web application security lab

Firefox 3.0 Address Bar Change Proposal

A few days ago Sylvan von Stuppe posted about a proposed change to Firefox 3.0 that alters the way the address bar works. I hadn’t heard of this proposal, but it’s an interesting one. Basically, they grey out the parts of the URL that aren’t the domain. Sylvan correctly pointed out that although this is good for showing users that they are connecting to a site other than the one they meant to go to, it says nothing about the content on the page. XSS is still an obvious way around it, since malicious content can be injected into valid pages. According to Zeno, MITRE is about to disclose that XSS is the attacker’s choice.

I should say that I do think this idea is a fairly good one, but there is at least one other problem with it. Almost all websites have IP addresses associated with them (except in the case of virtual hosts, which also require a Host: header). Just because a URL contains an IP doesn’t mean it’s bad. I can’t tell you how annoying I find Thunderbird’s anti-phishing filter, which treats every URL with an IP in it as a phishing attempt. That’s just not a good way to tell whether something is malicious. I would also like to see the consumer research showing that people will actually use this and not be fooled by it. I’m always a little wary of “look for the ____” style security, given how poorly “look for the lock” security education has proven to work for SSL.
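To make the proposed rule concrete, here is a small model of it I added for this post (it is not Firefox’s or Locationbar2’s code): a URL is split into its components and only the domain is marked as emphasised, with everything else treated as greyed out. It assumes, as a simplification, that the domain is the last two host labels (a real implementation would consult the Public Suffix List), and it keeps a literal IP host whole rather than flagging it.

```javascript
// Added example: model of the "grey out everything but the domain" rule.
// Assumption: the domain is the last two labels of the hostname; this toy
// deliberately omits the Public Suffix List a real browser would use.
function splitAddress(urlString) {
  const u = new URL(urlString);
  const host = u.hostname;
  // An IP host is shown as-is: the post's point is that an IP is not by
  // itself a sign of anything bad, so there is nothing to "grey out" in it.
  const isIPv4 = /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
  const labels = host.split(".");
  const domain = isIPv4 || labels.length <= 2 ? host : labels.slice(-2).join(".");
  // Whatever precedes the domain (including its trailing dot) is de-emphasised.
  const subdomain = host.slice(0, host.length - domain.length);
  // Userinfo, if present, is de-emphasised like any other non-domain part.
  const userinfo = u.username
    ? u.username + (u.password ? ":" + u.password : "") + "@"
    : "";
  const segments = [
    { text: u.protocol + "//", emphasised: false },
    { text: userinfo, emphasised: false },
    { text: subdomain, emphasised: false },
    { text: domain, emphasised: true },
    { text: u.port ? ":" + u.port : "", emphasised: false },
    // Path, query and fragment are greyed out too: injected content in the
    // query of a valid site (the XSS case above) leaves the domain intact.
    { text: u.pathname + u.search + u.hash, emphasised: false },
  ].filter((s) => s.text.length > 0);
  return { domain, segments };
}

// Text rendering of the proposal: greyed-out parts are wrapped in [brackets],
// the emphasised domain is printed bare.
function render(urlString) {
  return splitAddress(urlString)
    .segments.map((s) => (s.emphasised ? s.text : "[" + s.text + "]"))
    .join("");
}

// Constructed sample inputs.
console.log(render("http://www.example.com/search?q=cookies"));
console.log(render("http://10.0.0.1/login"));
console.log(render("https://user@a.b.example.com:8443/p#f"));
```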

4 Responses to “Firefox 3.0 Address Bar Change Proposal”

  1. Awesome AnDrEw Says:

    Interesting idea, but I agree with your thoughts on how poorly these scenarios usually turn out. I believe Internet Explorer 7 not only shows a lock, but also changes the address bar light green when a certificate is valid, or red when it’s not, at which point the page is blocked until you acknowledge the warning.

  2. Frederick Young Says:

    Yeah, they have something called an EV SSL which is a lot more expensive than a regular SSL certificate. The only difference (it is the same encryption etc.) is that there is a more involved background check for the EV SSL, it is more expensive, and in IE 7 (soon Firefox and other browsers I am told) it will turn the address bar green.

    So it’s good from a consumer standpoint (I think the selling slogan is “Green means go”), but similar to regular SSLs from a security standpoint.

    My concern with anything that “confirms” the security of a website is that it lulls users into a false sense of security. I talk to a lot of people that “look for the lock” and think that because there is a lock on the website, it cannot possibly do anything bad. I have even talked to some website designers / hosts etc. who think that an SSL certificate (and thus HTTPS) prevents stuff like SQL injection and XSS.

  3. xcite Says:

    It’s just like the plug-in Locationbar2. Although with that plug-in, it only greys out the protocol and the subdomain (if any). Then it turns the domain blue, and anything past the domain black.
    It has a couple of other things you can do with it; for example, it can space out every part of the URL.
    ex. http:// www. /search? q=cookies

    Hope Sylvan didn’t get this idea from this plug-in.

  4. jason Says:

    A more interesting (to me) potential side effect is that this will “train” users to ignore everything but the domain portion of a URL.

    The reason I find that interesting is that URL cloaking may become even more effective in that event (example: )