September 27, 2006

Mozilla moves on security

There are already a couple of improvements signalled at Mozilla in security terms since the appointment of Window Snyder as single security chair, for those interested (and as Firefox has 10-20% of the browser market, it is somewhat important). Check out this interview.

  1. Understanding of what the word 'security' means:
    What is the key rule that you live by in terms of security?
    Snyder: That nothing is secure. ...

    (Adi Shamir says that absolutely secure systems don't exist. Lynn's version: "can you say security proportional to risk?" I say Pareto-secure ... Of course, to risk practitioners, this is just journeyman stuff.)


  2. Avoidance of battle on the plain of "most secure browser":

    So the answer, in one word: Is Firefox more secure than Internet Explorer?
    Snyder: I don't think there is a one-word answer for that question.

    If ever there was a battle that was unwinnable, that was it. It quite possibly needed someone who had extensive and internal experience of MS to nail that one for Mozo.


  3. Here's the one I was curious about:

    You dealt with security researchers at Microsoft and will deal with them at Mozilla. How do you see the community? There have been several cases where researchers have gone public with Firefox flaws.
    Snyder: The security research community I see as another part of the Mozilla community. There's an opportunity for these people, if they get excited about the Mozilla project, to really contribute. They can contribute to secure design, they can suggest features, they can help us identify vulnerabilities, and they can help us test it. They can help us build tools to find more vulnerabilities. The spectrum is much broader (than with commercial products) in ways the research community can contribute to this project.

    Earlier, Snyder said:

    Snyder: There has been a lot of great work done. I think there is a great opportunity to continue that work and make the entire process available externally.

    Is this a move towards opening Mozilla's closed security process? If so, that would be most welcome.

And in other news, Firefox 2.0 is almost here:

Version 2.0 of the software will still feature a raft of new features including an integrated in-line spell checker, as well as an anti-phishing tool (a must-have accessory that's in Opera 9 and will be included in IE 7),...

Hopefully someone will get a chance to review the anti-phishing tool (!) and compare it to the efforts of the research community over the last few years.

Posted by iang at September 27, 2006 03:36 PM
Comments

related to "security proportional to risk" ... old standby
http://www.garlic.com/~lynn/2001h.html#61

and one of the first places that I encountered the issue:
http://www.garlic.com/~lynn/2006q.html#36

however, a couple recent posts looking at the "threat model"
aspect of "security proportional to risk"
http://www.garlic.com/~lynn/aadsm25.htm#32
http://www.garlic.com/~lynn/2006r.html#28

the original thread was can you trust rfid/contactless chips to not leak information. the "threat model" aspect is what kind of information might be leaked.

in the "yes card" vulnerability ... lots of past posts
http://www.garlic.com/~lynn/subintegrity.html#yescard

the information is used in "something you have" authentication operation ... i.e. cloning/copying information can be sufficient for performing fraudulent transactions.

in the passport scenario ... it is supposedly personal information that is part of "something you are" authentication. the photo still has to be matched against your face.

the leakage of personal information can still represent a privacy vulnerability ... but it depends on the type of information and the associated usage.

we had looked at some of this when we were working on x9.99 financial industry privacy standard ... including reviewing eu-dpd, hipaa, and glba. during this work, i put together a merged privacy taxonomy and glossary
http://www.garlic.com/~lynn/privacy.htm

see notes at:
http://www.garlic.com/~lynn/index.html#glosnote

and the oft repeated past comment ... much of current financial transaction infrastructure is based on static data authentication ... and therefore is quite vulnerable to any sort of leakage;

from the security PAIN acronym

* privacy (or sometimes CAIN and confidentiality)
* authentication
* integrity
* non-repudiation

the existing financial transaction infrastructure tends to rely heavily on authentication that requires privacy/confidentiality (i.e. the information has to be kept hidden and never exposed).

x9.59 financial standard
http://www.garlic.com/~lynn/x959.html#x959
http://www.garlic.com/~lynn/subpubkey.html#x959

moved it from privacy/confidentiality requirement to an integrity requirement. the x9a10 financial standard working group had been given the requirement to preserve the integrity of the financial infrastructure for all retail payments. x9.59 changed the transaction paradigm from requiring the information to be hidden in order to have security to requiring integrity in order to have security (i.e. it isn't necessary to hide an x9.59 transaction in order to preserve the integrity of the financial infrastructure for all retail payments)

Posted by: Lynn Wheeler at September 28, 2006 12:07 PM
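The comment above contrasts static data authentication (the transaction carries a secret, so leaking it is enough to clone it) with the x9.59 paradigm, where the transaction carries an integrity authenticator and nothing in it needs to be hidden. The following is an added example written to illustrate that contrast; it is not code from the blog, from Lynn Wheeler, or from the x9.59 standard. It assumes an HMAC over the transaction fields as a stand-in for x9.59's public-key digital signature (same over-the-wire property, but the verifier also holds the key, which a signature scheme would avoid), uses a per-account sequence number as the replay control, and all account numbers, secrets and keys are constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed sample values for the demonstration (hypothetical, not from the page).
ACCOUNT = "acct-0001"
STATIC_SECRET = "7421"                            # static value sent with every transaction
DEVICE_KEY = b"per-device-key-held-in-the-chip"   # never leaves the device


# --- Paradigm 1: static data authentication ---------------------------------
# The issuer accepts any transaction carrying the right static values, so the
# values themselves are the credential and must stay confidential.

def static_authorize(txn, issuer_secrets):
    """Authorize if the static secret in the transaction matches the issuer's copy."""
    secret = issuer_secrets.get(txn["account"])
    return secret is not None and hmac.compare_digest(secret, txn["secret"])


def clone_from_observed(observed, amount, merchant):
    """What one observed transaction gives an eavesdropper: the static data,
    reusable with arbitrary new transaction details."""
    return {**observed, "amount": amount, "merchant": merchant}


# --- Paradigm 2: integrity-based authentication (x9.59 style) ---------------
# The transaction is authenticated by a keyed MAC over all its fields (an HMAC
# stand-in for x9.59's digital signature). Observing the transaction reveals
# no reusable secret, so it does not need to be hidden.

def _canonical(fields):
    # Deterministic encoding so the device and the issuer MAC identical bytes.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_transaction(fields, device_key):
    """Device side: append an authenticator computed over every field."""
    auth = hmac.new(device_key, _canonical(fields), hashlib.sha256).hexdigest()
    return {**fields, "auth": auth}


class Issuer:
    """Verifier side: checks the authenticator, then rejects replays by sequence number."""

    def __init__(self):
        self.keys = {}       # account -> verification key
        self.last_seq = {}   # account -> highest sequence number accepted

    def register(self, account, key):
        self.keys[account] = key

    def authorize(self, signed):
        fields = {k: v for k, v in signed.items() if k != "auth"}
        key = self.keys.get(fields.get("account"))
        if key is None:
            return False
        expected = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signed.get("auth", "")):
            return False                        # altered or forged transaction
        if fields["seq"] <= self.last_seq.get(fields["account"], 0):
            return False                        # verbatim replay of an old transaction
        self.last_seq[fields["account"]] = fields["seq"]
        return True


def demo():
    """Run both paradigms against the same eavesdropper and report the outcomes."""
    results = {}

    # Static data: the leaked transaction is itself a reusable credential.
    secrets = {ACCOUNT: STATIC_SECRET}
    observed = {"account": ACCOUNT, "secret": STATIC_SECRET, "amount": 20, "merchant": "shop-A"}
    results["static_genuine"] = static_authorize(observed, secrets)
    results["static_cloned"] = static_authorize(clone_from_observed(observed, 900, "shop-B"), secrets)

    # Integrity-based: the leaked transaction cannot be reused or altered.
    issuer = Issuer()
    issuer.register(ACCOUNT, DEVICE_KEY)
    signed = sign_transaction({"account": ACCOUNT, "seq": 1, "amount": 20, "merchant": "shop-A"}, DEVICE_KEY)
    results["signed_genuine"] = issuer.authorize(signed)
    results["signed_replay"] = issuer.authorize(signed)             # identical message again
    tampered = {**signed, "amount": 900, "merchant": "shop-B"}     # authenticator no longer matches
    results["signed_tampered"] = issuer.authorize(tampered)
    nxt = sign_transaction({"account": ACCOUNT, "seq": 2, "amount": 5, "merchant": "shop-C"}, DEVICE_KEY)
    results["signed_next"] = issuer.authorize(nxt)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:16} {'authorized' if ok else 'rejected'}")
```

Running it shows the cloned static-data transaction being authorized just like the genuine one, while the replayed and altered authenticated transactions are rejected and only the device's next genuine transaction goes through: the confidentiality requirement has moved off the wire and into the key that stays in the device.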

re:
http://www.garlic.com/~lynn/aadsm25.htm#33

oh and "security proportional to risk" just raised in real time in comp.arch regarding theft of trade secrets ... and comment that it may lead to eliminating dialup internet use for telecommuting

my reply/comments:
http://www.garlic.com/~lynn/2006r.html#29

we had looked at this issue some 25 years ago with regard to dial-up telecommuting. one of the issues found was that hotel PBXs are a major vulnerability ... almost anybody can get into them and install various kinds of eavesdropping.

the result was the corporation built special encrypting dial-up modems ... that included stuff like session handshaking and session dynamic key exchange ... which was then mandated for all offsite (dial-up) connection into company facilities.

as i've mentioned in the past, the company's internal network was larger than the arpanet/internet from just about the beginning until possibly sometime mid-85.
http://www.garlic.com/~lynn/subnetwork.html#internalnet

and link encrypters were required on all network links that left corporate facilities. sometime in the mid-80s, it was also claimed that the internal network had over half of all link encrypters in the world.

misc. past posts mentioning the hotel pbx vulnerability:
http://www.garlic.com/~lynn/aadsm12.htm#4 NEWS: 3D-Secure and Passport
http://www.garlic.com/~lynn/aadsm14.htm#1 Who's afraid of Mallory Wolf?
http://www.garlic.com/~lynn/aepay11.htm#37 Who's afraid of Mallory Wolf?
http://www.garlic.com/~lynn/2002j.html#52 "Slower is more secure"
http://www.garlic.com/~lynn/2003j.html#17 pbx security from 20 years ago
http://www.garlic.com/~lynn/2004g.html#34 network history
http://www.garlic.com/~lynn/2004q.html#57 high speed network, cross-over from sci.crypt
http://www.garlic.com/~lynn/2005r.html#12 Intel strikes back with a parallel x86 design
http://www.garlic.com/~lynn/2006p.html#35 Metroliner telephone article

Posted by: Lynn Wheeler at September 28, 2006 12:55 PM

http://www.mozilla.org/projects/security/secgrouplist.html Hmm, I am wondering why Window Snyder isn't on the list yet?

Posted by: Mozilla Security Group at September 28, 2006 01:55 PM

Firefox is snappier than Internet Explorer, the fixes have bogged the Microsoft boat.

Posted by: Jimbo at September 29, 2006 06:04 AM