery (phishing) sites, and offer to take user to search page to find the real Web site they were looking for.
  • Automated Update - always checks to see if you’re running the latest version, and notifies you when a security update is available.
  • Protection from Spyware - notification whenever downloading or installing software
  • Clear Private Data - ability to clear all your private Web browsing data
  • Downloads - if a web page uses a script to try to pop up a download box and force you to deal with it, IE intercepts the script and displays a prompt in the Info bar instead. (IE screenshot)
  • Digital Signature Information - provides more information about the publisher of a program as well as whether the program is digitally signed (IE screenshot)
  • Options
    • warn me when sites try to install add-ons
      • exceptions
    • tell me if the site I'm visiting is a suspected forgery (phishing)
      • check using a downloaded list of suspected sites
      • check by asking Google about each site I visit
    • remember passwords for sites
      • exceptions
    • use a master password
    • security warnings
      • I am about to view an encrypted page
      • I am about to view a page that uses low-grade encryption
      • I leave an encrypted page for one that isn't encrypted
      • I submit information that's not encrypted
      • I'm about to view an encrypted page that contains some unencrypted information
    • encryption
      • Use SSL 3.0 Protocol
      • Use TLS 1.0 Protocol
      • Certificates

Malware detection

Anti-phishing

Other

Browsers to investigate

  • Firefox 2
  • Camino
  • Flock
  • iCab
  • IE 7
  • Maxthon
  • Netscape
  • OmniWeb
  • Opera
  • Safari
  • SeaMonkey
  • Shiira

Add-ons to investigate

Firefox

  • Adblock
  • NoScript
  • CookieCuller
  • CookiePie

Safari

Web services/apps to investigate

Desktop apps to investigate

Results

Summary of unique and/or innovative features

Conclusions

References