For any Firefox fans out there, Mozilla has released version 4, which you can download now. Firefox 4 contains a number of improvements, but the most relevant to this blog are its security updates.
One of Firefox 4’s new features is called Content Security Policy (CSP). This feature helps to prevent Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) attacks. In the past, extensions like NoScript could try to prevent XSS attacks by simply preventing one site (or domain) from injecting script into another site (or domain). However, this basic XSS detection often results in false positives, since some developers actually design sites to work that way. Mozilla’s new CSP feature takes a more active approach: web servers send special headers telling the browser what sort of content or scripts to expect, and Firefox won’t process any content that the server didn’t specify, thus potentially avoiding injected scripts. That said, for all this to work, the web sites we visit need to start supporting CSP headers.
Another new feature is Firefox’s support for the Strict-Transport-Security header. When you go to sites like gmail.com, you really want to visit the HTTPS version of the site. However, if you don’t bother typing the full URL into your browser, you may accidentally visit the normal HTTP site first, before being redirected to the HTTPS version. This brief unencrypted transition could give attackers the opening they need for a Man-in-the-Middle (MitM) attack. The Strict-Transport-Security header, which Firefox 4 supports, allows a web site to specify that it only allows HTTPS connections, thus preventing the scenario mentioned above.
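To make the two headers above concrete, here is a small Python auditor written for this post as an added example; it is not code from the original article, from Mozilla, or from any site mentioned. It parses a response's Content-Security-Policy and Strict-Transport-Security values the way a browser would (first occurrence of a CSP directive wins, `script-src` falls back to `default-src`, HSTS is ignored unless it arrived over HTTPS, and a missing `max-age` makes the HSTS header invalid) and reports weaknesses a site operator would want to fix before relying on Firefox 4's new behaviour. The sample header sets are constructed, the one-year `max-age` threshold is a common hardening baseline rather than something the post states, and the checker also accepts the experimental `X-Content-Security-Policy` header name that Firefox's early CSP implementation used.

```python
"""Constructed example: audit a response's CSP and HSTS headers.
Sample header sets below are made up for illustration."""

# Early Firefox CSP shipped under the experimental X- name; accept both.
CSP_HEADER_NAMES = ("content-security-policy", "x-content-security-policy")
ONE_YEAR = 365 * 24 * 3600  # common HSTS hardening baseline (assumption)


def parse_csp(value):
    """Parse a CSP value into {directive: [source, ...]}.
    A repeated directive is ignored: browsers honour the first occurrence."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def csp_allows_inline_script(policy):
    """True if an injected inline <script> would run under this policy.
    script-src governs scripts, default-src is the fallback; with neither
    present CSP places no restriction on script at all."""
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True
    return any(s.lower() == "'unsafe-inline'" for s in sources)


def parse_hsts(value):
    """Parse Strict-Transport-Security into (max_age, include_subdomains),
    or None when the header is malformed (max-age is mandatory)."""
    max_age, include_subdomains = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            val = val.strip().strip('"')
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return max_age, include_subdomains


def audit_headers(headers, received_over_https=True):
    """Return a list of finding codes for one response's headers.
    `headers` maps header name -> value; names are compared case-insensitively."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []

    csp_value = next((lower[n] for n in CSP_HEADER_NAMES if n in lower), None)
    if csp_value is None:
        findings.append("csp-missing")
    elif csp_allows_inline_script(parse_csp(csp_value)):
        findings.append("csp-allows-inline-script")

    hsts_value = lower.get("strict-transport-security")
    if hsts_value is None:
        findings.append("hsts-missing")
    elif not received_over_https:
        # RFC 6797: a browser must ignore HSTS received over plain HTTP, so the
        # HTTP->HTTPS redirect response cannot set it; the HTTPS response must.
        findings.append("hsts-ignored-over-http")
    else:
        parsed = parse_hsts(hsts_value)
        if parsed is None:
            findings.append("hsts-malformed")
        else:
            max_age, include_subdomains = parsed
            if max_age < ONE_YEAR:
                findings.append("hsts-short-max-age")
            if not include_subdomains:
                findings.append("hsts-no-subdomains")
    return findings


# Constructed sample responses: a weak configuration and a hardened one.
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=600",
}

HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://static.example.com; object-src 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_headers(hdrs) or ["ok"])
```

Run against the constructed samples, the weak set is flagged for allowing inline script (which is exactly what reflected XSS injects) and for a short, non-subdomain HSTS policy, while the hardened set passes. Passing `received_over_https=False` shows why HSTS has to be emitted on the HTTPS response itself and not only on the redirect.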
If you use Firefox, I highly recommend you download version 4 for its security and performance improvements. Don’t forget to also grab the latest version of NoScript, which I never browse without. – Corey Nachreiner, CISSP (@SecAdept)