Are you safer with Firefox?

D

dkg_ctc

elaich said:
Of course, you expect us not to know that msmvps stands for
"Microsoft MVPs."

What a site to trust for an unbiased opinion, right?

Yeah...I mean, how much more biased can you be than this:

"# Verify that you are installing a browser that is created for your
system.
# Try the browser if you like its' features and functions. Not all
browser has the same features or functions.
# Visit the vendors' site to find out if the browser is being updated
frequently to solve the bugs or security issue.
# Visit the sites that you frequently visit to find out if the browser
that you are using will show the site properly"

My god, I can smell the overpowering, choking stench of bias already.
"Try the browser if you like its' features and functions"?! How much
more transparent can those no good Microsoft shills be?!

*yawn*
 
?

»Q«


"(Mozilla didn't actually fix this problem, which is less a bug in
the program than a problem with the whole approach to IDNs; instead
version 1.0.1 just disables IDN support by default.)"

The author should check facts. IDN support is not disabled in
1.0.1; IDNs are displayed in punycode in the location bar, so that
using unicode to spoof won't work.

"And there are security problems in version 1.0.1 already, even if
there are no advisories for them yet. For instance, on a multiuser
machine, such as a Linux system, if one user running as root starts
Firefox, and another non-root user starts Firefox, that non-root
user's instance of Firefox gains root privileges."

It's pretty silly to use this one in an article whose premise is
that Fx might not be as safe as IE. Privilege escalation is not a
good thing, but even newbies know not to run GUI browsers as root,
and admins of multiuser systems aren't newbies.

"anti-spyware companies Webroot and Sunbelt Software have
said that they expect Firefox-specific spyware to start showing up
this year, and if the browser's market share continues to increase
it's easy to see why it would."

Ah, the dreaded and often-used "it's bound to get worse for Firefox"
argument, which ignores the fact that mozilla.org developers have
had security in mind since they started work in 1998, unlike the
folks who built the IE codebase. I guess we'll see if Fx turns out
to be full of holes, but at this point, claiming that it probably
will amounts to spreading FUD.

Here is another site that pretty much sums up my attitude to web
browsers:

http://msmvps.com/donna/articles/19946.aspx

Heh. Looks like Microsoft's decision to move the MVP program from its
development wing into its marketing wing is paying off.

Another of her recent "security flashes" ran with the headline
"Prediction of "Experts" coming true. Spyware for Firefox!", and she
didn't bother noting that the user would have to willingly and
actively download and install the stuff.
 
?

»Q«

"# Verify that you are installing a browser that is created for
your system.
# Try the browser if you like its' features and functions. Not
all browser has the same features or functions.
# Visit the vendors' site to find out if the browser is being
updated frequently to solve the bugs or security issue.
# Visit the sites that you frequently visit to find out if the
browser that you are using will show the site properly"

My god, I can smell the overpowering, choking stench of bias
already. "Try the browser if you like its' features and
functions"?! How much more transparent can those no good
Microsoft shills be?!

It does smell pretty bad. It's the simplistic "Most browsers or
software in general has its' own security hole" that's the kicker.
Sure, as far as security goes, browsers are all pretty much the
same.

Yeah, I also doubt many people will be taken in.
 
E

elaich

Ah, the dreaded and often-used "it's bound to get worse for Firefox"
argument, which ignores the fact that mozilla.org developers have
had security in mind since they started work in 1998, unlike the
folks who built the IE codebase. I guess we'll see if Fx turns out
to be full of holes, but at this point, claiming that it probably
will amounts to spreading FUD.

The big difference between Firefox and IE? Yes, exploits will be discovered
in Firefox - and they will be fixed almost immediately. Let's see the IE
shills claim that.

The OP was obviously trolling, making a sort of "uneducated" statement like
"is Firefox REALLY safer? Then look at this...." It only took a few of us
to look at "that" to punch it full of holes.

Firefox is gaining popularity by leaps and bounds, and it will only get
better. It's a work in progress, and most of the work is done by
volunteers. Does that scare Microsoft? You better believe it scares them.
It's all too much like that other annoying little gnat that won't go away
and can't be bought out - Linux.
 
M

Mark Carter

elaich said:
Firefox is gaining popularity by leaps and bounds, and it will only get
better.

Looking at the web logs for my site, I see that MSIE 6 is generating 42%
of my hits, whilst Mozilla/5 is generating 34%. I have noticed an
increasing use of Firefox/Mozilla - although I undoubtedly garner a
disproportionately higher mix of Firefox hits than most sites.

So maybe one day, soon, I will see that Mozilla is the most popular web
browser; for my site at least.
 
S

SkeeBall

"(Mozilla didn't actually fix this problem, which is less a bug in the
program than a problem with the whole approach to IDNs; instead version
1.0.1 just disables IDN support by default.)"

The author should check facts. IDN support is not disabled in 1.0.1;
IDNs are displayed in punycode in the location bar, so that using
unicode to spoof won't work.

"And there are security problems in version 1.0.1 already, even if there
are no advisories for them yet. For instance, on a multiuser machine,
such as a Linux system, if one user running as root starts Firefox, and
another non-root user starts Firefox, that non-root user's instance of
Firefox gains root privileges."

It's pretty silly to use this one in an article whose premise is that Fx
might not be as safe as IE. Privilege escalation is not a good thing,
but even newbies know not to run GUI browsers as root, and admins of
multiuser systems aren't newbies.

I'm curious about this one - does this mean if the root user and the
normal user are logged on at the same time using FF? Or, do they mean if
FF is run as root and then the root user logs out and a normal user logs
in their instance of FF will have root privs? I'm just curious, I don't
see any reason to run FF as root anyway but want to be clear on what
exactly they're trying to say.

"anti-spyware companies Webroot and Sunbelt Software have said that they
expect Firefox-specific spyware to start showing up this year, and if
the browser's market share continues to increase it's easy to see why it
would."

Ah, the dreaded and often-used "it's bound to get worse for Firefox"
argument, which ignores the fact that mozilla.org developers have had
security in mind since they started work in 1998, unlike the folks who
built the IE codebase. I guess we'll see if Fx turns out to be full of
holes, but at this point, claiming that it probably will amounts to
spreading FUD.

Similar to the cop out that Linux/*BSD has fewer viruses because it's not
as widely targeted. There may be a small amount of truth to this but with
as many eyes as there are looking at the code and trying to find security
issues there tend to be far fewer gaping holes IMO.
 
P

prixat

»Q« said:
and she didn't bother noting that the user would have to willingly and
actively download and install the stuff.

That's so true, but I was going to say there's no way to stop some people
pushing the OK button!
They genuinely think it's the same as the close button.

I've seen them drill down into some obscure settings in XP to check a value
then go all the way back up clicking OK each time, instead of cancel. What
can you do about it?
-pk-
 
?

»Q«

I'm curious about this one - does this mean if the root user and
the normal user are logged on at the same time using FF? Or, do
they mean if FF is run as root and then the root user logs out and
a normal user logs in their instance of FF will have root privs?
I'm just curious, I don't see any reason to run FF as root anyway
but want to be clear on what exactly they're trying to say.

Other users' instances of Firefox only get root privileges if root is
running Firefox at the time those users start their Firefoxes. Once
the root Firefox process is terminated, the danger goes away, at least
for subsequent starts of Firefox.
 
?

»Q«

Safer? Yes. But not immune.

Sure. But the point of the articles cited was, essentially: Since
nothing is immune, users should not consider any browser safer than
any other. Particularly, the MSMVP went out of her way to make a
point of excluding security concerns from criteria a user should
consider when choosing a browser.
 
F

Fuzzy Logic

elaich said:
The big difference between Firefox and IE? Yes, exploits will be
discovered in Firefox - and they will be fixed almost immediately. Let's
see the IE shills claim that.

The OP was obviously trolling, making a sort of "uneducated" statement
like "is Firefox REALLY safer? Then look at this...." It only took a few
of us to look at "that" to punch it full of holes.

Firefox is gaining popularity by leaps and bounds, and it will only get
better. It's a work in progress, and most of the work is done by
volunteers. Does that scare Microsoft? You better believe it scares
them. It's all too much like that other annoying little gnat that won't
go away and can't be bought out - Linux.

As the original poster I can honestly say that I was NOT trolling. I am sick
and tired of people claiming software A is more secure than software B. I
could care less what browser or OS you use. What ticks me off is the holier
than thou people who think their choice is somehow 'more secure' than
someone else's and proceed to flame them because they made a choice
different than theirs. The fact is that there are vulnerabilities in every
browser and OS and you can do everything in your power to make it secure and
still get hooped because of a new vulnerability. Neither of the articles I
posted said one browser was better/more secure than the other.

Feel free to review them:

http://msmvps.com/donna/articles/19946.aspx
http://www.pcmag.com/article2/0,1759,1775806,00.asp

At this very moment one browser MAY be 'more secure' than another but in a
blink of an eye a new vulnerability will be discovered and the tables
turned. Security is a process not a piece of software or hardware. It's more
important to concentrate on the process than to rely on the software to
protect you. I thought the first link documented the process for picking and
securing a browser fairly well.

Having said all that my experience has been that the biggest risk is not the
software but the people using it. You can lock down your OS and browser and
just let someone use it who starts visiting warez or porn sites or
downloading and installing software or saying yes to dialog boxes they don't
understand and you can kiss your 'secure' system goodbye.

PS something to ponder....how do you determine 'more secure'? Is it the
number and type of vulnerabilities, the likelihood of them occurring, the
potential for damage, etc.
 
?

»Q«

I am sick and tired of people claiming software A is more secure
than software B.

Maybe software B is improving in the security dept to the point
where you'll stop seeing those claims. The biggest hurdle for software
B's seller is that, unlike software A, it has a track record considered
extremely bad by quite a number of people. I reckon the seller has a
marketing department capable of changing the perception; we'll see.

What ticks me off is the holier than thou people who think their
choice is somehow 'more secure' than someone else's and proceed
to flame them because they made a choice different than theirs.

I don't see much flaming of people based on their choice of browser,
but I guess mileage varies.

PS something to ponder....how do you determine 'more secure'? Is
it the number and type of vulnerabilities, the likelihood of them
occurring, the potential for damage, etc.

Yeah.
 
S

SkeeBall

< --snip--

Other users' instances of Firefox only get root privileges if root is
running Firefox at the time those users start their Firefoxes. Once the
root Firefox process is terminated, the danger goes away, at least for
subsequent starts of Firefox.

That makes sense. What kind of a dipstick would be logged on as root in
multiuser mode and using FF?! Rhetorical, no answers needed. It's like
calling 'rm -rf /' as root a Linux/UNIX/*BSD 'security risk'.
 
E

elaich

As the original poster I can honestly say that I was NOT trolling.

Then you have my sincere apology. It DOES happen. For instance, a few weeks
ago, a CNET reporter wrote a scathing article against Firefox, claiming
that with the coming advent of IE 7, "this little gnat will soon be
squashed" and IE will once more be on top. Then, people would make posts
similar to yours in the groups, the express purpose being to advertise the
article, get people to read it, and create a furor. Here's my question:

Why does a reporter for CNET write such a provocative article? What was the
purpose? Why is this person so threatened by a freeware browser that they
have to use CNET to spew their vitriol, unless they are on the Microsoft
payroll?

They conveniently forgot to mention that, like IE 6 SP2, IE 7 will only be
available to users of WinXP SP2.

So here's the very issue that myself and many other users of other browsers
see, and detest about Microsoft - once again, a badly needed update of
Internet Explorer seems to be mainly about trying to force people to
upgrade their OS, rather than about user security.

I am sick and tired of people claiming software A is more secure than
software B. I could care less what browser or OS you use. What ticks
me off is the holier than thou people who think their choice is
somehow 'more secure' than someone else's and proceed to flame them
because they made a choice different than theirs.


Nobody should be flamed because they don't use one product over another.
They should be encouraged to try an alternative. However, consider this:

The entire Internet slowed to a crawl a few years ago. Why? A massive
attack by an email worm, which infected tens of thousands of machines in a
matter of hours. How was the worm propagated? Users of Outlook Express,
primarily, a notoriously insecure Microsoft product that most people use
because they don't know any better. The worm propagated because of
Microsoft's typical lax attitude towards user security - the client
actually previewed image attachments in the message without the user's say
so or knowledge. They didn't even have to open the email or the attachment
to become infected.

Things like this cause people to become angry at Microsoft and also a
certain amount of anger against the clueless people who won't even take the
trouble to read an article that would have told them how to turn off the
preview feature and protect themselves. Because of such people, the entire
worldwide web took a major hit.

Have you ever gone to any of the XP newsgroups and seen the high handed
behavior of the smug SOBs there who think XP is the best OS on the face of
the planet? Then you really would see people being flamed for choosing a
different option.

PS something to ponder....how do you determine 'more secure'? Is it
the number and type of vulnerabilities, the likelihood of them
occurring, the potential for damage, etc.

The potential for damage. There's an IE vulnerability now in which malware
will be installed even if the user pushes the "no" button in the dialog
box. This vulnerability does not exist in Gecko based browsers, because
they do not use ActiveX or Java by default. If someone installs these
features, then he has brought any such exploit upon himself.

I wasn't that concerned about the IDN spoofing issue in Firefox, because it
isn't anything that I would ever run into. BTW, within 12 hours of the
exploit being published, a way to prevent it by using an expression
in Adblock was published. This is what I meant about an active community
and a work in progress.

A lot of the published vulnerabilities in all the browsers are something
that the casual user would never encounter. What gets my attention are
links that look like www.paypal.com but are really www.pa?pal.com, and
dialog boxes that install software even if I say "no." That's real life
stuff that could affect me personally.
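
Added example, not part of the thread and not Firefox's code: the defence discussed above (showing IDNs in punycode in the location bar so a Unicode look-alike cannot pass for the real name), sketched with Python's standard `idna` codec. The function names, the constructed sample hostname containing a Cyrillic "а", and the script check based on Unicode character names are assumptions made for illustration.

```python
import unicodedata

def scripts_in(label):
    """Approximate a label's scripts from Unicode character names (heuristic)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}

def display_form(hostname):
    """Return (hostname as a location bar could show it, list of warnings)."""
    shown, warnings = [], []
    for label in hostname.lower().rstrip(".").split("."):
        if label.isascii():
            shown.append(label)          # plain ASCII labels are shown as-is
            continue
        try:
            # ToASCII: the non-ASCII label becomes its "xn--" punycode form
            ace = label.encode("idna").decode("ascii")
        except UnicodeError:
            shown.append(ascii(label))
            warnings.append(f"{ascii(label)}: not a valid IDN label")
            continue
        shown.append(ace)
        scripts = sorted(scripts_in(label))
        if len(scripts) > 1:
            kind = "mixes scripts " + "+".join(scripts)
        else:
            kind = "non-ASCII label"
        warnings.append(f"{ace}: {kind}")
    return ".".join(shown), warnings

# Constructed sample: the second letter is U+0430 CYRILLIC SMALL LETTER A
SPOOF = "www.p\u0430ypal.com"

if __name__ == "__main__":
    for host in ("www.paypal.com", SPOOF, "b\u00fccher.de"):
        print(display_form(host))
```
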
 
