Are you safer with Firefox?

»Q«

OK. You guys are so glowing about Firefox, I think I will try it.
I have Mozilla now (not default, OE & IE still are). Do I need to
dump anything or just download it into Mozilla. Or are they 2
completely different programs?

Two separate programs. Firefox should be installed in a different
directory than Mozilla, and it will use a different directory for its
profiles.
 
Roger Spencelayh

Firefox IS more secure for various reasons:

1. No ActiveX by default.

But it can be turned on in FireFox and off in IE. How many times have you
seen the message "You need ActiveX enabled to view this site properly..."
Followed by instructions of how to turn it on. Many un-informed users will
simply turn it on.
2. No Java by default.

As above.
3. An active, involved community who is constantly working to make the
product better.

And you're suggesting MS isn't? So IE7 is just a waste of everybody's
time.
4. The entire approach toward development of Firefox is toward security.

Based on the stick they get from the world in general, I would imagine
security is high on MS's list, hence the development of IE7. Also, look
how they've crippled Outlook in successive versions. By default, Outlook
2003 will not let me open an Access database that I added to an email I
sent to someone else.

In the end it comes down to the user. An uninformed or stupid user can
leave themselves open to attack in any browser. Basic advice - don't click
on anything unless you know what will happen.

Where do I stand regarding my allegiance to any particular software? Well
I write applications around and customise MS Office for clients. Why MS
Office? Because I've only found 2 businesses in my area using anything
else (and for the record they were using an MS OS and Lotus SmartSuite).
 
Aaron

And what if you finger check?

fingerslip you mean?

Easy, use your bookmarks. But even then a malware program altering your
bookmarks, alter your local hosts file, or DNS poisoning.

But at least in those cases, it has nothing to do with the browser
directly.
 
Aaron

But it can be turned on in FireFox and off in IE.

Turn on ActiveX on firefox? You need to download a separate program, and
I think it's kind of complicated, I doubt many people will bother to do
that, or could pull it off if they wanted to.

How many times have
you seen the message "You need ActiveX enabled to view this site
properly..." Followed by instructions of how to turn it on. Many
un-informed users will simply turn it on.

See above for ActiveX and FF. But why talk about ActiveX in FF? There's a
similar technology in firefox, installing extensions via XPI. Anything
that ActiveX can do, firefox extensions can do too, as both do not have
any restrictions placed on what files they can access.
 
Aaron

I find Firefox much
easier to secure than IE. I support IE at work. I use Firefox at
home. Securing IE is a matter of wading through the security settings
for each zone, then adding sites to each zone manually. Who thought
that up? Firefox's settings are quick and easy. It runs very little
by default.

I remember that at one point in time the firefox camp was trying to promote
the idea that firefox was more secure than IE, because the former didn't
have trusted zones where "everything goes". The idea (which appears to be
backed up by history of IE) is that if you build in the functionality that
allows dangerous actions, even though it works only if it is whitelisted,
you have to be very sure, there isn't a way to bypass the safeguards. In
the past exploits basically found ways to run as trusted sites, Local machine
zones or whatever.

Not that I agree with this reasoning since firefox does have the very
dangerous function of allowing installing of extensions, and guess what ?
It works only if you are a site on a whitelist :)
 
Aaron

I have to disagree. I am not saying IE is more secure only that there
are way too many variables to make a clear case for that.

My problem with antifirefox/Opera/whatever arguments is that they are all
basically based on guesses about the future and not facts.

Even if some super advanced Alien civilisation came and gave us the
ultimate browser, you could still say, "Of course it looks safe now it's
not targeted as much as IE, wait until the hackers get their hands on it" .
Or "If you were careless you could still get hacked" (True but irrelevant).

Add these 2 arguments to the strange reasoning that as long as a browser is
not 100% secure, you might as well use anything, no wonder, people have
convinced themselves that *in principle* there can be nothing better than
IE.


For example
which version of IE vs which version of Firefox, are we talking
default configurations or a properly locked down version, do we factor
in 3rd party extensions, etc. Feel free to provide any facts to the
contrary. Some web site that simply says it's so doesn't count;-)

The point is, the fact is that you feel you need to bring in 3rd party
extensions into this, would seem to me that you are clearly admitting that
IE is lacking.

You missed my point. What's supposedly totally secure today could be
an easy target tomorrow when some critical vulnerability is discovered.

No I didn't. You are using the same flawed logic of saying because we can't
be 100% sure of anything (anything we know today might be invalidated
tomorrow) it doesn't matter what we do.
I am still looking for the definition of 'more secure'. If we were to
quantify it would a browser with a security rating of 93.8 be a bad
choice if another browser has a security rating of 94.1?

I doubt if it would be possible to quantify this. Any such scheme would be
purely arbitrary. I suppose you could carry out experiments among users of
different skill levels, surfing habits (eg whether they visit unsafe
sites), and factor in the amount of other protection they have .

From what I have seen, up to a moderate skill level, IE is certainly less
secure in the sense that the likelihood of getting hit is much higher if you
use IE.

Of course, many of the people posting in this thread are more competent
than that and/or run a lot of protection, so the gap between IE and other
browsers is narrowed.

I believe that with a lot of hard work (eg your job is monitoring security
based mailing lists and taking counter-measures), tight security settings,
low risk behaviour, some decent protection, you might be able to make the
gap effectively zero, but that's way too much work for most people.
If I use IE
and have never had a security incident and you use Firefox and have
never had a security incident which is 'more secure'?

Again, it's a matter of odds. If we say that IE is less secure than another
browser, we obviously mean that we believe that using IE is more likely to
get you into trouble all things being equal, but it's not a certainty.

Besides, who's to say that you won't run into problems later?
IE supporters are not the only one who can see into the future when they
*know* for sure that firefox will become as bug ridden as IE in the future
:)

While severity is certainly important you cannot leave out likelihood.

I did mention that :)

Again my point was that no browser is secure. The most important
factors in choosing a browser were mentioned in the link I posted
earlier:

Again my point is, there is no sure bet in a gamble, but you want to go
with the odds don't you?
 
James Picardat

Roger said:
But it can be turned on in FireFox and off in IE. How many times have you
seen the message "You need ActiveX enabled to view this site properly..."
Followed by instructions of how to turn it on. Many un-informed users will
simply turn it on.

While no software can 100% protect a user from themself, you have to
EXPLICITLY turn this on - the novice user is at least afforded the
opportunity to be aware that something is going on. Who knows, some may
even ask questions before blindly pushing Yes. A default MS OS
installation - which 100% of computer purchasers get when they buy their
PC's with MS OSes on them is ON BY DEFAULT - along with a whole host of
unneeded services, networking protocols, etc. In the case of Microsoft
- unsuspecting users will have no clue that it is on (and in the case of
many that it even exists) until they run into a major problem with an
applet compromising their system.
As above.
There are very few applications on home computers that require Java - so
why have it on by default? The people who do use these Java
applications will know they need to enable Java.
And you're suggesting MS isn't? So IE7 is just a waste of everybody's
time.

As long as Microsoft has IE so recklessly hooked into the core of the
operating system - yes, it will be a waste of everybody's time.
Microsoft is extremely slow at providing fixes or workarounds to
existing compromises in its browser and I don't foresee that changing.
IE7 is only being released to try to counteract its diminishing market
share in the browser field - to Firefox, Opera, etc. not because of some
morally grand vision to make everybody's internet experience any more
secure.
Based on the stick they get from the world in general, I would imagine
security is high on MS's list, hence the development of IE7. Also, look
how they've crippled Outlook in successive versions. By default, Outlook
2003 will not let me open an Access database that I added to an email I
sent to someone else.

As I stated above, security is not high on Microsoft's list - if their
track record of slow fixes, shoddy initial OS releases which required
immediate service packs, etc. are any indication. If they truly were
high in the security conscious department they would have built IE INTO
the operating system with Windows 2000 and not hooked it in like a
shadetree mechanic. With the releases of Windows 2003 and XP they still
did not address this issue properly (wolves in sheep's clothing). So we
still have the same foundation for all these compromises in place 6
years and 2 additional OS releases later. Lets see if they address this
issue with the upcoming Longhorn release - I seriously doubt it.
In the end it comes down to the user. An uninformed or stupid user can
leave themselves open to attack in any browser. Basic advice - don't click
on anything unless you know what will happen.

Where do I stand regarding my allegiance to any particular software? Well
I write applications around and customise MS Office for clients. Why MS
Office? Because I've only found 2 businesses in my area using anything
else (and for the record they were using an MS OS and Lotus SmartSuite).

With this I'm in agreement - sort of.

I won't go so far as calling users stupid as I would complacent. Then
again we don't ask automobile owners to be expected to adjust their
emissions, tweak their air/fuel mixtures, and be able to decipher ODB
II diagnostic codes to SAFELY operate their vehicle - which like
computers are luxuries which have turned into necessities. Why should
we REQUIRE this level of behavior to SAFELY operate a computer? At
least the alternatives to IE are separating themselves from the highest
risk areas of the Microsoft Operating system when they design their
browsers and leaving the option to the user to OPT IN to those riskier
technologies if they so choose; which is more than can be said for the
company that propagated these security issues in the first place.

Perhaps Microsoft would be smart and go to a modular design in their
next OS release instead of building an OS with a "one size fits all"
approach - with all the extras being pretty much outdated by the time
the OS is released anyway. Now that would be a novel approach.
 
Margrave of Brandenburg

Why all the fuss?
I tried Firefox, found it annoying, went back to IE6 ... and still no
problems.
All you need do in IE is set a sufficiently high security setting for the
"Internet" zone.
 
bassbag

As the original poster I can honestly say that I was NOT trolling. I am sick
and tired of people claiming software A is more secure than software B. I
could care less what browser or OS you use. What ticks me off is the holier
than thou people who think their choice is somehow 'more secure' than
someone else's and proceed to flame them because they made a choice
different than theirs. The fact is that there are vulnerabilities in every
browser and OS and you can do everything in your power to make it secure and
still get hooped because of a new vulnerability. Neither of the articles I
posted said one browser was better/more secure than the other.

Feel free to review them:

http://msmvps.com/donna/articles/19946.aspx
http://www.pcmag.com/article2/0,1759,1775806,00.asp

At this very moment one browser MAY be 'more secure' than another but in a
blink of an eye a new vulnerability will be discovered and the tables
turned. Security is a process not a piece of software or hardware. It's more
important to concentrate on the process than to rely on the software to
protect you. I thought the first link documented the process for picking and
securing a browser fairly well.

Having said all that my experience has been that the biggest risk is not the
software but the people using it. You can lock down your OS and browser and

Agree with you. I'm not an IE shill but have used it or IE-based browsers
for 5 years with no problems at all. I like the fact that I can use ActiveX
if I choose. Also probably against the grain... my myie2 092768 is faster
than Opera or Firefox rendering pages. I know because I've tried them. Maybe
they are faster on others' PCs.. but not on mine. Whatever works better on
individuals' PCs would be the choice. Security is much more than a browser.
me
 
»Q«

I remember that at one point in time the firefox camp was trying
to promote the idea that firefox was more secure than IE, because
the former didn't have trusted zones where "everything goes". The
idea (which appears to be backed up by history of IE) is that if
you build in the functionality that allows dangerous actions, even
though it works only if it is whitelisted, you have to be very
sure, there isn't a way to bypass the safeguards. In the past
exploits basically found ways to run as trusted sites, Local machine
zones or whatever.

Yeah, it's similar to privilege-escalation vulnerabilities. Making
the local/trusted zone settings as tight as the internet zone can
help, but you have to be careful not to disable so much that
Microsoft's own site will no longer work.
Not that I agree with this reasoning since firefox does have the
very dangerous function of allowing installing of extensions, and
guess what ? It works only if you are a site on a whitelist :)

I do think they should add a "trust this site only this one time"
option, so that sites don't just stay on the whitelist. (While you
can clear the whitelist if you like, there's no way to automagically
have it cleared.)

There is a significant difference in the way Fx handles whitelisted
sites though -- if a site which is whitelisted wants to install
something, the browser will still prompt the user before allowing the
install, and AFAIK no way to bypass the prompt has yet been found. In
IE, it's possible to let all domains in a given zone run whatever they
want without prompting the user.
 
»Q«

But it can be turned on in FireFox and off in IE. How many times
have you seen the message "You need ActiveX enabled to view this
site properly..." Followed by instructions of how to turn it on.
Many un-informed users will simply turn it on.

It can't be simply "turned on" in Firefox. The user will not be
prompted with a "you need a plugin for this" dialog. Instructions for
installing and configuring the third-party Mozilla ActiveX plugin are
tricky, and the plugin is not meant for general use. Its website gives
the caveat "This plug-in is designed for /custom/, /legacy/ and
/intranet/ solutions and nothing else."

<http://www.iol.ie/~locka/mozilla/plugin.htm>
 
Mel

»Q« said:
You are talking only about IE. (I know you know that; I'm just trying
to make sure the record is clear.) The Flash plugin for other browsers
does not require ActiveX as it does in IE, and GMail works fine in
other browsers as well.

Yes, I was just trying to point out the practical issues of using IE with all
ActiveX support disabled. I have a few useful components enabled
in IE to allow Flash, XML and windows 98 update among others to
work; IE exploits that attempt to use one of the many other remotely
scriptable objects that are installed on my pc are therefore blocked.
 
Roger Spencelayh

There are very few applications on home computers that require Java - so
why have it on by default? The people who do use these Java
applications will know they need to enable Java.

I was referring to Web sites, not applications. Too many require Javascript
on without catering for users who don't have it enabled. Not exactly MS's
fault.
 
elaich

I was referring to Web sites, not applications. Too many require
Javascript on without catering for users who don't have it enabled.
Not exactly MS's fault.

Java and Javascript are two entirely different things. Javascript is
enabled by default in Firefox. Java must be installed.

Java is a security risk. Javascript isn't.
 
»Q«

I was referring to Web sites, not applications. Too many require
Javascript

The point was about Java, not JavaScript.
Too many require Javascript on without catering for users who
don't have it enabled. Not exactly MS's fault.

Largely the fault of Microsoft, IMO. Netscape bears some blame, too.
Their refusal to adopt and promote standards, particularly CSS, is the
main factor in driving web designers to scripting, Flash, etc., in
order to deliver pages the way they want to.
 
James Picardat

elaich said:
Java is a security risk. Javascript isn't.

You might want to reconsider this. Do a Google with "Javascript
Vulnerability" and tell me how many references you come up with. :)
 
Aaron

You might want to reconsider this. Do a Google with "Javascript
Vulnerability" and tell me how many references you come up with. :)

Nearly all of them? :)

That said the nice thing about firefox is that you can turn off some of the
more dangerous javascript functions while retaining the main useful ones.
 
fathom

I am sick
and tired of people claiming software A is more secure than
software B.

With Firefox and IE, the answer should be quite clear. There is
a large list of IE vulnerabilities (ActiveX) that cannot happen
with Firefox. IE has deep ties into the OS, a security
nightmare for any app, but insanity for a web browser. IE has a
long history of security problems, some costing users billions
of dollars. Firefox has a history of patching holes quickly.
IE is old code that has been patched and repatched, Foxfire is
an effort to streamline code and offer a basic, secure,
extendable browser. IE uses proprietary code, yet there's no
lack of exploits - Foxfire's code is there for all to see - and
exploit, if they can - yet it has fewer problems and less severe
problems than IE. MS is offering improvements and patches ONLY
for users who run the latest Windows OS, Foxfire's cross-
platform architecture lets them deploy improvements and patches
to everyone on a dozen OSes.

It's really no contest which browser is more secure, and it will
be extremely difficult for MSFT to get the upper hand, given the
flawed nature of IE and the company's historic contempt for
users.
 
Fuzzy Logic

My problem with antifirefox/Opera/whatever arguments is that they are
all basically based on guesses about the future and not facts.

Even if some super advanced Alien civilisation came and gave us the
ultimate browser, you could still say, "Of course it looks safe now it's
not targeted as much as IE, wait until the hackers get their hands on
it" . Or "If you were careless you could still get hacked" (True but
irrelevant).

Add these 2 arguments to the strange reasoning that as long as a browser
is not 100% secure, you might as well use anything, no wonder, people
have convinced themselves that *in principle* there can be nothing
better than IE.

My point was that you should find a well supported reasonably secure
browser that YOU like learn its security features and make sure you keep
it patched and practice safe surfing skills and you are likely as secure
as anyone else.
For example

The point is, the fact is that you feel you need to bring in 3rd party
extensions into this, would seem to me that you are clearly admitting
that IE is lacking.

That's a bit of a leap. Firefox lacks much of the functionality of other
browser and those features can be added with 3rd party plugins. In doing
so you are only as secure as the browser and the 3rd party extensions. I
don't see how that implies IE is somehow more insecure.
No I didn't. You are using the same flawed logic of saying because we
can't be 100% sure of anything (anything we know today might be
invalidated tomorrow) it doesn't matter what we do.

Of course it matters! I will repeat find a well supported reasonably
secure browser that YOU like learn its security features and make sure
you keep it patched and practice safe surfing skills and you are likely as
secure as anyone else.
I doubt if it would be possible to quantify this. Any such scheme would
be purely arbitrary. I suppose you could carry out experiments among
users of different skill levels, surfing habits (eg whether they visit
unsafe sites), and factor in the amount of other protection they have .

From what I have seen, up to a moderate skill level, IE is certainly
less secure in the sense that the likelihood of getting hit is much higher
if you use IE.

Of course, many of the people posting in this thread are more competent
than that and/or run a lot of protection, so the gap between IE and
other browsers is narrowed.

I believe that with a lot of hard work (eg your job is monitoring
security based mailing lists and taking counter-measures), tight
security settings, low risk behaviour, some decent protection, you might
be able to make the gap effectively zero, but that's way too much work
for most people.


Again, it's a matter of odds. If we say that IE is less secure than
another browser, we obviously mean that we believe that using IE is more
likely to get you into trouble all things being equal, but it's not a
certainty.

Besides, who's to say that you won't run into problems later?
IE supporters are not the only one who can see into the future when they
*know* for sure that firefox will become as bug ridden as IE in the
future
:)



I did mention that :)



Again my point is, there is no sure bet in a gamble, but you want to go
with the odds don't you?

My odds may be 1000 to 1 and your 978 to 1. Who wins? Maybe I'm willing to
sacrifice a few points to functionality. By the way I use Avant that sits
somewhere between IE and Firefox in the security/features spectrum.
 
Fuzzy Logic

fathom said:
With Firefox and IE, the answer should be quite clear. There is
a large list of IE vulnerabilities (ActiveX) that cannot happen
with Firefox. IE has deep ties into the OS, a security
nightmare for any app, but insanity for a web browser. IE has a
long history of security problems, some costing users billions
of dollars. Firefox has a history of patching holes quickly.
IE is old code that has been patched and repatched, Foxfire is
an effort to streamline code and offer a basic, secure,
extendable browser. IE uses proprietary code, yet there's no
lack of exploits - Foxfire's code is there for all to see - and
exploit, if they can - yet it has fewer problems and less severe
problems than IE. MS is offering improvements and patches ONLY
for users who run the latest Windows OS, Foxfire's cross-
platform architecture lets them deploy improvements and patches
to everyone on a dozen OSes.

It's really no contest which browser is more secure, and it will
be extremely difficult for MSFT to get the upper hand, given the
flawed nature of IE and the company's historic contempt for
users.

The above has been stated over and over. I will try to address some of your
points.

Properly configuring ActiveX or disabling it in IE can readily remove much
of the risk.

Of course IE has a long history of security holes. It's been around much
longer than Firefox. Now that Firefox is gaining some popularity holes are
becoming more common.

As for quick patches for security holes in Firefox it appears that may be
changing. <http://www.eweek.com/article2/0,1759,1774118,00.asp>

As for patches to IE my Windows 98 recently got 2 from WindowsUpdate.

Firefox MAY be more secure than IE but my point is that the margins are
smaller than you are led to believe. In addition the margins are continually
changing as new vulnerabilities are found. Again I don't see anything wrong
with the advice posted on this site:

http://msmvps.com/donna/articles/19946.aspx

Or to sum up. Find a well supported browser YOU like, learn its security
features and use them, keep it patched and practice safe surfing skills and
you are about as secure as you are going to get.
 
