ask a developer returns with window snyder
Hey everyone! We're back with another in the long-running series of developer interviews where you all get to ask the questions.
This week, we're fortunate to have Window Snyder, Mozilla's "chief security something-or-other" answering your questions about security.
Window was just featured in USA Today and Security Focus so if you're not familiar with her, give those articles a read.
Then get back here and ask your questions of Window in the comments. I'll gather up and deliver your questions to her, and in about a week I'll post the results of the interview here for all to read.
reactions, thoughts, comments, etc.
What made you decide to leave Microsoft for Mozilla? Were there any hard feelings from your former colleagues?
Posted by: RyanVM | June 23, 2008 1:23 PM
I've been a nightly tester for some time, and a Firefox user since back when Firefox was called Phoenix, and it wasn't version 3.0 but 0.1. Now I wanted to start to actually develop for the Mozilla ecosystem, in form of a Thunderbird add-on. Problem is, the overall documentation of the Gecko platform is lacking a lot. For example: I wanted to write an extension that needs to extract an e-mail's custom header. There is a basic class reference available nsIMsgDBHdr, but it doesn't say that this interface only contains a small subset of header data.
Can developers expect better documentation in the future, and what about Thunderbird? I guess the MoMessagingCo hasn't employed people to document code, yet. Does MoCo do something about that?
Posted by: Sebastian | June 23, 2008 3:37 PM
I consider myself to be a Firefox power user but certainly not an expert because there are too many components of Firefox for me to master each one.
With that being said, I'm admittedly somewhat ignorant to Internet security issues. I know obvious things and I'm careful of what comes and goes from my computer but for the most part, I put a tremendous amount of trust into your hands and of those of other Mozilla developers.
My question to you is, how confident are you in Firefox's security that I and millions of others are basically running Firefox on auto-pilot?
You too are trusting Firefox to keep your data and identity safe but are we making a mistake by taking Firefox at face value right out of the box without making significant changes and adjustments?
Posted by: Ken Saunders | June 23, 2008 5:53 PM
Just a quick note, userfriendly just mentioned firefox 3 http://ars.userfriendly.org/cartoons/?id=20080624 . Sorry, didn't have time to get this posted somewhere else.
Posted by: basic | June 24, 2008 8:39 AM
1. Could you share some numbers that quantify how much its open source nature helps better software in terms of security.
For example: how many of the vulnerabilities found in Firefox/other Mozilla products in the last year were discovered due to a Mozilla Foundation/Corporation outsider (like a security research firm or a hacker) scanning the source code manually or with software, and how many were discovered by attacking the binary, as they would a commercial product?
2. Has there been an attempt to set a browser security index across vendors? A formula that counts overall attack surface, number of eyeballs, number of bugs found, how critical these bugs are, window of exposure, time to patch, etc.
3. Is there a way Mozilla Corp. internally measures its achievements in the security front? Minimize window exposure, number of attacks?
4. What new challenges do you expect or are already facing as Mozilla prepares for a new set of products that take the browser to places it hasn't been before (by Mozilla's hand at least): Weave (to the cloud), Firefox Mobile (to mobile devices), Prism (deeper into the desktop)?
5. Is the Mozilla security bug bounty still in place and running? I haven't heard much about it in recent months or years. Telling it exists to friends and colleagues and that you (Mozilla) actually pay for getting reports about security problems is a very easy way to explain in part what this "openness" thing is about. It sends quick good vibes.
Posted by: Percy Cabello | June 24, 2008 10:10 AM
I have always been concerned about the security of Mozilla Add-ons. I have been reluctant to install Add-ons that are not widely popular. In preparation for this question, I visited the Add-ons site and saw the "We Recommend" add-on:
Sxipper 2.1.3
https://addons.mozilla.org/en-US/firefox/addon/4865
Now, if I was interested in having Sxipper help with my passwords (bank, etc), how do I know they are not sending (collecting) this information for malicious purposes? Does the Mozilla "We Recommend" mean that the code has been reviewed by Mozilla staff and is not malicious? I don't think so, but if there was some kind of "certification" of add-ons, it would provide an improved trust level. I think I have even seen some add-ons that the user "supports", by every time you purchase something at Amazon, their add-on includes their affiliate link. To me, that is wrong, and should be considered malicious. If the developer really wants to include something like that, it should be turned off for install and then the user can manually select the option to turn it on to help support the developer. There are all kinds of ways add-ons could be malicious in a minor way (remote image loads) to serious ways (passwords, credit cards, etc).
At the moment, I have 8 add-ons (including DOM Inspector and Talkback) listed within my Firefox 2.0 installation, but have 3 "disabled" because I don't use them much and not sure if they might be a security risk.
Am I wrong about my concerns, or are there some safeguards in place that would prevent it? I trust "Mozilla", so I use Firefox and Thunderbird, but I don't know the developers of the Add-ons, so I am reluctant to use. Any plans for a "Certified (no security risks) Add-on for Mozilla" type of thing?
Posted by: mikj | June 26, 2008 12:59 PM
Just one question? It's already been two weeks, so when will Firefox 3.0.1 be released to fix that infamous critical security vulnerability discovered on its launch day?
Posted by: loligoth | June 30, 2008 1:43 AM
I know people using Fx and having been bitten by an unsecure plugin, which didn't ask to be updated...
What's your opinion about the security of Firefox users because of insecure plugins?
I've heard that there is some mechanism to help with unsecure plugin in FX 3
How does it work?
Can Fx alert me if there's a known security pb with a plugin and I've not updated?
Can Fx automatically block the plugin/ warn about an insecure plugin version?
What's the process behind that (ie if there is a flash exploit in the wild, with a fix available by adobe but a lot of fx users haven't yet updated, what should Fx do? Nothing? Warn the user? secure the user by disabling the plugin even if it disables functionality?)
Posted by: matp75 | July 1, 2008 1:19 PM
What is your opinion on NoScript, and do you see any of its features would better security if incorporated into Firefox?
Posted by: Kapla | July 3, 2008 1:02 PM
Asa,
I think it's time for answers :)
Posted by: Nitin | July 16, 2008 11:02 PM