Analysts: Firefox 4 security a step up

The Content Security Policy is a particular favorite for analysts who reviewed Firefox 4.

Mozilla this week released Firefox 4, the newest version of its free and open source Web browser. The product includes a number of features designed to enhance security.

One new feature, Instant Web Site ID, allows users to ensure that a site they're on is legitimate before they make any purchases on the site. With one or two clicks they can access a site's identity information, including details such as how many times they've visited the site, and whether passwords have been saved.

Another feature, Private Browsing, lets users protect their browsing history. It can be useful for applications such as doing online banking on a shared computer or checking email from an Internet cafe. A Do Not Track feature lets users opt out of online behavioral tracking by sites and keep their browsing habits private.

Additional security features include Content Security Policy (CSP) (designed to shut down cross-site scripting attacks by providing a mechanism for sites to explicitly tell the browser which content is legitimate); Securing Website Connections (Firefox keeps attackers from intercepting data by automatically establishing secure connections to Websites that offer secure https servers); Secure Updates (the browser looks for a secure connection before installing or updating add-ons or third-party software); and Customized Security Settings (to control the level of scrutiny Firefox gives a site).

Rob Enderle, principal analyst at Enderle Group, says prior defenses against cross-site scripting attacks used in earlier browsers "gave too many false positives and folks turned the feature off. CSP is more intelligent and will more likely be left on, protecting the user against the attack."

Features such as plug-in check capabilities are important because as browsers get more secure "we see folks starting to focus on exploiting security holes in popular plug-ins," says Jeffrey Hammond, principal analyst at Forrester Research. "This shift in hacker tactics makes it really important for all users to keep their plug-ins up to date with the later patches."

Hammond also likes the Do Not Track and Private Browsing functions, which he says are also implemented in the latest version of Microsoft's Internet Explorer 9.

"They've both made enhancements to prevent cross site scripting attacks, and they've created easier-to-understand user messages to make it harder to execute phishing and social engineering attacks," Hammond says. "They are both significant releases, and users are better off using either compared to their former versions."

Enderle agrees. "Both are very secure when taken against their predecessors," he says.

Firefox 4 is available to download for Windows, Mac OS X and Linux in more than 80 languages. It will also be available on Android and Maemo devices soon.

Copyright © 2011 IDG Communications, Inc.
