Make no mistake about it, Mozilla is committed to making the web a safer place for its users. Browser security remains somewhat dubious: all of the main browsers perform well in various security tests, although questions about NSA backdoors persist. For its part, Mozilla has been very outspoken against government surveillance programs. To back up such rebellion with concrete results, Mozilla again put its commitment to a secure browsing environment on display today with the introduction of two new services designed around the secure web concept.
The first, the result of a partnership with BlackBerry, which refuses to go quietly into that good night, involves the concept of bug fuzzing. The cool name covers a simple but seemingly effective concept:
Mozilla and BlackBerry’s work on security research techniques are in the area of fault injection. Fault injection (also known as “fuzzing”) is a method of automated security testing that is used to identify potential security concerns that can be fixed before users are at risk. Fault injection is a testing technique where specially designed software is created to inject a variety of unexpected or malformed data into a specific application, program or area of code. The goal is to uncover areas where the software does not properly handle the malformed data. Through fault injection it is possible to identify potential security weaknesses that can be proactively addressed before there is ever a threat to users.
In other words, fuzzing tests to see if a site will harm a user. If so, the technique “fixes” the problem, which, in turn, protects the browser (using a Mozilla product, of course). What is involved in these fixes is uncertain, especially if it involves a destination site. Aside from warning the user, or perhaps blocking potentially malicious content, there isn’t much the service can do to fix a potentially harmful site.
Unless, of course, it involves gaining access to the server hosting the site in question, and that goes a little bit above and beyond the call of duty for a web browser. Nevertheless, adding another layer of security for web users to rely on is certainly not a bad thing, especially if it successfully blocks infections. It should be noted that BlackBerry seems to be quite enthusiastic about their involvement in the program:
[Adrian Stone, Director of BlackBerry Security Response and Threat Analysis says] “Security is an industry-wide challenge that cannot be solved in a vacuum, and that is why BlackBerry and Mozilla security researchers are working together to develop new and innovative tools for detecting browser threats before they can affect both mobile and desktop customers. Through this collaboration, BlackBerry and Mozilla are working together towards the common goal of advancing security protections for customers as well as improving the threat landscape overall.”
Who knows? Maybe such a commitment will help BlackBerry’s attempted rebound, at least in the eyes of the corporate world. Mozilla also announced the 0.3 release of Minion, its open source security testing platform, which allows:
…any team to set up the basic requirements to perform automated scanning and testing of websites and services by providing sensible defaults for plugins that enable scanning of many types of web applications and services.
A quick look at the blog post for the Minion update reveals a lot of tools and flexibility regarding these security tests.
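The fault injection technique described in the Mozilla quote above, shown as an added example that is not code from the article, Mozilla or BlackBerry: a minimal mutation fuzzer run against a toy record parser. The record format, both parsers and every name here are assumptions made up for this illustration.

```python
import random
import struct

# Constructed sample record: tag (1 byte), big-endian length (2), payload, checksum (1).
SEED = b"\x01" + struct.pack(">H", 5) + b"hello" + bytes([sum(b"hello") & 0xFF])

def parse_naive(data):
    """Hypothetical target: trusts the length field and the input size."""
    tag = data[0]                                # IndexError on empty input
    (length,) = struct.unpack(">H", data[1:3])   # struct.error on a short header
    payload = data[3:3 + length]
    if data[3 + length] != sum(payload) & 0xFF:  # IndexError when the length lies
        raise ValueError("bad checksum")
    return tag, payload

def parse_checked(data):
    """Validate sizes first, so every malformed input ends in a ValueError."""
    if len(data) < 4:
        raise ValueError("truncated record")
    (length,) = struct.unpack(">H", data[1:3])
    if len(data) != 3 + length + 1:
        raise ValueError("length field disagrees with input size")
    return parse_naive(data)

def mutate(seed, rng):
    data = bytearray(seed)
    kind = rng.randrange(3)
    if kind == 0:    # flip one bit
        data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
    elif kind == 1:  # truncate
        del data[rng.randrange(len(data)):]
    else:            # insert 1 to 7 random bytes
        pos = rng.randrange(len(data) + 1)
        data[pos:pos] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    return bytes(data)

def fuzz(parser, seed=SEED, iterations=2000, rng_seed=0):
    """Return {exception name: first input that triggered it} for unhandled errors."""
    rng = random.Random(rng_seed)
    findings = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            parser(case)
        except ValueError:
            continue  # clean rejection: the malformed input was handled
        except Exception as exc:
            findings.setdefault(type(exc).__name__, case)
    return findings
```

Calling `fuzz(parse_naive)` returns one reproducer input per kind of unhandled exception, which is the "does not properly handle the malformed data" outcome the quote describes; `fuzz(parse_checked)` returns an empty dict because every malformed record is rejected deliberately.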