German’s official cyber-security response team is advising surfers not to use Firefox pending the release of a patch to defend against a critical unpatched vulnerability. This is the second time in two months that Germany has taken such a step. Earlier in January, the German government issued a similar warning to IE users. I did a post about it titled Germany warn users against Internet Explorer.

The zero-day vulnerability in the latest full version 3.6 of Firefox was discovered by security researcher Evgeny Legerov last month.  Legerov controversially offered to sell exploit code he developed.  Mozilla acknowledged the security vulnerability on Thursday and promised the the next version of 3.6.2, due at the end of the month, would plug the hole.

I have to applaud the German government for taking such a proactive approach to online security of it’s citizens. I have to wonder what would be the response to such an approach my the US government here. As to the advice given, I’m of two minds really. Whereas home users are at liberty to switch browsers as often as their underpants, corporate users may not have that luxury. Whole scale software migrations in a corporate setting is no small undertaking. Ig it were, I doubt Google would have gotten hacked for using IE6.

Vulnerabilities in all browsers are discovered over time. Corporate users, does the musical browser approach really work even if it were possible? I think not. My advice: Test and Upgrade as soon as is feasible.

Microsoft has been ordered to introduce the browser “ballot box” following a ruling by the European Commission that Microsoft’s practice of pre-installing Internet Explorer on every new computer was anti-competitive. The Commission accepted Microsoft’s offer of rolling out the ballot box across its range of Windows machines, which it believes will make it easier for computer users to choose an alternative browser to Internet Explorer. See ballot below:

The ballot box will be pushed to Windows users running XP, Vista and Windows 7, via an automatic software update, and will only be shown to computer users who are not already running a different default browser. The list of offered browsers are:

* Avant
* Google Chrome
* Mozilla Firefox
* Flock
* GreenBrowser
* Internet Explorer
* K-meleon
* Maxthon
* Opera
* Apple Safari
* Sleipnir
* SlimBrowser

I’m not sure how I feel about this. Competition is always good however users savvy enough to care already know they can download and run any of these browsers. I agree with Microsoft on the point that this will just add to the confusion of many users.

The open source engine that forms the basis for Google’s Chrome has spawned an ostensibly new browser, Comodo’s cleverly named ‘Dragon’. Internet Explorer might be the most used, Firefox the most fashionable and Google allegedly the fastest, but firewall and tools outfit Comodo says that its new browser has enough tweaks to make it marginally the most secure. Based on Chromium project code, Dragon can give warnings regarding the type of SSL digital site certificate and whether any present provide enough security. In the case of domain SSL certificates, which can be bought through a wide range of agencies around the globe, the answer is almost certainly not.

The browser is also configured to transfer as little data to websites as possible, in particular on software errors the company says would normally be transmitted for troubleshooting purposes. This could betray a user’s browsing history.

Although identical to Google’s Chrome in terms of look and feel, delving into the options tab reveals this subtly different outlook. The crash report checkbox found in Chrome is missing, although it has to be said that the latter can be unchecked on the former and is not mandatory. The other security features such as control over cookies are all from Chrome.

Read the full article

Six days ago, I posted that Mozilla had reported in a security notice that two experimental add-ons for its Firefox browser contain trojans that affect Windows machines. Mozilla has since retracted that accusation against one of the extensions. In a statement posted to its blog last night, Mozilla said: “We’ve worked with security experts and add-on developers to determine that the suspected trojan in Version 4.0 of  Sothink Video Downloader was a false positive and the extension does not include malware.”

Good Grief! One would think that work would have been done BEFORE defaming a company.

If you are a Firefox user, as I am, you probably have one or more “add-ons” installed to enhance your browser capabilities. For example, I have add-ons installed to show the ip address and country location of the web servers I connect to. I also have another to block all scripts from running in my browser by web servers unless i explicitly allow it. These add-ons help protect my computer while browsing the web.

I received this email from the good offices of Google today:

In order to continue to improve our products and deliver more sophisticated features and performance, we are harnessing some of the latest improvements in web browser technology.  This includes faster JavaScript processing and new standards like HTML5.  As a result, over the course of 2010, we will be phasing out support for Microsoft Internet Explorer 6.0 as well as other older browsers that are not supported by their own manufacturers.

We plan to begin phasing out support of these older browsers on the Google Docs suite and the Google Sites editor on March 1, 2010.  After that point, certain functionality within these applications may have higher latency and may not work correctly in these older browsers. Later in 2010, we will start to phase out support for these browsers for Google Mail and Google Calendar.

Google Apps will continue to support Internet Explorer 7.0 and above, Firefox 3.0 and above, Google Chrome 4.0 and above, and Safari 3.0 and above.

Starting this week, users on these older browsers will see a message in Google Docs and the Google Sites editor explaining this change and asking them to upgrade their browser.  We will also alert you again closer to March 1 to remind you of this change.

In 2009, the Google Apps team delivered more than 100 improvements to enhance your product experience.  We are aiming to beat that in 2010 and continue to deliver the best and most innovative collaboration products for businesses.

Thank you for your continued support!

Sincerely,

The Google Apps team

France and Germany have warned web users against using ALL versions of Microsoft’s Internet Explorer in the wake of the recent attacks against Google and other sites where vulnerabilities in the browser have been implicated. One of the attacks allowed hackers in China to gain access to email accounts of  human rights activists. Although Microsoft admitted that its browser was the weak link in the attacks, it rejected the warning as too strong saying that the security threat was low. It has since urged users to upgrade their browser to Internet Explorer version 8. Microsoft also recommends users set their browser security zone to “high”.

In order to change settings for Internet Explorer, select Tools then Internet Options…

Select the Security tab. On this tab you will find a section at the top that lists the various security zones that Internet Explorer uses. More information about Internet Explorer security zones is available in the Microsoft document Setting Up Security Zones. For each of these zones, you can select a Custom Level of protection. By clicking the Custom Level button, you will see a second window open that permits you to select various security settings for that zone. The Internet zone is where all sites initially start out. The security settings for this zone apply to all the web sites that are not listed in the other security zones. I recommend the High security setting be applied for this zone. By selecting the High security setting, several features including ActiveX, Active scripting, and Java will be disabled. With these features disabled, the browser will be more secure. Click the Default Level button and then drag the slider control up to High.

It is also imperative to be very diligent in keeping your browsers fully patched. Most internet attacks via the browser are preventable as these attacks target vulnerabilities for which patches are already available. The victims simply have not installed them. If you use Internet Explorer, Microsoft puts out patches once a month. Your system should be set up to automatically download these patches and notify you or install them.

As to abandoning Internet Explorer, will this call be echoed my other countries ( including the US), I doubt it.  Most non-technical users aren’t following this story. Those on whom this may have a effect have most likely grown to prefer Mozilla’s Firefox or Apple’s Safari browser anyway. As I’m a Firefox user, maybe this will increase their market share.

Following up on yesterday’s post, the advice was to ascertain the legitimacy of the web site by verifying the digital certificate. So what is a web site really? It’s just files located on a server somewhere. As you “browse the web”, your browser connects to the web server where those files are stored, downloads and displays them to you. The digital certificate resides on the web server and is transferred to your browser when you connect to a web site using https. The certificate contains two important items: the identification information of the web server and the encryption key that allows your browser to create an encrypted tunnel to the web server. The encrypted tunnel protects  your web traffic from attackers.

So https indicates your communications to the web site is encrypted. Clicking on the golden lock displays the digital certificate and identity information. But what if your browsers decides it doesn’t like the certificate? Well it warns you. Ever seen these before:

If you have spent any amount of time on the web, you will have eventually come across these warnings. What do you generally do? Flee for your life? Read the details? Continue on to the web site anyway? Well, don’t just ignore this warning! There are multiple reasons why your browser might balk at pproceeding to the requested web site.

Certificates are generally issued by companies like Verisign and Thawte after the entity requesting the certificate has verified its identity. The certificates are digitally connected to a root certificate located at the issuer. Browsers are pre-configured with a number of more popular root certificates. That is why, when you access your online bank account, your browsers automatically recognizes the certificate and allows you to proceed without issue. The certificates are valid for a specified period of time and require renewal. If the certificate has expired, your browser will detect it and you will see the warning displayed  above. If your browser does not recognize the source of the certificate ( i.e no connection to a known root certificate), you will see the error message as well. This is the case when web site owners decide not to purchase a certificate issued by one of the aforementioned third-parties and create their own certificate which still provides the same functions: claims an identify and enable encryption.

This last point is key. Anyone can create a certificate. I can create a certificate in seconds claiming my laptop to be https://www.your-online-bank.com. Tools that enable a man-in-the-middle attack mentioned in yesterday’s post automatically do this.  Now, as your browser will recognize the lack of digital connection between my fake web site certificate and the real root certificate, it will warn you with one of the  errors displayed above. Beware that you don’t make it a habit of clicking to continue without giving it a second thought.

Here is a post by Stan Schroader warning users of a new Facebook clickjacking attack. Clickjacking is a malicious technique where users are tricked into clicking on hidden link  that leads them to a webpage they didn’t intend. If this is  web site that hosts malicious content, things can get a little hairy. If you are using a Firefox browser as I am,  one way to protect yourself is to install the NoScript plugin which prevents users from clicking on invisible page elements.