Mozilla: The Good And The Bad
Rui del-Negro writes "According to this article at The Register, six security flaws in Mozilla were posted to BugTraq last weekend. They have not been added to the official Mozilla vulnerability list yet. But details can be found here, here, here and here (phew!).
Finally, two other bugs were found, relating to loading GIF files (in several Linux browsers) and Mozilla's (JavaScript) implementation of onUnload().
Are they trying to prove they can beat Microsoft at their own game..? Or is someone just trying to win a prize?" On a brighter note, Zerbey writes "From Neil's Place here is 101 Things Mozilla can do which IE cannot. Very interesting reading and an excellent resource for convincing stubborn Internet Explorer users why they should switch. This article was also reported at Mozillazine. I'm still waiting for NTLM auth to be implemented so we can switch over at my workplace, the only reason we still have to use Internet Explorer."
Mozilla may have more bugs than a rainforest, but at least they're open about it, whereas Microsoft quietly releases patches over windowsupdate.
As of 1.2beta almost all of these are fixed. In general opensource is not a whole lot more secure than closed source (both are programmed by humans), they just are more open with information and quicker with fixes.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
"...resource for convincing stubborn Internet Explorer users why they should switch..."
Should be:
- Provides a better subjective browsing experience
If that's not true, you'll never win. I am a stubborn IE user. I read through that list, and I haven't found a reason to switch. Seems whoever wrote it doesn't use IE that much either. No hotkey to change font sizes? I guess CTRL+Mousewheel doesn't count as a hotkey.
Now, is there a 10 Things IE Can Do That Mozilla Can Not such as run ActiveX properly if at all so one can go to most msn.com sponsored sites such as MSN Chat? Or how about properly running the Java plugin so Yahoo! Chat doesn't crash after a few minutes. I'm not making this up. This happens every time.
Believe me, like the rest of you, I love Mozilla, and I live by the tabbed browsing. But unfortunately, there are a lot of things I do on the Internet that still force me to crawl back to IE.
Being a developer myself, I have a huge number of bugs that are reported to my team and me on a daily basis. While security is always a key concern, there is an entire process of validating a bug prior to adding it to an official bug list. An open source project, such as Mozilla, has to rely on the input of who knows who for possible bugs, then also has to rely on a large number of volunteer developers to help validate the bug. Sometimes these processes take time.
Take the time to compare Mozilla's submitted bug report and their official bug list versus Microsoft's (that is if you can find a copy of it).
kha0z
Master of ImportChaos.com
How my favourite bug was turned into a feature is the best example I have of how easy it is to get off the track with big projects like this.
The bug got lost in several threads, flames and arguments about what IE does or does not do, until it was finally marked WONTFIX by a Mozilla demi-god. IMHO, they missed the point. There is a constant refrain in Bugzilla about whether something is "standard" or not.
From my experience, the argument about web standards is used to either fix or not fix something, depending on how someone feels about a problem.
Don't think it's a problem? Don't fix it and say "it's not standard, so we won't" or "it's not standard, but we break the standard everywhere where it makes sense". Some behaviour needs changing? The same arguments apply.
I may be just whining here, but sometimes I think the fact that Mozilla is a web browser is lost in the arguments. I still love Moz, but the fact that the right-margin jumps around on my otherwise fine HTML 4.x and CSS pages will always bother me.
-- clvrmnky
There will always be bugs, whether your software is open source, free, or otherwise. What matters is how you deal with them.
Why are people so hung up on the initial load time for IE versus Mozilla? Other than for that single metric, Mozilla runs circles around IE. Mozilla renders pages significantly faster, it provides fine-grained control for people who want it (per-site image blocking, per-site popup blocking, tabbed windows), and it generally doesn't allow people to get root/admin access to a box even when exploits are discovered.
I have convinced many people to try Mozilla, and from what I've seen none of them have switched back to IE.
#DeleteChrome
Or you could go to "Edit" -> "Preferences" -> "Advanced" -> "Scripts and Plugins" -> and uncheck "Enable JavaScript for...Mail and Newsgroups".
Does IE let you do that? Why do you need JavaScript in Mail anyway? I won't even accept HTML email.
Text is fine. I get the content without all the cookies and graphics.
"History doesn't repeat itself, but it does rhyme." Mark Twain
--
Twoflower
How sad. You don't 'talk' to a support technician with Mozilla, but you can usually get in contact with the person who actually wrote the code that's giving you trouble. Personally, I find this preferable to sitting on hold, paying through the nose for phone support, and talking to someone who hardly has the technical knowledge to use a computer, let alone code a browser. Mozilla's problems and bugs are well-documented; IE's are well-hidden. Mozilla has an excellent security track record; IE's security track record can be seen by the seemingly endless stream of advisories and patches.
It's a shame that these Fortune 500 companies choose inferior products with inferior support on the basis that they're able to hear a human voice when there's some sort of problem; regardless of whether or not that human voice has the slightest understanding of the problem, the solution, or even the product.
-- "Government is the great fiction through which everybody endeavors to live at the expense of everybody else."
I think Mozilla is in a position to really get innovation going again. Being a Web developer who started back in 1994, I remember first using Mosaic and Netscape back when features came so fast and furious that you really felt like progress was an everyday thing. I haven't felt that way lately (at least about Internet Explorer). So without further ado, here are some ways to innovate at a fundamental level, changing some things that should have been obvious.
First, making navigation buttons out of the link tags is great. But does Mozilla pre-fetch the "next" link, so that if I actually decide to go to the next page (likely), it comes up fast? WebTV has this feature. Makes the Web feel faster.
Second, why am I entering HTML tags into a plain text field? Where is the HTML text field? You know, a form object that comes with B, I, and U buttons, and allows me to visually format the text before sending (and which is delivered as standard, XHTML 1.0 compliant markup)? I've seen that Microsoft's new Web-based Outlook tools have this, but they use over 100k of JavaScript files to accomplish it. Shouldn't we just have something like this: <htmlarea></htmlarea>???
Finally, one of the things I've been waiting for is the ability to set images or other objects on angles. For example, if I wanted to have the slashdot logo appear as if it were on an incline, I might use CSS to specify the image display at -15 degrees. And if this were exposed to JavaScript, I could make some interesting animations. But I haven't seen this in CSS yet.
In short, I remember fondly when Netscape pushed the envelope -- I remember Andreessen adding the img tag, I remember Netscape implementing the file upload tag. I think some working demos of this stuff might help it gain acceptance, and give people a reference model to work from. Not to mention make Mozilla seem much more useful than Explorer.
I've found that the Bugzilla for Mozilla, Newsgroup usefulness, and general web resources are better, or at least equal to, that of Microsoft. Microsoft has an edge with phone support, but I run 10 servers and 50 workstations, all running Microsoft with SQL, Exchange, NT, 2000, and more - and I've never had to call them. I won't.
I dread calling them. It costs money, immense amounts of time, and I would sit on hold just knowing I'd end up with a moron who would suggest that I try rebooting.
This notion that a software company must be responsible for its software, so that someone can be held liable and can be counted on to help, is really just dependency and lack of personal responsibility, and ultimately a crutch. MCSE means Must Consult Someone Else.
Perhaps Fortune 500 companies ARE Fortune 500 companies because they pass the task of software support and maintenance off to the companies that make the software, and focus on their core business.
But they're also the ones spending obscene amounts of money and time trying to understand Microsoft's insane licensing policies.
They're spending time and money evaluating Microsoft's DRM moves, preparing to deal with the inevitable (some would say immediate) consequences of Microsoft's negative, condescending attitude toward its customers.
They're the ones who woke up one day and realized they were renting software, not buying it, and that they have an evil landlord and can't do anything about it. They're just happy their investors also like Microsoft so that they perceive this dependency as a "strategic relationship". They're the ones subject to the whip hand.
I've never walked into a Fortune 500 company and seen Mozilla. I've also never let the public see me having sex. Neither of those means that it doesn't happen.
# Erik
the desire for standards compliance is so web designers can write their sites once and have it work everywhere, without having to worry about what browser the client is using...
however, your statement for using IE as a base for a standard is not only silly, it's stupid:
we've written an in-house webapp that only works on IE5.5+ (5.0 does NOT work, something in the DOM or javascript), and testing on IE6 i found using the javascript "prompt" command doesn't work and throws javascript errors -- but everything else seems to work okay.
so, for our in-house webapp, we require IE5.5SP2, because we can ( sidenote: i wanted to target mozilla). having a website on the internet cannot, for the most part, require any specific version of a browser. because they are all incompatible with each other... should we use IE3, IE4, IE5, IE5.5, or IE6???
so, which version of IE should we all use as the standard? and if you come up with a particular version, the penetration % is not nearly as high...
i'm rambling and responding to a troll... oh boy
Like the subject says. Automatic updates are not a feature that will make people love MS over Linux. Even people who like MS would typically still prefer to decide for THEMSELVES when it's a good time to upgrade instead of having no choice over the matter.
Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.
Isn't NTLM a proprietary authentication protocol? There are plenty of existing, secure, standard HTTP authentication methods that are already implemented in Mozilla. If we implement every proprietary extension that various vendors create, we're shooting ourselves in the foot, to say the least. If the Mozilla coders create NTLM authentication, it's like saying, "Go ahead and deploy Windows with IIS and proprietary authentication instead of Apache and OpenSSL, we support you!".
No, write the damn code. That's what software freedom is about. You've missed the entire point.
Sadly, this is easier said than done. Simply getting into the Mozilla project is difficult at best--I myself have tried and failed, and no longer subscribe to the notion of "writing the damn code yourself."
Can we blame them for being ineffective at responding to new coders? Probably not. Mozilla is a massive project, and the people who keep tabs on that sort of thing most likely have more urgent things to do than respond to every newbie who offers to help out. On the other hand, the "write the code yourself" argument is arrogant and lazy, because it's not really an option for most people, even if they are willing to help and experienced coders. A better response would be that there are other things with higher priority which need doing first.
Additionally, as has been pointed out before, complete feature patches written by people who managed to get in to fix their "pet bug" often go unapplied for months. PNG alpha support under Windows (or was it Linux? I don't recall specifically) was an example for this--the patch was there for months, and the feature was continually ignored as it accumulated votes, until someone finally decided to put it in.
In the future, you may want to consider being a little bit less snide about people posting feature requests. Feature requests give a project direction, by allowing the coders to get a feel for what people would like the product to be like. Scoffing at them is intentionally ignoring the requests of your audience.
You don't have to shout, I can hear you just fine.
Seriously, you are making my exact point. This is why designers will use relative widths to ensure their content can be rendered nicely in a variety of interfaces.
My assertion is simple: the existence or non-existence of a height scrollbar should not change the relative width of the viewframe. The scrollbars belong to the application, and not the content. I don't know any designer or user who expects a scrollbar to cause a reflow of the contents, shortening or lengthening all responsibly stated relative widths by X pixels.
You are right: designers should expect the width and height to change. This is why we have used percentiles to describe relative widths to make sure things flow nicely, regardless of the interface. Having a situation where the width changes on arbitrary changes to height is, IMHO, plain stupid.
Anyway, if the history of that bug, and the conversation threads here say anything, it's that this is not one of those cases where anyone is concretely "right" or "wrong". This is a usability issue, and I would challenge the Moz team (or anyone else) to submit this behaviour to a battery of real usability tests. If it was determined that the majority of users and designers don't mind how a good number of existing pages render, then I'd reconsider.
Until then, I'm not convinced.
-- clvrmnky
I don't know how you are getting that from me. I'm the last to say I want an absolute width, and have made that clear several times. I am using percentiles to describe CSS objects which are floated left. This is pretty generic. I am not flaunting anything. I have no problem with the width changing if the container the text is in, or near, changes.
I can't put it any plainer: I object to the scrollbar, which is an application widget, counting as any width in the viewable contents of a page. If it was anything else, I'd be agreeing with you, but it is a scrollbar. I do not consider the scrollbar a CSS object around which I must flow my content. If you do, fine. This is what the bug is essentially about. Some agree, some don't.
It's pretty common to build a site with a common navbar across the top. If some of those pages happen to have a maximum height above the viewport, and some that do not, navigating between the pages does two major things:
1. Causes the right margin to jump by however many pixels the scrollbar is set to
2. Causes the hyperlink that the mouse pointer is currently under to move away from the pointer
This last is especially insidious. UIs where gestures cause controls to move away from the pointer are just bad.
From a usability standpoint, I cannot agree that this is not a problem. Scrollbars are part of the chrome, and not the content. Gestures shouldn't move the UI around in unexpected ways. An interface that encourages this behaviour is flawed.
The first item just makes Moz look unpolished, unfinished. It's a graphical browser, for crying out loud! It should look good.
It should be easy for designers to develop simple pages that do not violate good usability. It should be easy for Mozilla to render standards-compliant pages in a friendly manner.
Mozilla is the only browser that does this, AFAIK. This is not a user agent issue. It is an application issue squarely in the domain of the Mozilla presentation code. Just because we can access the application chrome with a URL doesn't mean we should, in this case.
Just to make it clear, I am not trying to establish an absolute size. I am not trying to enforce a particular width. I am objecting to 60% + 20% in a simple CSS property that is changing because of an application control, and not content. I have no problem with reflows being forced due to content changes. Scrollbars are not content. If you must disagree with me on this, so be it. Please do not conflate my issues with usability with any type of fixed or absolute positioning.
-- clvrmnky
Yes, I'll just wave my little magic pixie stick (and quit my day job) so that I'll learn how to write software. You do realize that not everyone knows the inside and outs of programming! This whole "write it yourself" philosophy is such crud ... people like you must try to remember that there's more than one kind of computer user.