Update 08062007: Window Snyder and Mike Shaver in RSnake's post clarified the comment. As expected, this was Mike's personal commitment to the remediation process and not Mozilla's official security policy. Still that's plenty cool with me. Having seriously dedicated people on our side can be just as good as any lip service policy statement.
Web browsers are under serious attack and the security of the Web hangs in the balance. Over 1 billion people use the Web and no one but the most security conscious power users have any chance at protecting themselves - and sometimes not even them. We REALLY need browsers to be significantly improved because the security of the entire Web depends on it. Consider how many security/privacy extensions you have installed and the behavioral traits you’ve learned along the way. What percentage of the people on the Web do you think possess this level of knowledge?
During Black Hat RSnake and I got to talking a lot with several members of the Mozilla security team. They are all really good guys and gal (Window Snyder) working to establish solid working relationships with the security community. This is a good thing, a very good thing, and something I’ve been asking them to do for a while. They’ve listened. Mozilla invited us to their cookies & milk after party, gave us some free T-shirts, and even bought us an expensive sushi dinner at Caesars. Can’t beat that! By their actions Mozilla clearly wants to get engaged with the industry, voice their commitment to improving the current situation, and hear the ideas of others. But here’s where it gets really interesting.
Apparently during one of the Black Hat after parties, RSnake and Mike Shaver, Mozilla’s Director of Ecosystem Development, discussed the speed of the browser’s critical patch release cycle. Mr. Shaver claimed Mozilla could roll critical patches out in ten days. RSnake quickly challenged the remark, to which Mike whipped out his business card and hand wrote “Ten #$%*ing Days” to demonstrate his seriousness. Now, I didn’t witness this take place first hand so I can’t say for sure how many drinks RSnake handed Mr. Shaver over the course of the conversation. This was after all late at night in Las Vegas during Black Hat so anything is possible, but I’ll take RSnake at his word that he was coherent, though I’d expect Mozilla to provide clarification.
Whether or not you think Mozilla can make good on the claim, what I like is that there are people over there passionate and ballsy enough to stick their necks out because ours already are. Also, it’s important to understand the difference between traditional vulnerabilities like buffer overflows, which Mr. Shaver was probably talking about, and long standing attack techniques such as intranet port scanning and history stealing. These types of attacks, and the dozens of others like them, take longer to fix because they are more fundamental to the overall browser security model: there is no single bug to patch, the fix is a change to what the browser allows a page to do. Unfortunately, according to my sources, restricting intranet connections from public IPs will probably not come until Firefox version 3, with content restrictions even further out. Ugh.
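To make the "restrict intranet connections from public IPs" idea concrete, here is an added example of the kind of policy check a browser would have to apply before opening a connection. This is illustrative code written for this post, not Mozilla's code or any shipped Firefox logic; the address blocks, the `FAKE_DNS` table and the `may_connect` policy are all assumptions made for the example. The one point worth taking from it is that the decision has to be made on the resolved address at connection time, not on the host name, or a name that later re-resolves to a private address slips past the check.

```python
import ipaddress
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Address blocks treated as "intranet" for this policy. Hypothetical list
# assembled for the example: RFC 1918 ranges, loopback, link-local, and
# their IPv6 counterparts.
INTRANET_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed stand-in for DNS resolution so the example runs offline.
FAKE_DNS = {
    "www.example.com": "203.0.113.10",   # TEST-NET-3: stands in for a public address
    "wiki.corp.example": "10.1.2.3",     # an internal host
    "localhost": "127.0.0.1",
}


def resolve(host: str) -> Optional[str]:
    """Return the address a host maps to; IP literals map to themselves."""
    try:
        return str(ipaddress.ip_address(host.strip("[]")))
    except ValueError:
        return FAKE_DNS.get(host)


def is_intranet(addr: str) -> bool:
    """True if a *resolved* address lies in a private, loopback or link-local block."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTRANET_NETWORKS)


def may_connect(origin_url: str, target_url: str) -> Tuple[bool, str]:
    """Decide whether a page loaded from origin_url may open a connection to target_url.

    Policy (assumed for the example): content served from a public address may
    not reach intranet addresses; intranet-served content is unrestricted.
    Both sides are classified on their resolved addresses, never on the host
    names, so the check must be repeated for every new connection rather than
    cached per name.
    """
    origin_host = urlsplit(origin_url).hostname
    target_host = urlsplit(target_url).hostname
    if not origin_host or not target_host:
        return False, "malformed URL"
    origin_addr, target_addr = resolve(origin_host), resolve(target_host)
    if target_addr is None:
        return False, f"cannot resolve {target_host}"
    if origin_addr is None:
        return False, f"cannot resolve {origin_host}"
    if is_intranet(target_addr) and not is_intranet(origin_addr):
        return False, f"public origin {origin_addr} may not reach intranet address {target_addr}"
    return True, "allowed"


if __name__ == "__main__":
    for origin, target in (
        ("http://www.example.com/", "http://192.168.1.1/"),
        ("http://wiki.corp.example/", "http://192.168.1.1/"),
        ("http://www.example.com/", "http://localhost:8080/"),
        ("http://www.example.com/", "http://203.0.113.99/"),
    ):
        allowed, reason = may_connect(origin, target)
        print(f"{origin} -> {target}: {'ALLOW' if allowed else 'BLOCK'} ({reason})")
```

The same classification would also have to cover hosts reached through a proxy or an alternate port, and a real implementation sits below the network layer rather than in page script, which is part of why the post's sources put this change at Firefox 3 rather than in a ten-day patch.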
Still, the good news is that contacts and relationships are being made. Mozilla is listening and reading the research posted across the web security industry in blogs, mailing lists, and message boards. Progress will take time, but we’re moving forward. Perhaps those with the necessary desire, software development skills, and time can help Mozilla create what they need and kick start the effort sooner, especially on the content restrictions front.