just think of it as an executable (bumped again)

update 4: Not only are there exploits in the wild, but it appears they're showing up at hundreds of legitimate sites, not just unfamiliar and untrusted sites. These exploits are stealing credit card numbers and login credentials. Read more at Washington Post. I expect that Microsoft will be accelerating a fix for this one. There's just no way they'd keep their users exposed until the middle of April.

Yikes. If you're an IE user, even one who doesn't like Firefox, perhaps you should consider using Firefox for the next little while as Microsoft figures out what to do about this potential exploit.

Get Firefox

Ewwww. And exploits are out.

update: And it gets worse.

another update: Exploits in the wild are installing spyware. Expect the keyloggers and trojans to appear shortly. This one is moving fast, folks.

update 3: From the various articles I've read, it sounds like Microsoft doesn't intend to offer a patch until their next scheduled update in mid-April.

reactions, thoughts, comments, etc.

Or why not switch to a browser with a somewhat satisfactory security record. Get Opera.

Ha! Opera fanboys. They're hilarious. ...and quick to post evidently. I wouldn't think Opera fanboys would post to a MoFo blog within 10 minutes. I guess Opera flames faster than Firefox.

Jere, gtfo. Please do not spam every post (Opera fanboys in general) turning it into an "Opera is better than FF" fight. NOBODY CARES. It's a MOZILLA BLOG, PROMOTING MOZILLA PRODUCTS.

As a Linux user, I find that suggestion to use a patronisingly Windows-biased browser highly offensive. I don't go to your browser developer's personal blogs screaming "Use Konqueror!!1", and I ask that you get the maturity to stop doing it here.

SANS is reporting that there's exploit code out for this one:

http://isc.sans.org/diary.php?storyid=1212

Urk. Trying not to add to the trolling or spamming, but I would like to point out that both Fx and Opera support quite a range of operating systems, and developers are trying hard to do so. Now, to get back to the point of this blog, which is, er, ragging on IE. ;-)

That exploit does not affect the IE7 Mix06 Refresh build.

Referring to the second bug: "...because the bug does not appear to cause anything worse than a browser crash...".
Lovely.

Regarding Opera, in case anyone was wondering why Secunia doesn't list any "unpatched" flaws, as per http://operawatch.blogspot.com/2006/03/opera-853-likely-to-be-released-soon.html

"Opera usually coordinates its browser updates with Secunia, so that Secunia doesn't release any information about security vulnerabilities in the browser before a patch is made available."

The unpatched security holes in Firefox listed by Secunia are 2 years old. Even Secunia can't wait that long.

OK, maybe Opera has fewer holes than Firefox in Secunia, but it doesn't have extensions!

And remember Firefox is Open Source, therefore it's safer BY DEFINITION. Just imagine all the volunteer eyeballs glaring at the Gecko code, looking for bugs and holes... you can't beat it!

Bah, have to look at the source code to read Jere's trolling :)

Asa, could you change the single-quote to a double-quote in [a
href='http://blog.washingtonpost.com/securityfix/2006/03/exploits_released_for_unpatche.html"]exploits are out[/a] ? Funny how MSIE, Opera and Firefox all break in the same way with this code. Hurray for compatible error correction!

@Joe: I'm not really sure, but I'll assume you've written with tongue firmly in cheek. Having extensions does not make a browser safer (witness the Greasemonkey 0.3 fiasco a while back). Nor does being open source make a browser safer. Attention to detail by the developers, goodwill from security testers, and plain lower marketshare are all more important.

Hey, my family considers Internet Explorer the "Frankenstein" of browsers with all these damn patches and exploits it keeps getting.

Asa, I'm willing to bet you paid particular attention to this part of the article :P

Security Fix learned the location of one Web site being used as a virtual drop box for user name and password data stolen from people who'd visited the network of hacked sites (the SANS Internet Storm Center has a great post detailing exactly what one of these data-dump reports looks like). One of those victims was Abdel Marriez, a truck driver from Astoria, N.Y. The malicious program stole credit card information and credentials he used to access his e-mail online.

Marriez said he couldn't understand how the code could have landed on his computer, since he said he is fastidious about ensuring his Norton anti-virus program has the latest updates from Symantec. After this experience, he said, he plans to change browsers.

"IE and me are through, that's it," Marriez said.


....
Rather than download a "beta" (read: potentially unstable) version of IE or wait around for Microsoft to issue a fix, a far better idea would be to ditch IE altogether (or only use it only when absolutely necessary). I use Mozilla's Firefox for everyday browsing, but your mileage may vary. There are other options, of course, such as Opera and Netscape, to name a couple.

What amazes me is how many Windows users seem to blindly equate Internet Explorer with access to the Internet -- in much the same way that many America Online users are unsure whether they can use someone else's browser once they've signed on to their account. Even after you tell people that they may have just been whacked with a virus due to a flaw in IE, they still use it.

Case in point: One guy I contacted to tell him his site was serving up this exploit code went to check his home page and then told me his browser just crashed on him. I had to ask: "Don't tell me you just visited the site in IE?" He had. I could only shake my head and sigh.

Asa,

Markup error again. You really should look at your blog post in a browser, after making updates...

[p][strong]update 4:[/a]

The latest version of IE7 Beta 2 Preview Refresh is not affected.

"The latest version of IE7 Beta 2 Preview Refresh is not affected."

You have to love Microsoft's naming schemes. It's pre-beta 2 reloaded!

First: this is a public blog, meaning that everyone can post.

Sure, "The Secunia database currently contains 0 Secunia advisories marked as 'Unpatched', which affects Opera 8.x.", but you can't read the source code, so, you can't be sure if Opera Software ASA is hiding bugs.

That's why you can't compare the security between an open-source software with a closed-source software.

You have to be running Win XP SP2 in order to use IE 7. It will not install on anything less.

Asa, I find this a particularly funny article http://www.eweek.com/article2/0,1895,1943687,00.asp via /.

Dam: did you read all the source code of Mozilla/Firefox, and assure yourself there were no security bugs in it? It all depends on how you define security of course, but what matters for end-users is:

1. Number of security issues found
1a. Number of issues communicated to browser staff to solve before making them public
1b. Number of issues communicated directly to the world, making browser developers scramble to solve the issue
1c. Number of issues secretly exploited before they are public knowledge
2. The speed of solving by the browser developers
3. The ease of updating your browser

Being open or closed source only plays a role by hopefully changing the relation between 1a on the one hand and 1b and 1c on the other hand. It is disingenuous or plain ignorant to claim that 'open source' means 'more secure' by definition.


Open source may not be more secure by definition, but it is more trustworthy by definition. What does that mean? That means if some open source project is not so secure, it will be noticed. And it's more likely to be noticed if it's a popular project that is used by many people. So the more popular the open source project gets, the more trustworthy it gets.

Trustworthy means that developers are honest and very straight up with their users about the security situation. And that's very, very important.

On the other hand, compare this to a closed source vendor, which always has financial incentive to deceive its users. While it might in some cases be technically more secure, it is in all cases less trustworthy.

So Open Source is only more secure for programmers then. Everyone else has to take it on faith just as if it was closed source.

Why should I believe a community of programmers over a business? Wouldn't they also have their own agenda? One wants money for a product, the other wants notoriety, fame, recognition, money, etc..

So, the source is available, but what good does that do the average consumer? If Opera offered their code, I wouldn't want to see it.

As the average consumer, I have little faith* that anyone other than those who have stake in the success of the product will dedicate time and resources to fully understanding the security of the code/product. Then how is that different than closed source?

IE and Opera are both closed source. Firefox might as well be closed source as I have no interest in trying to understand the code. IE has demonstrated countless security exploits, and Opera has not. I've chosen Opera. I would be just as willing to choose Firefox based on the same criteria.

*I understand there is a core development team of Firefox, and a foundation and all that- which to me, garners trust, or "control" much more than the fact that everyone in the world can double check it. I trust a team with consistency and dedication much more than the teeming masses.

Secunia says only 2 vulnerabilities remain unpatched in FF [1]. What a marketing opportunity here for FF:

achieve 0 (zero) vulnerabilities versus IE's 21 [2] (and counting...)!!

May be in the next FF 1.6.0 changelog?

[1] http://secunia.com/product/4227/
[2] http://secunia.com/product/11/

Eddie,

I enjoyed reading your comment, thanks.

As the average consumer, I have little faith* that anyone other than those who have stake in the success of the product will dedicate time and resources to fully understanding the security of the code/product. Then how is that different than closed source?

It is different because closed source vendors have stake in SALES of the product. That's very different from success, my friend. Because success sometimes means shipping with fewer features, or shipping later, or not shipping. Success sometimes means admitting "our product sucks, please don't buy it yet...we're sorry, let us work on it another year and try us again then!". That's success. But that doesn't necessarily do much for sales because not enough purchasers are enlightened yet and don't understand how to vote with their dollar properly. So someone who wants to make money has to cater to the largely non-enlightened market that will buy up anything glitzy, anything packaged well, and anything with good reputation.

So, the closed source vendor has a very powerful monetary incentive to keep any negative news about their product down in order to protect their reputation. I'm talking about things like news of security vulnerabilities and negative reviews. And we see this happening all the time. Closed source vendors are fighting tooth and nail against vulnerability full-disclosure -- which is really nothing more than free speech with regard to a publicly available artifact (software that is in wide use should be considered public and not private, but that's another topic). Closed source vendors are also well known for suppressing and outright manipulating the reviewers. This is well known in the gaming industry, and there are some closed source software products that have clauses such as "you may not review our product without our authorization". I may be wrong, but I believe Oracle does that, and maybe others. I've never heard of an open source project rigging a benchmark to get higher numbers for the press, but I've heard of NVIDIA and ATI doing it. Why? It's simple! It's not because they are naturally evil, but it's because they have a very very STRONG monetary incentive to do so.

So, please don't confuse incentive to sell with incentive to produce excellence. The desire for excellence of product quality is very much an irrational desire. In some ways it is like love. In order to sell well you don't need excellence. You don't need your software to be technically successful. All you need is successful sales, but that doesn't mean technical or social success. Technical success is obvious right? By social success I mean getting excellent documentation, getting excellent non-deceitful support, being able to interoperate without any artificial barriers. Interoperating with other people's software is indeed a social thing. For example, if I use Google Maps to map all my friends homes and use that to foster a discussion between me and my friends. That's highly social. If I am encouraged to share, that's social. If I am prohibited from sharing something that's in my power to share, that's anti-social.

Also, let me be frank with you as a developer. Pretty much any open source dev I've ever seen is miles and miles and miles higher in expertise than 99.99% of closed source devs I've seen. I don't know why that is. Maybe it's because they do it out of love? I don't know. But fact is, a really HUGE number of morons who couldn't code their way out of a wet paper bag, work writing closed source for a living. Let me tell you about them. They look and talk like nice people. They wear suits when asked. They have great credentials, great degrees and great certificates. They just can't code worth crap and they don't care about what they do deep down. They come to work, do their thing and go home. That's what overwhelming majority of closed source development is like. There are SOME exceptions, but notably in companies that actively try to fight against that by hiring unorthodox people who really love what they do and who don't wait to be kicked in the ass prior to learning something new.

So, since I've been a little bit on both sides, I assure you that closed source quality is just mostly hype, and as far as trustworthiness goes, you should definitely be on guard when dealing with any closed source vendor due to the reasons I have outlined above. Yes there is some really good closed source software and companies. But your current understanding of the entire process is completely uninformed.

Frankly I don't think product quality excellence can be incented in any way at all. When the urge to produce products of excellent quality arises, it does so spontaneously and despite all kinds of counter-incentives. To sell well you do need your products to be of moderate quality, but anything more than a moderate level of quality (such as excellent quality) just gets in the way of making more sales.

Leo-

Thanks- I don't disagree with your overall statement. I do believe my opinion is uninformed, but not too far out of the perspective of most average consumers.

But the last half gets to what I think my point was- you say: "let me be frank with you..." and then make what I perceive to be an outrageous claim- 99.9%? I mean- I buy the fact that working on something because you *love* it and not because you're paid to do it (ie- a job.. work.. etc) would yield a better result, but hell- just like that time I decided to take up mountain biking, or my first marriage, those were built out of love and passion too! But now, they are collecting dust and/or debt and I've moved on. As it applies to Open Source, I'm afraid the most passionate users may move on to be replaced by others from the community that like the product and want to keep it alive, but don't necessarily have the spark that the originator did.

I'm also being narrow sighted somewhat in that I'm only looking at my experience with Opera and Firefox right now. Opera forums are active with developers, QA, Marketing, etc... they field feature requests, respond to bugs.. at least with the regularity of what I've seen from the FF community (granted, I've never submitted bug requests/wishes, but I have seen many "why isn't this memory leak fixed yet!" type posts in FF forums). Opera appears to be focused on creating a quality browser; most of the "sales" driven aspects you mention, while I'm sure they exist at Opera, do not easily show themselves (except the earlier mentioned relationship with Secunia?- I didn't get what that post was implying). I should also say that I happily paid the student fee for Opera as I enjoyed the innovation they brought forth and wanted to contribute to it.

Anyway, Leo, thanks again- it has got me thinking.

-Eddie

I also forgot that passionate work can cut both ways. Someone is only going to be deeply involved in a project like that as long as it scratches his/her itch. That dev may not want to play anymore when things like usability, user experience, feature/scope creep all come into play- when you're working on your own tool, it's apt to work the way you think, which may not be the same as everyone else (certainly consumers don't view software in the same way developers do).

I think this is evident by the microcosm of OS developers making extensions for FF- since they are at the surface, they are the most easily visible aspect of Firefox. The "cool" stuff. Let's face it, we all want a reliable, predictable, safe, secure browser that renders all our pages and is rock solid. But the wow factor is in extensions- and those are part of the core Firefox- so (again from my perspective.. the regular joe) every time I upgrade my browser, I have to rely on everyone else to upgrade their extensions. What if that person doesn't care anymore?

Eddie,

Of course I'm exaggerating when I say 99.99%. It's like when you read about 10,000 things in ancient Chinese texts. It just means many. I hope you're not taking it seriously and I hope you don't think I really believe in my 99.99% figure. Of course I pulled it out of my rear end to convey an idea. :)

And, Opera team is just a really good team. That's all there is to it. (And so is Mozilla team)

What I am saying is that some people think that open source automatically means unwashed hippies, unamerican, commies getting together and writing some nasty patch job. And they often also think that monetary income automatically implies responsibility and quality. And I'm just saying it's not guaranteed.

Really good programmers solicit peer reviews of their code. But many programmers in closed source environments are very protective and defensive of their code. Not all! Of course someone who doesn't want criticism can release open source software too, but I really don't think many other devs will join a project with a leader who hates to be reviewed and criticized. So once some open source project gets above a certain level of participation, it usually implies that most of the egos are in check, or else it couldn't get that far. But maybe I am wrong and there is a hole in my thinking somewhere.

Eddie,

What if that person doesn't care anymore?

That's a good question. Personally, I don't think there is any insurance against this in either closed or open source worlds. They just disintegrate in different ways. If closed source vendors don't care anymore, their quality slips, their sales slip, they get bought out by some other company and snuffed out of existence, they declare bankruptcy. The monetary incentive is only going to slightly delay the inevitable decline which happens when people don't care anymore.

In the open source world, if no one cares, yup, it goes unmaintained and it stops working well with newer versions of other software, old bugs don't get fixed and maybe become more annoying, etc.

But I have to ask you this: why did the person stop caring? Is it because the product sucks? If yes, maybe that product needs to die ASAP, and in that case, propping it up with money just makes the death more of a torture. Is it because of a deeply personal change and NOT because the product sucks? If so, it means the product will be picked up by other maintainers, if it's open source, but if it's closed, it will just disappear, unless someone has the strength to sell it to some other company and that other company has the strength and will to continue to develop it.

So, I don't see any good protections against people changing their priorities in life. But if the project/product is really good, I don't think it will go on without love, at least, not if it's open source. :) And if it's an open source project and it does go on without love, then maybe it's not so good? Maybe it was just me who thought it was good and the community thought it sucked? Maybe if I learn how to live without it I can find ways to be even more productive?

Good food for thought. Thanks.

Bug Spoofs Internet Explorer Addresses (another bug) http://news.yahoo.com/s/cmp/20060405/tc_cmp/184428646