Security UI in Firefox 3plus1

We’ve made a lot of changes (and more importantly, a lot of positive progress) in security UI for Firefox 3.

We have built-in malware protection now, and better phishing protection.  We have a password manager that lets you see whether your login actually succeeded before it offers to save the password, instead of interrupting the page load with a dialog.  We have gotten rid of several security dialogs that taught users to click OK automatically, without reading.  We have OCSP on by default.  We have a consistent place in the UI where users can get information about the site they are visiting, including detailed secondary information about their history with the site.  All of these are first steps on a long road towards equipping users with more sophisticated tools for browsing online, by taking advantage of habits they already have and things we already know.  All the people who worked on this stuff know who they are, and I want to thank them, because it sure as hell wasn’t all me.

With Firefox 3 in full down-hunker for final release (and with conference silly season upon us) though, I’ve started to get serious about thinking through what comes next.

Here’s my initial list of the 3 things I care most about; what have I missed?

1. Key Continuity Management

Key continuity management (KCM, the trust-on-first-use model that SSH users already know) is the name for an approach to SSL certificates that asks “is this the same site, presenting the same key, that I saw last time?” instead of “is this site presenting a cert from a trusted third party?”  Those approaches don’t have to be mutually exclusive, and shouldn’t be in our case, but supporting some version of this would let us deal more intelligently with crypto environments that don’t use CA-issued certificates.

The exception mechanism in Firefox 3 is a very weak version of KCM, in that security exceptions, once manually added, do have “KCM-ish” properties (future visits are undisturbed, and a change of certificate is detected).  But unless the whole process happens automatically, without the user having to add an exception by hand, we miss the biggest advantage of this approach.

Why I care: KCM lets us eliminate the most benign and most frequently occurring SSL error in Firefox 3, the self-signed certificate.  Self-signed certs aren’t intrinsically dangerous, even though they carry no verified identification information whatsoever.  The problem is that, case by case, we have no way to know whether a given self-signed cert represents an attack in progress.  The probability of that is low, but the cost if it is one is high, so we get in the way.  That’s not optimal, though.  Once we have seen a site’s key before, a repeat visit with the same key carries negligible risk; there we should get out of the way, and save our warnings for the times when they can be most effective, which is when the key we see is not the one we saw before.

2. Secure Remote Passwords

The Secure Remote Password protocol (SRP) is a mechanism (have some math!) for allowing a username/password-style exchange to happen without the password itself going out along the wire: the server stores a verifier derived from the password rather than the password, and each side proves knowledge of its secret to the other.  Rob Sayre already has a patch.  That patch makes the technology available, but putting together a UI for it that resists spoofing (and is attractive enough that sites want to participate) will be interesting.

Why I care: SRP is not the solution to phishing (a spoofed login form still captures whatever the user types into it, which is why the UI matters), but it does make stolen credentials harder to use, since a compromised server database yields verifiers rather than passwords, and that’s already a big deal.  It also has the happy side effect of authenticating the site to you while it’s authenticating you to the site.  I wouldn’t want this useful technology to get stuck in the chicken-egg quagmire of “you implement it first.”

3. Private Browsing Mode

This is the idea of a mode for Firefox which would protect the user’s privacy more aggressively, and erase any trace of having been in that mode after the fact.  Ehsan Akhgari has done a bunch of work here, and in fact has a working patch.  While his version hooks into all the various places we might store personal data, I’ve also wondered about a mode where we just spawn a new profile on the spot (possibly with saved passwords intact) and then delete it once finished.

Why I care: Aside from awkward teenagers (and wandering fiancés), there are a lot of places in the world where the sites you choose to visit can be used as a weapon against you.  Private browsing mode is not some panacea for governmental oppression, but as the user’s agent, I think it is legitimately within our scope (and morally within our responsibility) to put users in control of their information.  We began this thinking with the “Clear Private Data” entry in the tools menu, but I think we can do better.

(And also…)

Outside of these 3, there are a couple things that I know will get some of my attention, but involve more work to understand before I can talk intelligently about how to solve them.

The first is for me to get a better understanding of user certificates. In North America (outside of the military, at least) client certificates are not a regular matter of course for most users, but in other parts of the world, they are becoming downright commonplace.  As I understand it, Belgium and Denmark already issue certs to their citizenry for government interaction, and I think Britain is considering its options as well.  We’ve fixed some bugs in that UI in Firefox 3, but I think it’s still a second-class UI in terms of the attention it has gotten, and making it awesome would probably help a lot of users in the countries that use them.  If you have experience and feedback here, I would welcome it.

The second is banging on the drum about our mixed content detection.  We have some very old bugs in this area, and mixed content has the ability to break all of our assumptions about secure connections: an https page that pulls in a script, frame or stylesheet over plain http hands a network attacker control of the page, however good the certificate on the page itself is.  I think it’s just a matter of getting the right people interested in the problem, so it may be that the best way for me to solve this is with bottles of single malt.  Whatever it takes.  If you can help here, name your price.

Obviously I’ve left out all the tactical fixup work on the UI we already have.  We all know that those things will need to happen, to be re-evaluated and evolved.  I wanted to get these bigger-topic thoughts out early, so that people like you can start thinking about whether they are interesting and relevant to the things you care about, and shouting angrily if they aren’t.

15 comments

  1. First off, my sincere thanks to you and the rest of your team for making FF3 by far the most humane browsing experience I’ve ever had, especially insofar as security usability is concerned.

    Regarding mixed content: does FF3 still display a modal dialog box when this is the case? Is there a reason you can’t display a non-modal security pane informing the user that the content is mixed, or is there a potential security breach in even displaying the mixed content?

  2. Regarding private browsing mode, I kind of wonder if there’s a way to re-introduce the concept of profiles to the UI in a humane way here to kill multiple birds with one stone. (afaik, profiles used to be accessible from the UI a long time ago but now the only way I know of accessing it is via the -ProfileManager command-line option.)

    Aside from allowing for private browsing, it would also allow, for instance, two people who use the same computer but don’t have separate OS-level user accounts to separate their private data. Then again, this could raise so many edge cases that it might complicate the UI more than it’s worth (perhaps this is the reason the profile manager was taken out of the UI in the first place?).

  3. “client certificates are not a regular matter of course for most users, but in other parts of the world, they are becoming downright commonplace.”

    You can add South Korea to that list.

  4. It would be nice if we could completely exclude specific websites from history (and/or all Private Data) like we can for cookies/passwords. This would avoid having to remember to switch to “Private Browsing Mode” before visiting sensitive sites.

  5. “client certificates are not a regular matter of course for most users, but in other parts of the world, they are becoming downright commonplace.”

    Slovenia too: http://www.sigen-ca.si/eng/
    Personal certificates are very commonly used.

  6. One of Big Problems in authentication is profile-sharing. People don’t want/know/care to create separate OS-level profiles and switch between them, so any transparent authentication done by the browser is anywhere from annoying to dangerous to unusable. Client certificates are one of the most striking examples of this.

    On the other hand, the advent of client certs could be a motivating force for people to take advantage of profile separation.

  7. It is great to see developers being brave enough to blog AND allow comments 🙂

  8. lol, I have a separate Firefox profile just for private browsing. such a mode would be perfect.

  9. Christian (from Denmark)

    When installing a certificate from the CA that is currently designated by the Danish state to issue free certificates to citizens, it involves a signed Java applet that does some stuff to your browser.

    On Windows it installs a security device (Crypto API) that displays a password dialog whenever the certificate is used.

    On Linux it just requires you to choose a strong password (> 8 characters etc.) for the built-in “Software Security Device”, meaning that you have to enter this password in every browser session the first time you visit a page with a login field that is stored in the password manager (i.e. even when no certificate is involved). This is rather annoying.

    This is a workaround for this:
    https://bugzilla.mozilla.org/show_bug.cgi?id=322617

    In general, the certificate may be used to access pretty sensitive data and enter legally binding contracts, so it is important that it can be protected more than passwords for random websites. Also, for people using their signature on shared computers, it would be useful if there was an easy way to use certificates stored on USB keys or USB security tokens without having to install the signature in the computer. I don’t know if there is a bug filed for this.

    Since personal certificates are so common around here, we use them where I work as an optional authentication mechanism on websites for customers and employees. They are very easy to deal with in an Apache+PHP setup.

  10. Here’s my beef: when I want to install an extension, let’s say from http://getfirebug.com, I get a warning that I’m not allowed to install extensions from there, and do I want to allow that site?

    If I do allow it, then it gets added to my *permanent* list of exceptions. But I don’t know if there’ll be malware at any given site in the future! There should be a “grant temporary exception to this site” button instead of the current “grant permanent exception”.

  11. I agree with Bill Mill. I don’t think an added “Allow only this time”/”Allow Once” button would complicate the decision for the user.

  12. @Bill & Ethan – You’ll be happy to know that the FF3 “Allow” button does precisely that. Whitelisting a domain permanently now requires going into your security options, the default is a one-time pass.

    I should have mentioned that in my opening paragraph, because it’s a big deal, but that list is *hardly* exhaustive. FF3 is pretty awesome. 🙂

  13. johnath: these all look like good areas to be looking into. Of course, it’s hard to judge without concrete proposals 🙂 But no-one’s asking you for those yet.

  14. Jonath: I had to think a bit, but it came to me: browser hardening should be high on the agenda. As we know, the threat is widening to include attacks directly into the user’s computer, and into the user’s browser.

    Yes, this is a non-specific, non-concrete requirement, leaving implementation open for much discussion. Some people have tried to do it, and got some distance before running out of breath. Maybe this is an area where firefox internal people have a natural advantage over plugin developers?

  15. […] think the approach in Firefox 3 is perfect, I’m not sure any of us do. I have filed bugs, and talked about things I think we could do to continue to enhance our users’ security while at the same time […]