Web browsers are ground zero for Internet security threats, and the debate over responsibility for preventing those threats has resulted in a Gordian knot. The people behind the new add-on for Firefox called Cocoon (download) want to cut through debate by serving the entire Web to you via proxy. (Cocoon is also available at GetCocoon.com.)
Made by Santa Barbara, Calif., start-up Virtual World Computing, Cocoon's goal is to put the Internet on a server to prevent individual users from having to touch it, Cocoon Chief Executive Officer and co-founder Jeff Bermant said in an interview today at CNET's San Francisco offices. The add-on, which has gained about 4,000 users since it entered private beta 18 months ago, creates a safe state in which the user can browse the Internet by forcing all interactions between the computer in front of you and the Internet to occur over protected SSL connections to Cocoon's servers. Those servers, in turn, are guarded by Security-Enhanced Linux, which was developed by the United States' National Security Agency.
Cocoon opened its beta to the public in January of this year.
Cocoon installs as a toolbar just below the location bar in Firefox 4, although the add-on supports the browser back to Firefox 3.6. You can turn it on or off using the universal power button icon on the left of the toolbar, or "pause" Cocoon with the lock/unlock button that's next to it. Settings are available from a hard-to-see drop-down arrow just next to the lock button.
On the right are buttons for your Cocoon history, mailslots, and help. Next to those are real-time site-function buttons, so you can bookmark sites on the fly with the thumbtack--similar to the bookmark star in other browsers--or jot down a note attached to the site that only you can see using the notepad icon.
When running Cocoon, the browser will open into Private Browsing mode, although you can switch back to normal mode while still using Cocoon. It will also redirect your Home button to the cocoon:home site, and it installs a Cocoon toolbar as well as Cocoon-specific buttons on the Firefox add-on bar. Note that Cocoon doesn't work with the Google toolbar because of the competing interests of Google search and Cocoon's emphasis on privacy.
Cocoon's features are laudable, the most important being the subtlest: whatever you're looking at in Firefox with Cocoon is being shown to you remotely. You can test this after installing Cocoon by checking your IP address with Cocoon on, and then again with it off: you will see two different addresses, which means that your Internet connection is being routed through Cocoon's servers.
One of the side benefits of this, said Bermant, is that Netflix users will be able to watch streaming content from outside the United States since Cocoon's servers are in the U.S., and Netflix blocks streaming content to IP addresses that indicate a non-U.S. server.
All your personal browsing data is stored in the cloud and encrypted, so only the user can access it, and you can view it only over a secure connection. This is similar to how LastPass functions. All your interactions with the Web are opt-in, not opt-out, so that your privacy gets elevated above all other concerns.
Another excellent feature in Cocoon is that it comes with an unlimited number of on-demand e-mail "mailslots" to help you keep your primary e-mail address private. If you've installed Cocoon, you can see how it works by navigating to any site that requires an e-mail address to log in, such as Twitter, Facebook, or Gmail. If Cocoon has been activated, the mailslots feature will ask you if you want to create a new e-mail address to register a new account for that site.
Cocoon Chief Technical Officer and co-founder Brian Fox added that the mailslots function like traditional brick-and-mortar mail drops. "You can not send e-mail from a Cocoon e-mail, but you can forward it to a Gmail account, for example," he said.
There's anti-cookie tracking that prevents advertisers from stalking you as you jump from one Web site to the next, much like Internet Explorer's tracking protection. Cocoon also incorporates support for Mozilla's new "Do Not Track", although Bermant remains skeptical of its effectiveness because, he said, "It requires advertisers to play nice, and they've never done that." Fox said that Cocoon uses ClamAV for its core antivirus engine, which it uses as part of its protection mechanisms.
Since you're browsing remotely, threats like cross-site scripting attacks and drive-by downloads are blocked. You are still vulnerable to social engineering, however, and short of full-frontal lobotomies, there's little to be done about that besides education and awareness.
Cocoon also comes with a note-taking feature that allows you to type up notes on Web sites as you visit them.
Bermant and Fox have big plans for Cocoon. They want to include features such as browser history and settings importation; implement granular controls for better whitelisting and blacklisting; and provide some level of parental controls. A version of Cocoon for Internet Explorer 9 is in the works. They're also looking at small businesses, anticipating interest from companies that want to strike a better balance between privacy and Web access. Fox noted that mobility is likely to play a major role in Cocoon's future, too. "Security and privacy are two important aspects of mobile browsing," he said, "and they are sorely lacking."
Cocoon looks like a serious contender for one of the best add-ons of the year. It's a smart and effective tool, easy to toggle on or off, and plugs nearly all of the security holes the average user will encounter. The big hang-up, however, is price, along with the fact that many users simply do not pay for add-ons.
Right now, Cocoon is available as a free trial for the first 30 days of use. After that, it costs $6.95 per month, or $55.00 for a one-year subscription, a 35 percent discount. Bermant and Fox say that "a freemium option is not off the table". As important as security is, and as affordable as $55 per year sounds, it's hard to imagine widespread adoption of Cocoon's safety wrapping until it's made more accessible.