Saturday, August 20, 2011

The Security Consequences Of Mozilla's Rapid Release Schedule

'Mascot' image from the Mozilla ADD-ONS Blog

Continuing on a topic from my last post I want to focus on the security threat created by the 'rapid release' schedule the Firefox browser is now on.

I won't dispute the positive aspects of this move for Mozilla, however from a security standpoint it creates multiple hazards. A 'Ready or not, here we come' dictum may be OK in some cases, but it's a recipe for trouble when it comes to security.

Like it or not Mozilla bears the responsibility for not just it's browser alone, but also for taking into consideration the extended 'technosystem' of add-ons that have a somewhat symbiotic relationship with Firefox. They also have a responsibility to contribute to overall Internet security.

When so many of their users have security software that either integrates with or is a standalone 'add-on' to Firefox (and these users are to be commended for contributing to the overall security of the Internet),  rushing ahead and leaving them vulnerable is irresponsible and thoughtless.

Rushing to get something done often results in mistakes. You can rush things and get your product out first, but it rarely results in a quality product (and in this case you can add "secure" to that).

I realize that Mozilla can't simply wait until every 3rd-party piece of software is updated on their own schedule. There has to be some form of cooperative effort to find a middle ground however.

The consequences of the current situation are giving even more ground to the security threats confronting Firefox users. You wouldn't leave your children home alone (before the sitter gets there) while you go to work, and a wilderness guide wouldn't forge ahead and leave people behind to fend for themselves.... would you?

As people mature they learn to consider the consequences of their actions and hopefully become less self-centered. I realize that many businesses don't act this way, but good ones do (in varying degrees) and those get my respect (and patronage).

This world needs more cooperation not less.

Edit/add [8/20/2011 1:05 PM]:

I left out (in my haste!) the people on the security software side of the equation who need to do their part by starting their update process as soon as they can. They too have a responsibility to work in cooperation with Mozilla so both end up with a reliable product and safer users.

Wednesday, August 17, 2011

Caught In The Middle

Numerous issues are impacting me that have me caught in the middle and [nearly?] powerless to change (at least in the near-term). The first two affect many people, not just myself.

The first is the recent (and ongoing) fight over the debt ceiling and budget. I and many people like me that are living solely on their Social Security/Disability income had to wait literally until the last moment, not knowing if they could pay their bills. You know, little things like rent, utilities, food & medications..

The right-wing's lack of concern for some of the more vulnerable citizens is disheartening, and the notable favoritism shown towards the upper class and corporations combined with their manifest contempt of those in need is despicable. I want to mention that the silence ("willful ignorance"?) on this subject by vast majority of the media is disgraceful, and will be looked back on (along with many other examples) as a major failure of the Fourth Estate during this time in our nation's history. The abdication of power and responsibility by this Fourth Estate has enabled  those with selfish and dangerous ambitions to take our country in a direction far from the ideals so thoughtfully laid out by our Founding Fathers.

Caught between Mozilla - Firefox and security software

Since Mozilla started it's rapid release schedule for the Firefox browser many of the security add-ons & extensions I rely on haven't been updated to work with the current version (at the time of this post Firefox 6.0 has just been released). Previously, security software companies such as AVG (LinkScanner), Symantec-Norton, M86 Security (SecureBrowsing) and others had plenty of time between 'major releases' of Firefox to update their software (so it will work with whatever changes the new version of Firefox has).

That time has been drastically cut since this 'rapid release' initiative began.

This is from the "Mozilla Firefox: Development Process" page:

"Firefox uses a schedule-driven process, where releases take place at regular intervals. That means each release happens regardless of whether a given feature is ready, and releases are not delayed to wait for a feature to stabilize. The goal of the process is to provide regular improvements to users without disrupting longer term work."

- Further down the page:

Security Releases

"This proposal makes security updates occur along with Firefox releases, meaning we'll no longer be maintaining old branches. Having security branches for each major update is untenable if we release as often as we aim to."
Extension Compatibility 

"Extension compatibility is the trickiest part of the transition. In particular, it's not what the policy should be when a user has extensions that are incompatible with a new Firefox release. Each release will have at least 12 weeks to identify extensions that are no longer working, but this issue will be complicated."
On the Future Release Blog there's a post named "Every Six Weeks".
"We’re studying the effects of the process carefully; it’s a big change and we will be flexible in our approach as new information comes in. We may decide that 6 weeks is the wrong interval, for instance, though it’s worth remembering that Firefox maintenance releases have been released on 6-8 week intervals for years, and sometimes included major changes. We’re also paying close attention to the impacts this cycle has on our ecosystem of add-ons, plugins, and other 3rd party software that interacts with Firefox. We’re working with large organizations, too, to understand how rapid release can fit into their software deployment systems."

"Whatever adjustments we make, it’s clear that rapid release is a major improvement in our ability to respond to the needs of our users and the web. Every 6 weeks we have a new Firefox to evaluate and, unless some surprising and irreconcilable breakage is discovered, release to the world. No one will have to wait a year for the developer scratchpad now in Beta, or the massive memory and performance improvements already on Aurora, or the slick tab management animations soon to land on Nightly. Rapid release is already paying dividends, and we’re just getting started."

Johnathan Nightingale
Director of Firefox Engineering"

Now as far as the security software (companies) side of things, I haven't read any comments directly from them about this issue. 
I have heard directly from M86 Security after I posted a comment on Twitter about their "SecureBrowsing" browser add-on:
Firefox just updated to v5. When will your plug-in be updated?
(Posted 22 Jun)
Their reply:
@TRDaggett We do not have a definitive date at this time, as we are currently reviewing Firefox 5. We'll keep you posted
(Posted 27 Jun)
It's now August 17th and Firefox 6.0 has now been released.... and if you go to the M86 SecureBrowsing (FAQ) page it says:
5. Q: Where will SecureBrowsing work?
    A: SecureBrowsing has been designed to work on the most commonly-used Internet tools.
         The current version of M86 SecureBrowsing supports the following:

 Web Browsers:
  • Microsoft Internet Explorer 6.0, 7.0, 8.0 and 9.0
  • Mozilla Firefox 3.x and 4.0
  • Google Chrome 10
 BTW, Google Chrome's current version is 13x.
Despite the fact that @M86Security told me "We'll keep you posted", I've heard nothing from them [to date]. So if they were "reviewing Firefox 5" and still haven't gotten back to me by the release of Firefox 6..... 
1.) They don't care enough about their users to (proactively) keep them informed.
2.) They're not able to keep their SecureBrowsing product updated (for 2 major browsers) in a timely manner leaving those users unprotected.
3.) M86 Security SecureBrowsing needs to append the FAQ page "Web Browser" information with a note regarding future updates to Firefox and Chrome or remove them from the list.
(Make a decision M86 Security. Then please inform your users.)
I also use the (free to Comcast Internet customers) Norton Security Suite. This version complicates the update issue even further because it's different from both Norton Internet Security and Norton 360 and [probably] has it's own 'team' of people working on it's updates (including various browser add-ons).

I noticed that if I open up the Norton interface on my desktop and click on Identity Protection [View Details] it says that Norton Safe Web and Identity Safe are both on and working!

I called the Norton Security Suite support folks today and was told that they were working on the browser compatibility updates but they wouldn't provide any time table as to when they would be released. I want to mention that the support call must have gone to India because there was a noticeable delay and the woman was very hard to understand, So the combination of those two factors made for a poor quality support call (which I have to say has not been the case with most of my previous support calls involving outsourced support centers in India). It was unfortunate that I was already irritated by several factors including the fact that this was my second call to Comcast support about this matter. The first customer tech support person tried to transfer me to Norton support but used the wrong number, aborted, came back to tell me what she did, and then on the second attempt ended up transferring me to Netgear support!
Finally, AVG LinkScanner (which I've used for years, since before AVG bought them out and ruined incorporated LinkScanner into their products) partially works with Firefox 6.0 but the feature that checks web [page] links and search results (like Google) hasn't been updated yet. AVG has been quite a bit quicker than Norton to update their Firefox add-ons. I can still use the AVG Toolbar to search via the AVG secure search feature or open the desktop LinkScanner interface and enter (and scan) a URL manually. It's not as convenient, but it adds a valuable security resource to my kit.

Mozilla's rapid release schedule has created a security issue for Firefox users who rely on various security add-ons and extensions. I'm not saying that the problem is solely because of the faster schedule though. Other security add-ons (like Giorgio Maone's "NoScript" and Wladimir Palant's "Adblock Plus" ) have kept pace, but it seems likely that the security software produced by the bigger security companies has a much different (and complicated) process that it has to go through. A good analogy is probably that of an aircraft carrier vs. a Coast Guard cutter.
As I recall after Firefox version 5.0 was released my Norton Toolbar* and IPS 'broke' and after a few weeks some protection features (like search results) were updated but the toolbar wasn't (and still hasn't been updated).

Ultimately I hope to see [at least] two things happen. Security software companies who's products integrate with Firefox (and Google Chrome) will adapt to a faster update schedule, and Mozilla will adapt their release schedule to better enable security add-on software to stay current (and 'on the job'!). Rapid release schedules are great but not if it results in leaving your users vulnerable. 
Best practices call for a 'layered' approach to security. We need to work together as much as possible to increase Internet security.

*The Norton Toolbar includes the Identity Protection features like the 'Identity Safe' that I used daily. [Among other things] It securely stored passwords for websites and automatically logged me in to those sites. It also held 'cards' that I could fill with customized identity information which in turn could be automatically entered into forms on web pages.