Websites with malicious content are a growing problem,
so tools to detect this content and alert the user to its presence
are quite welcome. A plugin for Firefox called
Firekeeper uses the ideas behind
detection systems (IDS) and applies them to web traffic. Firekeeper
uses some of the rule syntax and pattern matching code from
Snort, the venerable open source IDS,
providing it with a solid foundation.
As with any IDS, the basic function of Firekeeper is to inspect the traffic
that it sees, applying some pattern matching smarts and a set of rules to
determine what actions it takes. The possible actions are to alert the
user and allow them to decide what to do, stop processing the HTTP response
without user interaction or to accept and continue processing, also without
consulting the user. Alert rules can also provide extra information
that will be displayed with the alert in order to help the user make an
informed decision about what action to take. This information can
take the form of text strings to describe the content as well as references
to URLs, CVE entries and Bugtraq IDs potentially giving the user a wealth
of descriptive information.
Firekeeper can do pattern matching on three different parts of the HTTP or
HTTPS response: the URL, headers and body. The simplest form matches literal
strings in the various pieces of the response, but there is also a
Perl compatible regular expression (regexp) engine that can be applied to
each piece as well. The documentation warns of serious performance
implications from having too many regexps, especially ones that do not
contain a literal rule to narrow the search space; good advice for
most applications that use regexps.
Firekeeper can be downloaded from the project site and it installs flawlessly
if one is willing to add the site (hosted at mozdev.org) to the list
of trusted plugin locations and ignore the unsigned nature of the code.
The source is available from the site as well so those with concerns about
the security bypasses can build their own version. It comes with a handful
of default rules
and a test page to
try them out as well. Visiting various sites with Firekeeper enabled while
working on this article did not noticeably slow down the browser for the
author and, other than the tests, did not trigger any rules.
Any IDS is an invasive program and has access to all sorts of information
one probably wants to keep private, particularly decrypted network data.
This makes IDS programs high profile targets for exploitation. If an
attacker can send a packet or series of packets that can subvert the IDS,
they can potentially eavesdrop on all network traffic, even encrypted
traffic. Because Firekeeper has access to the decrypted HTTPS traffic,
there is reason to be concerned that the plugin could be subverted via
the same kinds of remotely exploitable vulnerabilities that have impacted
Snort, a recent example is
Firekeeper implements a small subset of the Snort functionality, which should
make it less likely, but users of the plugin should be aware of the
An IDS is only as good as the rules that it uses, and newer exploits (and
will not yet have rules available, leaving a window of vulnerability.
Firekeeper does have provisions for loading rule files from external sites
(which, of course, has its own set of security issues) that would help
propagate new rules quickly, at least for users who restart their browser
Firekeeper is certainly not for less technical users and probably never will
be. There is too much knowledge and understanding of web protocols and
security threats required to understand the alerts and too many false
positives to turn the alerts into blocks. And like many security tools
and techniques, this is no panacea; it will not stop all browser-targeted
attacks, but it does have its uses. An alert that a site has tried to
exploit a browser bug, even one that does not affect the browser version
being used, is still useful information which can help users to avoid dodgy sites.
to post comments)