Slashdot Mirror
Firefox Lead Engineer On Origins, Security, And More
An anonymous reader writes "ZDNet has an interesting interview with Ben Goodger, the lead engineer for Firefox. When asked to comment on critics' claim that Firefox has a better security reputation than IE because it doesn't have enough market share to attract trouble, Goodger responded with a one-two punch. "Firefox is better designed in a number of ways -- we have no "mode" that allows untrusted content to be executed automatically, for example -- no "safe zone. Another reason -- market share does not predict security. Apache has more market share than has Microsoft IIS, which has more holes than Apache." On Longhorn, he believes it will be a tough sell for Microsoft because of backward compatibility issues."
I just had a customer tell me he deleted Firefox because the latest version of Nortons told him it was a security risk, so he's back to IE, and blamed ME for compromising his system
I wonder whether this also has to do with Firefox's more varied use. I have used it on FreeBSD, OpenBSD, Many Linuces, as well as Linux. It seems that regardless of the browser used, any of those systems other than Windows would have a better security situation anyway. While it is still better on Windows, overall, I would say, that a large amount of its relatively low rate is the non-windowsness.
sick of waiting ... cant get the boss to allow an install till its in final form!. dumb guy still uses IE6.
The Mozilla Firefox team was able to look at all the wrongdoings of Microsoft and avoid them from the ground up. Firefox is a great app and I use it everyday. I cringe when I have to use IE at school.
Microsoft could always ditch IE and use firefox code to develop their "new and secure" browser, but they've been pissing OSS for too long to take that route.
The browser wars are starting back up again. IE hasn't changed in years because it hasn't had to. Now everyone is screaming to use firefox over IE. This hurts Microsoft because they need to keep the image that they're the best of everything.
I hope firefox kills them in the browser wars. They have a better product. It was designed with usability and security in mind.
Both W3Schools.com and CNET News.com report that Firefox users make up 18% of their audience. Techie-oriented sites, I know, so doesn't speak much for mainstream, but Google was a techie-oriented engine at some point as well.
Boy I wish I had mod points. Clueless people going on about things they don't know anything about.
ActiveX is native code, essentially, specially modified DLL's that run unsandboxed with the same permissions as the parent process. This opens up all kinds of fun things you can do to someones system. On top of this interesting feature there are IE zones, which give different default execution permissions. For instance, the Internet zone causes a prompt to be shown when an unsafe ActiveX control is trying to execute. Unfortunately it is relatively easy to trick IE into thinking an ActiveX control is coming from a trusted zone, which doesn't prompt before executing an unsafe ActiveX control. And another problem is that many ActiveX controls are marked safe, but are in actuallity, unsafe.
So how is the above similar to XPI? You always get a prompt from XPI files. Even if an XPI is signed you get a prompt. What's similar?
Sorry my bullshit sensor overloaded.
Those are the type of people that made me want to commit suicide when I did tech support. :(
Joseph?
I understand what you're saying but I would wager that well over 50% of the firefox installations are on Windows machines. Remember - MS Windows has over a 90% share of the entire OS market. I know that a large portion of that market are extremely stupid people who wouldnt know a browser from their own ass, but there are a lot of smart people who do use windows you. I know, hard to believe :P
Joseph?
While, yes, always prompting is essential, as soon as FireFox gains market share into the general base of 'standard pc literacy', people are way too careless to click 'ok' to anything, and hence install/wipe/ruin their computing experience. Having a prompt is a definate edge, but I hope from your implication above that XPI doesn't let runaway extensions on Mozilla to wreak as much damage.
Whenever someone tries to claim that OSS (or Macintosh) has fewer security holes because it is less popular, we always trot out the Apache vs IIS example. But is that it? Are they any other examples we can use?
A single example is just too easy to dismiss ("Apache has uncommonly good quality control" or "well, IIS is a particularly poor example from MS, but all their other stuff is great"). Or, more flippantly, "the exception that proves the rule."
Bundling did play a factor yes. And bundling is what has kept them in the lead for so long.
But the parent is totally right in saying that Netscape 4 - 4.5 sucked donkey balls. It was slow, bloated, and incredibly hard to develop HTML for because of its goofy layers system. Even if MS had never bundled anything, I am quite convinced that Internet Explorer 4 (and later 5) would have gotten the majority market.
After that it becomes more grey. If IE had never been bundled, IE6 vs. Netscape 6-7-Mozilla is much more difficult to call.
Less Talk, More Beer.
To access this site, the minimum recommended browsers include Microsoft Internet Explorer version 5 or higher, Mozilla Firefox, or Netscape version 7 or higher.
:-)
this is the message on my companies employee website!
hey how about that -feature that allows you to show ones saved passwords if they dont have a master password set? (oh btw the master passwd being asked for every 3 seconds is frustrating) yeah i know there were other ways to do this, but theres no good reason to a user interface in firefox for it. this -feature- affects firefox1.0PR it is listed under bug 259996
Netscape made a fatal development decision. THEY CEASED DEVELOPMENT FOR THREE YEARS. Let me say that again: some PHB acquiesced to the developers' request (or decided on his own---who knows?) to allow them to start over. Oh a medium to large project, you never, ever, ever start over when market share is on the line, lest you wish to become number two or lower. And they did.
Yeah, right.
Maybe Firefox should ship with XPInstall disabled, and pop a warning explaining that it is disabled (if it is disabled) whenever an XPI is clicked. The current behavior with it disabled is to do nothing. I have only seen one site attempt to install an XPI "for me" like so many ActiveX controls that get offered to you in IE, and that will likely ramp up if Firefox becomes more common.
XPI has pretty much the same power as a runaway ActiveX control, theoretically limited to the OS permissions of the process's user. Let us not forget the numerous ways that ActiveX can exploit Windows and escalate its privilege, though.
But what makes the entire ActiveX fiasco truly horrendous is that a malicious ActiveX wont give you a prompt. If there is a prompt at least there is a good chance to avoid it. It is very difficult to build a fool proof mechanism because fools are so ingenious. There will be users who bypass safety mechanisms no matter what you do.
Sorry my bullshit sensor overloaded.
The crappy ZDNet.au site and its CSS that render text invisible.
Got Pike?
First modbombing and then bullshit. Sieg Heil Mozilla!
ActiveX is native code, essentially, specially modified DLL's that run unsandboxed with the same permissions as the parent process. This opens up all kinds of fun things you can do to someones system.
Same with Mozilla XPI. Or do you really ignorant enough to think that there is any "sandbox"?
Unfortunately it is relatively easy to trick IE into thinking an ActiveX control is coming from a trusted zone
And what if you could "trick" Mozilla in a simlar fashion? XPI then becomes the same kind of liability as ActiveX. The plain fact is that if Mozilla was really designed for "security", it wouldn't have IE-ish features like auto-installing ANY remote code. So quit the fanboy insults and bullshit, read the post, and use your puny heads.
Whenever I hear the word 'Innovation', I reach for my pistol.
Ah, low end Slashdotter; Uses insults instead of their brain.
XPI's are not "Auto-installing", they prompt you. You have to download them explicitly. ActiveX controls are embedded in the page and download automatically. Mozilla has no concept of zones so you can't trick it into thinking the code comes from a privileged zone. There is a difference between a possible bug in Mozilla vs. an intentional feature built into IE. You speculate that one day there may be a bug that allows XPI's to be installed without a prompt vs. Microsoft designing that "feature" into the system. The design of IE is fundamentally flawed where your talking about a possible bug that would be, relatively, easy to resolve. XPI's are limited to what functionality is exposed to them in the browser, another words sandboxed, where ActiveX can call ANY API function call. You can do some damage with an XPI but nothing like an ActiveX control. By the way, IE has nothing equivalent to XPI's, they are not controls, they're not tool bars, etc.
I'm a fan of Firefox because I have seen first hand the damage that can be caused by IE. I have many clients that I have had to clean up the mess that IE caused for them. I used to run IE and Opera and way back in the day Mosaic. I remember running the first beta of Netscape Navigator. In short, I have a lot of experience running web browsers. I'm not a fan boy. I know what works, I know a good design when I see one. For now, Firefox is the browser I recommend to my clients. That could change if something comes along that's better.
Spewing bile and insults won't make your argument any better.
Sorry my bullshit sensor overloaded.
This is actually a very nice illustration of the difference between XPI and ActiveX. Notice that you have to explicitly click on a link to download an XPI. This is not the case with ActiveX. Typically, ActiveX controls are embedded into the page and are automatically downloaded. Since the control is automatically downloaded, all you have to do is trick the browser into thinking that the control is coming from a trusted site. This has been done and will continue to be done because of the concept of a trusted zone. There is no such thing as a trusted zone in Mozilla so you can't elevate an XPI's priviledges that way. You actually have to find a bug, verses exploiting an existing feature.
Sorry my bullshit sensor overloaded.
Uses insults instead of their brain
:)
Right, you are a condesending ignoramous with his facts wrong. And you started it
ActiveX controls are embedded in the page and download automatically.
This is just factually incorrect. (Unless you mess with the settings, but this is also true of FireFox.)
Whenever I hear the word 'Innovation', I reach for my pistol.
Since you are so all knowing. Tell us exactly how ActiveX works and then tell us exactly how XPI works and then contrast them for us.
If I have my facts wrong tell us which facts? I have IE set to default and I view a page with an ActiveX control embedded in it, what happens? Tell us how you embed an XPI in a page? Where am I wrong? Saying your wrong and I'm right doesn't make it so. Lets see some specifics.
Sorry my bullshit sensor overloaded.
In my default settings for both Windows 2000 and XP, even before the recent SP3 and SP4 for 2000 and SP1 and SP2 for XP, Internet Explorer has always prompted me if I would like to install the ActiveX control. Always - and it has always been on default settings as well.
Check your settings, because there's something wrong there, or you accidentally hit the spacebar or Enter or hit Yes without reading the dialog box that pop ups.
That's the fact the parent was talking about.
There is a difference between installing and downloading. If you check your cache the control will be there. And just because you happened to be prompted in some cases doesn't mean you're prompted in all cases. For instance, if the control is downloaded from a site listed in your trusted zone then you won't get a prompt for the installation. The problem comes with the fact that it is relatively easy to trick IE into thinking the control came from a trusted site. This is how a lot of spyware gets installed. The individual will visit the wrong site and an ActiveX will be silently installed.
Sorry my bullshit sensor overloaded.
As I said, ActiveX and XPI are very similar, as XPI is a clone of ActiveX functionality. The difference mainly lies in the policy mechanisms, and even there they are very similar.
You make a point elsewhere that a user has to "click a link" to install XPI, so I suspect that's what you mean by "embedding". Well, a few months ago (before the whitelist appeared), there were pages that attempted to install malicious XPIs that were "embedded" (when the page loaded). I didn't View Source and see how they worked, but someone figured out how to do it.
(I suspect they used the installTrigger() javascript function in such a way to bypass normal preventions.)
Even so, getting the user to click a link isn't a huge challenge. The whitelist is a much bigger barrier.
Whenever I hear the word 'Innovation', I reach for my pistol.
Embed as in the embed tag or the object tag. That is how ActiveX objects are typically loaded in Webpages. The equivalent can be done in Javascript as well. Even if the control is not installed, the code is still downloaded.
What makes all the difference is the point that you keep glossing over. The security zones. Microsoft has built in a feature that would be considered a bug in the other browsers. The function to be able to bypass all security restrictions. This would even be a problem if ActiveX ran in a sandbox. In other browsers, a bug could (has), happened that allowed the bypass of security but Microsoft has built this feature in to the browser and since Microsoft uses the browser component in all its products, it not only breaks the security of IE but all of its products. Microsoft can't simply turn this feature off as if it were a bug. It would require a complete redesign. Notice that the other browsers don't implement this feature. There is a reason for this. This is the number one reason that makes XPI not like ActiveX.
You sound less angry in this post.
Sorry my bullshit sensor overloaded.
XPI also has no sandbox at all and can bind to all local components, "safe for scripting" or not. Once again you commit falsehoods by pointing out a problem in IE and implying that it does not exist with XPI. Good day.
Whenever I hear the word 'Innovation', I reach for my pistol.
XPI is sandboxed by the API. If the API doesn't allow it, it can't do it. ActiveX has full access to the Win32 API. There's a big difference here. I also never related "Safe for scripting" and XPI. "Safe for Scripting" is another ActiveX idiom and has nothing to do with XPI. You keep calling me a lier, among other things, but when I ask you for a specific instance all I get is "YOUR WRONG, expletive". Your simply a waste of electrons.
...?!?
Summary of conversation so far:
Nutscrape: YOUR WRONG, YOUR WRONG, YOUR WRONG, YOUR WRONG. Expletive.
Stormcoder: How am I wrong?
Nutscrape:
Nutscrape: YOUR WRONG, YOUR WRONG, YOUR WRONG, YOUR WRONG. Expletive.
How lame.
Sorry my bullshit sensor overloaded.
XPI downloads can call Win32. YOUR (sic) WRONG. Expletive!
Solution: stop being wrong all the time. (And I agree, attempting to talk to you is lame.)
Whenever I hear the word 'Innovation', I reach for my pistol.