29 October, 2013 § 6 Comments
I haven’t written up one of these blog posts in a while. The previous one was in August 2012 for Firefox 15. Coincidentally, that post mentioned a subtle change to the site identity area of the web browser.
In today’s release of Firefox, there is another subtle change to the site identity area of the browser. Pages that are a part of Firefox itself, whether it be the built-in home page (about:home), our troubleshooting page (about:support), or others now sport a special Firefox branding within the location bar. The goal of this branding is to increase awareness and trust with these pages.
Clicking on the Firefox name or the two-tone Firefox logo next to the name will show a popup notification that explains that this is a secure Firefox page.
23 July, 2013 § 3 Comments
For many years there has been a growing emphasis on making a website’s identity visible. Pages served over HTTP lack a verifiable identity, while pages served over HTTPS begin to have aspects of their identity verifiable.
When a page is viewed over a valid HTTPS connection, the web browser is able to verify the identity of the domain that it is communicating with. Firefox uses this information to place a “site identity” graphic next to the website’s URL. Clicking on this site identity graphic provides more information about the connection.
Clicking on the More Information button shows how often this website is accessed, in an effort towards building trust and pointing out potentially untrustworthy websites.
When a page is viewed over a valid HTTPS connection using an Extended Validation certificate, the web browser places the certificate’s Organizational Name between the site identity graphic and the website’s URL. With Extended Validation, the web browser not only can confirm the identity of the domain that it is communicating with, but it relies on the vendor who issued the certificate to have verified the identity of the owner of the website. Again, clicking on the More Information button in the site identity panel will show prior access information.
Within the past couple of weeks a new site identity view was introduced. Now when visiting privileged Firefox webpages such as about:home, about:config, and about:addons, the site identity area will show a Firefox logo along with the “Firefox” name. Clicking on either of these will show a panel that confirms to the user that this page is a secure Firefox page.
This feature is expected to reach users on our Release channel during the last week of October, 2013. If you’d like to play with it today you can download and install a build of Firefox Nightly.
28 August, 2012 § 10 Comments
Today marks a new release for Firefox, version 15. For this release I spent most of my time working on two larger areas along with some other bugs in various places. The new plugin click-to-play setting continued to gain features and stability, and there was also some follow-up site identity work to take care of.
Work on our plugin click-to-play continues to this day, as it will be the ground work for soft-blocking malicious plugins in the future. If you’d like to help test out the feature, you can go to about:config and enable the plugins.click_to_play preference.
Enabling the feature will disable plugins by default, increasing your security and reducing memory usage while you browse the web. For more information about click-to-play plugins, see my two previous blog posts about the initial rollout as well as site-specific permissions.
Firefox 14 introduced a refresh to our site-identity area of the location bar. Most of the changes to the site-identity got “uplifted” to our Firefox 14 release so as to not introduce back-to-back changes. The most notable change in the site-identity area between Firefox 14 and Firefox 15 is higher contrast security icons in the location bar. The locks are now darker and should be easier to differentiate from the globe.
Two smaller changes that are worthy of note for Firefox 15 are related to Windows integration and our standalone image styling.
Firefox 15 brings with it unique icons for the three jumplist tasks that are associated with Firefox. I blogged previously about them, so you can read more if you are interested.
Since we released our new styling for standalone images, we got a lot of feedback from people who had trouble with the way that we rendered transparent images. Starting with Firefox 15 we have reverted to showing transparent images on a white background.
We took special care to bring the best experience that we could to this situation. Images that are slow to load or need to be re-decoded will not have the white background flash into view. This new white background is only applied after the image has finished decoding, so if you are loading an opaque image you should never see the white background. Try it out with this image.
23 April, 2012 § 61 Comments
Starting with yesterday’s Nightly build of Firefox, we have introduced a change to how we display site-identity in the address bar. These changes are intended to increase the security of our users as well as reduce some visual weight.
Since the dawn of time, we have included the site favicon in the address bar as part of the site-identity block. While the favicon can represent a piece of a site’s identity, there are some sites that set their favicon to a padlock. This behavior can trick users into thinking that a site is using a secure connection when it is on an unsecured connection. Starting with yesterday’s Nightly, we will no longer include the favicon in the address bar.
Websites that use SSL certificates with Extended Validation will now have a green padlock next to the certificate owner’s organization name.
Websites that use SSL certificates without Extended Validation will now have a grey padlock. The effective hostname will no longer appear next to the padlock. This information is redundant with our darkening of the effective hostname in the website address.
Websites that do not use SSL certificates or that have mixed content will fall back to a globe icon.
These changes are planned to reach our Release channel in mid-July.
20 April, 2012 § 18 Comments
Today I landed an implementation of site-specific permissions for Firefox’s opt-in plugins. I previously wrote about Firefox 14’s non-default support for opt-in (also known as click-to-play) plugins last week.
That blog post garnered a lot of attention. Over 25 news sites covered the news, and the blog post was viewed close to 3,000 times.
Many people downloaded the Nightly version of Firefox to test out the feature, and a few people have told me how they are now using the feature full-time. Today’s addition of site-specific permissions makes using the feature much easier.
With site-specific permissions, users can whitelist sites that they visit often and trust. Sites that are whitelisted will activate plugins automatically upon load.
To add site-specific permissions, click on the plugin block in the location bar. The doorhanger that appears contains a dropdown with options to: Activate plugins; Always activate plugins for this site; Never activate plugins for this site; and Not Now.
To manage these permissions, users can click on the site-identity block next to the website address. From there, click on “More Information…”. The Page Info dialog will now appear. Clicking on the Permissions tab of the dialog will show any site-specific permissions that are stored for the current site, as well as the ability to change any of those permissions.
This feature will remain disabled by default in Firefox 14. David Keeler is also helping implement the feature, and has most recently been working on adding the ability to only enable plugins of a specific runtime (Flash, Java, Silverlight, etc). For more information on the status of the feature, see our feature page for Opt-in Activation of Plugins.
11 April, 2012 § 84 Comments
Whether you hate them or love them, content accessed through plugins is still a sizable chunk of the web. So much so, that over 99% of internet users have Flash installed on their browser. However, plugins can also carry with them extra vulnerabilities and system slowdowns.
A couple of days ago I landed an initial implementation of “click-to-play plugins” in desktop Firefox. To see and play with the feature, download a Nightly build of Firefox, go to about:config, and enable the plugins.click_to_play preference. Once plugins.click_to_play is enabled, plugins will require an extra click to activate and start “playing” content. This is an incremental step towards securing our users, reducing memory usage, and opening up the web.
I’m currently working on implementing the ability for plugin activation settings to be remembered on a per-site basis. I hope to get these changes landed within the next week before the deadline for Firefox 14.
If you are curious and want to learn more about our plans for opt-in activation of plugins, you can take a look at the feature page on our wiki.
21 June, 2011 § 2 Comments
Recently, my girlfriend’s Gmail account showed that it had been accessed from Poland, France, and the United States, all within a couple of hours of each other. This breach of security was horrifying, and pointed out how easy it can be for someone to access another person’s account.
We’re not sure how her password leaked. Maybe it was through a phishing site or some malware/key logger on her machine. But that was neither here nor there. The plain fact is that her account was granting access to unknown parties without her permission.
Not too long ago, Google announced 2-step verification for Gmail. With 2-step verification, the user logs in with their password, and then enters a code that was obtained using their mobile phone. A friend of mine also uses a similar procedure for his World of Warcraft account.
I’ve signed up for 2-step authentication as well, and don’t mind the subtle inconvenience. If you are a Gmail user, you should try it out today.
Features like these make account security much stronger, and it is time that more secure websites start offering it (especially online banking).