doron's blaahg

Just for info: Mozilla die 1 is now fixed bug 264956, Mozilla die 2 is open bug 265027. Mozilla die 3 doesn't crash on 1.8a4/W2K.

Filing bug #2 in the Firefox component is wrong, this is a gecko parser issue.

And I am sure there are tons more left :)

But note that mozilla/firefox has been built with more security in mind. Sure, it is more obscure and greater exposure will reveal more flaws, and this one aint a great flaw to have! However, it is not as simple as your rhyming phrase would have it.

Generally speaking then, it seems far more secure than IE...

How can you say its built with more security in mind? There is no proof, and we've had holes in pretty much every component.

A little test with his online-crashing tool didn't crash my Firefox 1.0PR and I reloaded the page aprox. 20 times.

Personally I'm glad to see this posting of vulnerabilities. It just raises the awareness and importance of fixing them. No software is 100% bulletproof, but the fact that the Mozilla organization takes security seriously, and aggressively goes after these software flaws makes it a much more suitable and secure solution in the long run.

RE: The online version doesn't crash Firefox... read what he says on the webpage. The online version is a "lite" version. For the real test, you need to download and install the full suite.

What a red herring! Microsoft's use of a different compiler doesn't make their code any good. If you don't like a Mozilla/Firefox compile, can't hack using an OS with integral stack protection, and can't hack browsing the web as a user rather than an administrator, recompile it. Problem solved.

Certainly in this case FireFox/Gecko is less secure (though reproducible test cases will make this false at some point). However, I think your assertion is far from proven by this. Security is somewhat of a soft term. At one end of the spectrum security is allowing various ActiveX controls to be installed while not realizing it. At the other end, it is protecting against buffer overflows (which can end up installing software without realizing it :)). Which product has more overflows? Which one allows malicious web-sites access to your data/machine more? I don't know.

I think your assertion is as likely true as it is false. I think obscurity has made security difficult to compare between the browsers. Sighting this single example as proof that it is not more secure seems a bit lacking to me.

IE hasn't had a hole that allows activex to be automatically installed in ages. What happens is sites keep asking to install them, and users end up pressing OK. Windows XP Sp2 started the yellow bar thing rather than showing a popup window, which Firefox copied.

The whole activex install angle is pure bullshit.

Err, that doesn't make IE more secure, it just makes it less prone to crashing.

With FF1.0 I would agree with that... the PR is very crashy and unstable. I absolutely hate the PR as it is very unstable for me, the previous versions were far superior.

"How can you say its built with more security in mind? There is no proof, and we've had holes in pretty much every component."

" I'm sure the "Firefox Is More Secure" fanboys will find some weird way to play it to Mozilla's advantage"

Umm did I somehow get transferred to Microsoft's Blog site?

I've always thought that we should all be open about Firefox's/Mozilla's problems but I think your taking it a little too far. Reading your comments its almost as if you resent Firefox's userbase and don't think its a more secure alternative to IE. The main thrust right now for using Firefox is that's its safer to use than IE. If you really think that's not true (which is exactly what your saying) something is really wrong here.

"The whole activex install angle is pure bullshit."

Sorry missed that one. Again I ask, what's with the hostility? I see real resentment here.

Mozilla die 3 _doesn't_crash_ on my Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3) Gecko/20040913 !!!

The whole "more secure by design" was centered around one difference, to my understanding: Mozilla (and by extension Ffx) is an *application*, and not integrated into the OS. As such, vulnerabilities run with user-level privileges, rather than system-level privileges. Of course, this is mostly meaningless, since the majority of Ffx users are running it as admin...

But that's not why Ffx feels more secure; it's why they can get away with using that catchy phrase. For why it feels more secure, or why/if it *is* more secure, I'd have to go into a lot more detail, most of which I don't know.

> Someone give him the bounty? :)

that's ridiculous, crashers are not security issues.

that said, I agree that too much emphasis is put on security by the marketing people... best proof: mozilla 1.7.1, .2 and .3.

> Reading your comments its almost as if you
> resent Firefox's userbase

I think Doron resents the people who spout off about things without thinking about them, yes. I suspect a lot of Mozilla developers resent them. I do.

> and don't think its a more secure alternative to
> IE.

Quite frankly, it's not clear to me whether it's a more secure alternative. A lot of the firefox front-end code (and "front end" is a very broad category here) has never had review of any kind, much less security review. So who knows what's hiding in there?

Note that IE has never ever tried to delete anyone's Windows desktop, for example. A user bitten by that may not think Firefox is secure...

Also note that I'm just saying we have no basis for comparing the relative security of Firefox and IE, not that Firefox is less secure. But the people claiming loudly that it's always more secure in all ways are doing Firefox a great disservice in the long run as security vulnerabilities _will_ get found.

> The main thrust right now for using Firefox is
> that's its safer to use than IE.

Perhaps that's a mistaken main thrust?

> If you really think that's not true

It may well not be.

> (which is exactly what your saying) something is
> really wrong here.

Yes. That's what Doron was saying too. The really wrong thing is people making claims without being able to back them up.

My active X comment was not neccesarily directed at IE and it was not neccesarily implied that it was not some feat in social engineering. Mostly, that security is a fuzzy concept and there are multiple angles to look at it. Because of that, I did not think your assertion was very knowable. Because IE has less parsing crashes does not mean it is better in any other way from a security perspective. Then again maybe it is???

Also note (tangent), that fanboys and advocates alike are smart to play off of a percieved weakness in its competitor. It could bite them in the ass some day, but on the other hand until gecko is a more targeted system; the marketers probably won't need to worry about security as much as its competitor.

>I've always thought that we should all be open bout Firefox's/Mozilla's problems but I think your taking it a little too far. Reading your comments its almost as if you resent Firefox's userbase and don't think its a more secure alternative to IE. The main thrust right now for using Firefox is that's its safer to use than IE. If you really think that's not true (which is exactly what your saying) something is really wrong here.
>Posted by: none at October 19, 2004 12:23 PM

Having Firefox more secure than IE is accomplished by making it more secure, not by claiming it is.
BTW I think that after Firefox will have gained a good share, after the false spreading campaign end, in two months it will get back to a 0.5%

http://seclists.org/lists/bugtraq/2004/Sep/0214.html
^ Look, an exploit in IE in XP SP2 that lets ActiveX run without asking. Note, it should probably still show the information bar, but I haven't tested it.

Using the crasher thingy offline hasn't crashed Firefox yet, 30 minutes and counting. I'll try it in IE as well.

http://www.asan19.dsl.pipex.com/ie/Crash.htm

Crashes IE and not Mozilla. Doesn't do it on SP2, but that's a given.

I guess in my blabbing I'm trying to say that IE still has the parse errors, it just doesn't die because it's compiled with the null pointer protection crap. Firefox can be compiled in a similar way but currently isn't (something about a library dependency or something). In the long run, IE's bad code parsing still exists, while Mozilla is fixing it at the source (i.e. they're not compiling with null pointer protection crap, they're fixing the bug where it's located).

As far as browsers go, I've used IE, Opera, Konqueror, Firefox, and Mozilla. Firefox and Mozilla are the only two browsers that I feel safe and comfortable in (Opera makes my head hurt [colors, layout, a gazillion menu items under one menu] and Konqueror annoys me with its weird rendering and menu item names).

http://seclists.org/lists/bugtraq/2004/Sep/0214.html

Forgot about the SP2 issue, if I remember, it isn't as easy to exploit as it seems.

My point is that saying Firefox (or Mozilla) is more secure is something that can bite us back, and fanboys (see spreadfirefox.com) keep repeating and advocating it to everyone.

No modern browser is secure.

And I was being sarcastic about giving him the bounty :)

Hah! I made IE crash with that thing after 3 minutes of running it! Firefox is still going strong ^_^.

I love Apache *g*

But Firefox is definitely a "browser you can trust" because all the source code is open and it is designed to be secure from the bottom and they don't hide information about the bugs. I can at least trust that my content will display right in Firefox as when I have experienced bugs that caused a problem with display on my website they have been fixed completely within a month. You can also trust the future of the web and standards being open if Firefox gets enough of Internet Explorer's market share. But if you are really concerned about security the number one thing you should do is stop using DOS and Windows. You can't build a fortress on top of sand.

What a bunch of bull. Any idiot can write a suite to crash a bunch of browsers and then remove all the test cases that made their browser of choice crash and say, "See how much better my favorite browser is"? Notice how he omitted the test for the libpng vulnerability that every other browser got patched in early August, but IE still crashes on.

The only thing to be gleaned from this is that none of the browsers is perfect, either in security or in stability. But any turkey can produce a suite of tests to prove any point they want to make.

Doron, Boris: what can You suggest to do? I can clearly see Your point. More! I can agree that what spreadfirefox does is a little bit... too offensive for me and, ... overwhelmed.
But i think it's clear that the World needs secure browser. Can we make it? How? If we cannot than who?

Don't find it offensive, I'm admiring Your honesty, but it's much better to talk about the ways to fix it than about a problem itself, isn't it?

"But Firefox is definitely a "browser you can trust" because all the source code is open and it is designed to be secure from the bottom and they don't hide information about the bugs."

The only advantage is that we can patch faster, that is really it. Most holes are not found by looking at code, they are found by writing tests and trying to fool the browser. And open source doesn't give any benefits in that case.

As for how to make Mozilla more secure - Netscape used to do security reviews (even inviting non-Netscapers), perhaps we need to get something like this going again.

bz, doron, you're going a bit too far in an attempt to turn down the hype, and you've forgotten a few things that we have done better. For example, IE's habit of ignoring server MIME types and trying to guess the content type created a whole bunch of security holes. That comes down to our general approach of being stricter than IE.

We do patch faster, and that matters. Also the fact that you can update your browser without causing your entire desktop to implode is a good thing.

It's too bad we didn't do fuzz testing earlier, but the fact is we've always known about plenty of HTML inputs that could crash Mozilla *or* IE...

BTW I doubt the VC++ safety checks made a difference in this case. They'd just terminate the app to prevent an exploit, which looks just like a crash.

> and they don't hide information about the bugs.

Er... actually, that's _exactly_ what Mozilla does. Hide information about security bugs until the bug is resolved in shipping versions. This includes hiding the information from people who could conceivably fix the bug, sometimes. We think it's a decent tradeoff with the bug being exploited by script kiddies, but that's another issue entirely.

roc, I happen to agree with you that overall we're more secure than IE. I'm just deeply concerned that people who have no idea _why_ that is and who make obviously false statements (like the "don't hide information about the bugs" one above) that cause the project as a whole to look dishonest... A lot of people outside the project have no idea who's in a position to know something and who's just spouting off. They just assume people who're talking are supposed to be talking.

So you are saying as a web content developer and designer I know nothing about how Firefox works. Maybe not on the low level code but I do know about it from a user and designer perspective. So you are saying all you care about is from the programmer's perspective and not how Mozilla works in the real world. Are you claiming I am making up that I had a bug fixed within a month? You can check the records if you suppossedly know so much about Mozilla. I feel much more safe about Mozilla and Firefox because they fix things that Microsoft never does. I was never able to get both xml and xhtml to work with Internet Explorer on the same site. I would output XHTML from Abiword and it never looked right in Internet Explorer but looked perfect with Mozilla derivatives as well as Opera. To even talk to M$ it costs 200 dollars per incident. Mozilla never charged me. Giving a Security bug bounty is a lot more transparent then the M$ not announcing bugs and pretending they don't exist until they have a patch.

Robert: we actually started ignoring mimetypes and doing what IE does under certain conditions :)

> How can you say its built with more security in mind? There is no proof, and we've had holes in pretty much every component.

Interview with Ben Goodger:
http://news.com.com/2008-1032_3-5406708.html

Some people say Firefox has a better security reputation than IE only because it doesn't have enough market share to attract the attention of bug hunters and malicious hackers. Is that a fair estimation of the difference between Firefox and IE?
No. Firefox is better designed in a number of ways--we have no "mode" that allows untrusted content to be executed automatically, for example--no "safe zone."

Another reason: Market share does not predict security. Apache has more market share than has Microsoft IIS, which has more holes than Apache.

----
This might not completely be proof, and it is not intended to be a defence of firefox for the sake of defending it. It is more to comment on your "absolute" statement that "Mozilla is NOT more secure, its more obscure." It's a nice catchy phrase but is it right? To play devil's advocate, I don't necessarily think Ben provides "proof" in what I quoted above, but it shows another nice statement that counters your nice statement.

But this crash thing needs to be resolved, for sure :)

> So you are saying as a web content developer and
> designer I know nothing about how Firefox works.

Not at all. I'm saying that a lot of people who know nothing about how Firefox works pretend like they do. I'm basing my "know nothing" conclusion on the incorrect statements they make, not on their occupations.

I have no idea what you personally do or do not know, since I've never met you before.

> So you are saying all you care about is from the
> programmer's perspective and not how Mozilla
> works in the real world

I'm not sure how you managed to draw that conclusion.

http://secunia.com/product/11/
http://secunia.com/product/3256/

I'll let for you to decide, what is more secure.

Benjamin: apparantly you do not know enough about Mozilla to know that Boriz Zbarsky and Robert O'Callahan are two of the lead Mozilla developers, so yes, they *do* "suppossedly know so much about Mozilla".

:)

~Grauw

>(a) Mozilla is NOT more secure, (b)its more obscure.

Part (a) Is a truism - something is either secure or not, since no browsers are secure, none are more secure than each other.

Part (b) Mozilla comes with source and there are well known vulnerabilities in specific versions - by what definition are you using to make it obscure?

Nothing against Ben, but I don't consider him an expert in Gecko, where holes are located.

Yes, Mozilla has less known holes, but that does not mean its more secure than IE - if we had the same marketshare and less holes, then that would mean something.

Also, a lot of IE holes are due to it reusing system software like msxml. Mozilla has had holes because of other software we use as well.

Mozilla is probably more secure and possibly designed to be more secure, but there is no proof.

And fixing holes isn't enough - many regular users do not upgrade. There used to be tons of Netscape 6.0x users, and they only upgraded to 7.0 when we made a huge marketing campaign (3x million downloads). Just because we can fix issues decently fast doesn't mean everyone is secure.

actually, it still is more secure.. If you've ever tried to submit a valnerability to Microsoft, and dont publicise it, its not rare for them to takes 3 months to fix it, even if the flaw is serious. The only way to protect Microsofts customers against discreet users of the exploit, is to publicise the flaw.

Meanwhile, the most serious of flaws in mozilla seems to be fixed overnight (this one I dont consider that serious, and actually a bit overrated).

Even worse, MS has stated they wont protect non winxp-sp2 or greater customers anymore who run IE, so win2K internet explorers are at very high risk. I think its safe to agree that at the very least, mozilla security is much better then IE on win2K security.

oops, I mean,users of IE less then winXP sp2

I thought that the main point was how the marketing measured with reality. All my other popints about Mozilla being the browser that you can trust like about it supporting open standards is something I know quite a bit about through real world experience as I have moved my life's work from Windows to Linux to Windows to Mac OS X with totally different applications and was still able to access it as I used open formats and I could depend on cross platform viewers like Mozilla and the open nature of PDF, Flash, and HTML formats. Even though I don't do anything very complicated with my site design (rendering wise) I always have to make adjustments for IE and my page doesn't always look best in Internet Explorer because it doesn't support open standards. The latest issue was support for transparent PNGs. As far as security wise I do personally trust Mozilla more as many people do and that says something if you care what non-programmers think. The most important point I can make about security is to not use Windows or DOS - that is what I should have *starred*. Whether you use a secure or insecure browser it is still more important that you have a secure system to put it on. It does no good to have a secure browser but not have a system with permissions that are compatible with your applications or to have a firewall that has gaping holes in it. And of course the most important thing to do if you want to preserve information is to make frequent backups.

> Mozilla die 1 is now fixed bug 264956

No it isn't. It is marked as fixed but the patch is not yet checked in. neither in the trunk nor in the 1.7 branch. I haven't checked the aviary branch but I suspect the same.

The mis-statements about security in this thread scare me, especially considering how many contributors to the thread have their fingers in the code.

Several people have tried to claim that crashes are not a security issue. But they are: causing the browser to crash is an opening for a "denial of service attack". It is still a serious threat, because it causes people to (for example) fall back to a less secure protocol.

Somebody else said that much Mozilla code has never been reviewed for security. Even if that is not exactly true, it sounds scarily close to the truth. Not only does it need to be reviewed, it needs to be regularly tested for security.

I'm sure they do much of this for IE, although clearly they do not do it very well. I know they do it for the major WAP browsers, too.

Finally, yes, refusing to launch ActiveX automatically and being separated from the OS are security advantages of Mozilla, but not overwhelming ones. That alone is certainly not enough to dub it "more secure" than IE.

I think it is wise to take Doron's position and objectively evaluate the evidence (or, as Doron is pointing out, the lack thereof) of Mozilla's "security." I use Firefox, but not because I think it's more secure. Firefox has features that I like: tabbed browsing, live bookmarks, nice UI, small footprint (hdd,memory), etc. Other than enterprises, this is what the vast majority of casual computer users look for. It doesn't matter to them whether the browser is standards-compliant or open-source: they just want stuff to work.

While user awareness of security is undeniably growing, remember that people use computers because it allows them to do things; not because it allows them to do things securely. Furthermore, security is an element of software design only as far as a countermeasure to possible attacks. You can't possibly account for every attack vector when you're trying to get a product out the door, so to claim one product as more secure than another is difficult, especially since the situation with IE is complicated due to its being integrated with the OS.

Of course, Microsoft had its reasons for this, both good and unfair, and it has produced some unfortunate results (death to Netscape, security holes, etc.) However, it gave all Windows users (meaning most computer users) a web browser out of the box and it gave developers a stable HTML platform to build from. So when a security issue with IE arises, according to Microsoft, which I think is completely understandable, they must rigorously test each patch they make for their products before releasing them to ensure compatibility (the patch may not install correctly, but that's another story...). Imagine the nightmare of installing a security patch (arguably every month) and a developer finds that his web application is now broken (*again*) due to new functionality implemented in the patch. The developer would probably find a different platform to build from, but Microsoft is too good of a business to allow them to do that.

As much as many would like it to be, security simply isn't a black/white issue. Just the same, the Microsoft vs. open-source argument isn't a black/white issue. It's the battle of making software a business vs. making software that most people tend to forget when griping about some shortcoming of one side or another.

I would like to point out here that though XP SP2 may not represent the best all-encompassing security update, it is still a big step in the right direction for users and represents the risks Microsoft is willing to take to make people "happier" with their products' security.

Why do peaple keep on assuming that the only platform that matters is Windows? I am using Camino on Mac OS X and I also used Firefox before on the same platform and most of the issues with insecurity don't apply to platforms other than Windows. Why isn't there more time devoted to checking for security and stability on other platforms where developing a secure browser is at least possible.

> But Firefox is definitely a "browser you can
> trust" because all the source code is open and
> it is designed to be secure from the bottom
> and they don't hide information about the bugs."

Openness: Yes, advantage.

"it is designed to be secure": Wrong (IMO). Ben Goodger appearantly has no concern of security, otherwise he would e.g. treat downloaded EXEs very differently.

"they don't hide information about the bugs": Factually wrong. Security bugs are hidden (I tried to prevent it, but failed).

> Most holes are not found by looking at code

Actually a number of serious, recent security bugs have been found by third-party people inspecting the source.

> Netscape used to do security reviews
> (even inviting non-Netscapers),
> perhaps we need to get something
> like this going again.

We already have it. The Bug Bounty is meant to do that. (I don't know, if Netscape did anything else apart from its Bug Bounty to "invite non-Netscapers".)

> http://secunia.com/product/11/
> http://secunia.com/product/3256/
> I'll let for you to decide, what is more secure.

Apart from the fact that you shouldn't give anythign about statistics like these, because they don't consider the severity properly (I don't care about the tab/alert "exploit" they "found", but I do care a lot about arbitary code execution), 2 bugs/month as noted would actually be awfully bad for Firefox.

> Mozilla is probably more secure and possibly
> designed to be more secure,
> but there is no proof.

You can provide good evidence for that, by showing that the exploits that MSIE has cannot happen in Mozilla, because it made more secure decisions early on and/or has safety nets. I mean not just "it happens to make this check in this case", but it's been made sure in the design that this whole *class* of bugs cannot occur. Of course, Mozilla must not add classes of bugs on its own (chrome comes to mind).

Or the other way around, you can show that the MSIE bug was unnecessary, because they could have easily prevented that by certain software or organizational measures, and Mozilla has them in place.

I think that Mozilla is coded much more security-conciously than MSIE. (Firefox frontend is not.) It could do better (and I try to in my browsers). There may be organizational measures that could further improve security, e.g. if a bug is found, check carefully that there isn't a similar one elsewhere in the code, but it's a resource problem.

An interesting read, this thread! Whilst I am not anything more than a casual computer user, I am interested in my PCs security and general wellbeing. I prefer Firefox for the same reasons as have been listed above - the tabbed browsing, the small system load, the fact that if it crashes, the whole of Windows doesn't crash etc.

I'm also pleased to note the honesty and openness of the contributors to the code - Security holes kept secret, for example - You don't see MS crowing about any lacklustre programming, they just get on, fix it and release the update patch quietly (albeit eventually!).

As a "common-or-garden user" of PCs, I'm aware that the internet is unsafe - and any browser that you use to view it is potentially unsafe as well. There is the slightly Luddite-ish view that the best firewall invented yet is a couple of inches of air between the plug and the socket; the most secure use of your credit card is to go there in person (and it's probably better to use cash anyway!!!!); etc.. However, this is increasingly unworkable as a solution - as are claims of various software makers (antivirus and firewall developers as much as internet browser developers) that their solution is "the most secure". I'm sure this doesn't need to be pointed out here, but they're only secure FOR NOW, and that seems to me to be generally a week or two, until someone finds a new hole to get in.

In an ideal world our sensitive data would be behind bars (whether real or virtual) whilst we wandered around on the net. However, until the general public are educated effectively about secure practice (decent passwords - instead of D.O.B. - would be a good starter!), keeping their data safe, etc. AND the software/hardware manufacturers make it easier to maintain secure practice (after all, we're all lazy!) we'll continue to see security issues being wailed about... it's up to you to lock your house & car before you leave it - otherwise you might as well leave a sign in the window saying "come and take my stuff - I don't really need it anyway!".

I've possibly gone off this forum's subject area... I apologise, but I hope that Firefox continues to grow and mature because I find it to be the most 'confortable' browser!!!

By Doron:
> As for how to make Mozilla more secure - Netscape used to do security reviews (even inviting non-Netscapers), perhaps we need to get something like this going again.

Yes, please! Please! Please! It is such an important thing to do, and, it is necessary for success. Even though it is being overhyped, something as simple as this (which would have been so easy to catch if anyone had thought to test this way) is I think a big set back for encouraging adoption of Mozilla/Firefox, not to mention being a serious problem from an engineering standpoint. It will take more resources, but as they taught me in scientific computing, if the code doesn't work, it doesn't matter how well it performs.

By the way, some of the responses here by the devs have been great. At least you guys aren't trying to hide the problem. I hope you can institute some change. It would also be great if the general public heard comments like this more often, so that they (and I have to plead guilty too) don't develop misperceptions about the security of Mozilla. I don't know how you would accomplish that, but it would be good. Not as good as just fixing the problem, but still :)

I almost read All of the posts but was too tired to. So I'll say my 2 cents worth. Just before I downloaded F.F. I read on its Homepage that they said that FireFox Is Secure and then I go into the Tools > Options and then Advanced and then it says SSL etc and TLS - now that to me when I downloaded Opera(I tried it before FF) was to me a Secure brower when I surfed the Net. But I had a rude awakening!!! I discovered it was NOT secure and all the checking of the boxes was USELESS because I was surfing the Net UnProtected!!! So WHY put all those SSL and TSL's under Advanced when It Doesn't mean ANYTHING and then when the person checks them, they get a Very False Sense of security??
When I downloaded FF I thought it was Secure about Surfing and then I discovered it Wasn't(just like Opera) and that I had to go get my own proxy to put in the browser. HTTPS proxies are Difficult to obtain!!
Now if you concentrated on just getting our surfing secure with Good Encryption, then it would be Very Secure except those bugs you still have to work on, for vulnerabilities!! But at least the other web sites we surf to wouldn't know our IP and other Personal info and then we could Really set the cookies, etc. to be Safe too! If I knew How to do it; I would set it all up myself.
So in conclusion, we need the Url encrypted on its journey!!

Pardon me for jumping in late to this thread.

I can't speak to the issue of Mozilla's security, but here is a summary of some criticisms of Microsoft's security position. To it's credit, I believe that Microsoft really is taking security more seriously than it had in the past, but these are still issues:

1. IE is in bed with the OS.

As pointed out by others, IE runs in superuser mode - inherently less safe.

2. Microsoft has traditionally emphasized ease of use over security.

A great many of the security holes in Windows software have emanated from a mentality in which a user, more often than not one with little understanding of computer security issues, clicks something to run a program. The worst case to my mind has been clicking on an email attachment, but there have been many similar problems with IE, ranging from Activex controls to "browser helper" applications which, if malicious, can do untold harm, and can be installed virtually invisibly into the system.

3. Lack of support for older OS versions.

Many people still run Windows 95, 98 or even older OS versions. MS is abandoning these users by writing software that is not fully backward compatible. To a user who can't afford to upgrade his computer to one capable of running XP, fixing security holes can be an insurmountable problem. This harks back to point 1. If IE is part of the OS, it becomes very difficult to back port it to a really different OS.

4. Closed source.

In the short run, closed source confers security benefits because it hides some holes. But in the long run it is less secure.

In my view, the real reason that closed source is less secure is that it enables bad programming practices to be hidden from view. A programmer working on an open source project knows that his dirty laundry will be visible to some very expert people - people whom he respects and who he would like to respect him. He is more likely to clean his underwear (if I can extend the dirty laundry metaphor) and keep it clean.

The closed source programmer has a different environment to work in. Pressured by commercial concerns to get his code out the door, and knowing that quick and dirty solutions aren't always reviewed by management and are never reviewed by his peers around the world, he may be much more tempted to take the low road.

I don't mean to imply that Microsoft programmers are unprofessional in their attitude to code quality, or that MS management is unconcerned with code quality, but the checks and balances of visible, open source aren't there. It's a different programming world.

From much time working in technical support, I think I might understand what Cindy is saying.

Cindy, security has to work both ways. Selecting those checkboxes means you are allowing Firefox to encrypt your connection with them. That is all they mean. For a completely encrypted connection between servers, the owner of the website must enable security.

If the address bar turns a yellow color, that means you are on a secure page. Mozilla, nor any other group, can force encryption.

Think of it like this -- encryption is a foreign language. You can scream in German to an English speaker all day long, and they just won't get it. Both have to speak German for a conversation to work. This is my half-baked web security analogy. Firefox is always ready to speak German -- it is always ready to be secure. But if the other end of the connection is not ready, then nothing will happen.

Also, just because a connection is encrpyted doesn't mean it is secure. Security also means that the person you are talking to is who you really think they are. This is called phishing, where (for example) a fake eBay page is created that asks you for your username and password. All the encryption in the world doesn't make it truly secure.

>We already have it. The Bug Bounty is meant to do >that. (I don't know, if Netscape did anything else >apart from its Bug Bounty to "invite >non-Netscapers".)

No. We had security reviews of code and invitied relevant outside contributors over the phone to participate in them.

>>Actually a number of serious, recent security >>bugs have been found by third-party people >>inspecting the source.

Any examples? All the ones I have seen reported where found without looking at the source code.