Firefox not more secure?
Moz Developer Doron Rosenberg makes an interesting statement.
"How can you say it's built with more security in mind? There is no proof, and we've had holes in pretty much every component."
-Posted by: Doron at October 19, 2004 09:18 AM
A very, VERY interesting thread with comments from some of the Moz developers stepping in to "dispel" some of the security myths.
This suggests IE6 is more secure as it's less easy to crash using bad markup!
The difference is that moz holes are fixed in 24 hours. Many IE holes go 24 months.
The biggest difference I can see is something I do not believe is reparable in IE, ActiveX simply has far too much access to the OS, almost all the major security fixes of the last year have been dealing with that issue, the last security patch broke an older patch, exposing Active X once again.
What this means is that the IE engine, the IE direct connection to the OS, is a ball of spaghetti code, in about as bad shape as Windows 9x before MS finally had to dump the whole tangled mess. The IE kernel is still largely based on the IE 4 kernel as far as I know, this stuff can't and won't be resolved until MS does a full browser engine rewrite, and even then it's going to be suspect since MS simply cannot seem to grasp that integrating components on a deep level exposes that deep level to attack.
Thinking any piece of software is 'secure' is fooling yourself, the moz guy is right to point this out, but standalone applications that don't use active x or any similar technology have a built in limiting mechanism for such insecurities. So it's good to point out that you are not suddenly entering into a secure kingdom when you use firefox, it's just that the amount of damage that can be done can be expected to be much less.
I've spent the last month working in a big organization part time doing networking, most of my time is spent on the following:
-installing Windows/Office service packs manually because the autoupdate engine doesn't work correctly without admin privileges, SMS server coming but not here yet.
-removing active x installed trojans, malware, and viruses. Cleaning out some of the better pieces of malware and trojans takes me up to 3-6 hours per box. Firefox would have eliminated at least 95% of the malware installed. Text only Email would have eliminated probably 95+% of viruses and trojans.
So far Firefox is more secure simply because it's too small of a fish to target - that's right, ignoring all code argument for a moment, let's just face statistical evidence - fewer people use Firefox and it's just plain easier to target IE. It's safety in numbers - just reversed.
"So far Firefox is more secure simply because it's too small of a fish to target"
That may be true today, and it may be true tomorrow.
(Though it may not be -- compare the safety record of market-leader Apache with that of runner-up IIS).
But if the day comes when it is no longer true, Firefox will still be more secure where it matters.
As stated in previous messages in this thread, Firefox problems are fixed usually in one day -- that's at least 30 times faster than a typical MS fix.
And if someone does break into Firefox, there is no access to the important internal components of Windows.
It's like, if you can break Firefox, you get into the lobby of a building with zero further access possible. Break IE though, and you get into a fully operating express elevator to all floors, and a master key to all doors.
The point is that people often seem to target Microsoft because they may have a grudge against them. I'm sure hackers delight in trying to take them down. Whereas Firefox is "kewl" and open source. Of course it is still a target for hackers, but probably those just seeing how far they can get.
The most serious recent IE / IIS exploits were not script kiddies playing, they were run by the Russian Mafia, and exploited active x holes in order to install backdoors that installed keystroke loggers to retrieve and collect user passwords. This would not have been possible on firefox, since firefox doesn't support active x.
It's the same pattern emerging, the latest viruses are being created in tandem with spamming networks, these depend on Outlook/outlook express vulnerabilities to install themselves, outlook products of course using the IE rendering engine, with its holes.
Then those spammers are using botnets created by similar methods to use as smtp servers, almost all these exploits depend on the structural weaknesses and insecurities of windows and IE to propagate themselves. If those weaknesses were not there, there would be nothing to exploit, but they are.
There's money in this game now too, hackers have to make a living too, just like the rest of us ;-)
Even if Firefox had the same market share as IE has now, it would still be more secure. IE's biggest downfall is due to its integration with the operating system. Crash Firefox, and you just restart the program. Crash IE and the whole operating system goes down with it. IE's integration makes fixing things much more difficult due to the interdependencies.
The recent story about a script which can regularly produce markup which can crash every browser other than IE is interesting but not a case for favoring IE (which can crash on valid HTML). That's not to say that Mozilla/Firefox, Opera or Safari/Konqueror are invulnerable or that such problems shouldn't be dealt with, just that the research (done by a researcher who has consistently favored Microsoft products in all his work, and who recommends IIS as being more secure than Apache) is incomplete, marginal and one-sided.
Alternative browsers have to take seriously any crash or buffer-overrun situation, and they will have to raise their game to build even higher-quality code. Also, if you think that running an alternative browser or even an alternative OS (Linux, MacOSX) will make you somehow immune to viruses, hackers and the like, then you're seriously mistaken.
However, it has been shown month after month, vulnerability after vulnerability, that IE is plagued by security problems, and that alternative browsers, even though less than perfect, are a better choice.
There also might be a few more issues involved with the moz developers being more open about security flaws.
First: They don't want to take a "buried head in sand" approach. MS has a bad rep for ignoring security issues, even well publicised ones, until they absolutely have no choice but to deal with it. Some vulnerabilities in IE have been known and discussed for over a year before MS got around to patching. Moz can't afford to take that sort of complacent approach. They're the little guy, and could be crushed quickly if they're seen as complacent.
Second: It's an old truism that the surest way to get hacked is to claim loudly and publicly that you're unhackable. Putting a damper on such claims, from the development team itself, might help mitigate the "attraction" to try and hack FF and other Moz products.
Third: Good marketing. Relying on the "FF is more secure..." line as your main marketing point has its limits (if you've never been hit by a serious security problem in IE, then why would you care?) and creates a vulnerability in that when a security flaw IS exposed, there goes your whole marketing campaign and image like a collapsing house of cards. I think the developers are (justly) proud of FF as a simply better, more agile browser, with better features and usability. In the long run, this will most likely win over more converts than security alone.
Sometimes it's good to take a closer look, especially when popular myths start getting repeated as if they were fact [from theregister.com today [theregister.co.uk], worth quoting at length]:
Myth: There's Safety In Small Numbers
Perhaps the most oft-repeated myth regarding Windows vs. Linux security is the claim that Windows has more incidents of viruses, worms, Trojans and other problems because malicious hackers tend to confine their activities to breaking into the software with the largest installed base.....
This reasoning backfires when one considers that Apache is by far the most popular web server software on the Internet. According to the September 2004 Netcraft web site survey, 68% of web sites run the Apache web server. Only 21% of web sites run Microsoft IIS. If security problems boil down to the simple fact that malicious hackers target the largest installed base, it follows that we should see more worms, viruses, and other malware targeting Apache and the underlying operating systems for Apache than for Windows and IIS. Furthermore, we should see more successful attacks against Apache than against IIS, since the implication of the myth is that the problem is one of numbers, not vulnerabilities.....
Perhaps this is why, according to Netcraft, 47 of the top 50 web sites with the longest running uptime (times between reboots) run Apache. None of the top 50 web sites runs Windows or Microsoft IIS. So if it is true that malicious hackers attack the most numerous software platforms, that raises the question as to why hackers are so successful at breaking into the most popular desktop software and operating system, infect 300,000 IIS servers, but are unable to do similar damage to the most popular web server and its operating systems...
and so on. Myths are fun, but not as fun as facts. This is why I only use Apache running on FreeBSD for all my websites [except one legacy one, on Windows IIS, that is the source of ALL my current webhosting problems], that helps me dump that whole set of problems and deal with more interesting ones.
If you install a decent Linux distro you will soon realize that installing stuff on that is simply much harder, and requires more conscious action, than on a standard windows box. Not immune, just harder.
Isn't this just a form of security through obscurity - in this case - low market share?
Let's be blunt. All a web browser really has to do is display information from the server, perform scripting instructions and send data back.
If you limit the access of the script engine, it is entirely possible to create a browser that is 100% secure.
I don't know how secure Firefox is, but the architecture is fundamentally more secure than IE.
<<<< isn't this just a form of security through obscurity
If the first link I posted is too technical, here's a synopsis of the above article [theregister.com]
Generally, the argument 'security through obscurity' is applied to closed, proprietary software and os's, not open source OS's and apps. You also have to look at how these systems actually work. The first link I posted to will give you a decent idea of that.
IE is fundamentally linked to the OS, at a deep level. This is the problem. It's not how much market share it has, or doesn't have. It's a structural design problem. It's unlikely MS will ever abandon its current roadmap, so your current best option is to abandon MS as far as practical, Linux is still pretty focused on power users, which is a good thing I think, there's still a pretty significant learning curve.
So what you're saying, isitreal, is that it's a good thing that *nix has a steep lc, which should (one hopes and assumes) keep idiots out of the mix?
Hard to say, it's hard to go back in time and remember just how much work I put into learning windows, it was a lot, so a lot of it seems pretty basic to me, but not to my non tech friends who call me for help, and it didn't seem basic when I was learning it. But all you learn when you learn windows stuff is how to click a button or open a menu, it's dead end knowledge, it gets you nowhere. The only reason I know basic stuff like disk partitioning is because I was curious, if I'd stuck to windows defaults I'd know nothing about how a pc works at all, or how the web works, really the only thing I'd know anything about would be windows.
When you see unix type os'es in the hands of expert users, it's pretty wild, it's a different thing altogether, built around servers, power users, network admins, it's got a lot of very impressive tools, mostly command line when used right. And now it has some reasonably user friendly apps to go on top of it, but it's not windows by any means, you're never more than a step away from the command line.
I've been using Linux more, there's a lot of rough edges on the gui stuff, less the closer you get to the command line, that part works pretty well. KDE 3.3 is really good, looks way better to me than XP, not as homogenous, things that are easy on windows can be pretty hard on linux, but then again things that are pretty easy on linux can be pretty hard on windows, just depends I think what you want, windows is focusing too much on maximum 'user friendliness', you pay a price for that, it's security.
And the monolithic OS model, I don't like that, but it works really well for standard users who really just want a toaster type thing to send emails and surf and do some wordprocessing or make websites, whatever, windows is fine for that as long as you don't really care that you basically have no control and no say over your primary tool.
The apache model is more interesting, compare apache and IIS, apache is amazingly configurable and extensible, but it's also a lot harder to learn initially, that's where the power and flexibility come from, I've worked with IIS too, and it's a nightmare to secure, you have almost no control over it, that's why it's such a huge hacker target, same for IE, windows.
Small example: I just thought to myself, oh, it would be nice to get Links browser, opened my command line, typed in apt-get install links, a few seconds later there it is, another browser. Try that on windows.