More options. Not more money.
Internet Explorer 8, Firefox 3, Google Chrome 4, Apple's Safari 4, and Opera 10 include features that block sites known to host malware and malicious downloads. All but Opera also let you browse without leaving any tracks. But just as important as these protections is ensuring that whichever browser you use is thoroughly patched.
Filtering out bad sites
Firefox's built-in antiphishing tool claims to update its bad-site database 48 times a day, according to Mozilla's Firefox security page. Firefox 3 uses Google's Safe Browsing service to automatically block sites that are known to host malware. The Google Code site describes how Safe Browsing works in Firefox.
To verify that attack-site blocking is enabled in Firefox, click Tools > Options > Security and make sure "Block reported attack sites" is checked.
Firefox will prevent known-bad sites from opening when "Block reported attack sites" is checked.
(Credit: Mozilla Foundation)The same feature is built into Google's own Chrome browser. You can ensure that malware-site filtering is on in Chrome by clicking the wrench icon in the top-right corner, choosing Options, and selecting Under the Hood. "Enable phishing and malware filtering" should be checked. The Google Chrome Help site describes the feature. (Hint: This page looks very similar to the description on the Google Code site.)
Google's Chrome browser blocks known-bad sites when "Enable phishing and malware protection" is checked.
(Credit: Google)The SmartScreen technology in version 8 of Internet Explorer blocks known-malicious downloads as well as bad URLs. Other new security features in IE 8 include automatic blocking of click-jacking and cross-site scripting attacks, automatic crash recovery, and highlighting of the actual domain name in the address bar. The Microsoft Security site describes the SmartScreen Filter and includes links to a SmartScreen FAQ and information for site managers.
Apple's Safari browser added phishing and malware blocking in version 3.2, which was released in late 2008; read about this and other security features in Safari 4 on the Apple Safari site. Likewise, Opera's Fraud Protection predates the phishing and malware filters in IE and Firefox and is enhanced in the latest version 10. But attack-site blocking is only one of Opera's many security features, which you can read about on the Opera site.
Browsing in private
To activate private browsing in Firefox 3, click Tools > Start Private Browsing, or simply press Ctrl-Shift-P. You can set Firefox to start in private-browsing mode by clicking Tools > Options > Privacy and check "Automatically start Firefox in a private browsing session." The Mozilla support site provides more information about this feature. Likewise, put IE 8 in private-browsing mode by clicking Safety > InPrivate Browsing, or by pressing Ctrl-Shift-P. You can also open a new tab and click either Browse with InPrivate or Open an InPrivate Window.
IE 8 also lets you control the information about your browsing habits that's shared with Web tracking services. To activate this feature, click Tools > InPrivate Filtering Settings and choose "Let me choose which providers receive my information." This opens the InPrivate Filtering settings dialog, where you can turn filtering off, choose which services to block from tracking you, or automatically block all trackers.
Internet Explorer 8's InPrivate Filtering lets you block some or all Web tracking services.
(Credit: Microsoft)You can open an incognito window in Google Chrome by clicking the wrench icon in the top-right corner and choosing "New incognito window," or simply press Ctrl-Shift-N. The incognito icon (a shadow figure in a fedora and glasses) appears in the top-left corner of the browser window. The Chrome support site offers a more detailed description of this feature.
Opera lacks an equivalent private-browsing capability but does offer private searching and other identity-blocking features, as described on the Opera site. To activate private browsing in Safari, simply click Safari Settings Menu > Private Browsing.
Automatic and not-so-automatic browser updates
Patching is a way of life with nearly all software, but especially with browsers and the media players associated with them: Adobe Reader, the Flash Player, Apple's QuickTime, and Sun's Java, among others. All of a browser's security features can be rendered useless by a piece of malware that takes advantage of an unpatched hole in the program.
Firefox 3 alerts users to the presence of an update and now also notifies you when your Flash Player is out-of-date. Internet Explorer 8 updates via the Windows Update/Microsoft Update services. Google Chrome made a splash by being the first browser to update itself in the background without requiring any prompting from users. Safari updates automatically via Apple's update service, which also serves up patches automatically for QuickTime, iTunes, and other Apple software. Opera also notifies you automatically when a new version is available.
But updating is too important to leave to others. Back in April, I described Secunia's Online Software Inspector and downloadable Personal Software Inspector, which identify out-of-date programs on your PC. The programs mentioned in that post have all been updated since, but Secunia's services should point you to the most recent versions.
(Note that Secunia sometimes reports a program as being out-of-date when in fact you have the latest version. On my PC, it continually reports my up-to-date Flash Player as being in need of an update, for example. But the free service Secunia provides is worth putting up with this and similar minor annoyances.)
Earlier in November, Firefox surpassed 25 percent usage share of Web browsers, according to Net Applications.
(Credit: Net Applications)Mozilla released a third beta of Firefox 3.6 on Wednesday, adding stability and performance features, and said it hopes to lock down the code soon for its first release candidate.
The new beta, for Windows, Mac, and Linux, includes a component directory lockdown that makes it harder for other software to meddle with the open-source browser's state by preventing that software from sidling into the same folder as the browser's own components. The result should be fewer crashes, said Mozilla's Johnathan Nightingale in a blog post, and Firefox still is open to third-party extensions via its official add-on mechanism.
The change should improve security, too, added another Mozilla programmer, Vladimir Vukecevic, who wrote in his own blog post that Mozilla is considering bringing the change to Firefox 3.5, too.
"Creating binary components to interface with the operating system or with other applications is fairly straightforward, though ultimately dangerous. Binary components have full access to the application and OS, and so can impact stability, security, and performance," Vukecevic said.
Also in the latest beta of 3.6 is a feature that lets the browser run some Web-based JavaScript programs asynchronously, which is to say without being so picky about the order the scripts run. This can improve the speed that Web pages load, Mozilla said.
The biggest Firefox 3.6 feature most folks will notice is Personas, the reskinning add-on that's now being built in. More than 10 million Personas have been downloaded so far, Suneel Gupta and Myk Melez of the Personas team said Wednesday.
Mozilla is working to release a final version of Firefox 3.6 before the end of the year, and one sign the project is wrapping up is that the developers are locking down the features and changes that can be added into the release candidate 1. Code freeze for RC1 is scheduled for Wednesday but might be at risk, a Mozilla planning site said this week.
Firefox is steadily gaining in use. Last week, Web traffic monitoring firm Net Applications announced Firefox cleared 25 percent share of those using browsers worldwide--not dethroning Internet Explorer by any means but still winning over new users. Mozilla estimates there are more than 300 million Firefox users total, and this week said there are more than 300,000 testers using the Firefox 3.6 beta
Google's Chrome, meanwhile, is appealing to some of the same browser enthusiasts who were Firefox's first users. One of its big selling points is speed, and Google is working on other ways to make the Web faster, too. Chrome gives it a vehicle to test such ideas out in the real world, a strategy that Apple, Opera, and Firefox have employed to advance the Web state of the art.
One Mozilla programmer, Alexander Limi, revealed a speedup technology called Resource Package for Mozilla, too, on Tuesday. His proposal calls for bundling many Web page elements up into a single compressed file that can be retrieved in a single Web-page request action. Browsers are limited in the number of such actions they can take in parallel, so consolidating the interactions can make pages load faster. The approach is backwards compatible with existing browsers that don't support the feature, he added.
"If the feedback is good we're likely to try and get this implemented for Firefox 3.7," said Mozilla evangelist Christopher Blizzard in a blog post Tuesday.
There's no way to reduce to zero your risk of picking up some piece of malware while browsing. You need layers of security to keep viruses, Trojans, and botnets at bay—the more layers, the safer your browsing. (Of course, the more layers, the slower your browsing, too, so don't get carried away.)
Much emphasis has been placed on the enhanced security features of the latest versions of the popular browsers. Whether one is any safer than another is anybody's guess, but no browser gives you more ways to thwart a Web-based attack than Firefox via its wealth of security add-ons.
Link checkers add warnings to search results
Search results are often difficult to trust, even when the URL looks familiar. Phishers are adept at planting dangerous links that look like harmless ones. Link checkers provide you with an indication of the trustworthiness of sites before you click their links. (Note that several of the products are available for Internet Explorer as well.)
Some of the programs, such as McAfee's SiteAdvisor, give the thumbs-up or thumbs-down based on a single company's research. Web of Trust (WOT) bases its recommendations on the collective intelligence of a network of volunteers. LinkExtend is a link-check aggregator that combines the analyses of eight different services.
McAfee SiteAdvisor adds a safety indicator to Web search results.
(Credit: McAfee)While the recommendations of link checkers are helpful in identifying safe sites, you can't take their yeas and nays as gospel. For example, sites that offer downloads of system utilities may be flagged as dangerous because the programs require access to the operating system and thus could do major damage in the wrong hands.
Track the trackers
You know popular Web sites download software that tracks your activities on their sites, but do you know who's doing the tracking? Find out with the Ghostery add-on that pops up the names of the trackers as the page opens. The program puts a small "ghost" icon in the bottom-right corner of the Firefox window that turns orange when trackers are present. Click the link that appears to the right of the icon to find out more about the trackers and block them individually or entirely.
The Ghostery Firefox add-on lets you know who's tracking your activities on the site.
(Credit: Ghostery)
View encryption specs
When you open an encrypted Web page, a lock icon appears in the bottom-right corner of the Firefox window and the URL in the address bar begins with "https." But there's more than one form of encryption, and knowing which type and strength of encryption in use can be handy.
The CipherFox add-on puts in the bottom-right of the Firefox status bar the Secure Sockets Layer/Transport Layer Security (SSL/TLS) cipher and keysize currently in use. Double-clicking the entry opens the CipherFox dialog box, where you can disable RC4 encryption and display partial SSL/TLS. (Note that the developer accepts donations to support the product.)
Take charge of Web password management
Firefox's built-in password manager lets you create a master password and remember passwords for specific sites, but if you want to get serious about managing your passwords, get LastPass, a password manager that provides much more granular control over your sign-ins.
After you download and install the add-on, an icon is placed in the top-right corner of the Firefox window. Click it to open the LastPass menu, which lets you manage your identities, open the LastPass Vault, jump to favorite sites, and generate secure passwords. You can also import or export sign-in IDs, compose and print secure notes, and assign keyboard shortcuts for specific actions.
In addition to Firefox and IE, LastPass is available for Google Chrome and Apple's Safari browsers. LastPass backs up your passwords by storing an encrypted copy on its own servers. And because you can access your passwords via the Internet, you can use LastPass on any Web-connected device, although use of LastPass on an iPhone or other smart phone requires a Premium membership, which costs $1 a month. (You can also put LastPass on a USB thumbdrive for use with Firefox Portable and other portable apps.)
Mozilla, racing to release Firefox 3.6 before the end of the year, has released a second beta of the open-source browser for Windows, Mac, and Linux.
Firefox 3.6 beta 1 introduced most of the new features, most visibly the ability to customize Firefox's look through Personas, less than two weeks ago. But among the 190 patches in the new beta is what Mike Beltzner, Mozilla's director of Firefox, described in a blog post as "a mechanism to prevent incompatible software from crashing Firefox."
There also are a number of deeper changes in Firefox 3.6 that Web developers likely will be more interested in. Note that one of them, the ability to use color gradients with formatting technology called Cascading Style Sheets (CSS), has changed syntax in between Firefox 3.6 beta 1 and beta 2.
Mozilla is trying to accelerate the pace of Firefox releases; Firefox 3.7 is set for release in the first half of 2010 and 4.0 some time later that year. The project faces new competition from Google's Chrome browser.
(Credit:
Mozilla)
It's been just under four months since Mozilla launched its pilot program for contributions, a way for users to donate to add-on developers for their time and effort.
The program was launched in tandem with a redesign of Mozilla's add-ons site that gave developers their own profile pages. Many add-on makers were already running donation programs through their own sites, but wanted the option to show up in Mozilla's catalog too.
Already it appears to be working, but on a smaller scale than some developers might have hoped. For the half dozen developers that CNET News talked to, none has made enough from it to, say, quit their day job. While Mozilla would not reveal specifics on which developers are getting the most contributions, it did provide us with the total amount given: around $20,000. An organization spokesperson said that most of that came in September and October.
Of the 500 or so developers who are participating in the program, the average contribution falls somewhere between $5 and $6, with the largest thus far being $150. All have gone through PayPal, which is the sole way to pay through Mozilla's add-on site. PayPal then gets a small fee out of each transaction, something that comes out of the developer's pocket, although this varies based on how much the user gives.
Other ways to make money
Some developers believe Mozilla has gone about the payment problem in reverse. With the current contributions program developers are given the chance to ask for money before the user even downloads the free add-on. So why not give them a way to ask for a contribution after a user has downloaded and installed it?... Read more
Five years ago, Mozilla made it clear that the browser wars weren't over after all.
In the 1990s, Netscape had lost its dominance in the browser market to Microsoft's Internet Explorer, and the Netscape-spawned open-source project called Mozilla had sunk into obscurity. Even a federal antitrust suit accusing Microsoft of anticompetitive practices with its browser and Windows was not enough to turn the tide.
But on November 9, 2004, Firefox 1.0 emerged to fight back again.
The project, originally named Phoenix to symbolize rebirth from Netscape's ashes, has now clawed its way back to account for nearly a quarter of the browser usage today. Microsoft may not be on the run, but it's on the defensive, gradually building its browser development effort back up into fighting form.
... Read moreMOUNTAIN VIEW, Calif.--For almost all of its existence, Mozilla Messaging has been known for Thunderbird--e-mail software with the traditional view that a person's PC is the center of their computing existence.
Now, though, the Mozilla Foundation subsidiary's scope is expanding beyond the confines of the computer under your desk or on your lap. In the near term, the new Thunderbird 3 is becoming more integrated with the Web. And in the longer term, the Raindrop project has the potential to lift your inbox all the way to the cloud.
"For us it's really important to have Thunderbird. It's also important to not stay in the blinders of that scenario," Mozilla Messaging CEO David Ascher said in an interview at the company's headquarters here. With Raindrop, "We're focusing on best experience for messaging in a Web application."
Mozilla Messaging CEO David Ascher
(Credit: Stephen Shankland/CNET)The change reflects the changing nature of computing. Where Thunderbird's chief competition once was now software such as Microsoft's Outlook, it's now also got to reckon with Google's Web-based Gmail service and its ilk, Ascher said.
Thunderbird is still a priority. Thunderbird 3 is set to arrive next week in near-final form--though nearly a year later than had been planned--but Mozilla Messaging has high hopes the new version will be faster, easier to use, and more versatile through the addition of third-party extensions.
Universal inbox
Raindrop is something of an ultimate inbox in the company's vision, a Web application that draws not just from e-mail but from other communication conduits such as Twitter, Facebook mail, and instant messaging. Its goal isn't just to consolidate today's overabundance of communications channels, it's to help prioritize what's important and put off what's optional until a more convenient time.
"We're breaking the notion of one list coming in, in chronological order," he said. What just arrived isn't necessarily the most important thing to do, though human minds are prone to thinking it is.
Some aspects of Raindrop's future are more certain than others. It's way to early to say when the company might release its first version of the actual software, but one thing that's settled is that Raindrop won't be a service Mozilla offers. Instead, the software will run on others' servers--at Internet service providers, for example.
"Hosting a messaging system for the world is not something we can afford right now," Ascher said. Still, it's revealing that the company chose to create Raindrop as a server-based technology accessible through a Web browser rather than as PC-based software.
Will Raindrop rule the roost?
In the longer term--say 2015--might Raindrop replace Thunderbird as people's messaging interface of choice? Perhaps.
"I suspect some people will and some people won't," he said. "I think desktop software still has a bunch of user benefits that will last for quite awhile."
Persuading everybody to freely cooperate with Raindrop could be tough. Sites like Facebook like their central positions in people's electronic lives and like to serve ads next to their content. In time, though, Ascher believes they'll come aboard.
"I think in the long term, openness wins," he said.
Even without Raindrop, Thunderbird 3 will integrate with the Web. It's got Firefox's engine built in for displaying Web pages, a fact that means the software can display Web content.
That ability means Thunderbird can, for example, show Yahoo and Google calendars in separate tabs. There's little in the way of integration with those services today, but it can be added, Ascher said. He expects plenty more add-ons will bring it closer to the cloud, too. He didn't mention it, but even Raindrop could be added in its own compartment.
Mozilla Messaging smells money
Mozilla Messaging is part of a peculiar organizational structure. In the beginning the non-profit Mozilla Foundation oversaw the open-source software that was the core of Netscape Communicator. Eventually, that software split into two main components: the Firefox browser and the Thunderbird e-mail software.
The foundation set up two subsidiaries to oversee the two projects, first Mozilla Corp. for Firefox in 2005 and second Mozilla Messaging for Thunderbird in 2007. Ascher has since 2007 led the latter, which employs six engineers and nine others.
It also draws on the expertise of many volunteers in the open-source world who translate the software, write add-ons, and help debug it. Because of this help, Mozilla Messaging gets by with only one quality assurance employee and one marketing employee, and Thunderbird 3 will arrive in more than 40 languages.
The subsidiary today gets its funding from its nonprofit Mozilla Foundation parent, which in turn receives the lion's share of revenue from search advertising revenue that results from searches Firefox sends Google's way. Ultimately, Ascher wants Mozilla Messaging to be financially self-sustaining. But how?
"I'm not sure yet. I think what we're looking for are rev models like Firefox--revenue models where the user benefits and doesn't have to pay anything, and somehow enough money flows into Mozilla Messaging to fund development long-term," Ascher said.
That may sound like a lot of hand-waving, but Ascher points out he has no investors looking for a big and quick return on the money they invested, so Mozilla Messaging is a relatively cheap operation to run.
Ads? No thanks
One route the company won't take is advertising, the approach that's vital to Gmail, Hotmail, and Yahoo Mail, as well as to Firefox.
"I don't think people benefit from advertising in mail," he said. "One reason it works for search engines is people often are searching to buy. They're happy to see ads. It helps them. I don't think that works in e-mail."
Today, there are probably somewhere between 10 million and 20 million Thunderbird users, said Rafael Ebron, Mozilla Messaging's director of marketing. That's a far cry from Firefox, whose users total more than 300 million, Mozilla says.
But both projects can punch above their weight. Just being a freely available alternative--whether with Thunderbird or with Raindrop--can steer other products and services, Ascher believes.
"Firefox had an influence over people greater than its market share," Ascher said. "I don't think we'd need to manage everybody's e-mail servers for us to have an influence over the e-mail landscape and make sure everybody has a better experience."
MOUNTAIN VIEW, Calif.--Thunderbird 3, an update to the e-mail software that Mozilla hopes will give it some of the advantages its Firefox browser has enjoyed, is due to arrive in near-final form next week.
Mozilla Messaging plans to issue release candidate 1 of Thunderbird 3 as soon as Monday, with the final version expected later in November, the e-mail-focused subsidiary of the Mozilla Foundation said Thursday.
"We're down to the last few bugs," said Chief Executive David Ascher. "Feedback with the last beta was enthusiastic." Thunderbird 3 beta 4 can be downloaded for Windows, Mac, and Linux.
Mozilla Messaging CEO David Ascher
(Credit: Stephen Shankland/CNET)Thunderbird doesn't get as much attention as Firefox, the chief product of the Mozilla Foundation's other subsidiary. But with Thunderbird 3, Ascher and Mozilla Messaging are trying harder to take advantage of one technology that's helped the browser's fortunes: add-ons. They could be written for Thunderbird 2, but only with what Ascher termed an act of heroism; Thunderbird 3 makes add-ons much easier.
One area where add-ons show up is a new Thunderbird 3 feature, Google and Yahoo calendar functions in the software--using its built-in Firefox engine for handling Web pages, naturally.
"There are a bunch of actions that start in e-mail that really involve the Web," Ascher said. Another example he said Mozilla Messaging will write if some enterprising person doesn't do it first: an add-on to help people assess whether to follow a particular Twitter user who just signed up to follow you.
Another add-on that's already under way is Lightning, which parallels Outlook's calendar functions. A Thunderbird 3-compatible version should arrive about the same time, he said. Ultimately, Thunderbird should be able to integrate with either Lightning or Web-based calendars, including the automation of operations such as accepting event invitations.
Better search
The add-ons also dovetail with a significant new Thunderbird feature, improved search. With Thunderbird 2's folder-based search approach, people often didn't set up searches so they could find what they needed. With Thunderbird 3, it returns all results that match the text, not just what's in a particular folder.
"It's really important to search everywhere," Ascher said. As with Google, "You type a word, and you get results."
Of course that can retrieve a lot of unwanted results. So the search results page offers a variety of ways to winnow that search down--limiting it to particular people, to messages with a specific tag, or to a particular time frame selected from a timeline that presents messages using the search term.
These functions to refine the search, which Mozilla Messaging calls "facets," are another area where add-ons can help, Ascher said.
Also coming in Thunderbird 3 is a simpler start-up process. The software is set up in advance to automatically set up the increasingly complicated server configuration for various accounts. I tried it with Gmail, and it indeed was up and running in moments after I entered only my name, e-mail address, and password. The software comes with several profiles built in, and it makes intelligent guesses if it doesn't know, but people will be able to write their own modules that can be shared, too.
Another feature in the new version is the archive, a feature borrowed from Google's Gmail that's a kind of digital purgatory. E-mails sent to the archive are still available through search, but they don't clutter up the inbox. Folders are still available for those who want to file messages the traditional way.
"The original idea of e-mail, putting messages in folders one by one, was reasonable when we got ten messages a day. Now that we get a couple hundred or more, that's a huge burden," Ascher said. "We made archive really easy and complemented it with (an) easy-to-use search experience.
Streamlined interface
One big interface change is the addition of tabs. Mail accounts, folders, and individual messages can show as new tabs rather than new windows. It's one of a number of efforts to provide a more streamlined interface.
One other is moving some message-specific operations to the message window--reply, reply to a mailing list, forward, archive, and other options. Another: the main toolbar has been cleaned up so only essential actions show, though others can be added through customization. And people can be added to the address book with a single click of a star next to their names--not unlike Firefox 3.5's one-click bookmark operation.
Some routine tasks--labeling a message as junk, for example--are designed to be faster, he added.
"If you look at the number of seconds saved over the population of Thunderbird users, it tends to be several lifetimes per year," Ascher said.
One new feature in Thunderbird 3 is a simplified account setup. You enter three bits of information, and Thunderbird often can take it from there.
(Credit: Screenshot by Stephen Shankland/CNET)
Mozilla may have released the first beta of Firefox 3.6 nearly two months late, but the organization believes the final version still will arrive on schedule before the end of the year.
The Mozilla wiki page on version 3.6, code-named Namoroka, listed early September for the scheduled release of the first beta, but it actually arrived October 30. Despite that, Mike Shaver, vice president of engineering, said Mozilla wants to release the browser before the holidays and is sticking by the overall schedule for the open-source Web browser.
"We're still looking at a release candidate in November and (final) release in December at this point," Shaver said in a Tuesday interview.
That means Mozilla has a compressed schedule for producing the final version, but Shaver said coders are working hard. "We're not going to coast into it," he said. "We're going to continue shipping beta updates aggressively."
Those involved in open-source projects, with different motivations and pressures than those in the traditional proprietary software industry, sometimes have an attitude of "we'll ship it when it's done." Mozilla, though, recognizes that time matters even for an open-source project.
"We've always been more quality-driven than time-driven," Shaver said. "But we understand timing in the market matters to our users and our competitiveness."
Mozilla released Firefox 3.5.4 for Windows, Mac, and Linux on Tuesday to patch six critical security holes and some other problems.
The new browser version also improves stability and fixes a problem with clearing browser history, according to the release notes. Mozilla updated the corresponding version of its earlier browser to fix some of the same security problems by issuing Firefox 3.0.15.
The six vulnerabilities potentially could let remote attackers take over the computer by running their own software on the machine. For details, check the Firefox security site.
Meanwhile, Mozilla is on the brink of releasing the first beta of Firefox 3.6, a version that will add the Personas feature for a customizable look. Mozilla, trying to move to a faster Firefox release cycle, is debating whether to issue 3.6 as a minor release that arrives automatically or a major release that people must actively download.
Also Tuesday, Mozilla released SeaMonkey 2.0, which combines the Firefox browser and Thunderbird e-mail software into an all-in-one package. It uses Firefox 3.5.4.
