Slashdot Mirror
Pros and Cons of Firefox Critically Evaluated?
A Dafa Disciple writes "Fred Langa of Information Week has written an article claiming to discuss the 'Pros and Cons of Firefox'. At first I was excited because I thought I was going to get to finally read an enlightening, in-depth article that critically examined the browser. I should have known better. Aside from the usual criticism of open source software, it contains a reference to a Symantec Internet Security Report which claims that more security vulnerabilities in the last six months of 2004 were found in Firefox than IE. I'll leave it to you to analyze Mr. Langa's opinion and scrutinize Symantec's study and reputation as a security software developer."
Is all the plugins, extensions, chrome, files, and settings that have to be configured after you have the Firefox browser up and running. It would be really nifty to be able to bundle all the things that I do when I install firefox into one mega "extension bundle" or some such that I could install with one click.
http://www.frontmotion.com/Firefox/
Have you tried this by chance?
I haven't personally, but I keep hearing good things about it.
Karma: Chameleon (mostly due to the fact that you come and go).
Maybe Firefox is a more stable, more secure browser than IE, but everything is gonna have its flaws. And the more people use it, the more it's gonna get targeted. This sounds kinda selfish, but I almost wish the geek crowd would have "hoarded" Firefox and kept it as their own. It's nice to give Microsoft the shaft, sure, but the more Firefox creeps into the mainstream, the more it's gonna inherently open itself up to exploits.
"I hate quotations. Tell me what you know." - Ralph Waldo Emerson
Since the article concentrated on security, but didn't mention this:
If you leave autocomplete on, Firefox will save your credit card numbers in plaintext on your hard disk.
This bug has been known about for years. They won't fix it.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
Let me put forward a little statistic of my own, gathered from what I've seen over the last few years as a network admin.
Number of computers compromised as a result of IE usage: 8 this year. Number of computers compromised as a result of Firefox usage: 0 (ever)
We see a large number of nitpick vulerabilities for open source because everyone can look at the source code and try to break it every which way. OTOH, finding exploits in IE is done by testers and hackers.
Regarding dupes, visiting Secunia shows many vulnerabilies for linux distros, but you see the same ones over and over again for each distrobution.
So while I agree that no software is perfect, and Firefox does have problems that arise from time to time, as does any software, I'll still be using the fox for my net browsing.
As for those testimonies in the article from people who can't get Firefox or Thunderbird working properly, wow. I've switched people's grandparents with no computer literacy with no problem. All I can say is that their system must be jacked up.
Before everyone starts flaming me, I'll state that Firefox has become indispensable to me now. Mostly because the RSS bookmarks, tabbed browsing, and best of all, the extensions. Dictionary search, ad-block and the spell checker have all become indispensable to me now. However explorer remains the superior browser with regard to resources and stability. If I want a fast and simple stable browser, explorer is the way I go. While Firefox is loaded with useful options, I find it interesting that I stayed not because it was technically superior to ie, but provided better and actually useful features.
You missed the point of the poster. He wasn't unhappy about the article being critical, but being very BIASED and critical. You know, it'd be like saying that Democrats/Liberals should listen to Bill O'Riley... as if he listens to the other side.
What I hate the worst is not those who are biased, but those who claim to be things like "Fair and Balanced" when it's clear they're not.
Take for example this nice strawman argument that Mr. Langa puts forth:
Which he then cuts down systematically, as if his misposed argument had any value:I can tell when people use Conversational Terrorism, and I know then that they're highly partial and unreasonable to argue with.Make sure everyone's vote counts: Verified Voting
A lot of other security/AV companies get definitions out MUCH faster than Symantec. I remember occasionally using Sophos's and other AV sites to solve virus issues becuase we didn't have the info.
Don't take life so seriously. No one makes it out alive.
Security by obscurity is no security.
No, security by obscurity provides a fairly good amount of security assuming you can keep your code secure. The benefit of open source is that you [hopefully] write better code and/or have better testing that eliminates that major security problems before it goes into production. There's been a bunch of escalation of priviledge flaws discovered in Linux in the past few months that use obscure race conditions and the like. Those would have been extremely unlikely to have been found without the source code. Read the detailed changelogs of the kernel updates - there's tons of little security flaws fixed all the time.
It's a tossup - Open source finds and fixes the little tiny bugs but you have to stay on top of the patches.
i used to favor symantec over mcafee, royally...
now i've seen reason to doubt their products. the main one i've seen come up many times is a trojan. i don't know the name off-hand. and it's with even the latest versions and definitions. you can update it today and i will almost guarantee it won't find it.
also, my other issue with their home product is that by default, it's set to try to clean the infected file. today's viruses can't be cleaned because the file is the virus. so if it can't clean it, it takes no action. that's the most absurd setting i've ever seen. they should have it set to try to clean adn then quarantine if unsuccessful. i dread looking at computers that have norton installed, you know they're infected the minute they come in.
please me, have no regrets.
Just to point out though, for the most part when any site that reads the http_user_agent header and rejects me, I just change my user agent using the user agent switcher extension, and most of those sites look quite fine.
;)
Even www.quicktaxweb.ca rejected my firefox on Linux install, but accepted firefox on Windows. Just change the user agent to appear like FF on Win and it was almost perfect.
What pisses me off most about FF is that there still appears to be a memory leak if you leave it running for a while. I frequently leave my PC on overnight, and when I get it in the morning it takes a ltime for FF to maximize in XP. Both work and home PC's show the same symptoms. That doesn't occur on my Linux boxen though.
And no, I didn't RTFA
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
Easy.
1. Dont do autocomplete (or make this a default off option) on ssl forms.
2. Credit card #'s are 16 digits with known prefixes. Detecting them isnt a difficult problem. Same with social security numbers.
He makes the argument that people who think Firefox is better believe so because of the smaller installed user base. IEusers = stupid, FFusers = smart. Therefore, of course Firefox comes off better. If Firefox had as many stupid users as IE, it would be considered as bad as IE.
I call bullshit. His own argument doesn't make sense, because then he argues that IE might have the same percentage of problems as Firefox. He's begging the question of whether the percentage of problem users is the same with each browser. What do you want to bet that someone is going to quote this article saying that "5% of Firefox users have problems! That's the same percentage of IE users that have problems!" Those are made-up numbers. He's using them as an example. He hasn't proven that they're equivalent
He also digresses, severely, into "Linux isn't really more secure." Well, actually, it is. To my mind, the worst vulnerability out there is one that allows an attacker to remotely execute arbitrary code without user intervention and without personal intervention by the attacker, either. Getting someone to type in a password is a cross-platform vulnerability. Spending a few hours individually targetting that Linux server with old updates happens (just ask me about my friend's goddam mail server). Reading email in an email client with IE-HTML-rendering -- a proven way to do this -- is pretty specific to IE.
After all, it's Windows that has spawned the Sargasso Sea of worms, viruses, Trojans, etc. etc. etc. ad infitum ad nauseum. There is a self-sustaining ecosystem of malicious code that infects and reinfects Windows. UNIX doesn't have that. Of course, UNIX is such a newcomer to the Internet that it hasn't had time to develop that ecosystem -- sorry, what did you say? I'm sure UNIX must be brand new, that's why there are so few automatic exploits, right?
Third, he thinks the raw numbers for vulnerabilities mean anything. They mean nothing, especially when you compare the different philosophies of Microsoft vs. most Linux distributions. Microsoft = admit a problem only if we have to, and then only before it's patched, and if you don't give us 6 months to patch it you're an irresponsible extortionist creep. Linux = full disclosure of every nitpicky bug anyone can think up, like the one where someone with physical access to your box can open the case and copy the hard drive! Claiming that CERT is a wonderful impartial catalogue of vulnerabilities -- when they roll over for vendors, and without mentioning their recommendation to avoid IE -- is disingenuous at best.
The real question for these security vulnerabilities is: do they matter? You can tell by identifying the following: Are they remote? How much user intervention is needed? What can happen if the vulnerability is exploited? DoS is sad but not, frankly, that big a deal. Arbitrary code execution is bad. Priviledge escalation is bad. Sniffing passwords is bad. Does the attacker need to sit there and think about your computer or can he just turn loose an automatic exploit? It might even be that IE is better than FireFox on that at the moment -- I doubt it, but it's possible. However, Langa doesn't examine the real question. It's easier to count beans than to identify them, or know how to make use of them.
His argument seems to be that since Firefox isn't perfectly secure, it's as insecure as Internet Explorer. This is a fallacy. I can't remember which one. The stupid one, I guess.
Ok, now I feel better.
Poster bias: I loathe and despise Microsoft. I think Symantic is a parasite. I like Open Software but "free as in beer" means nothing to me because I also loathe and despise beer. I think Firefox is fine on Windows but it is lousy on Macintosh. My personal favorite browser is Safari.
What I say does not represent the views of my employers, my friends, my cats, or myself.
A fully patched Internet Explorer were known to be unsafe for 98 percent of the time during 2004, while Firefox -- were "unsafe" only 15 percent of last year according to ScanIT:
S 2004&page=3/
http://bcheck.scanit.be/bcheck/page.php?name=STAT
Fred Langa, a former Chief Editor of Byte and Windows Magazine, has been covering computers since the days when 640K was more RAM than anyone could possibly need.
Wow, a chief editor for two Windows magazines. Go figure where the bias would lie.
I guess if I wrote for Linux Weekly, and published an article why Windows sucked ass, everybody should take me with great consideration because I would inherently be unbiased.
Bah.
The price is always right if someone else is paying.
"It should be no surprise that alternate browsers--or alternate operating systems, for that matter--contain flaws."
This is right after the line that says, "Six vulnerabilities were reported in Opera and none in Safari." So it basically says, "The default OS X browser didn't have flaws, but anything that isn't M$ or IE has flaws." I just don't follow this train of thought.
I also noticed that if you add an 'i' to fred, you get "fired". I hope his bosses notice the connection.
We consider IE's problem with "autodownloaders, backdoor spyware" and such, but Microsoft considers these 'bugs' as features.
If you design an application to autodownload, autoconfigure and autorun... no matter how annoying it is to everyone, it's a feature, not a bug. So, by the facts, according to Microsoft, these arn't security holes. Right?
-Oy Vey
If you want visitors to not block your ads you have to come up with a way to cripple the site if the ads are not displayed. Unfortunatly ad blocks are client side and can't always be detected by the server.
Ads indirectly cover costs (large sites get paid because they can claim X amount of people see the ads per month, not per click or per sale) and images are a very big bandwidth hog. So if a visitor doesn't want to look at ads then Yahoo saves some money by not showing images either. And as a possible bonus the web-site looks so terrible that the user stops blocking their ads just so the images load.
I havn't needed to implement it on my site yet but checking whether or not Javascript is enabled on the client side is quite trivial.
Server Side Javascript Check
Once the server knows if Javascript is disabled on the client side the possibilities are pretty endless. Most ads (like AdSense) rely on Javscript so knowing javascript is enabled is important.
Work Safe Porn
Actually IE6 has now been out for 4 years. And a person should hope that a 4 year old product that is used by millions of people everday should have the bugs worked out if it by now.
Now as far as how to compare them check out this article. It compares security on a very sound premise: If you keep up-to-date with updates how long are you vulnerable. The answer: IE: 51 weeks during 2004, Firefox: 8 Weeks during 2004.
Lets rephrase that; using firefox I was safe from known exploits 10 months last year. If I was an idiot and used IE, I was only safe from known exploits 1 lousy week during the whole year.
Which are you going to choose? Get FireFox!
Looking for a job?
Want your resume written professionally?
DON'T USE TUNAREZ!!!
the difference in usage is the Gecko engine that is loaded by Firefox.
The IE engine is loaded as a system resource, hence doesn't take time to swap in and out (the kernel can keep it from being paged out). This also keeps the memory from being reported in Task Manager.
Right now, I have the same 3 pages open in FF and IE, and FF is reporting 76MB, and IE is reporting 44MB. I have quite a bit more of browsing history in this FF session, which could account for some of the difference. I also don't have ANY plugins installed for IE, as I never actually use it.
I'm guessing that the special items in FF cause higher memory usage. Try turning off smooth scrolling (they may use a large off-screen buffer to render more page than needed)... and other non-essentials if you don't want all of the memory used.