
Secplicity - Security Simplified

Powered by WatchGuard Technologies

Firefox 4 Improves Speed and Security

March 23, 2011 By Corey Nachreiner

For any Firefox fans out there, Mozilla has released version 4, which you can download now. Firefox 4 contains a number of improvements, but the most relevant to this blog are its security updates.

One of Firefox 4’s new features is called Content Security Policy (CSP). This feature helps to prevent Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF) attacks. In the past, extensions like NoScript could try to prevent XSS attacks by blocking one site (or domain) from injecting script into another site (or domain). However, this basic XSS detection often results in false positives, as some developers actually design sites to work that way. Mozilla’s new CSP feature takes a more active approach. Web servers send a special header telling the browser what sort of content or scripts to expect, and Firefox won’t process any content the server didn’t specify, thus potentially avoiding injected scripts. That said, for all this to work, the web sites we visit need to start sending CSP headers.
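To make the mechanism concrete, here is an added example (not code from the post or from Mozilla) that models the browser side of CSP: it parses a policy header and decides whether a given script load, or an inline script block, is permitted. It assumes the later standardized `Content-Security-Policy` header syntax rather than the experimental header Firefox 4 shipped with, and it covers only `'self'`, `'none'`, `'unsafe-inline'`, scheme sources, and host sources with an optional `*.` wildcard; the sample policy and URLs are constructed.

```python
from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when not set (subset of the real list)
DEFAULT_SRC_FALLBACK = {"script-src", "style-src", "img-src", "connect-src"}


def parse_csp(header_value):
    """Split 'directive src src; directive src ...' into {directive: [sources]}."""
    policy = {}
    for directive in header_value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def _origin(url):
    parts = urlsplit(url)
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def _source_matches(src, page_url, resource_url):
    """Match one CSP source expression against one resource URL (simplified)."""
    res = urlsplit(resource_url)
    host = res.netloc.lower()
    if src == "'self'":
        return _origin(resource_url) == _origin(page_url)
    if src.startswith("'"):
        return False  # 'none', 'unsafe-inline', nonces, hashes never match a URL here
    if src == "*":
        return True  # real CSP excludes data:/blob: etc.; not modelled
    if src.endswith(":") and "/" not in src:  # scheme-source such as "https:"
        return res.scheme.lower() == src[:-1]
    scheme, sep, rest = src.partition("://")
    if sep and res.scheme.lower() != scheme:
        return False
    pattern = (rest if sep else src).split("/")[0]  # host[:port]; paths not modelled
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def allows(policy, directive, page_url, resource_url=None, inline=False):
    """True if the policy permits this load (or inline block) under the directive."""
    sources = policy.get(directive)
    if sources is None and directive in DEFAULT_SRC_FALLBACK:
        sources = policy.get("default-src")
    if sources is None:
        return True  # no governing directive: CSP restricts nothing
    if inline:
        return "'unsafe-inline'" in sources
    return any(_source_matches(s, page_url, resource_url) for s in sources)


if __name__ == "__main__":
    # Constructed policy: the page may load scripts from itself and one CDN, nothing else.
    policy = parse_csp("default-src 'self'; script-src 'self' https://cdn.example.com")
    page = "https://www.example.com/account"
    for url in ("https://www.example.com/app.js",
                "https://cdn.example.com/lib.js",
                "http://cdn.example.com/lib.js",      # wrong scheme
                "https://attacker.example.net/x.js"):  # an injected <script src>
        print(url, "->", "allowed" if allows(policy, "script-src", page, url) else "blocked")
    print("inline <script> ->", "allowed" if allows(policy, "script-src", page, inline=True) else "blocked")
```

The interesting case is the last two lines of the demo: an injected `<script src=...>` pointing at a host the policy never listed, and an inline `<script>` block (the usual XSS payload shape), are both refused even though the page's own scripts still load. Without any policy the function returns `True` for everything, which is why the post notes that sites have to start sending the header before any of this helps.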

Another new feature is Firefox’s support of the Strict-Transport-Security header. When you go to sites like gmail.com, you really want to visit the HTTPS version of the site. However, if you don’t bother typing the full URL into your browser, you may accidentally visit the normal HTTP site first, before being redirected to the HTTPS version. This little transition could provide attackers with what they need to carry out a Man-in-the-Middle (MitM) attack. The Strict-Transport-Security header — which Firefox 4 supports — allows a web site to specify that it will only allow HTTPS connections, thus preventing the scenario mentioned above.
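The following added example (not code from the post or from Mozilla) models what a browser does with that header: it parses `max-age` and `includeSubDomains`, remembers the host only when the header arrived over HTTPS, and rewrites later `http://` URLs to `https://` before any plaintext request goes out. The hostnames and header values are constructed, and the store is simplified (no persistence, no preload list).

```python
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header_value):
    """Parse 'max-age=N; includeSubDomains' into (max_age, include_subdomains).

    Returns None when there is no usable max-age, in which case the header is ignored.
    """
    max_age = None
    include_subdomains = False
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None or max_age < 0:
        return None
    return max_age, include_subdomains


class HstsStore:
    """Remembers hosts that declared themselves HTTPS-only, with expiry."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for testing expiry
        self._entries = {}           # host -> (expires_at, include_subdomains)

    def observe_response(self, url, header_value):
        """Record the header from a response. Returns True if it was accepted."""
        parts = urlsplit(url)
        if parts.scheme.lower() != "https":
            return False  # ignored over plain HTTP: an on-path attacker could have injected it
        parsed = parse_hsts(header_value)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        host = parts.hostname.lower()
        if max_age == 0:
            self._entries.pop(host, None)  # max-age=0 asks the browser to forget the host
            return True
        self._entries[host] = (self._clock() + max_age, include_subdomains)
        return True

    def is_known(self, host):
        """True if host, or a parent domain with includeSubDomains, has a live entry."""
        host = host.lower()
        now = self._clock()
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._entries.get(candidate)
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if expires_at <= now:
                continue  # expired entry no longer protects anything
            if candidate == host or include_subdomains:
                return True
        return False

    def rewrite(self, url):
        """Upgrade http:// to https:// for known hosts before the request is sent."""
        parts = urlsplit(url)
        if parts.scheme.lower() == "http" and parts.hostname and self.is_known(parts.hostname):
            netloc = parts.netloc if parts.port not in (None, 80) else parts.hostname
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


if __name__ == "__main__":
    store = HstsStore()
    # Constructed: the first visit over HTTPS carries the policy; afterwards a lazily
    # typed http:// address never leaves the browser as plaintext.
    store.observe_response("https://mail.example.com/", "max-age=31536000; includeSubDomains")
    print(store.rewrite("http://mail.example.com/inbox"))
    print(store.rewrite("http://imap.mail.example.com/"))
```

The point of the `scheme != "https"` check in `observe_response` is the same one the post makes about the first unprotected request: anything learned over plain HTTP could have come from the attacker, so only a policy received over an authenticated connection may change what the browser does later.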

Firefox 4 contains many other old and new security features which you can read about on Mozilla’s site, or in this SANS ISC handlers diary post.

Besides the security improvements I mentioned above, Firefox 4 is also a lot faster. Browsers like Chrome and Safari have done a lot to make the browsing experience much faster, mostly by speeding up their JavaScript engines. Firefox 4 includes similar improvements, making it three times faster than Firefox 3.x, and on par with the fastest browsers on the market.

If you use Firefox, I highly recommend you download version 4 for its security and performance improvements. Don’t forget to also grab the latest version of NoScript, which I never browse without. – Corey Nachreiner, CISSP (@SecAdept)

Filed Under: Security Bytes Tagged With: firefox, noscript, xss

Comments

  1. Bernard Cane says

     March 23, 2011 at 10:54 am

     WOW! WatchGuard Sec Ctr you guys are the best! Thanks for the great tips and safety notices!

  2. safe says

     April 7, 2011 at 2:32 am

     It was a helpful experience for me to discover this webpage. It definitely stretches the limits of the mind when you find useful info and make an effort to interpret it properly. I am going to review this web site often on my PC. Thanks for sharing.
