
Feeling safer online with Firefox - nachtigall
http://blog.astithas.com/2017/01/feeling-safer-online-with-firefox.html
======
bhauer
Awesome changes.

One suggestion: In the Control Center™, I would recommend using the past tense
for the current state. E.g.,

        Receive Notifications           Allowed X
        Access Your Location            Allowed X
        Maintain Offline Storage        Allowed X


As it exists in the screenshots, the present tense is used, and the X button
seems to be associated with the word "Allow." Further clarification could be
achieved by making the X button actually say "Disallow" and giving it a border
separate from the word "Allowed." E.g.,

        Receive Notifications      Allowed   [Disallow]

~~~
toggle
> Further clarification could be achieved by making the X button actually say
> "Disallow" and giving it a border separate from the word "Allowed."

I agree. An X usually means "close" or "hide this thing," whereas here they're
using it to change a setting. It really looks like there should be a toggle
switch there.

~~~
past
This is exactly right that X means "close" or "hide this thing" and this is
what it does in this case as well: it removes the non-default setting and
hides the list item.

------
pawadu
I am sure there are people who would love a browser that can control their car
or pacemaker and report their bank balance on the welcome page.

But I personally would feel far more secure if there was a firefox-lite where
no sensitive stuff (access camera, share screen) were included to start with.
And I don't mean turned off by default, I want it removed at compile time.

~~~
sp332
As mido22 said, the alternative right now is a closed plugin (Flash) or
installing software on your computer completely outside of the sandbox.
Putting these features in the browser in a controllable way is a step forward.
If you don't need them, Firefox is open source and I'm not just saying that to
be glib. You can easily grab the source
[https://developer.mozilla.org/en-US/docs/Mozilla/Developer_g...](https://developer.mozilla.org/en-US/docs/Mozilla/Developer_guide/Build_Instructions)
and compile it with --disable-webrtc
[https://developer.mozilla.org/en-US/docs/Mozilla/Developer_g...](https://developer.mozilla.org/en-US/docs/Mozilla/Developer_guide/Build_Instructions/Configuring_Build_Options)

~~~
sp332
Replying to myself: ok so I just tried this and it's not that easy. The
bootstrap script installed a bunch of dependencies but didn't install rust for
some reason. Also Ubuntu 14.04 doesn't have the right version of gcc available
so you have to get that basically too. The hg clone operation took forever and
timed out a few times. Then my computer ran out of RAM during the build and I
had to close some programs and start it up again. Pretty much a giant pain,
and I don't even want to try Windows where the first step is "install Visual
Studio"!

~~~
nmjohn
FWIW, on a fresh Ubuntu 16.04 install, this is what needs to be run:

        sudo apt update && sudo apt install python build-essential -y
        wget -O bootstrap.py https://hg.mozilla.org/mozilla-central/raw-file/default/python/mozboot/bin/bootstrap.py && python bootstrap.py
        cd mozilla-unified/
        ./mach build

~~~
sp332
That takes care of rust too?

------
sgustard
The status "Use the Camera - Allow - X" can be confusing. Is the site
currently allowed to use the camera, or not? The word Allow could either mean
"currently allowed" or "click to allow." The X could mean either "currently
blocked" or "click to block."

~~~
spacehunt
The X has a tooltip that says "Clear this permission and ask again" so it's
quite clear to me.

~~~
azdle
Right, but it would be much more clear, without needing to read the tooltip,
if it just said "Allowed - X", which IMHO is pretty clear that it is currently
allowed and can be revoked with the 'X'.

~~~
MichaelGG
Agree - this was the first thought I had and came here to comment on it.

When using the UI it's a bit more clear: you can't click "Allow". But just
looking at the screenshot, I had the impression this was a request dialog
somehow. I thought Allow was clickable to give permission, and the X was to
dismiss being told the site wanted to know about the permission request.

The little X doesn't seem like a common UI element to indicate "block", but
it's probably ugly to say "Allowed - [Block]".

Another idea might be to write "Currently allowed" or "This site has access
to" under the word "Permissions".

------
coldpie
The incorrect system time detection is a small feature, but actually pretty
neat. I've run into that before, when testing time-sensitive features in my
software and forgetting to change it back, then wondering why on Earth nothing
secure works anymore.

~~~
chrisper
Any reason why you would not try time-sensitive stuff in a VM?

~~~
coldpie
Easier to change the system clock than set up a VM :P Especially for macOS.

------
w8rbt
I run Firefox on Linux for personal online banking. It's the only browser
that I am able to run with Tomoyo Linux in enforcing mode (level 3). I'm sure,
if given enough time, I could build a Tomoyo policy for Chrome, but it's far
more verbose than Firefox and the last few times I tried, I gave up.

~~~
hackuser
If you don't mind answering: How usable is Tomoyo for you overall? How much
extra time does it consume? Are there things that just don't run? Are there
many bugs in applications that do run? (Also, which distro are you using?)
Thanks!

~~~
w8rbt
Debian 8. I find Tomoyo to be the most usable of the LSMs. You can be up and
running in a few days with rather complex policies. I could not get Chrome to
work with it. It just reads and writes all over the place in ways that are
hard to manage. No bugs yet.

------
drdaeman
Am I the only one who finds the "new" (well, it has been there for about a
year, I believe) "Site Identity and Permissions Panel" to be literally useless
for the "site identity" part?

It has no information on the CA, whether it's the first time you saw this exact
certificate or not, whether "weak" or "strong" ciphers are used (and if PFS
is enabled), etc. - things one'd really want to see if they care about their
connection encryption and authentication. It's all still available, but hidden
behind a long sequence of button clicks. Heck, it would be useful to have client
certificate and HTTP auth status there as well - it would actually make those
nice things closer to being usable.

I really fail to understand why it can't be displayed in a sanely concise
manner - and why things that were there before were removed. Surely there's
plenty of screen space and it's not like it would scare Joe Sixpack off to
Chrome, or confuse anyone. Or do analytics show otherwise?

~~~
past
There have been a number of user studies done by Mozilla and other browser
vendors that clearly show end users only have a basic grasp of the security
properties of the web. So yes, more details in main UI elements leads to
confusion. It's just 2 clicks for those of us who know what a certificate is
(Ctrl/Cmd-I is even faster).

~~~
drdaeman
> It's just 2 clicks

Three, actually. One on the i+lock icon pair, one on the right-pointing arrow,
then one on "more info". If I'd need more details (like issue and expiry
dates, which is pretty common thing to be interested in), then it's 1 more
button "view certificate". And if I'd happen to be interested in certificate
public key properties (algorithm and key size) it's a really long story, 6
clicks away from the address bar.

It certainly makes sense to not show something right away, on the first click.
But the current UI hides quite essential information (to those who can
understand it) way too deep. I'm really not persuaded it would hurt usability
and confuse users if such information would be 2 clicks away, rather than 4-6.

(And, really, it mustn't hurt to show at least "have I visited this page prior
to today? yep, 234 times" on the very first click. And probably won't confuse
anyone much to also see something like "TLS1.2, modern ciphers" or "TLS1.0,
legacy ciphers".)

> Ctrl/Cmd-I

Toggles bookmarks sidebar for me. I'm unaware of any shortcut to open page
info.

------
thinkMOAR
As long as more and more features get added the more the attack surface
increases on firefox and all other browsers.

Feeling safe, and being safe are two different things.

Same goes for self-signed (or expired) certificates and 'not secure'
connections; they are not by definition 'not secure'.

~~~
pawadu
Could not agree more (see my other comment). Firefox should slim down to
reduce the attack surface.

~~~
Analemma_
Reduced attack surface or standards compliance; pick one.

------
agumonkey
Nice post, it's hard to realize progress made in secondary UI elements such as
security panels.

------
Dylan16807
Making it easy to see permissions for the current site is great, but why is
there no way to see _all_ the sites that have special permissions? Firefox
used to have about:permissions but that was removed last year.

~~~
past
about:permissions was an incomplete experimental UI, but a fully functional
replacement is high on our priority list. We are waiting on a new design from
the UX team at the moment.

------
mard
It's a step in the right direction, but I would certainly feel safer if, in
addition to cookies/storage/geolocation permissions, Firefox allowed
whitelisting JavaScript on certain domains out of the box, with no need to
resort to NoScript. Using NoScript results in two different whitelist
mechanisms with completely different UIs, which breaks the browsing experience.

Ironically, as far as "privacy-oriented browsers" go, Chrome has domain
whitelisting of Cookies/JS/Plugins easily accessible from address bar and it
works as expected.

------
nfriedly
> In the new design, permission prompts stay up even when you interact with
> the page.

I think this is going to be a nice improvement. It was way too easy to "lose"
the permissions dialog in the older flow.

------
Auzy
I love Firefox. My big problem as of late, though, seems to be that sites stop
loading intermittently and need to be refreshed, or I need to wait (and I don't
have this problem on Chrome).

Also, I got kind of annoyed when one of their leaders came begging for
donations by email, but are getting paid FAR beyond normal wage.

------
Hydraulix989
Extensions still run in Private Tabs, unlike with Chrome, so they are free to
phone home about your private browsing as much as they'd like. This is the
real privacy hole that still needs to be fixed.

------
akjainaj
The only thing that would make me feel safer would be the sandbox.

~~~
hackermailman
Mbox exists for this, or FireJail, Sandboxie (Windows) or OSX sandbox-exec
[https://pdos.csail.mit.edu/archive/mbox/](https://pdos.csail.mit.edu/archive/mbox/)

[https://wiki.mozilla.org/Security/Sandbox](https://wiki.mozilla.org/Security/Sandbox)

~~~
sha666sum
Sandboxie is nonfree and after a trial period only allows sandboxing one app
at once. Firejail just had a local privilege escalation exploit, but I'm still
using it (although more cautiously than before). Mbox appears unmaintained,
and sandbox-exec isn't even for a platform I use.

I'm quite glad that Firefox implements sandboxing of its own.

~~~
hackermailman
Look at the sandbox used for SubgraphOS (Debian/Jessie only)
[https://github.com/subgraph/oz](https://github.com/subgraph/oz)

~~~
geofft
The goal of browser sandboxing is to protect different sites _from each
other_. It does me no good if some malicious ad uses some plugin bug or
JavaScript heap spray or something, and my sandbox successfully prevents the
exploit from escaping the browser, but the same browser also has my bank open
in another tab.

Given that 95% of what I do on my personal computer is in the browser,
sandboxing the rest of my computer from the browser is sort of a
[https://xkcd.com/1200/](https://xkcd.com/1200/) situation.

------
khana
I'm excited to see FF undertake security this way. It's the right thing to do.

------
therealmarv
Firefox is not even looked at in the pwn2own competition because it's too easy
to hack and doesn't use good OS or sandbox protection
[https://it.slashdot.org/story/16/02/12/034206/pwn2own-2016-w...](https://it.slashdot.org/story/16/02/12/034206/pwn2own-2016-wont-attack-firefox-because-its-too-easy)

~~~
Santosh83
How do you know with such certainty that it is because it is too easy to hack
and not because Chrome is the current "big fish" among browsers and Google
gives monetary rewards to white hats, both of which could reasonably fuel
disproportionate interest in breaking Chrome?

~~~
AdmiralAsshat
Reasons aside, the fact remains that when a group of white-hat hackers says
they "won't bother" with a given target, it doesn't speak well to that
target's security. There are no doubt tons of exploits in Firefox still
waiting to be found, as there are in Chrome, Opera, Edge, etc. Given that the
Tor Browser is built on top of Firefox, it's a huge loss for everyone that
Firefox is not being included in the attacks; the vulnerabilities that the
white-hats find would be reported and promptly plugged, rather than left open
for nefarious three-letter agencies to exploit.

~~~
noja
> Reasons aside

No. Reasons not aside. Reasons are very important.

~~~
AdmiralAsshat
If we don't know what the reason was, and they won't elaborate on it, what
importance does it have? Pwn2Own 2016 already happened. Firefox wasn't
included, for whatever reason. The damage is already done at this point, as
its exclusion created the _impression_ that it was "not worth attacking".

If the guys had said, "We didn't bother with Firefox because they weren't
willing to pay us as much as Google or Microsoft", okay. But they didn't. What
they said was:

_"'We wanted to focus on the browsers that have made serious security
improvements in the last year,' Brian Gorenc, manager of Vulnerability
Research at HPE said."_

And now Firefox looks weak by comparison.

~~~
bzbarsky
> If the guys had said

Why would they have said that, even if it were true? What's the upside for
them?

I agree the net result is the same whether they were honest or not, of course,
which is again why there was no upside for them to say that if it were true.

