Mozilla: Security a Significant Focus


Mozilla is moving forward on a number of initiatives to ensure that Internet security improves. Among the efforts is a new approach for determining and measuring security metrics.

With more than 170 million users, Mozilla has a large footprint of Web surfers using its Firefox browser. As such it’s in an enviable position to help not only secure its own users but to implement best practices that make the entire Web a safer place for all.

“All these different programs are designed to be open and solicit feedback and also be useful to projects beyond the Mozilla project,” Window Snyder, chief security officer at Mozilla, told

A training effort now in the development phase will help educate the community about secure development practices. Mozilla is also working on threat modeling for the next version of Firefox and intends to make some of that information public.

The security metrics effort, announced earlier this year, is designed to figure out what matters in security and then measure and track those metrics. Snyder explained that the first step of the process, now wrapping up, is about determining what the company needs to look at in terms of security metrics. The next step is figuring how to get that information out of bugzilla and capture it on an ongoing basis. After that the challenge is to get information out and generating raw numbers. At the end the company will do analysis on that information to identify trends, correlate factors and draw conclusions.

Tracking security is an ongoing concern in the software industry. Oracle (NASDAQ: ORCL) and Cisco (NASDAQ: CSCO) use a system called Common Vulnerability Scoring System (CVSS), while Microsoft (NASDAQ: MSFT) recently announced its the Exploitability Index project. Both projects rely on evaluating the risk potential from exploitation. Mozilla’s security metrics will take a different route.

“We did look at exploitability at the very beginning and we decided that was a factor that is hard to capture and not all that useful,” Snyder said. “We don’t have a lot of evidence that Firefox users are being exploited.”

Snyder did admit, however, that Mozilla sees the security research community coming up with proof-of-concept attacks, but she argued that’s different than users actually being attacked.

“We believe it’s out there, but it’s not one of the factors we’re focusing on because we can’t identify a lot of data for it,” Snyder commented. “Right now what we’re really focusing on is the effect of our security efforts.”

Mozilla will try and determine the how quickly it patches and users update, how code changes affect security as well the effectiveness of the tools it uses to find and prevent issues.

At Black Hat in 2007, Mozilla introduced a new fuzzing tool called JsfunFuzz and Snyder noted that they have a staffer now that does nothing but build and use fuzzers.

Next page: Coding practices

Page 2 of 2

Coding practices

Mozilla has made significant progress in its coding practices to ensure higher quality secure code overall. Johnathan Nightingale, Mozilla’s human shield, is a key part of the company’s security effort, and he noted that code testing has expanded in a number of areas.

“At last count we ran about 60,000 automated tests on multiple platforms for Firefox 3,” Nightingale told “Every time there is a check-in we run a new group of tests.”

In comparison, the company ran only about 2,000 unit tests for Firefox 2. In addition, as of the Firefox 3 release, Mozilla has moved to a new distributed code development platform. They had been using Concurrent Versions System, or CVS , and are now using Mercurial, a more collaborative and distributed approach.

“The real value of Mercurial is not that it makes testing easier — it makes it easy for small groups to put together a high-quality code base on their own and then merge it once it’s safe,” Nightingale said. “In the old days of CVS, that was a hard thing to do,” he continued. “Mercurial makes it easier, which in turn makes our coding practices a lot safer by default.”

New errors

Over the course of the last year, new errors have been popping up in Mozilla and elsewhere around the Web.

“What happened for us starting last year is we started seeing interactions between applications as a problem,” Snyder said, drawing a comparison to the problem of handling Uniform Resource Identifiers, or URIs . “That for us was a new category,” she said.

Firefox 2 was patched multiple times in 2007 and 2008 for various URI handling errors. URI allows browser to load up other applications, for example a PDF viewer or QuickTime movie player.

“Because we’re an entry point into the operating system, we try and be a robust entry point, and any data we’re handing off to other applications needs to make sure it’s reasonable and safe,” Snyder said. “We need to make sure we’re seeing well-constructed queries to other applications and think about how we can be a first level of defense,” she added.

Overall the idea of cross-site content and mashups are a concern for Mozilla as it tries to figure out what the safest way is to share information between sites.

“It’s something that has been hotly debated at Mozilla,” Snyder said, adding that the problem is for the whole Web rather than just Mozilla. “Mozilla is in a great position to influence how the Web ends up implementing that in a way that protects user privacy.”

News Around the Web