How can you be sure other browsers do not have similar security problems?
Although IE is likely to attract more crackers, isn't it also likely to have more people trying to spot & fix security vulnerabilities?
Anyone out there have a convincing argument for moving to another browser?
Kim Komando's newsletter is now recommending people find an alternative in Opera or Firefox. She claims to have a lot of listeners to her show and subscribers to her newsletter.
It's a lot harder for people to study Internet Explorer, the source code for which is not available, than it is for them to study Mozilla or one of the other free software browsers. If most technical security people are going to report security problems to the browser's maintainer (rather than releasing malware), this will have a positive rather than a negative effect on security.
This logic doesn't hold for free software products which don't see widespread use, but I think it clearly works for products such as Apache, Mozilla, Linux, etc.
I switched to Firefox at work and at home, and other than very few sites, everything looks exactly the same in Firefox as it did in IE. I have tabbed browsing, and some of the plugins are great (especially the webdeveloper one!)
I had tried to switch to Opera, but for whatever reason, I just couldn't...I kept going back to IE.
Estimated browser security faults since 1997:
Opera -v7.5 : 12
Netscape -v4 : 40
Mozilla : 25
IE : 200 known, (some estimate that it is really over 1000 effective holes)
Let's be honest: IE has been Swiss cheese, while NN/Moz/Opera have been relatively secure.
IE takes weeks -- if not months to years -- to fix problems, while Team Mozilla and Opera Software often fix problems and release patches before they are even publicly reported.
|How can you be sure other browsers do not have similar security problems? |
They will as soon as they become mainstream. All of this focus on IE at the moment is only natural as they dominate more than 90% of the browser market share. If any of the other browsers had any respectable part of that market share, they too would be under the same attacks with probably the same number of security holes to deal with.
Does the fact that Mozilla Firefox, et al are open source make it easier to find security holes in them? And if that is true, wouldn't that lead to the conclusion that more of the possible holes in Mozilla Firefox have already been found and patched?
>>Let's be honest: IE has been Swiss cheese, while NN/Moz/Opera have been relatively secure.
Have to agree with page1. No need to really crack Opera right now. They are only secure until MS is knocked down. If you don't like IE go use another application. Don't think that it is more secure though because no one is hacking it.
[edited by: korkus2000 at 2:16 pm (utc) on July 12, 2004]
Brett, where did you get your data from? Might add a bit more weight to know the source.
Mozilla and Opera are currently under intense scrutiny by the bug-hunting community precisely because their use is increasing - Opera has gone through several security-related bug-fix versions recently (7.51 and 7.52 and several of the 7.1 and 7.2 series), and Mozilla was patched only this week.
However, IE's special status comes from its complexity and its integration with the operating system. That means that a bug in IE has consequences with the whole system - if you crash IE, you crash Windows (remember <input type crash>?). If you crack IE, you crack Windows too.
There are undoubtedly bugs still remaining in Opera and Mozilla, but due to their stand-alone and cross-platform nature the bugs are less serious and less damaging. The latest Mozilla bug is a case in point - platform-specific (Windows XP only) and easy to fix (changing parameters in Mozilla has no consequence on the underlying OS as the code is not used elsewhere).
It is right to say that security by obscurity is a bad idea, but Mozilla and Opera are inherently more secure by design.
I think the reason for IE being "slow" at recovering vulnerabilities and holes is simple: they have no reason to be dedicated.
Because if you look at Opera, it gets money with the people who want those ads to be removed -- so it indeed is a dedicated browser-only company and must have a team who work on discovering/fixing bugs, vulnerabilities, whatever.
If you look at Mozilla, being open source is an advantage for them -- they have their own community where they actually discuss in public, their own bugs and eventually someone comes with a fix for it.
1) It's not open-source
2) It's not shareware
So which indeed gives them a valid reason for not being "at-it" as fast as the others.
[edited by: sidyadav at 2:37 pm (utc) on July 12, 2004]
Okay, here is the scenario...
"A secret society of hackers has been commissioned to detect and exploit security holes in the IE browser. No one knows who these hackers are or what their agenda is."
"It has been rumored that a group of anti-MS personnel have been funding this secret society of hackers for the main purpose of bringing down the manufacturer of the browser."
Now, what happens when the "next browser" fills that slot? Maybe the MS team will bring together its own secret society of hackers and do the same thing that was done to them. It's only natural to do unto others as they have done unto you.
Nothing is secure. History has proven time and time again that anything can be compromised if enough talent and attention is given to it. As soon as one of those "other browsers" starts to gain public momentum, the security holes will surface. Mark my words! ;)
|They will as soon as they become mainstream. All of this focus on IE at the moment is only natural as they dominate more than 90% of the browser market share. If any of the other browsers had any respectable part of that market share, they too would be under the same attacks with probably the same number of security holes to deal with. |
Let's have a look. Mozilla's latest security flaw (which was more like a work-around for a MS Windows flaw) was fixed in what, 36 hours? Microsoft still haven't properly fixed IE's latest ActiveX problems.
Even if the rate of security holes were the same between Mozilla and IE, Mozilla have a far better record of fixing them promptly. That is what is important.
>but due to their stand-alone and cross-platform nature the bugs are less serious and less damaging.
I think this is a huge part of why people SHOULD change. While I don't like the idea of a hacker having control of my browser...I like that idea better than them having access to my whole PC.
I wonder if these escalating issues are making MS think about heavily integrating a browser into Longhorn.
|As soon as one of those "other browsers" starts to gain public momentum, the security holes will surface. |
Absolutely right - but they forcibly will be more limited and the fixes will come quicker. Microsoft has to test IE patches intensively on over 400 test installations, and even then they can't be sure things aren't going to break outside of IE because there is no separation of roles or code between the browser and the OS.
|MySQL: Six Times Less Bugs than Proprietary Code |
If you searched for something like: open source reasoning, you might find the paper on the study.
I think some of the people here might be on to something. I bet as soon as the open source Apache webserver gets any market share, people will realize that it is filled with holes just like the proprietary web servers.
So I guess that the "organized attack" on IIS was because it has the largest market share in web servers not because it is easier to hack.
But wait IIS doesn't have the biggest market share. Well maybe they targeted IIS because it was easier to hack into then. Oh, but that would mean they took the easy route, now that does NOT sound like a criminal to me. They would never try to get ahead the easy way.
>>But wait IIS doesn't have the biggest market share
It is not market share of IIS. People hate MS because of the client OS market share. Anything MS is going to be attacked because of MS's enemies. When another software gets enough enemies by being mainstream then you will see the attacks on their products.
> They will as soon as they become mainstream
This is where the nonsense flies. That's Microsoft water you are carrying.
If Mozilla or Opera had 95% of the browser market, I think we could go a thousand years, and never find more than a handful of errors.
When we talk Moz or Opera security problems, we are talking about a few coding or logical mistakes.
When we talk about IE's hundreds -- if not thousands -- of security problems, we are talking about fundamental design flaws, e.g. the product is defective and should be recalled.
People in this thread said that as soon as someone else had "any respectable part of that market share" they would soon be in the same situation as IE.
And also many people think this was "organized crime groups", and we all know that organized crime hates Microsoft...or likes money, one of the two.
>They will as soon as they become mainstream
It won't matter. With Moz or Opera, your whole system isn't exposed.
You can shut a company down for hours with IE. What's the worst damage one can do to you if you're using Moz or Opera?
|What's the worst damage one can do to you if you're using Moz or Opera? |
I'm far from being a security expert but, what would stop a hacker from utilizing exploits where they can gain control of your system through your browser?
>what would stop a hacker from utilizing exploits where they can gain control of your system through your browser?
That's the question, POR. How much control of the OS can one gain through Moz or Opera? If you can bring down an OS like one can with IE, then I agree, it's just an issue of time and market saturation. So how much damage can one do with Moz or Opera?
Brett I am not carrying propaganda. I have just worked for some really large companies in many fields and have seen how the smaller competitors thrive off the subset of users who are frustrated with a product.
Water is wet, the sky is blue, and a lot of people hate MS. I used to absolutely hate MS when I was an Apple-only person. What I had to realize was that just because I felt Macs were far superior to Windows, that didn't mean people were going to change. I ended up insulting the people I wanted to convert by acting like they were not as intelligent using Windows.
I agree that integrating IE with windows is not the best idea architecturally speaking, but I will not agree that MS is full of crappy programmers and only their products have problems. To agree with that is just anti-microsoft propaganda.
We all know that when a company, and I mean any company, that gets big starts to look more at the bottom line than their user base. If you are accusing MS of this, then I don't think anyone will disagree.
So let's go back to the original topic and quote:
Small businesses should be seriously looking at alternatives because they are less likely to be able to maintain very good security around the browser with vulnerability management.
I think this says it all. Many of the exploits for windows and IE get updates, just users don't update them.
I could care less what browser people use as long as it is not crazy with code from where we have been and present standards. Making blue = red or making a strong tag really mean italic. I also hope I don't have to pay for the darn thing.
Title should read:
2004: Internet Explorer's year of Extinction [webmasterworld.com]
Survival of the fittest implies that, but another popular thread
We forced the entire company to go to Firefox this month. They're not happy but we are.
The thing that hasn't been emphasized in this thread is that IE has major taproots right into the Windows operating system. That's the fatal design flaw, IMO. It was more of a marketing decision to do that than a well considered technical decision. IE Mac does not expose Macintosh users.
You don't get that OS integration problem with other browsers. So, yes, the "monoculture" argument (going after the biggest target) has "some" truth to it, but just a little bit.
Browsers that are not integrated into the Windows OS naturally expose many fewer opportunities for exploits.
If you designed a building the same way, you'd just have one huge front door that opened directly onto every single room in the building. Even if you put a great big shiny lock on the front door and locks on all the doors between the rooms, all someone would need to do to get into any particular room is get past the lock on the main door.
If, instead, you design your building so that the front door just goes into the lobby and all the doors off the lobby and between the rooms are locked, your intruder will still have a lot of work to do once he gets through the front door.
Ack! What if Mr Gates had gotten into the contracting business instead: "We think it would be good if you could access the toilet from every room in the house without even having to get up..."
lol. lost my beer on that one, bedlam.
|Does the fact that Mozilla Firefox, et al are open source make it easier to find security holes in them? And if that is true, wouldn't that lead to the conclusion that more of the possible holes in Mozilla Firefox have already been found and patched? |
While I have nothing definitive to add to the quoted post or to this thread, I DO have a statement (not that anyone needs to give a rat's ass....)
The one thing that's always bothered me about "open source" stuff is that you generally have NO CLUE who's providing "fixes", "extensions", "upgrades", etc. This is one of the reasons I gave up on *nix a few years back (aside from the fact that "user-friendly" was decidedly NOT EVER in its vocabulary!) - the salient fact that no matter which *nix platform you implement, eventually you will wind up with an "upgrade" which trashes everything you already have in place.... and when you address this fact with the provider of said upgrade, you will receive a polite (or not!) disclaimer that since all open source software is "use at own risk", they're very sorry you lost 100 mb of priceless information, but didn't you have backups?
Been there done exactly that. I DID have backups. But that's NOT THE POINT. The point is that in most cases MS has MORE COMPUNCTION as regards idiot users (myself included which is why I take leave to use that terminology!) than does anything "open source", nearly 100% of which is pointed toward and promulgated by programmers and their near kin.
I still say that open source OSs have some major potential.... BUT.... ONLY A PROGRAMMER COULD LOVE THEM at this point in time.
I have an EXTREMELY large correspondence on the web - approximately a thousand people worldwide on a weekly basis. Only ONE of those people uses a *nix platform - AND HE'S A PROGRAMMER! I LIKE the idea of "free to the people". But it's probably DECADES from reality.
So in the meantime, instead of everyone (naming no names, but we all know who you are, don't we?) trolling for nastiness in re MS etc, how about if we all try to figure out how to minimize the damage for the REAL world?