Slashdot Mirror


Mozilla: The Good And The Bad

Rui del-Negro writes "According to this article at The Register, six security flaws in Mozilla were posted to BugTraq last weekend. They have not been added to the official Mozilla vulnerability list yet. But details can be found here, here, here and here (phew!). Finally, two other bugs were found, relating to loading GIF files (in several Linux browsers) and Mozilla's (JavaScript) implementation of onUnload(). Are they trying to prove they can beat Microsoft at their own game..? Or is someone just trying to win a prize?" On a brighter note, Zerbey writes "From Neil's Place here is 101 Things Mozilla can do which IE cannot. Very interesting reading and an excellent resource for convincing stubborn Internet Explorer users why they should switch. This article was also reported at Mozillazine. I'm still waiting for NTLM auth to be implemented so we can switch over at my workplace, the only reason we still have to use Internet Explorer."

16 of 541 comments

  1. Yes, I've run into some of these by PhysicsGenius · · Score: 0, Interesting
    I think we can lay the blame for Mozilla's many flaws at the feet of its Cathedral-style development model. It was basically a big company project, only they didn't pay the programmers, figuring that was enough to make it Open Source. Well sorry, Sunny Jim, that's not how it works. You need to accept bugfixes from people once in a while too.

    I tried countless times to send them patches for such egregious errors as allowing javascripted emails to both access files on the HD and automatically send out new messages but they said it was a feature people used. Yeah, used to crack machines. Idiots. I'll stick with IE if you don't mind.

    1. Re:Yes, I've run into some of these by Anonymous Coward · · Score: 1, Interesting

      How did you send in patches without source code?

  2. Re:Why users "should" switch by Thanatopsis · · Score: 3, Interesting

    Even if it is true you aren't likely to win. IE is firmly now a component of the Windows operating system. Removing it will cause the seas to boil and the rivers to run red with blood. Anyone notice that Excite is not allowing Mozilla users? I get this Error message.

    BSD

  3. Re:Why users "should" switch by Anonymous Coward · · Score: 1, Interesting

    the only way this will ever happen is if mozilla begins supporting 'enhancements' to the surfing experience that IE does not; creating their own standards if you will. this, of course, is exactly what MS has done with IE and what so many people gripe about -- compliance with their own jackass standards.

  4. Here's a productive idea for IE users.. by ABetterMan · · Score: 2, Interesting
    I've always wanted to send a message to IE users about the flaws and insecurities of their chosen browser, to hopefully open their eyes and get more people to use alternatives (Opera, Mozilla/Phoenix, etc)

    One way would be to use the browser ID to add a little 'info' strip to the top of pages, specifically for IE users. It could be just a small one-line table at the top of pages -- maybe with a contrasting background to be noticeable, and say something like:

    "Internet Explorer has several vulnerabilities that may allow others to take over your machine. You may want to apply fixes or try alternatives."

    I can't find the link to the 'master list' of unpatched IE flaws, I had it bookmarked somewhere.. But I would imagine using the browser ID string the client sends to apache, this could be done in PHP or something similar. Yeah, it'd probably be a performance hit, but for anything but the biggest sites, it might work.

    I've also noticed that some IE browsers appear to be sending the actual patch revision! Example:

    217.81.215.xxx - - [06/Nov/2002:00:00:19 -0600] "GET / HTTP/1.1" 200 34629 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; QXW0339a; Q312461; .NET CLR 1.0.3705)"

    Q312461 leads us to a MS Knowledgebase article. I've no idea what the QXW0339a is, though.

    Interesting. So one could go so far as to take the patch version off the browser ID string, check it against a database of strings, and return a comment that mentions the serious vulnerabilities affecting that version. I'd be happy to just run something that added a small tagline to the top of pages for all IE browsers, though. The more sites that did something like this, the more the word would get out. I think it'd be productive. :)

    --

    Someone you trust is one of us.
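
Added example, not part of the thread or anyone's posted code: a Python sketch of the check ABetterMan describes, run over the log line quoted in the comment. The `REQUIRED_KB` table, the `Q000000` id and the function names are hypothetical placeholders; the notice text is the one proposed in the comment.

```python
import re

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
MSIE = re.compile(r'^MSIE (\d+(?:\.\d+)*)$')
KB_TOKEN = re.compile(r'^Q\d{6}$')  # Knowledge Base id shaped like the Q312461 in the comment

# Hypothetical lookup table; Q000000 is a made-up id standing in for a real patch list.
REQUIRED_KB = {"6.0": {"Q312461", "Q000000"}}

NOTICE = ("Internet Explorer has several vulnerabilities that may allow others to "
          "take over your machine. You may want to apply fixes or try alternatives.")

# The log line quoted in the comment, host octet masked as posted.
SAMPLE = ('217.81.215.xxx - - [06/Nov/2002:00:00:19 -0600] "GET / HTTP/1.1" 200 34629 "-" '
          '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; QXW0339a; Q312461; '
          '.NET CLR 1.0.3705)"')

def parse_agent(agent):
    """Return (msie_version or None, set of KB tokens) from a User-Agent string."""
    m = re.search(r'\(([^)]*)\)', agent)
    tokens = [t.strip() for t in m.group(1).split(';')] if m else []
    version = next((MSIE.match(t).group(1) for t in tokens if MSIE.match(t)), None)
    return version, {t for t in tokens if KB_TOKEN.match(t)}

def banner_for(log_line):
    """Return the notice for an IE request, or None for other browsers and bad lines."""
    m = COMBINED.match(log_line)
    if not m:
        return None
    version, kbs = parse_agent(m.group("agent"))
    if version is None:
        return None
    # The User-Agent is client-supplied and trivially spoofed: it is only matched
    # against our own table, and nothing taken from it is echoed into the page.
    missing = sorted(REQUIRED_KB.get(version, set()) - kbs)
    if missing:
        return NOTICE + " Not reported as installed: " + ", ".join(missing) + "."
    return NOTICE

if __name__ == "__main__":
    print(banner_for(SAMPLE))
```

Tokens that do not match the `Q` plus six digits shape, such as `QXW0339a`, are ignored rather than guessed at.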
  5. I can do them! by Otter · · Score: 3, Interesting
    I'm posting this from Mozilla 1.2b/MacOS X and it's close to pushing IE off my desktop.

    But, looking over the list of 101 things Mozilla does that IE doesn't, there are plenty of things that IE does, and has done for years. (It may not do them on Windows -- I have no idea.)

    I can view cookies, block individual cookies, disable tooltips and a bunch of other things listed. I'd also argue that IE can be trivially installed and uninstalled and has a more complete, and certainly much more usable bookmark manager.

  6. How about https? by WankersRevenge · · Score: 3, Interesting

    I've been using Mozilla for over a year now and for the life of me, I still can't access anything via https. So, I have to open IE to do anything with secure forms. I've read that I must do a complete install in order for this to work which I do, but still no dice.

    Anyone have this problem?

  7. Re:Why users "should" switch by Anonvmous Coward · · Score: 3, Interesting

    "If you don't have 256 MB of RAM, but you like to have your favourite browser loaded into memory 24x7 so it pops up as fast as IE, you'd need IE removed to free the (many) megabytes of RAM it wastes."

    I'm not running at 256 megs of ram. I'm running at 128. Frankly, I don't think 2-3 megs are going to significantly improve my browsing experience. It would, however, severely impact my file operations in Windows. It'd also cause Outlook to bloat up a bit so it could interpret its own HTML.

    Sorry, not sold. IE's not my primary browser, but I have plenty of interest in not removing it.

  8. DoS'ing not very hard... by kh0ng · · Score: 2, Interesting
    This bug was reported 2 years ago, seemed to be fixed, then again seems to be still present. It refers to tables with 'colspan' Tags that have a large 'span' value. They DoS the browser and can be embedded in any HTML Source - Webpage and EMail and (perhaps) Newsgroup articles.

    On a funny sidenote, while trying to use the link above:
    "Sorry, links to Bugzilla from Slashdot are disabled."

  9. The 101 list is bullshit by bmajik · · Score: 4, Interesting

    1. You can do this by writing a 12 line VB app that embeds the MSHTML COM control on separate tab controls. Some projects already do this. (Yawn)

    5. uh, hit ctrl-H in IE6

    7,8. Hold control, scroll mouse-wheel

    17. IE does this

    22. This can be set in IE

    31. IE can do this

    46. Is this a joke?

    77. I don't buy this. IE is a ship-component of Windows XP, and thus exists in 25 distinct locales.

    97. This is just fanboyism. There is no substance here.

    101. Got me there, champ.

    These are just the things I know are crap off the top of my _head_. Why does fanboy shit like this make it to slashdot on such a consistent basis?

    --
    My opinions are my own, and do not necessarily represent those of my employer.
  10. Point 77 (Mozilla translations) is not really true by Kiwi · · Score: 4, Interesting
    The problem with Mozilla's translation method is that it is designed in such a way that a translation team has to update a translation for every single release of Mozilla. That means that if a given translation team doesn't update the translation, newer versions of Mozilla have to be used in English.

    In particular, if I wish to have Spanish-language dialogues in Mozilla, I (as of a month ago) can not upgrade to Mozilla 1.0.1 because none of the volunteer Spanish translation teams [1] has updated their 1.0.0 translations to version 1.0.1; instead they chose to direct their translation efforts towards 1.1 and 1.2.

    Compare this to AbiWord, which has a translation structure such that, if a given translation team decides that meeting girls at dance clubs is far more fun than spending Saturday night translating dialogues, the translations still work for new versions of the program. If any new dialogues appear, those dialogues will be in English until someone steps up to bat to translate them, but any unchanged dialogues remain translated.

    IE has an edge here, since their translation teams are paid; guaranteeing that any formal release of IE will be translated into all officially supported languages. The disadvantage to this is, if a given language is deemed by Bill Gates to not be worthy of translation, you have to use the application in English (or one of the other official languages).

    This structure causes Mozilla 1.0.1 to have translations available in languages like Estonian (a beautiful language [2] which has about, as I recall, 2 million speakers) but not in Spanish (which has more native speakers than English--about 325 million).

    OK, thinking out loud, it should not be too hard to set up a perl script which unzips a translation for a given version of Mozilla, compares the labels against the English version for a given later version of Mozilla, and then translates all of the labels it can; leaving the untranslated labels in English. This would be far more productive than posting to Slashdot; perhaps a Mozilla guru can tell me if a tool like this already exists.

    - Sam

    [1] There are three Spanish translation teams: One for Latin American Spanish, one for Argentinian Spanish, and one in Spain. The Argentinian is the most active group right now.

    [2] One of my linguist teachers is a native Estonian speaker; she once talked to us in Estonian to demonstrate a language learning technique.

    --

    The secret to enjoying Slashdot is to realize that it should not be taken too seriously.

  11. Re:Bug reporting? by corey_lawson · · Score: 2, Interesting

    ...but what if the bug is "fixed" by microsoft saying, "you need to upgrade to IE6"?

  12. These are only the publicly known bugs by alanjstr · · Score: 4, Interesting

    I'm sure there are security bugs in Mozilla that haven't been made public yet. That was the problem with the onUnload(). It was known about for a long time, but not until it became public did it get fixed.

  13. Open enough? by KjetilK · · Score: 4, Interesting
    Well, are they open enough? Their policy allows for not disclosing vulnerabilities.

    The main reasoning seems to be that vendors should be able to protect their customers.

    But what happened with the privacy leak recently found in Mozilla? Granted, it was a minor glitch, but it is nevertheless useful in studying how policy affects security.

    Did it help end users that it was marked sensitive? Well, Netscape knew about the glitch when they shipped their browser, yet, they shipped it. On the other hand, the leak was patched shortly after the story broke, so the answer should be a clear "No!"

    This is an example that it is not sufficient to have the sources open, you have to get some light onto the problems too.

    --
    Employee of Inrupt, Project Release Manager and Community Manager for Solid
  14. Re:Why users "should" switch by mark_lybarger · · Score: 2, Interesting

    mozilla's largest strength, like any other GNU/GPL/MPL/OpenSource application is in its flexibility and its speed to market. every day you can download a new version of mozilla, possibly with new and exciting features.

    its strength lies in its application features, not rendering differences. tabbed browsing.... it's been said too much, but it's wonderful. bookmarking all the tabs at once and re-opening them up is also an added feature to the surfing experience. it's debatable whether the "no pop-up" feature is good or bad, but i'll leave my pop-ups turned off.

    mozilla has found a way to enhance the user surfing experience without extending the web standards, something other browsers will envy. konqueror has a hard time keeping up with mozilla since it's released as part of the kde desktop (which seems to be about twice a year or so).

  15. And even if they weren't... by Alethes · · Score: 3, Interesting

    At least we know about them, and are able to fix them unlike with IE.