Are you safer with Firefox?

Aaron

I could care less what browser or OS you use. What ticks
me off is the holier than thou people who think their choice is
somehow 'more secure' than someone else's and proceed to flame them
because they made a choice different than theirs.

Fair enough. But the truth sometimes hurts. Internet Explorer is less
secure; that is a fact.

The fact is that
there are vulnerabilities in every browser and OS and you can do
everything in your power to make it secure and still get hooped
because of a new vulnerability.

This is exactly the type of fuzzy logic that needs to be corrected.
"There are vulnerabilities in every browser and OS" does not support the
conclusion that every browser and OS is equally secure.

Some exploits are far more serious than others; so-called remote
execution of arbitrary code exploits are far more serious than phishing
exploits for example.

What happens is that people harp on the rarer and less critical firefox
exploits to justify their logic that firefox is not safer.

PS something to ponder....how do you determine 'more secure'? Is it
the number and type of vulnerabilities, the likelihood of them
occurring, the potential for damage, etc.

This is a good question. And the answer to this is exactly why people are
sure that while firefox, Opera etc are not perfect they are more secure
than IE.

It is the "all browsers are equally unsecure/secure" camp that does not
care about the answer to this question, or wouldn't be able to answer this
question even if they wanted to.

People in this camp, love to link to any minor exploit without even
bothering to assess the severity of the bug.

Why bother figuring out if the exploit is easily exploitable and/or
causes serious damage? After all, all they want is to be able to state
that browser X has exploits too not just IE. :)
 
Glenn

Then you have my sincere apology. It DOES happen. For instance, a few
weeks ago, a CNET reporter wrote a scathing article against Firefox, claiming
that with the coming advent of IE 7, "this little gnat will soon be
squashed" and IE will once more be on top.

Your mention of IE 7 caught my eye. I have a bug in my IE 6 that when I ask
about it in the M$ forums, it goes unanswered because no one seems to know
the answer.

I have loaded Mozilla and have it setup fairly well to my liking but I can't
find ways of deleting some entries that are duplicated in "Local Folders" or
add and subtract from the toolbars so I am eagerly awaiting IE 7.

Are there forums for Mozilla where such questions can be asked and not
ignored? Thanks.

Glenn
 
Steven Burn

Aaron said:
Some exploits are far more serious than others; so-called remote
execution of arbitrary code exploits are far more serious than phishing
exploits for example.
</snip>

You're joking of course?..... I'd much rather have to replace a system than have to replace the £100K** that the phisher can get out of an account.......

** EXAMPLE!!!!

What happens is that people harp on the rarer and less critical firefox
exploits to justify their logic that firefox is not safer.
</snip>

Don't be silly......... FF is only more "secure" because of the fact that not as many maliciously minded persons are targeting it!!.... this _WILL_ change in time.

This is a good question. And the answer to this is exactly why people are
sure that while firefox, Opera etc are not perfect they are more secure
than IE.

It is the "all browsers are equally unsecure/secure" camp that does not
care about the answer to this question, or wouldn't be able to answer this
question even if they wanted to.
</snip>

Now come on, you're joking........ right?. I'm in this so-called "camp" of yours and can answer this quite easily..... (the answer being none of the options given but instead, the likelihood of the systems users allowing them to happen (you could have the "most secure browser" in the world, but the fact is, if a user screws up so much as once, this isn't gonna make a blind bit of difference........ regardless)).

People in this camp, love to link to any minor exploit without even
bothering to assess the severity of the bug.

Why bother figuring out if the exploit is easily exploitable and/or
causes serious damage? After all, all they want is to be able to state
that browser X has exploits too not just IE. :)

Yes, I do say that X has exploits, just as shocdw.dll (NOT IE .... IE is just a shell!!). The fact it is harder to do on X than it is on Y is neither here nor there....... it's the point that it COULD happen that concerns me!!!.

--
Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!
 
Steven Burn

Glenn said:
Your mention of IE 7 caught my eye. I have a bug in my IE 6 that when I ask
about it in the M$ forums, it goes unanswered because no one seems to know
the answer.

Which NG did you post it to?......

--
Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!
 
Glenn

One was Microsoft.public.windows.inetexplorer.ie6.browser. They seem to
think my problem can't exist or I'm a nut. Neither is true. I go back to
the old Tandy radio shack mod 1 so I may not have the answer but I do know
when there is a bug and not a virus.

Think I could live with Mozilla if I can get configured like I'm used to
in IE.

Glenn

Glenn said:
Your mention of IE 7 caught my eye. I have a bug in my IE 6 that when I ask
about it in the M$ forums, it goes unanswered because no one seems to know
the answer.

Which NG did you post it to?......

--
Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!
 
Aaron

</snip>

You're joking of course?..... I'd much rather have to replace a system
than have to replace the £100K** that the phisher can get out of an
account.......

** EXAMPLE!!!!

Remember, even if a browser is vulnerable to phishing, unless you are
fooled (and there are many ways to not be fooled eg typing urls directly,
not clicking on suspicious links etc), it can do no damage.

An exploit that allows a website to automatically execute code on your
computer can and will hit you with anything from keyloggers to rootkits,
which has exactly the same effect at the very least of losing *ONE*
password. But if your machine is "owned", everything is compromised not
just merely transaction with one site.

Don't be fooled, very nasty things can be installed on your computer via
such exploits, not merely adware type programs that advertise their
presence so that any fool knows that he needs to format.

More importantly, you have no chance at all against such exploits,
whether you are a hacker of the first class or a newbie unless you
already know about it.

Seriously, if you really think a phishing exploit is more serious than
one that allows automatic download and execution of code......
</snip>

Don't be silly......... FF is only more "secure" because of the fact
that not as many maliciously minded persons are targeting it!!....
this _WILL_ change in time.

This is a separate argument and not pertaining to the point I'm
discussing here.

In any case, your argument is a very handy one to have, because there is
no way to disprove it until firefox becomes more popular.

But I think if you have to resort to such arguments, I think you are
actually conceding the point that alternative browsers are safer Now.
</snip>

Now come on, you're joking........ right?.

Partly. My problem really with people attacking alternative browsers is
not that they lack technical knowledge, but rather the logic they use.

I'm in this so-called "camp"
of yours and can answer this quite easily..... (the answer being none
of the options given but instead, the likelihood of the systems users
allowing them to happen (you could have the "most secure browser" in
the world, but the fact is, if a user screws up so much as once, this
isn't gonna make a blind bit of difference........ regardless)).

Why do you like to bring up the "if the user screws up...." bit to
justify that all browsers are equally unsafe/safe?

I agree that in the hands of an unwise user, ALL browsers are unsafe. I
doubt anyone disagrees. But the question here is different.

In the hands of a reasonably competent user, are there still unsafe
browsers?

Yes, I do say that X has exploits, just as shocdw.dll (NOT IE .... IE
is just a shell!!). The fact it is harder to do on X than it is on Y
is neither here nor there....... it's the point that it COULD happen
that concerns me!!!.

The fact that it's harder and hence less likely to happen is "neither
here nor there" ??

You could step out of the house and a meteor could come down crashing on
you and kill you. Sure it's unlikely. But that could happen!!! Personally
I would be concerned about more likely threats :)
 
elaich

</snip>

Don't be silly......... FF is only more "secure" because of the fact
that not as many maliciously minded persons are targeting it!!....
this _WILL_ change in time.


Ahhh.... the old, shallow Microsoft argument that "our products get
exploited because so many crackers are busy trying to find the holes." If
you are really who you say you are in your sig, I'd expect better than this
of you.

Firefox IS more secure for various reasons:

1. No ActiveX by default.

2. No Java by default.

3. An active, involved community who is constantly working to make the
product better.

4. The entire approach toward development of Firefox is toward security.

Are you sure you aren't drawing a check from Microsoft? I can't imagine
another reason that anyone who doesn't have a vested interest would be so
threatened or respond in such an aggressive manner.

I'll tell you what.... if I'm looking for holes, I'll choose the Swiss
cheese every time. Microsoft products are exploited BECAUSE it's so easy to
do. Are you actually naive enough to believe that there are no crackers
trying to find exploits in Linux? They consider finding an exploit in Linux
a challenge and a badge of honor. The real hard core guys are trying to
crack Linux and Firefox. The Microsoft exploits all seem to be found by 14
year old script kiddies.
 
elaich

I have loaded Mozilla and have it setup fairly well to my liking but I
can't find ways of deleting some entries that are duplicated in "Local
Folders" or add and subtract from the toolbars so I am eagerly
awaiting IE 7.

I'm not sure I understand what behavior you are trying to duplicate in
Mozilla. First off, I'd recommend Firefox over Mozilla, because there are
many more extensions available for it.

Toolbars are eminently customizable in Mozilla/Firefox. There is a Firefox
extension (can't remember the name right now) that opens up a window and
allows you to choose any number of behaviors that can be accessed by a
button on the toolbar. Images on/off, Javascript on/off, etc.

Are there forums for Mozilla where such questions can be asked and not
ignored? Thanks.

Try here:

http://forums.mozillazine.org/viewforum.php?f=6

However, search the forum first to make sure it's not a question that's
asked every day. The people there are no different than anywhere else -
they'll ignore such questions.
 
Mel

Ahhh.... the old, shallow Microsoft argument that "our products get
exploited because so many crackers are busy trying to find the holes." If
you are really who you say you are in your sig, I'd expect better than this
of you.

Firefox IS more secure for various reasons:

1. No ActiveX by default.

2. No Java by default.

3. An active, involved community who is constantly working to make the
product better.

4. The entire approach toward development of Firefox is toward security.

Are you sure you aren't drawing a check from Microsoft? I can't imagine
another reason that anyone who doesn't have a vested interest would be so
threatened or respond in such an aggressive manner.

I'll tell you what.... if I'm looking for holes, I'll choose the Swiss
cheese every time. Microsoft products are exploited BECAUSE it's so easy to
do. Are you actually naive enough to believe that there are no crackers
trying to find exploits in Linux? They consider finding an exploit in Linux
a challenge and a badge of honor. The real hard core guys are trying to
crack Linux and Firefox. The Microsoft exploits all seem to be found by 14
year old script kiddies.

Whatever man can make - man can break...

Man invented the Safe - Safe Crackers evolved

Man invented Software - Software Crackers evolved
 
Fuzzy Logic

elaich said:
Then you have my sincere apology. It DOES happen. For instance, a few
weeks ago, a CNET reporter wrote a scathing article against Firefox,
claiming that with the coming advent of IE 7, "this little gnat will
soon be squashed" and IE will once more be on top. Then, people would
make posts similar to yours in the groups, the express purpose being to
advertise the article, get people to read it, and create a furor. Here's
my question:

Why does a reporter for CNET write such a provocative article? What was
the purpose? Why is this person so threatened by a freeware browser that
they have to use CNET to spew their vitriol, unless they are on the
Microsoft payroll?

People are entitled to their opinions. We don't have to agree with them. I
cannot answer why that article was written. If you have a beef with the
author take it up with them.

They conveniently forgot to mention that, like IE 6 SP2, IE 7 will only
be available to users of WinXP SP2.

So here's the very issue that myself and many other users of other
browsers see, and detest about Microsoft - once again, a badly needed
update of Internet Explorer seems to be mainly about trying to force
people to upgrade their OS, rather than about user security.

That's YOUR perception. Nobody but Microsoft knows what's going to happen.
In addition Microsoft originally stated that IE7 was coming out with
Longhorn. They have now announced it as being available prior to Longhorn.
Their stance on XP only may change as well.

Nobody should be flamed because they don't use one product over another.
They should be encouraged to try an alternative. However, consider this:

The entire Internet slowed to a crawl a few years ago. Why? A massive
attack by an email worm, which infected tens of thousands of machines in
a matter of hours. How was the worm propagated? Users of Outlook
Express, primarily, a notoriously insecure Microsoft product that most
people use because they don't know any better. The worm propagated
because of Microsoft's typical lax attitude towards user security - the
client actually previewed image attachments in the message without the
user's say so or knowledge. They didn't even have to open the email or
the attachment to become infected.

Things like this cause people to become angry at Microsoft and also a
certain amount of anger against the clueless people who won't even take
the trouble to read an article that would have told them how to turn
off the preview feature and protect themselves. Because of such people,
the entire worldwide web took a major hit.

Have you ever gone to any of the XP newsgroups and seen the high handed
behavior of the smug SOBs there who think XP is the best OS on the face
of the planet? Then you really would see people being flamed for
choosing a different option.

I regularly visit the XP newsgroups and many other newsgroups and have
found the zealot ratio not much different than what happens in PS2 vs XBox
or Apple vs Microsoft.

The potential for damage. There's an IE vulnerability now in which
malware will be installed even if the user pushes the "no" button in the
dialog box. This vulnerability does not exist in Gecko based browsers,
because they do not use ActiveX or Java by default. If someone installs
these features, then he has brought any such exploit upon himself.

And what if you have ActiveX disabled in IE? It's amazing how many
security threats no longer exist with the changing of one simple setting.
I would also say that likelihood is more important than potential. Many
security vulnerabilities can be quite serious but the circumstances
involved or the chance of visiting a site that will use the vulnerability
are practically non-existent.

I wasn't that concerned about the IDN spoofing issue in Firefox, because
it isn't anything that I would ever run into. BTW, within 12 hours of
the exploit being published, a way to prevent it by using an expression
in Adblock was published. This is what I meant about an active community
and a work in progress.

That requires the user to install a 3rd party extension that may introduce
its own vulnerabilities.

Another concern I just read about is there seems to be an issue with the
code reviewers for Firefox (only 6!). Again I am not picking on Firefox.
It's all part of the moving target that is security:

http://www.eweek.com/article2/0,1759,1774118,00.asp

A lot of the published vulnerabilities in all the browsers are something
that the casual user would never encounter. What gets my attention are
links that look like www.paypal.com but are really www.pa?pal.com, and
dialog boxes that install software even if I say "no." That's real life
stuff that could affect me personally.

It won't stop and we can't rely on our web browser to protect us. We need
to be vigilant and to a certain degree lucky.
 
Fuzzy Logic

Fair enough. But the truth sometimes hurts. Internet Explorer is less
secure; that is a fact.

I have to disagree. I am not saying IE is more secure only that there are
way too many variables to make a clear case for that. For example which
version of IE vs which version of Firefox, are we talking default
configurations or a properly locked down version, do we factor in 3rd
party extensions, etc. Feel free to provide any facts to the contrary.
Some web site that simply says it's so doesn't count ;-)

This is exactly the type of fuzzy logic that needs to be corrected.
"There are vulnerabilities in every browser and OS" does not support the
conclusion that every browser and OS is equally secure.

You missed my point. What's supposedly totally secure today could be an
easy target tomorrow when some critical vulnerability is discovered.
Software security is a moving target as new vulnerabilities are
continually appearing and then getting patched. So to say that browser A
is more secure than browser B may be true at that particular instant but
the tables could turn in a heartbeat when some critical vulnerability is
found in browser A.

Some exploits are far more serious than others; so-called remote
execution of arbitrary code exploits are far more serious than phishing
exploits for example.

What happens is that people harp on the rarer and less critical firefox
exploits to justify their logic that firefox is not safer.


This is a good question. And the answer to this is exactly why people are
sure that while firefox, Opera etc are not perfect they are more secure
than IE.

I am still looking for the definition of 'more secure'. If we were to
quantify it would a browser with a security rating of 93.8 be a bad choice
if another browser has a security rating of 94.1? If I use IE and have
never had a security incident and you use Firefox and have never had a
security incident which is 'more secure'?

It is the "all browsers are equally unsecure/secure" camp that does not
care about the answer to this question, or wouldn't be able to answer this
question even if they wanted to.

People in this camp, love to link to any minor exploit without even
bothering to assess the severity of the bug.

While severity is certainly important you cannot leave out likelihood. If
I have to some convoluted series of steps to get the action to occur (and
it's something you would normally never do) then the criticality is not as
significant.

Why bother figuring out if the exploit is easily exploitable and/or
causes serious damage? After all, all they want is to be able to state
that browser X has exploits too not just IE. :)

Again my point was that no browser is secure. The most important factors
in choosing a browser were mentioned in the link I posted earlier:

http://msmvps.com/donna/articles/19946.aspx
 
Fuzzy Logic

elaich said:
Ahhh.... the old, shallow Microsoft argument that "our products get
exploited because so many crackers are busy trying to find the holes."
If you are really who you say you are in your sig, I'd expect better
than this of you.

Firefox IS more secure for various reasons:

1. No ActiveX by default.

2. No Java by default.

OK so I have those disabled. Is FF still more secure?

3. An active, involved community who is constantly working to make the
product better.

Except they appear to be on hiatus:

Mike Connor, a core Firefox developer, writes in his blog, "In nearly three
years, we haven't built up a community of hackers around Firefox, for a
myriad of reasons, and now I think we're in trouble. Of the six people who
can actually review in Firefox, four are AWOL, and one doesn't do a lot of
reviews. And I'm on the verge of just walking away indefinitely, since it
feels like I'm the only person who cares enough to make it an issue."

Source said:
4. The entire approach toward development of Firefox is toward security.

Good intentions don't necessarily equate to a more secure product.
 
»Q«

Again my point was that no browser is secure.

And again, it doesn't follow that all browsers are equally secure or
that users should not consider relative security when choosing a
browser. The (separate) arguments you've made to support the idea that
users should not consider relative security, I won't bother rebutting;
if people find them compelling, so be it.

The most important factors in choosing a browser were mentioned in
the link I posted earlier

Well, those and security. ;)
 
John Hood

Fuzzy said:
I have to disagree. I am not saying IE is more secure only that there are
way too many variables to make a clear case for that. For example which
version of IE vs which version of Firefox, are we talking default
configurations or a properly locked down version, do we factor in 3rd
party extensions, etc. Feel free to provide any facts to the contrary.
Some web site that simply says it's so doesn't count ;-)

You missed my point. What's supposedly totally secure today could be an
easy target tomorrow when some critical vulnerability is discovered.
Software security is a moving target as new vulnerabilities are
continually appearing and then getting patched. So to say that browser A
is more secure than browser B may be true at that particular instant but
the tables could turn in a heartbeat when some critical vulnerability is
found in browser A.

I am still looking for the definition of 'more secure'. If we were to
quantify it would a browser with a security rating of 93.8 be a bad choice
if another browser has a security rating of 94.1? If I use IE and have
never had a security incident and you use Firefox and have never had a
security incident which is 'more secure'?

While severity is certainly important you cannot leave out likelihood. If
I have to some convoluted series of steps to get the action to occur (and
it's something you would normally never do) then the criticality is not as
significant.

Again my point was that no browser is secure. The most important factors
in choosing a browser were mentioned in the link I posted earlier:

http://msmvps.com/donna/articles/19946.aspx

FL - I agree. No browser is secure. But there are browsers that are
easier to secure and those that aren't. I find Firefox much easier to
secure than IE. I support IE at work. I use Firefox at home. Securing
IE is a matter of wading through the security settings for each zone,
then adding sites to each zone manually. Who thought that up?
Firefox's settings are quick and easy. It runs very little by default.
The security learning curve is smaller. Firefox is easier to secure,
IMO therefore more secure - at this time.

John H.

aka "Wonk the Sane"
 
Colibri

Glenn said:

Your mention of IE 7 caught my eye. I have a bug in my IE 6 that when I ask
about it in the M$ forums, it goes unanswered because no one seems to know
the answer.

I have loaded Mozilla and have it setup fairly well to my liking but I can't
find ways of deleting some entries that are duplicated in "Local Folders" or

What is the purpose of "Local Folders"; and how do I get rid of it?
http://ilias.ca/netscape/mailnewsfaq/#localfolders

add and subtract from the toolbars so I am eagerly awaiting IE 7.

Mozilla's toolbars aren't nearly as customizable as Firefox's
 
»Q«

What is the purpose of "Local Folders"; and how do I get rid of
it? http://ilias.ca/netscape/mailnewsfaq/#localfolders

Those are Chris Ilias' instructions for Netscape 7, but I believe they
are essentially the same as his instructions for Mozilla.

<http://ilias.ca/mozilla/mailnewsfaq/#localfolders>

IIRC, John Corliss hated the local folders and followed instructions
like those to get rid of them. And IIRC, he noted here that after
installing a new version of Mozilla (or Thunderbird?) he had to do it
again. So, Glenn, you might want to bookmark that page in case you
need it again.

Again, that's for Netscape.

<http://ilias.ca/mozilla/forums/>
<http://mozillachampions.ufaq.org/newshelp.html>

Ilias' main page is worth a look, too. <http://ilias.ca/>
 
Mel

And what if you have ActiveX disabled in IE? It's amazing how many
security threats no longer exist with the changing of one simple setting.

Unfortunately, there's also an amazing number of sites that won't work
with ActiveX disabled (eg Gmail needs XMLHTTP, and many sites
use flash), although you can at least configure IE6, even in Windows
98, to only allow the activex components you actually need, to run
within it.

I would also say that likelihood is more important than potential. Many
security vulnerabilities can be quite serious but the circumstances
involved or the chance of visiting a site that will use the vulnerability
are practically non existent.

I would think that the current trend for hackers to infect vulnerable
webservers and especially ad-servers with code to serve up such
exploits to anyone who visits one of the sites they host or provide
ads for, makes the chances of visiting a site that attempts to exploit
vulnerabilities moderately high.

eg http://www.theregister.co.uk/2004/11/22/apache_hijack_serves_iframe_exploit/
 
Glenn

John Hood said:
FL - I agree . No browser is secure. But there are browsers that are
easier to secure and those that aren't. I find Firefox much easier to
secure than IE. I support IE at work. I use Firefox at home. Securing
IE is a matter of wading through the security settings for each zone, then
adding sites to each zone manually. Who thought that up? Firefox's
settings are quick and easy. It runs very little by default. The
security learning curve is smaller. Firefox is easier to secure, IMO
therefore more secure - at this time.
John H.

OK. You guys are so glowing about Firefox, I think I will try it. I have
Mozilla now (not default, OE & IE still are). Do I need to dump anything or
just download it into Mozilla. Or are they 2 completely different programs?

Glenn
 
»Q«

Unfortunately, there's also an amazing number of sites that won't
work with ActiveX disabled (eg Gmail needs XMLHTTP, and many sites
use flash), although you can at least configure IE6, even in
Windows 98, to only allow the activex components you actually
need, to run within it.

You are talking only about IE. (I know you know that; I'm just trying
to make sure the record is clear.) The Flash plugin for other browsers
does not require ActiveX as it does in IE, and GMail works fine in
other browsers as well.
 
