Are you safer with Firefox?

[Aaron]

My point was that you should find a well supported reasonably secure
browser that YOU like learn it's security features and make sure you
keep it patched and practice safe surfing skills and you are likely as
secure as anyone else.

Good now that we established that one browser can be more secure than
another, now I say IE is not "reasonably secure".

Your response no doubt based on earlier posts would be to cite Secunia,
which shows firefox is not perfect and hence it cannot be better. You
just made the same flawed argument again that something that is imperfect
cannot be better.

Alternatively, you will state that we never know what exploits tomorrow
will bring and hence we cannot be sure that firefox is not more secure.


And we go around in circles again.

That's a bit of a leap. Firefox lacks much of the functionality of
other browser and those features can be added with 3rd party plugins.
In doing so you are only as secure as the browser and the 3rd party
extensions. I don't see how that implies IE is somehow more insecure.

I interpreted your words to mean 3rd party security apps. If you need to
run proxomitron, spywareblaster and whatnot to remain secure ,than forget
it.

Of course it matters!

Yes, so let's stick with the browser we know that is more secure today.


I will repeat find a well supported reasonably

secure browser that YOU like learn it's security features

You can repeat all you want, but if IE is not reasonably secure, than
your advise is useless.

I'm trying to show you that your arguments that IE is reasonably secure
compared to other browsers is argued on very unsound grounds.It involves
either saying we dont know for sure that firefox is better because we
can't know the future OR firefox is not superior because it is not
perfect.

My odds may be 1000 to 1 and your 978 to 1. Who wins? Maybe I'm
willing to sacrifice a few points to functionality.

Don't you mean the reverse?

As long as you concede that it is conceivable for a browser to be more
secure than another, my job is done. How big the gap is , and how much
you are willing to tolerate is another matter ,but the way you argued
before, it looked like it was impossible even in theory for another
browser to be more secure than IE.

Say using IE even with all security settings tightened is still 5% more
risky than firefox, would you take the risk? Some would, some wouldnt.
You can take the risk , but it's a totally different matter from saying,
all browsers are equally safe.

By the way I use
Avant that sits somewhere between IE and Firefox in the
security/features spectrum.

I know some IE shells claim to add security features, but most of them
are merely tweaks to the interface allowing easier access to security
options . Maxthon I believe has done some work, but still I don't think
it's anyway near "inbetween" firefox and IE in terms of security.

 

[elaich]

And we go around in circles again.

So why not just drop it and stop feeding this troll? He's a Microsoft shill
and all you are doing is enabling him.

They have been hitting the Mozillazine boards with exactly the same kind of
specious arguments and inability to see logic if it's forced down their
throats.

 

[Fuzzy Logic]

Good now that we established that one browser can be more secure than
another, now I say IE is not "reasonably secure".

And I say it is. I support over 600 IE users and we haven't had a single
security incident related to the web browser. I would rather use real
world data than speculation. Many vulnerabilities are so obscure (dragging
things from the browser window to the desktop for example) that it's very
unlikely that the exploit will happen in real life.

Your response no doubt based on earlier posts would be to cite Secunia,
which shows firefox is not perfect and hence it cannot be better. You
just made the same flawed argument again that something that is
imperfect cannot be better.

I have NEVER said anything to that effect.

Alternatively, you will state that we never know what exploits tomorrow
will bring and hence we cannot be sure that firefox is not more secure.

Again I didn't say that. I said that browser security is a moving target
and what appears to be secure today can be totally insecure the next due
to new vulnerabilities being discovered.

And we go around in circles again.


I interpreted your words to mean 3rd party security apps. If you need to
run proxomitron, spywareblaster and whatnot to remain secure ,than
forget it.

I meant 3rd party browser plugins. If you install the ActiveX plugin for
Firefox that obviously makes you susceptible to ActiveX exploits. In
addition this plugins add additional vectors for attack. So by adding
functionality that IE already has to Firefox amazingly it becomes
susceptible to the same attacks. Conversely disabling ActiveX in IE makes
it a whole lot safer.

Yes, so let's stick with the browser we know that is more secure today.

I will repeat find a well supported reasonably

You can repeat all you want, but if IE is not reasonably secure, than
your advise is useless.

I'm trying to show you that your arguments that IE is reasonably secure
compared to other browsers is argued on very unsound grounds.It involves
either saying we dont know for sure that firefox is better because we
can't know the future OR firefox is not superior because it is not
perfect.


Don't you mean the reverse?

As long as you concede that it is conceivable for a browser to be more
secure than another, my job is done. How big the gap is , and how much
you are willing to tolerate is another matter ,but the way you argued
before, it looked like it was impossible even in theory for another
browser to be more secure than IE.

Apparently you misinterpreted my arguments as I just stated above that one
browser can be more secure than another BUT that is continually moving
target and I don't agree that a properly secured version of IE is
significantly more insecure than Firefox under most circumstance. If you
spend a lot of time cruising hacker, porn or warez sites you are just
asking for trouble.

Say using IE even with all security settings tightened is still 5% more
risky than firefox, would you take the risk? Some would, some wouldnt.
You can take the risk , but it's a totally different matter from saying,
all browsers are equally safe.

Again I have never said that they are equally safe. I will say that IE can
be more secure than Firefox and vice versa depending on the current
unpatched vulnerabilities.

I know some IE shells claim to add security features, but most of them
are merely tweaks to the interface allowing easier access to security
options . Maxthon I believe has done some work, but still I don't think
it's anyway near "inbetween" firefox and IE in terms of security.

Maxthon and Avant are very similar products. Again their security is
evolving as new versions are released.

 

[Toad]

Fuzzy Logic has brought this to us :

The above has been stated over and over. I will try to address some of your
points.

Properly configuring ActiveX or disabling it in IE can readily remove much
of the risk.

Of course IE has a long history of security holes. It's been around much
longer than Firefox. Now that Firefox is gaining some popularity holes are
becoming more common.

As for quick patches for security holes in Firefox it appears that may be
changing. <http://www.eweek.com/article2/0,1759,1774118,00.asp>

As for patches to IE my Windows 98 recently got 2 from WindowsUpdate.

Firefox MAY be more secure than IE but my point is that the margins are
smaller than you are led to believe. In addition the margins are continually
changing as new vulnerabilities are found. Again I don't see anything wrong
with the advice posted on this site:

http://msmvps.com/donna/articles/19946.aspx

Or to sum up. Find a well supported browser YOU like, learn it's security
features and use them, keep it patched and practice safe surfing skills and
you are about as secure as you are going to get.

Plus there are a few IE replacement front-ends that more easily let you
disable the downloading of any ActiveX controls but still let you run
the ones you already have installed or disable running ActiveX
altogether.

Toad

 

[fathom]

http://www.theinquirer.net/?article=22024

 

[Aaron]

And I say it is. I support over 600 IE users and we haven't had a
single security incident related to the web browser. I would rather
use real world data than speculation. Many vulnerabilities are so
obscure (dragging things from the browser window to the desktop for
example) that it's very unlikely that the exploit will happen in real
life.

True some exploits are unlikely, and these are of the nature of almost
all firefox exploits. IE exploits on the other hand, histroically have
being far more exploitable, download.ject being one such exploit last
year. Unless you surf without javascript, you are vulnerable.

I have NEVER said anything to that effect.

Sure you did.

Again I didn't say that. I said that browser security is a moving
target and what appears to be secure today can be totally insecure the
next due to new vulnerabilities being discovered.

I seriously fail to see why you are dissenting. I wrote "we will never
know what exploits tomorrow will bring", you say not totally secure "due
to new vulnmerabilities being discovered".

Seems to me you are just arguing the uncertainty of the future.

Apparently you misinterpreted my arguments as I just stated above that
one browser can be more secure than another BUT that is continually
moving target and I don't agree that a properly secured version of IE
is significantly more insecure than Firefox under most circumstance.
If you spend a lot of time cruising hacker, porn or warez sites you
are just asking for trouble.


Again I have never said that they are equally safe. I will say that IE
can be more secure than Firefox and vice versa depending on the
current unpatched vulnerabilities.

So if I ask you pointblank which browser is more secure now (given
tightening of settings etc), could you give me an answer?

Or would you mumble about "security being a moving target", so you
couldnt answer?

LOL.

Maxthon and Avant are very similar products. Again their security is
evolving as new versions are released.

They used to be and are still look very similar in terms of basic
functionality because they of common origins. But this concern for
security is a much newer concern, and this is where the IE shells have
began to differ.

 

[Aaron]

The above has been stated over and over. I will try to address some of
your points.

Properly configuring ActiveX or disabling it in IE can readily remove
much of the risk.

Yes, sadly many IE exploits in the past bypast these settings even if IE is
correctly configured.

 

[Lordy]

And I say it is. I support over 600 IE users and we haven't had a
single security incident related to the web browser. I would rather
use real world data than speculation. Many vulnerabilities are so
obscure (dragging things from the browser window to the desktop for
example) that it's very unlikely that the exploit will happen in real
life.

Are these home users that have out of the box XP running and connected
directly to the net ?

 

[Fuzzy Logic]

Yes, sadly many IE exploits in the past bypast these settings even if IE
is correctly configured.

And Windows ME was a crappy OS. I'm talking about now.

 

[Fuzzy Logic]

Are these home users that have out of the box XP running and connected
directly to the net ?

Some are and some aren't. You're point?

 

[Fuzzy Logic]

http://www.theinquirer.net/?article=22024

Excerpt:

The reports suggest that surfers using Mozilla’s Firefox browser enjoyed the
shortest "exposure period", where a patch for known vulnerabilities in the
browser was unavailable.

------------------

This is pretty iffy. The real test is the actual number of incidents as a
result of said exposure. Nowhere is that mentioned.

Here is an another study for you:

Between July 1, 2004, and Dec. 31, 2004, the number of documented
vulnerabilities affecting the Mozilla browser and the Mozilla Foundation's
Firefox browser was higher than the number of vulnerabilities affecting
Microsoft's Internet Explorer, according to the latest Internet Security
Threat Report from Symantec released Monday.

The report, which provides an update of Internet threat activity worldwide
every six months, noted 13 vulnerabilities affecting IE. That compared with
21 vulnerabilities affecting the Mozilla and Mozilla Firefox browsers during
the survey period.

IE, however, still had a higher proportion of serious vulnerabilities, with
9 of the 13 flaws rated as highly severe. By comparison, 11 of the 21
Mozilla browser flaws were deemed highly severe, and just 7 of the Firefox
flaws were seen as highly severe. The IE flaws also took longer to fix--an
average of 43 days, compared with 26 days for Mozilla browsers.

Source http://www.pcworld.com/news/article/0,aid,120128,00.asp

 

[Fuzzy Logic]

True some exploits are unlikely, and these are of the nature of almost
all firefox exploits. IE exploits on the other hand, histroically have
being far more exploitable, download.ject being one such exploit last
year. Unless you surf without javascript, you are vulnerable.

Let's talk about the present not the past. I won't deny that IE was a
sieve in previous incarnations.

Sure you did.

You're welcome to search Google and find where I said anything to that
effect.

I seriously fail to see why you are dissenting. I wrote "we will never
know what exploits tomorrow will bring", you say not totally secure "due
to new vulnmerabilities being discovered".

No browser is 'totally secure'. It's pretty safe to say the browser you
and I use both have vulnerabilities that are yet to be discovered. That's
all I am trying to say.

So if I ask you pointblank which browser is more secure now (given
tightening of settings etc), could you give me an answer?

Or would you mumble about "security being a moving target", so you
couldnt answer?

I will answer your question if tell me what YOU mean by 'more secure' and
the parameters to determine it?

For example if we were to use this information:

Between July 1, 2004, and Dec. 31, 2004, the number of documented
vulnerabilities affecting the Mozilla browser and the Mozilla Foundation's
Firefox browser was higher than the number of vulnerabilities affecting
Microsoft's Internet Explorer, according to the latest Internet Security
Threat Report from Symantec released Monday.

The report, which provides an update of Internet threat activity worldwide
every six months, noted 13 vulnerabilities affecting IE. That compared
with 21 vulnerabilities affecting the Mozilla and Mozilla Firefox browsers
during the survey period.

IE, however, still had a higher proportion of serious vulnerabilities,
with 9 of the 13 flaws rated as highly severe. By comparison, 11 of the 21
Mozilla browser flaws were deemed highly severe, and just 7 of the Firefox
flaws were seen as highly severe. The IE flaws also took longer to fix--an
average of 43 days, compared with 26 days for Mozilla browsers.

Source <http://www.pcworld.com/news/article/0,aid,120128,00.asp>

If you said number of vulnerabilties than IE is more secure. If you said
severity than Firefox wins. If you say time to patch than Firefox wins.

Other factors are not even mentioned including likelihood, configuration,
actual breaches etc.

The whole point of this post is what is 'more secure' and how is it
determined? Most of the popular press and news group postings apparently
have no idea about security metrics and are quite content to state browser
A is better or worse than browser B simply based on number of unpatched
vulnerabilities or their severity. It's just not that simple.

 

[Colibri]

And Windows ME was a crappy OS. I'm talking about now.

Of course you are.

"At this very moment one browser MAY be 'more secure' than another but in a
blink of an eye a new vulnerability will be discovered and the tables
turned."

 

[Glenn]

Some are and some aren't. You're point?

I think I'm completely misunderstanding this whole string. This takes the
place of OE??? ONLY?? I am having trouble with IE. My OE is fine.

I do have Mozilla loaded but only for the mail and NG's. ????

Glenn

 

[Mel]

"At this very moment one browser MAY be 'more secure' than another but in a
blink of an eye a new vulnerability will be discovered and the tables
turned."

But then again, you may already be infected, you just don't know it yet.

 

[Fuzzy Logic]

But then again, you may already be infected, you just don't know it yet.

I regularily run AV and spyware scans and both return 0 results. I just
ran the latest browser security test and had 0 vulnerabilities. In
addition I ran the rootkit detector and that came up clean as well.

Browser Security Check

<http://webtest.scanit.be/bcheck/index.php>

RootkitRevealer

<http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml>

Of course none of these guarantee there isn't something lurking on my
machine but I'm fairly confident that isn't the case.

 

[Lordy]

Some are and some aren't. You're point?

Approx how many of those 600 IE users are home users running out of the box
XP connected directly to the net ?

My point of course being that I suspect that 600 figure includes a lot of
corporate uses that have external administrators to help tighten things up.

A lot of home users I know get hit with CoolWebSearch and the like.

 

[elaich]

"At this very moment one browser MAY be 'more secure' than another but
in a blink of an eye a new vulnerability will be discovered and the
tables turned."

Amd Mozilla/Firefox will fix it while Microsoft waffles.

 

[John Hood]

Approx how many of those 600 IE users are home users running out of the box
XP connected directly to the net ?

My point of course being that I suspect that 600 figure includes a lot of
corporate uses that have external administrators to help tighten things up.

A lot of home users I know get hit with CoolWebSearch and the like.

A lot of corp users too. I support 200 IE users and a day doesn't go by
that I have to run to someone's desktop because they loaded some spyware
and now their system is crawling.

I wonder what the "600" guy is doing differently than we are.

John H.

 

[Fuzzy Logic]

Approx how many of those 600 IE users are home users running out of the
box XP connected directly to the net ?

My point of course being that I suspect that 600 figure includes a lot
of corporate uses that have external administrators to help tighten
things up.

A lot of home users I know get hit with CoolWebSearch and the like.

While most are corporate users we still get to deal with their home
machines. In general we have to deal with spyware on those machines. This is
invariably installed by the user and not related to any vulnerability in
their browser.