Technology Review - Published By MIT

Firefox Aims to Unplug Scripting Attacks

Continued from page 1

By Robert Lemos

Monday, June 29, 2009


The new security measure is based on suggestions made by Web-security specialist Robert Hansen back in 2005. The researcher had been studying different types of Web attacks and had identified an interesting idea: allowing websites to change the security level of the user's browser.

Hansen turned the idea on its head and, instead, came up with a model that he called Content Restrictions. "The model shouldn't be, if you trust me, disable all the security; the model should be, trust me to tell you not to trust me," says Hansen, who is now CEO of Web security consultancy SecTheory. "If I know a page is bad, then I should be able to tell you that the page is bad."

An engineer at the Mozilla Foundation, Gervase Markham, championed the idea within the Firefox team and further developed the technology, and noted Web security researcher Jeremiah Grossman publicly called for adoption of the technique. Four years later, Mozilla has committed to implementing the technology.

The new Firefox security feature could help block another form of attack, known as clickjacking, which allows an attacker to trick a user into clicking an unsafe button--for example, initiating a bank transfer when she believes that she is sending an e-mail. However, clickjacking is a problem so pervasive that an opt-in model really doesn't work, says Hansen.

Not everyone agrees that Content Restrictions are the way to go. Microsoft has created a cross-site scripting filter in Internet Explorer 8 that blocks probable attacks from reaching the victim's browser. The company has also introduced a new feature, called X-FRAME-OPTIONS, in Internet Explorer 8, which can be enlisted by sites to restrict the use of scripts in iframes--a trick employed by attackers to run code invisibly.

Such efforts, and the difficulty of incorporating CSP into the software giant's Web architecture, .NET, make it likely that Mozilla's CSP won't be adopted by other browser makers, argues Vela, who plans to present his own solution at Black Hat. "I sincerely don't think it's going to be largely adopted," he says, "mostly because it's so complicated."

Mozilla, which declined to comment beyond the blog posting, will likely have the technology ready to incorporate into Firefox in 6 to 12 months, says Hansen. "The next step is to get eBay and MySpace to pick it up and say, 'Hey, this is great,'" the researcher says.

Comments

  • Nice idea, but...
    I like the idea, but I see the major drawback being that now it's another layer in the generally difficult problem of browser-independent code.  Microsoft has their way.  Mozilla has their way.  If you wanted to implement both, it's probably a giant headache.  And of course now there's Opera and Chrome and Safari that won't recognize the Mozilla or Microsoft ways.

    It definitely is going to come down to a cost-benefit analysis.  It's probably only really going to be used on banking sites and the like.

    stradric
    06/30/2009
