real world security

There are lots of bogus security metrics out there, not the least of which is the often quoted number of vendor disclosed patched vulnerabilities. I've complained about this being used as a primary metric in the past and suggested that a more important metric was the time it takes a vendor to fix the problem.

Window adds another piece to that by talking about the time it takes to actually deploy the fix to users. This is an area where Firefox does a pretty amazing job, and as you can see from Window's post, we're getting better with each release.

Quickly fixing bugs and getting fixes in the hands of as many users as possible is a major cornerstone of our approach to security. No software of any complexity is bug free and with so much money to be made and havoc to be created, the bad guys are going to find and exploit software flaws. Our ability to update the overwhelming majority of Firefox users in just a few days is pretty amazing and means that our users are going to be some of the most secure on the Web.

Posted by asa on June 18, 2007 4:56 PM

reactions, thoughts, comments, etc.

If it is a question of resources (bandwidth, mirrors, ...) as suggested, one could argue that it could make Firefox safer if it had a bittorrent client build-in and used that for updates. WSPTOTC.

Posted by: Anders | June 18, 2007 9:19 PM

Are Firefox patches really big enough to take advantage of BitTorrent? A quick look through the FTP site shows that the updates to the Windows releases (the most used) and Linux releases are typically only a few hundred KB. I don't think I saw a single one that hit 1MB. The Mac versions are larger, some hitting ~2 MB, probably because of duplication in universal binaries.

Does anyone know what the minimum file size is for BitTorrent to be worth the overhead, as compared to HTTP or FTP?

Posted by: Kelson | June 18, 2007 9:39 PM

Parse error in section two, sentence one.

Posted by: Huh? | June 18, 2007 9:48 PM

Kelson is right. The patches are so small that BitTorrent isn't really a big win for us. We're still trying to tease out why some people get updates on the first day and others on the fifth or sixth day, but certainly some of it could be that not all users use a browser every day. Also, it could be that some users decide to hold off on applying the update for several days even though they've already received it (since it does take a Firefox restart.) I think our infrastructure -- our capability for distributing the updates, is actually in tip top shape and we will start to look at other parts of the system (the client experience, user education, etc.) for further reducing the time it takes for our users to get the latest secure version of Firefox.

Posted by: Asa Dotzler | June 19, 2007 10:08 AM

There's one big hole in the Firefox update procedure. Generally, updating in Windows can only occur from an administrative account. By default, limited users do not have read/write privilege in the "Program Files" directory and cannot update. (This does not apply to FAT file systems, which have no provision for privilege.)

Posted by: VanillaMozilla | June 25, 2007 2:47 PM