The myth about Firefox being the safer browser

I know bashing the guys at M$ has been the major leisure activity of a whole generation of wannabe hackers and self-overrating coders by now. Some guys were even clever enough to make a full-time, not so badly paid job out of it. Okay, hats off to you guys, so be it... Other guys of that generation took the first opportunity to draw their paychecks from any well-known company as well, once they had the chance; others never got that chance and continue their personal little war.

I'm getting more and more tired of hearing this lame prayer-mill-like recited phrase of Firefox being so much safer to use. Some people feel the urge to make it a war of belief and to measure the degree of geekness (which is no longer used as a word to describe your technical understanding, but only as a character benchmark: geek == good guy, non-geek == bad guy).

Did anyone ever think about WHY Firefox is the safer browser to use?

Oh yes, of course the Open Source faction will raise its banners now and tell us about the victory of that concept over proprietary solutions, about how much more brain power goes into development, how much more efficient all that is... stuff like that.

It's all true, guys, it's all true!

Yes, Firefox *IS* the safer browser, I won't deny that.

But why? FF is just another piece of software developed by humans. Humans make mistakes, and no human can think of every possible combination of environments, possible errors, criminal energy and user dullness. Professional software development is a constant process of redesigning, refactoring and learning from one's own mistakes. Claiming to be the better developer by birth, concept or philosophy and therefore to be able to produce the better software is nothing but sheer arrogance.

In fact the only reason for it is the fact that just 15% of the people online are using it!

If I'm trying to attack a network for criminal purposes, of course I will be using the door most people use. The more people using it, the higher my chance of success, just for statistical reasons. Another part of it is the fact that usually people using FF are more aware of security problems anyway, which means they have taken measures for their own safety which add to the usual standards. Why should I attack a stronghold when I could walk in through the main gate? It's not the software that is safer overall, but the package, including first and foremost the user handling it.

As long as FF or any other browser is used just by a (better informed) minority, it's not interesting for criminal attacks. And don't you think FF has no errors, mistakes or wide open gates in it! There are as many security holes as in any other network software as well, just that they're not so often exploited for criminal reasons, but found by the coder community itself and therefore not exactly announced on CNN, for understandable reasons. Sometimes I wish FF had reached the 50% market share already; all that drivel would cease abruptly, OR even more likely, some people would be surprised all of a sudden to finally realize how "safe" their browser really is....

FF *IS* the safer browser to use... at the moment. Not because it's programmed any better and is the better software per se (I'm not talking about features, UI or usability), but just because it's not a frequent target for now! So... what will the campaign "Spread Firefox" do to its reputation in the end? ;)

This is NOT an Anti-Firefox or Anti-Open-Source post in any way, nor a Pro-M$ one. It's just a thought about reasons, a warning against thinking in camps, against pure believing in and mindlessly reciting any heard phrases. Think for yourself!

Re: The myth about Firefox being the safer browser

I think most of us realize the slogans "the safer internet browser", "the future of internet browsers", and "reclaim your inbox" are extreme exaggerations.

Actually, I think the best thing about Mozilla is the customizability.

Re: The myth about Firefox being the safer browser

I don't care how "safe" it is, but the fact that the code is open, and that it is available on all platforms seals the deal for me. I don't consider closed code "safe", ever, so for me, saying it is safer is an understatement.

I can handle a closed source game, I mean, sheesh, it's a game. Are they collecting info about how well I pwn newbs? Good, everyone should know how much I own... but what kind of pr0n I like and what forums I post in are my business.

It is possible to make software perfect, it's just extremely hard. Even if Firefox is the most common browser, I doubt it will be any less safe. It has its weaknesses, which are its strengths as well... but I doubt that it will ever be eclipsed by a browser that is damn near integrated into the OS kernel.

Lastly... it has been said that Opera is safest, though I don't consider it safe either (closed code). You are right that no one human can think of it all... but that is the benefit of open versus closed code... no one person has to.

Re: The myth about Firefox being the safer browser

it has been said that Opera is safest

Opera is probably the safest because only 1% of the population uses it. :)

Re: The myth about Firefox being the safer browser

it has been said that Opera is safest

Opera is probably the safest because only 1% of the population uses it. :)

I do use it, and sometimes it drives me totally crazy, because of some minor bugs it has :P I have to admit that sometimes I almost prefer IE to Opera, because of such problems. Lately, for instance, I am having problems in viewing certain web pages, but oh well... as long as Nao works, I am fine :P

Re: The myth about Firefox being the safer browser

but what kind of pr0n I like and what forums I post in are my business.

Yes, you are absolutely right, and the recent news that Google is keeping every single search record is frightening. They are tracking search results per user ID, so if you are logged into Gmail, as I am almost 18 hours a day, then you will also have all your searches and (secret searches (pr0n)) tracked. I didn't use to be paranoid, but I am now. The things I search for are my own business, not anyone else's. I'm a good citizen, but I do have things that I want to keep secret too. Nothing illegal, but certainly there are things I search for that might embarrass the hell out of me if it got out.

As for closed source vs. open source browsers, it doesn't interest me. I am taking quite a fond liking to Opera these days. The thing about IE that gets me is that the "Developer" of said software acts like the Web stopped evolving back in 2001. Sure, IE 7 is in our midst, but will it be an adopter of web standards or a bastardization of them? Security? Security starts with the user, and it plays a big part. I can have all the security in the world, and if I'm careless in my usage I can infect my computer with all sorts of malware.

As for safeness of the browser one has to look within and change their browsing habits. We all know where most of the crap comes from but yet we still keep infecting ourselves. Damn this lust of porn.

I've noticed...

Yes, quotes are still broken, in the same way they are broken in Konqueror.

Re: The myth about Firefox being the safer browser

I wouldn't say that IE's market share is the only reason why it's less secure.
There are bugs in every piece of software, no question (helloworld.c might be the only exception, barring any unknown fatal bugs in the compiler or OS). But there are a lot of factors that can influence the amount and type of bugs.

Not knowing all of IE's and Firefox's code by heart (let alone knowing what it does), I can't give 100% reliable numbers for each browser's safety.

But I can look at the people behind those products, and their past and present issues.

For example, there's the way a company approaches a bug in their product. Ideally they publish a patch and inform their customers. In most cases this is what happens.
Still, Microsoft advises you not to click on hyperlinks in IE. You shouldn't surf on more than one website at a time in order to avoid spoofing. In pre-SP2 times, MS suggested that IE users disable JavaScript altogether because their Windows Scripting Host architecture was too flawed to allow the removal of security holes without breaking other stuff. (SP2, which above all else was a security update, broke dozens of applications with its tighter security.) We have important MS people blogging about how MS neglected security for years in favour of adding new features to their products.

And considering Mozilla's ever-rising market share and that most worms nowadays are made by professionals with financial motives, it's safe to assume that they're more motivated than ever to attack Firefox and Thunderbird.

Furthermore, let's have a look at some of MS's security holes before they started taking security seriously, when they began to lose significant market share due to their negligence. These are off the top of my head; I know there are tons more even though I can't remember all of them right now.

NT4 display drivers: MS knew that their display drivers were buggy when they decided to integrate them into the kernel (run as privileged code) in NT4, but they did it anyway because they absolutely wanted the performance gain. As a result, even an unprivileged Java applet which drew outside its part of the screen in a certain way could BSOD an NT4 box.

ActiveX: Starting with IE4, webmasters could include ActiveX controls into their website, which would be automatically downloaded and installed by IE. ActiveX controls are effectively binaries that run unrestricted and with the logged-on user's full privileges - I don't think it's necessary to explain the security implications of that.

IIS: The ways in which you could hack an IIS box by buffer overflows, execution of pre-installed unprotected admin tools, using illegal paths to call cmd.exe or other exploits caused by poor design are countless.

Apache vs. IIS: In 2003, while almost three times as popular as IIS, Apache servers were hacked almost 5 times less than IIS5 servers. This means that for every compromised Apache box (Windows or *nix), there were more than 14 compromised IIS boxes. It can't just be the popularity there.

Terminal Services: Early versions offered 'encryption' that enabled an attacker to effortlessly fake any server or hijack any connection.
Microsoft then 'fixed' it by adding server authentication based on asymmetric encryption. However, the encryption was based on one single private RSA key hard-coded into the Terminal Server executable. Anybody with just a trace of technical knowledge could extract the key from the executable and generate their own server authentication keys.

Reappearing bugs: Some critical bugs, like the broken MIME handling in IE/Outlook Express, resurface or appear in similar form in newer versions of the products. This is a good hint at how much of an effort to create a permanent fix for the bug was made in the first place.

IE: Would anyone dare to estimate the number of security holes in IE rated 'critical' or higher?

These are but a few examples. Microsoft products have a long list of security problems caused not just by the occasional bug, but obviously caused by sheer incompetence or just plain unwillingness to take security seriously.

Mozilla and Opera definitely aren't perfect, but given Microsoft's incredible security record it's clear to me which of the big browsers is not to be trusted in a hundred years.

Re: The myth about Firefox being the safer browser

Tough topic and pretty much done with really... only meant to cause fire and create broken china (and interesting reads on webboards ;) )!

All I'm asking for is a more objective view, taking a step back from the good vs. evil issue and trying to act as an observer, not as someone who has taken a side. I'm using FF myself and I *do* know why. Still, I'm trying not to point fingers, but I'm more interested in explanations and understanding.

I don't think it's fair nor correct to call any software developer incompetent or not interested in security problems if you haven't actually seen his code. Not at all if you have the necessary background knowledge of technical dependencies yourself. Doing so nonetheless is just the same old Redmond-bashing game, which has pretty much worn out by now, if you ask me. We both know that comparing FF and IE is like comparing a tent with a house. I didn't mean to compare the two in my initial post, but only tried to make a point about FF. But ok...

IE is part of a suite, a program package, and can never be examined as a standalone product, because its roots go deep down into the OS and there are dependencies which make every developer shiver just while trying to imagine them. IE was sort of docked to an existing suite when Redmond realized there was a market developing they didn't expect. It was done in a hurry and using as much of the existing suite as possible. Over the years it was integrated even more into the huge structure of pseudo-interacting software, but never really lost the smell of an unfinished attachment to something bigger, pretty much like everything coming from over there. Imagining the company's structure, it's easy to see why this is so. But let's face it... there are few more than just a handful of lunatics in some dark cellar working on it, and still it appears to be unprofessional. One can blame the company's aggressive marketing for still making it a success - success in the sense of market share, not exactly usefulness.

But a lot of mistakes were made already. It's always easy for the second-born to avoid mistakes already made. FF had the chance to learn a) from the mistakes of the competitor and b) from the mistakes in its own roots (Netscape, Mariner, Gecko, XPFE). The most important thing to learn was to make it as slim and functionally reduced as possible, surprise, surprise. Not trying to measure competence in developing: which project is easier to handle and maintain from the developer's view, IE or FF? Or, asked differently: if you take out the emotions and brand names for a minute, which project would you rather work with? FF of course, because it's giving you more freedom, creativity and mobility. You bet you'd get the same answer from every IE developer as well! I actually heavily doubt it's a lack of competence in that evil company over there at Redmond, but more a problem of administration and grown structures.

One may reply 'I'm not interested in psychological or company-internal issues of projects, I want to have a product to use'; sure, but it's not Redmond that makes using its browser a replacement religion!

Still, the amount of users, just the statistical numbers, combined with their knowledge about safety-relevant coherencies, is a major factor in that field of development, irrespective of brand names or legions of developers behind it. But I guess it's safe to say we will actually see the result, since the amount of FF users will keep growing on and on, with that attracting the more average users, so the criminal energy as well, and last but not least similar safety issues in amount as well as in quality.

Re: The myth about Firefox being the safer browser

I don't think it's fair nor correct to call any software developer incompetent or not interested in security problems if you haven't actually seen his code.

Well besides the marketing department, most MS people don't make a secret out of the decision to neglect security in favour of new features, so I think that in this case it's fair.

only meant to cause fire and create broken china (and interesting reads on webboards)

Heh, I think you managed that quite well :-) (besides the broken china)

