I enjoy my Firefox, really.
Chris said something to me a few weeks ago. He says that the reason that Firefox is deemed to be so secure, over and above IE, is because it hasn’t gained the popularity and user base that IE has. He says that as soon as Firefox’s user base gets larger and larger and you start to see a bigger percentage of internet browsers using it as their browser of choice – all those fun little hackers will begin to pay more attention and start to find more and more ways to exploit security holes in Firefox. They’ll spend more and more time on the product, as they currently do the browser that 90% of the surfing population uses, IE.
Simply put – the hackers didn’t see Firefox’s user base to be broad enough to bother exploiting. Things appear to be changing.
He sent me an article today. He just had one thing to say: “And So It Begins”:
A newly uncovered vulnerability in most browsers can allow hackers to spoof the URL displayed in the address bar and the SSL certificate, a security firm warned Monday. The one exception? Microsoft’s Internet Explorer.
Danish security company Secunia posted an alert describing the vulnerability — which affects Mozilla, Firefox, Safari, Opera, and Konqueror — as a “moderately critical” problem.
The vulnerability impacts every browser built atop the open-source Gecko browser kernel — nearly all except IE — because of a flaw in handling International Domain Names (IDN). Hackers can register domain names with certain international characters that resemble other commonly-used characters, said Secunia, to spoof the address and trick the user into thinking they’re at a legitimate site and/or it’s secured by SSL.
Such spoofing vulnerabilities are typically exploited by phishers who try to dupe users into divulging financial information at bogus Web sites that resemble real-life banking, credit card, or retail sites.
The vulnerability has been confirmed in the latest version of Firefox, v. 1.0, as well as in Mozilla 1.7.5, Opera 7.54u1, Opera 7.54u2, Safari 1.2.4, Konqueror 3.2.2, and Netscape 7.2. Other editions of these browsers, however, may also be at risk, said Secunia, which posted an online test on its Web site.
Currently, none of the vendors have provided fixes for the flaw.
And so it begins, indeed.
I think we’ll start to see more and more exploit vulnerabilities as these browsers gain more and more popularity. It will be interesting to see if Firefox is the tight browser choice that some die-hard FF’ers have always claimed it to be.
You can disable IDN support in Mozilla products by setting ‘network.enableIDN’ to false. There is no workaround known for Opera or Safari.
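For anyone who wants to check a link by hand, here is an added example (mine for illustration, not code from the article, Secunia or any browser vendor) that shows a hostname in its ASCII "xn--" form and flags labels that mix scripts or render like a name you care about. The function names, the tiny look-alike map and the "protected" list are assumptions made up for this sketch, and guessing the script from a character's Unicode name is only a heuristic.

```python
import unicodedata

# Constructed, deliberately tiny look-alike map (Cyrillic -> Latin).
# Unicode's real confusables data (UTS #39) is far larger.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
})

def scripts_in(label):
    """Approximate scripts from the first word of each character's Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if not (ch.isdigit() or ch == "-")}

def check_hostname(host, protected):
    """Return (ascii_form, findings). `protected` is a set of ASCII labels
    (e.g. brand names) that look-alike labels are compared against."""
    findings, ascii_labels = [], []
    for label in host.rstrip(".").lower().split("."):
        try:
            if label.startswith("xn--"):  # already punycode: decode it first
                label = label.encode("ascii").decode("idna")
            ascii_label = label.encode("idna").decode("ascii")
        except UnicodeError:
            findings.append(f"invalid label {label!r}")
            ascii_labels.append(label)
            continue
        ascii_labels.append(ascii_label)
        if label.isascii():
            continue  # plain ASCII label, nothing to spoof with IDN
        scripts = scripts_in(label)
        if len(scripts) > 1:
            findings.append(f"{ascii_label}: mixed scripts {sorted(scripts)}")
        skeleton = label.translate(CONFUSABLES)
        if skeleton in protected:
            findings.append(f"{ascii_label}: renders like protected name {skeleton!r}")
    return ".".join(ascii_labels), findings

if __name__ == "__main__":
    # Constructed samples: the first "a" of the second name is CYRILLIC SMALL LETTER A.
    for name in ["paypal.com", "p\u0430ypal.com", "b\u00fccher.example"]:
        print(check_hostname(name, {"paypal"}))
```

A legitimate IDN such as the third sample comes back with no findings, so the check separates "international" from "look-alike" rather than rejecting every non-ASCII name.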