
Firefox 17 Gets Friendly With Facebook, Wary of iFrames

Mozilla has made its Web browser more social — and more secure — with the release of Firefox 17.

The latest version of the foundation’s popular browser includes a plug-in that displays notifications and instant messages from Facebook in a sidebar.

The plug-in is the first implementation of the Social API introduced by Mozilla in July. The feature must be activated through Facebook.

In addition to the Facebook plug-in, Mozilla made more than a score of changes in Firefox 17, including an update of the Awesome Bar, the end of support for Mac OS X 10.5 Leopard, and improved security with click-to-play blocklisting and iFrame sandboxing.

Smart Implementation

Web browsers need to support what people do on the Web, observed Eric Vishria, CEO and cofounder of browser competitor Rockmelt.

“Social is huge for people,” he told TechNewsWorld. “It’s one of the largest activities that people do on the Web, so by building it into the browser directly, you make it much more convenient for people to do that along with their general Web browsing.”

While integration with the social networks is baked into Rockmelt, Mozilla uses an API that allows the networks to plug into Firefox. “There are plenty of differences in the implementation, but the core concept is very smart,” Vishria said.

Approach Validation

Mozilla’s move to tighten Firefox’s integration with social networks is a natural progression. “We said two years ago when we launched the company that we expected every browser developer to build social capabilities into their browser,” Vishria said.

If the other major browser makers follow Firefox in adding social to their repertoires, would a small player like Rockmelt be squeezed out of the market? Vishria doesn’t think so.

“I don’t think it will squeeze us out because we have a two-year head start,” he maintained. “What it does, more than anything, is validate our approach. The only question is, is it too late for Firefox?”

Mozilla did not respond to our request to comment for this story.

Better Security

As well as better social integration, Mozilla made Firefox 17 more secure by adding support for iFrame sandboxing and click-to-play blocklisting.

An iFrame is a window to the Internet inserted on a Web page. iFrames are invisible to users, and they allow content from other places on the Net to be displayed in an area of a page.

By placing what’s going on in an iFrame in a sandbox — a segregated area where the content’s access to a system’s workings can be limited — devices can be protected from some malicious threats.

“It allows developers to protect their users from untrusted content,” said Chester Wisniewski, senior security advisor at Sophos.

“It’s there for website developers,” he added. “iFrames aren’t automatically sandboxed. Consumers are protected only when a developer chooses to use the feature.”
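Because sandboxing is opt-in, a site owner can check which frames on a page actually carry the attribute. The following is an added example, not code from Mozilla or from the people quoted in this article: a small Node.js audit that classifies each iFrame in a page's markup. The sample markup and host names are constructed, and the `allow-*` token names come from the HTML specification rather than from the article.

```javascript
// Added example: report how each <iframe> in a page's markup is sandboxed.
// SAMPLE_HTML is constructed for illustration; the hosts are placeholders.
const SAMPLE_HTML = `
<iframe src="https://ads.example/banner"></iframe>
<iframe src="https://widgets.example/chat" sandbox></iframe>
<iframe src="https://widgets.example/form" sandbox="allow-forms allow-scripts"></iframe>
<iframe src="/user-content/page.html" sandbox="allow-scripts allow-same-origin"></iframe>
`;

// Parse the attributes of one <iframe ...> start tag into a Map.
function parseAttributes(tag) {
  const attrs = new Map();
  const body = tag.replace(/^<iframe/i, "").replace(/>$/, "");
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs.set(m[1].toLowerCase(), m[2] || m[3] || m[4] || "");
  }
  return attrs;
}

// Classify every iframe: no sandbox attribute, sandboxed, or sandboxed with a
// token pair that lets same-origin framed content undo the restriction.
// Simplification: assumes attribute values contain no ">" character.
function auditIframes(html) {
  const findings = [];
  for (const tag of html.match(/<iframe\b[^>]*>/gi) || []) {
    const attrs = parseAttributes(tag);
    const src = attrs.get("src") || "(no src)";
    if (!attrs.has("sandbox")) {
      findings.push({ src, status: "unsandboxed", tokens: [] });
      continue;
    }
    const tokens = attrs.get("sandbox").toLowerCase().split(/\s+/).filter(Boolean);
    const weak = tokens.includes("allow-scripts") && tokens.includes("allow-same-origin");
    findings.push({ src, status: weak ? "weak" : "sandboxed", tokens });
  }
  return findings;
}

for (const f of auditIframes(SAMPLE_HTML)) {
  console.log(`${f.status.padEnd(12)} ${f.src} [${f.tokens.join(" ")}]`);
}
```

A bare `sandbox` attribute with no tokens applies every restriction; each token listed relaxes one of them.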

Naughty iFrames

Sandboxing iFrames is a feature of HTML 5.0, explained Trend Micro Research Manager Jamz Yaneza. “It gives Firefox developers more secure control over the sources of their content,” he told TechNewsWorld.

Yaneza, though, isn’t a big fan of iFrames. “iFrames have been used time and time again by bad guys to inject malicious content into websites and to cause users to click on pages with malicious ads,” he said.

Nevertheless, the sandboxing feature does add to the browser’s security, he observed. “Every security feature that prevents automatic execution of content is definitely a plus,” he said.

Click-to-play blocklisting will also improve Firefox’s security profile, according to Randy Abrams, research director at NSS Labs.

That feature will warn a user if they’re using a plug-in, like Adobe Flash, that’s subject to an update. Often plug-ins are updated to address security problems, so using the latest version of a plug-in is a best practice for the security conscious.

Since the feature only issues a warning, its protection for users is less than absolute, Abrams noted. “You can still choose to do the less than prudent thing if you want to,” he said.
