[LINK] RFC: Is Firefox 3.5 a reason to join, or leave?
Roger Clarke
Roger.Clarke at xamax.com.au
Sun Aug 16 21:50:10 AEST 2009
Firefox 3.5 has had a number of security and functionality problems,
but perhaps it's settling down now, at 3.5.2:
http://www.mozilla.com/en-US/firefox/3.5.2/releasenotes/
As a Firefox 3.0.<recent-version> user, I'm concerned about a number
of aspects of v3.5. For starters:
- what's changed? This helps, but isn't all that useful really:
http://www.mozilla.com/en-US/firefox/features/
- does it over-write 3.0.x, or is it an additional installation,
leaving 3.0.x in place?
- what range of security-settings does it offer, e.g. relating to:
  - cookie prevention
  - cookie management
  - data disclosure in GETs and POSTs
  - support for multiple identities
It's a concern that the security enhancement it trumpets is a
response to a minor problem rather than a major one
('Private Browsing', aka 'don't let your Mum see what you've done')
- crucially, how 'insecure-by-design' is it?
Put another way, is this designed for users or web-server managers?
Under 'The Cutting Edge', these are a serious concern:
- HTML5
- Cross-Site XMLHttpRequest
So it's designed to enable AJAX engines?
(which equate to server-side control over the browser)
And it's enhancing the very features that facilitate
web application attacks and drive-by infections?
I'd appreciate insights and leads. I suspect others might too.
_________________________________________________________________________
From http://www.rogerclarke.com/EC/Web2C.html#AltT (2006-07):
"Another limiting factor [of 'Ajax engines' within browsers] is the
insecurity inherent in such techniques. The corporation's
applications are capable of being manipulated, subverted or hijacked,
because a considerable amount of active code is visible client-side
(e.g. Paul 2007).
"From the user's perspective, however, control of the browser-window
by code delivered by an application running on the server represents
subversion of the concept of the Web and hijack of the functions of
the browser. Marketers have repeatedly tried to bully the Web into a
means of 'pushing' ads to consumers, despite the inherently 'pull'
nature of the HTTP protocol. AJAX at last provides an environment in
which the advertiser's dream of web-casting can be implemented.
Perhaps 'billboards on the information superhighway' were trumpeted
by Schrage (1994) a decade too early. And, now that they can be
delivered, they come with a capacity for ad-targeting far greater
than was feasible at that time."
--
Roger Clarke http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au http://www.xamax.com.au/
Visiting Professor in Info Science & Eng Australian National University
Visiting Professor in the eCommerce Program University of Hong Kong
Visiting Professor in the Cyberspace Law & Policy Centre Uni of NSW