There Is No Safe Web Browser
Michael writes "David Sheets has up an interesting article on browser security, and I have to agree with his conclusion: no web browser is safe. The article details the recent Netscape fiasco, and touches on the whole Firefox/Internet Explorer debate. From the article: 'So if it sounds as if we're all at the mercy of hackers just looking for some new challenge, that's partially true. As law enforcement officers will tell you, crime finds you if it wants you bad enough, no matter what preventative measures you take. But the vast majority of criminals have an Achilles' heel: They prefer convenience to challenge. For now, it's more convenient for them to pick on Internet Explorer.'"
As is telnetting to port 80 and interpreting the HTML in your head.
David Sheets meet lynx
Lynx meet David Sheets
Are we friends now?
While I understand the point that Mr. Sheets is making, I disagree with his definition of safe.
The implication of this article stems in the absolutes of security: can it ward off intruders or not. This is a flawed approach, and while seemingly a logical one, denounces another reality of this level of breach: the lion's share of these breaches are not of the most malicious sort (read: that stupid data miner which causes popups, search bars from hell, etc). These kinds of easily hackable sections of Internet Explorer are less prevalent in Firefox. Market forces of the sheer user base would dictate that if this were not so, more spyware would have been ported to Firefox by now. 25 million downloads, right? That's a sizable chunk for any malware vendor, or aspiring intruder, to infiltrate.
One must acknowledge the reality of security by statistics alongside security by absolutes.
The Crimson Dragon
I'd say this one is fairly safe...
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
And IE was last updated when?
MS are sinking for sitting back in the way they have \o/
David Sheets has up an interesting article on browser security, and I have to agree with his conclusion: no web browser is safe
No program that accepts input is safe. Even some programs that don't accept input aren't safe either. It is the nature of how complex software really is and how little of it we understand.
...at least not one you'd want to use. Sorry people, Linux is not "safe." Mac OS/anything is not "safe." There are a very few OSs that are pretty safe, but the only reason Mac and Linux fans can brag right now is that they're ignoring all the patches, hacks, etc that already exist for their OS of choice.
TW
I think you could easily transfer these findings into the OS world. Macs and Linux are generally safe because they are a much smaller target. It wouldn't make the news as quickly, or as widespread as it does when they hammer Windows with viruses. It is not only more convenient, but more damaging to flood Windows with viruses.
I would be willing to wager a very large bet that if Mac OS X was the industry leader there would be the same difficulties with viruses, and other criminal activities that are currently associated with Microsoft's products.
It also definitely comes down to how adept the user is too, and how knowledgeable they are in internet/computer security (such as not opening email attachments unless you know who sent it, or using up-to-date virus protection).
Lynx is pretty safe...definitely haven't gotten any spyware from it.
Water is wet ...
Short of a static html type browser, nothing will be safe until we all agree upon some standards. Listening Microsoft?
I think that this author has finally gotten it right. Note the increasing instances of popup ads that are tailored for firefox users etc.
As firefox gains in popularity, expect that the number of exploits aimed towards it will continue to rise.
That being said, the nice thing about firefox (and OSS), is that lots of eyeballs can look at, and fix, the code in a timely manner.
I'd give this article an Obvious -1 simply because it is axiomatic, and everybody should have realized by now that There is no 'safe' web browser. Especially how after it was demonstrated that a Firefox exploit allowed infection of IE when IE itself would have blocked the malware site. Cute!
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Perhaps it needed to be said, but it seems to me like this post is a statement of the obvious.
I'm sure I'll be modded down for just posting my blunt thoughts in response to the post.
so they talk about IE, netscape, and mozilla/firefox. that's 3 browsers. reeeeal thorough article.
ed
Ok... the conclusion is simple then: Monoculture is bad.
Newsflash! There's no such thing as perfect security, who would have thought it? Whether it be through a flaw in the code (which we all try to fix, when they are found), or stupid users running crap they oughtn't.
I for one use Firefox, because it is MUCH more secure than IE. It may not be perfect, but it's by far good enough for regular use.
That's like saying that houses aren't secure, even the new model homes with electronic alarm systems. No crap, but that doesn't mean sell the alarm systems and leave your front door unlocked (like IE).
-Jesse, disliking alarmist poop articles.
Nothing says "unprofessional job" like wrinkles in your duct tape.
Obviously, nothing out there is perfect...not even...LINUX! Yes, I said it, linux isn't perfect you wannabe nerds, but we shouldn't JUST be using web browsers. That's retarded. Preferably, some AV software and something like webroot's spysweeper running in the background would be perfect, I've got both of those, and it keeps me safe.
When a web browser is integrated with the OS, this greatly increases the ways a hacker can damage the system. Hence, while no browser is secure, one can be MORE secure simply because it is NOT woven into the OS. Of course, having updates frequently and being in more active development are good things as well.
=-=-=-=-=-=-=-= - The Celtic - =-=-=-=-=-=-=-=
Nothing I didn't know before!
Oh my God, what have we done? Why Lord?
Seriously, is this supposed to be news?
"I think this line is mostly filler"
Don't forget to wear a condom for safe browsing...
Like Netscape's stupidity at basing Netscape 8 on Firefox 1.0.0 when current was 1.0.4 shouldn't be used to disparage Firefox.
I'll bet my browser on OSS any day of the week. This is personal choice, but for security's sake, OSS has the benefit of being open source. It's free and open for all to see, and while that might make it easier to exploit, in my book it also makes it easier to fix. We all know there are no intentional back doors, and no malicious code segments (those of us that still trudge through the code for fun anyway).
It's firefox all the way for me.
Ever had a user download a rootkit and mess with the system?
Only a sith lord deals in absolutes. I will do what I must.
Of course there is no 'absolutely safe' browser but there are certainly 'safe' browsers.
Just write a browser to send all data to a cache location before it is displayed, like most browsers do. I suggest /dev/null for linux.
In God we trust, all others require data.
Browsers can be totaly safe, as much as I hate to say it, IE can be pretty safe too. just follow these rules:
1:USE A FIREWALL
2: update your browser
3:disable ActiveX, any site that uses it is a site you should learn to live without.
4: (the one most often broken) DONT CLICK YES ALL THE TIME, warnings are there for a reason.
5: Dont DL and run STUPID executables
Most Browsers do a decent job of protecting you fron the bad stuff, but NOTHING can protect you from yourself, short of cutting the cable, and if you do that, dont run with scisors
Dillo is a safe browser. Then again, Dillo has no CSS (not needed, IMHO), no Javascript (needed for most webmail accounts), spotty SSL support, and broken table layout (which makes designing a web page for every browser including Dillo nay-to-impossible; I just forget about making my web pages usable in Dillo; it's up to Dillo to lay out tables correctly) And, oh, it's the only browser that runs on my 486 SX/25.
-- Thou hast strayed far from the path of the Avatar.
Not on the client!!
The client should just download and draw the pictures and display the text, that's it.
We don't need all this crap like activex or javascript or flash to have a valuable medium of information exchange.
Also, harsher criminal punishments for the people who hack. Does that notion scare you?
This guy seems to think there are no browsers other than IE, Netscape, or Firefox. I use konqueror almost exclusively, because it has many advantages, the biggest being an excellent integration between the local file system and the web. My case may be anecdotal, but I have never had any problem regarding security.
This article got me thinking right away and I was trying to come up with a snarkish analogy to the car, that there is no 'safe' car (people still die, a lot) but that does not mean that there have not been vast improvements since the conception nor does it mean that a car cannot be safe when used properly under certain conditions.
But then that got me to thinking even more, there really isn't a 'safe' anything is there? So what's the point of pointing such things out?
Firefox can be the mostest secure webbrowser evar tomorrow if it wants. Just include the "su"/"runas" functionality to drop down to a non-privileged user on startup. With, say, read/write permissions to only its own directory. Done. Anyone want to add this feature request to bugzilla, or is it already in there?
This is much harder to achieve with respect to internet explorer, because it's more deeply entrenched in the operating system. Its HTML control (the actual renderer) is used in zillions of places where it shouldn't be, like in outlook (express) to render e-mail.
You need to run internet explorer as an administrator to use (manual) windows update! How lame is that?
SCO employee? Check out the bounty
A "manual" web browser is safe. That is, you print out and manually inspect all the data being transmitted, including all the HTTP headers and the what not. That way, if you see anything fishy, just burn the print out :)
Yeah, it's really hard to animate the flash stuff and streaming media though. Brings a whole new meaning to dropping frames.
'nuff said.
So rise up, all ye lost ones, as one, we'll claw the clouds.
What hackers like, among other things, is the challenge. Crashing or discovering bugs in IE is probably fun, and a lot of people get screwed. But since Firefox is open-source, when you find a security breach, it's probably as fast to fix as using it. And there will be recognition from the programming community. If you find a bug in IE, what can you do? Send an email to bill.gates@hotmail.com?
Lynx or links!
-carl
We've got computers, we're tapping phone lines, you know that ain't allowed - Talking Heads, "Life During Wartime"
::Sigh:: How do these people get jobs where they're paid a lot more than me for stating the bloody obvious.
There's no safe browser? Wow, the next thing this guy will discover is that secure software doesn't exist and that all software has bugs. Welcome to the world of software development, dude.
AFAIK, Firefox has quite good security track and fixes things fast. That's what matters. Firefox is a "secure" browser by any measurements, and unlike other browsers, they deserve the reputation they have.
And one of the reasons why Firefox has security bugs is because it's an evolving product. Internet explorer however is a 3-years-old code base which has changed almost nothing. Mozilla and firefox have been being updated for years to support modern standards etc, Internet explorer has done nothing.
(Actually, it's surprising that after so much time people still find bugs in internet explorer. It shouldn't have so many bugs left - look at sendmail, bind etc, they're crappy software from a security POV, but their code base is _so_ old that it's very hard to find more security problems. Internet explorer must be really buggy to keep such bad security track)
Why not, it's Friday. Let's jump on the far-fetched bandwagon.
You're assuming that there isn't some unforeseen exploit allowing the intruder to directly manipulate the printhead/laser/whatever. If 95% of the browsing audience used your technique, the hunt would be on. Since nobody does use this technique, nobody tries to exploit it.
It's probably a "safe" bet that no such exploit exists, but we're not talking about probability here, we're talking about possibility.
Actually, it's more secure if you travel to the server where the information is stored, remove the hard drive, and perform forensics on it to determine what the data you are seeking is.
I design user interfaces for a free network management application,
Another bozo who sees security only in absolutes. Saying that there is no "safe web browser" is like saying there's no pick-proof lock. Technically true, but should you secure your valuables with a $2 lock? Security is not about absolute guarantees, it's about making life as hard for the bad guys as you can manage. Mozilla-based browsers have security holes, but at least their designers attempt to design them with security in mind. Internet Explorer, by contrast, does not have security designed in, and has cruddy QA to boot. Which is reflected in the dozen or so reported security problems in Mozilla, and the hundreds of reported security problems in IE.
It strikes me that the turnaround time for patches to Firefox is significantly quicker than many other options. After these little bugs were found, they had patches out in short order. While it may not be impregnable, at least they are plugging the holes faster.
Why the hell hasn't someone told me! All this time I thought it was safe to click attachments, and enable activex and java script!
If you mean: ``not the easiest target for the bad guys'', then most browsers are safe, most of the time.
I'd say that any browser which consistently avoids being the lowest-hanging fruit is as close to safe as most of us need. To achieve that, all you need is a development team that emphasises security, even at the expense of convenience, and gets useful patches out, fast.
I can think of one browser with a large market share which fails both those tests, and I suspect there are several with smaller market shares which do fairly well on both those criteria.
See what I've been reading.
somebody calling BS on all the fanboi claims about their favorite products of the day. Nothing is inherently safe and still as diverse and full featured as browsers today. The technologies on which they are built are not fool proof so how could they be? Frankly I'm fed up with all the 'me too' converts telling me time and time again to switch to this or that. It's as naive as a woman running naked in the park because 'it's never happened to me'. It can, and therefore it will if you put yourself on the radar long enough.
ObResponseToTFA: Every piece of software has bugs, some serious. The key questions are:
Mozilla, Firefox, etc. still come out on top, largely because they are _not_ integrated into the OS. Their developer communities are pretty responsive to bugs (security bugs particularly) and the scope of damage related to exploits is relatively small compared to MSIE.
Surely the argument of convenience has been argued persuasively that it's flawed.
Think Apache. How many servers run that? How many exploits for that?
Now, compare with the MS server and its variants. Less servers are running it and yet more exploits.
This convenience argument is getting boring!!! Time to move on.
Actually, it's more secure if you travel to the server where the information is stored, remove the hard drive, and perform forensics on it to determine what the data you are seeking is.
PAH! That's patently unsafe. What if you crash on the information super highway and die?
There Is No Safe Web Browser
:P
Your web browser is absolutely safe as long as your computer doesn't have a network connection and you don't load any unsafe software (i.e., Windows). That reminds me of the good old days of the Altair.
Whee! Did I win?!
This confirms the position I've always held: Firefox isn't a better browser. Linux isn't a better OS. It's just that there isn't an army of hackers looking for holes in Firefox and Linux.
Yes, but that's a good thing! The more hackers checking our software the merrier. What did he expect? That one can get away with such crap like ActiveX in IE??
Cfx
You have 2 nucular Moderator Points! Use 'em or loose 'em!
without losing functions. Who cares totally safe, ourselves are the most unsafe factors.
There is a spark in every single flame bait point.
I tell my students that the purpose of security is not absolute protection -- for that, you can encase your box in cement and drop it in a deep lake. The point of security is to make it so hard for an attacker that (s)he goes hunting for a better target (easier and/or juicier). Currently (as he points out), Firefox makes it harder on most attackers, so it's the better bet for most users.
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
I love all the arguments about it being the number of systems. It is rarely about that. It is normally about what is the easiest target. The same applies to Linux vs. Windows. If Longhorn should become more secured than apple and Linux, then as the old Windows disappears, the crackers/virus writers will aim at a new target; say Linux or Apple.
I prefer the "u" in honour as it seems to be missing these days.
All these "IE vs. Mozilla" or "IE vs. FireFox" or "Netscape vs. IE" or "Opera vs. IE" discussions (pick your poison) are irrelevant.
First off, it amazes me that I have run across paranoid *NIX sys admin friends who are very mindful of what runs as "root" on servers they control but then turn around and operate day to day on Windows desktops as an administrator.
Well, gee dip sh*ts, no wonder you're screwed if rogue code enters your system.
If people used limited accounts and then used impersonation (ever hear of "runas") under Windows, all of these discussions would go the way of the dodo bird.
More to the point they would be TRULY irrelevant. Sure send me to some baddie site, won't do much on my system. Whatever malware sent down the pipe to me can't do anything to change my system (C:\WINDOWS).
This is how I operate, i.e. a limited account desktop. The admin account is just that, for ADMINISTRATION, e.g., setting up new apps.
Amazingly, this approach is "novel" among even tech types since I keep hearing these discussions even on Slashdot.
The principle of least privilege is ANCIENT. Impersonation is part of Windows. Just as it is with other OSes.
The Windows NT kernel has had security since its inception. On the file system, registry as well as synchronization mechanisms such as mutexes, semaphores, etc.
Do you want to know why MS doesn't leverage it? Cost. Plain and simple. If WinAmp (which doesn't work under a limited account) stops working for someone on account of MS automatically setting up limited accounts for people, guess who is likely to start receiving support calls? "But it always worked on Windows 9x!!!"
Yes, it boils down to money. This is NOT a technical problem. MS alongside companies peddling its wares (Dell, Gateway et al) simply do not want to deal with the potential legacy costs of supporting misbehaved apps and/or apps whose designers were myopic and assumed the ability to write to any part of the file system and/or registry.
The great thing is, even with a limited account desktop you can still readily run WinAmp. You just have to know how.
All of this seems like "rocket science" to everyone. And I guess it is, since this discussion keeps rearing its head, namely browser security. The point is, a browser is another app that inherits default credentials from your login. Don't operate as administrator geniuses (sarcasm in case you didn't figure that out).
In the case of WinAmp. I simply defined an admin account that I leverage to run that application on my limited desktop (use the command line "runas" facility or change the properties on the shortcut through the "Advanced" button). I might mention that Shoutcast servers are capable of sending URLs (think JavaScript) that WinAmp will readily execute via IE totally disrespecting your browser choice. So taking another page from what Windows has offered from the start, I changed the ACLs for the IE executable such that my "WinAmp User" has absolutely no rights to the IE executable. Not even the ability to read that file. In this manner I short circuit this potential threat vector. In addition I changed the ACLs on C:\WINDOWS and some other directories so that this "WinAmp User" could only read from these directories.
Here's the moral of the story folks, use a limited account. Plain and simple. End of story. End of this not very worthwhile discussion (among tech people).
Yes I use LINUX, I use Cygwin's X server and readily use LINUX Mozilla compliments of the latter. Not just a little, a lot. This IN ADDITION to the fact that I use a limited account for day to day activities.
I have never had spyware or a virus on my system. EVER.
-M
If everybody uses the same browser, then everybody is vulnerable to the same exploit.
So how about not everybody using the same browser? How about having a very diverse browser population? Ignoring design flaws (such as the one in IDN earlier), if all browsers were used in relatively equal proportions, it would make it at least marginally less effective to attack any one single browser.
Sure lynx is safe, but let's get serious for a moment. Does anyone think that your average user is going to switch to an all text browser that is nowhere near user friendly, lose their ability to view pictures, flash, and all the web's multimedia goodness for the sake of being safe? Don't get me wrong I have used lynx quite a bit but you won't find me on lynx when I just want to mindlessly surf and entertain myself. I want graphics, DHTML, JavaScript, CSS, and pretty layouts just as much as the next person. Call me not as hard-core but then, the whole point is trying to get your average users to use a "safer" browser right?
Perhaps the article should have concluded: There is no safe PRACTICAL browser.
0.5 percent of all web browser market share agree!
...
Plus, by turning off all those nasty things and having a non-standard browser, it's a lot harder to become infected - unless you actually click that link and save the file
-- Tigger warning: This post may contain tiggers! --
you mean frequency of vulnerability exploitation is relative to market share?! NO FUCKING WAY!! Oh man, i'm glad someone pointed this out for me. Very insightful, indeed. I mean, it's only been pointed out a few thousand times before on slashdot.
your OS shouldn't give a fat rat's patootie about anything anyone does, ever. protected memory, process management, yadda yadda, that's how you really stay safe.
- slurpee
- emilio
neurostyle dot net - it's all in your head
Silly Matrix Reference +1
My other car is a slashdot UID.
It's had a hole here and there, sure... but come on... how many hackers out there are trying to hack the Mac?
Even safer... (gulp) IE for Mac.
So.... I guess i should just change my browser identification string to say FireFox 1.04
[Fuck Beta]
o0t!
A large number of browser exploits seemed to be based on buffer overflow issues, which is a result of manual memory allocation in lower-high-level languages such as C/C++. Perhaps if a web browser would be written in a language with automatic memory allocation and management, like Java, Perl, Tcl, and the like, we would see fewer security problems. C/C++ is good for systems programming, like low level graphics and OS libraries, but I don't think it is the ideal choice in many cases for applications.
"Market forces of the sheer user base would dictate that if this were not so, more spyware would have been ported to Firefox by now. 25 million downloads, right? That's a sizable chunk for any malware vendor, or aspiring intruder, to infiltrate."
If 1 hack hits 90% of the market, spending more money to get a hack for the rest may not be worth the effort even if Firefox has as many holes as IE. Simple economics.
Vote for Pedro
I think Netscape 8's case was overblown by the media. I believe NS8's patch could have easily appeared the next day on their website, without any fuss.
It seems to me that other interests are served here; somebody may have orchestrated the "Netscape embarrassed" story, replicated it in a few places (e.g. blogs) and let it be blown out of proportion.
Before Firefox was released preceded by a veritable sea of never-ending hype it was going to be "perfect" and if you didn't exchange it for IE then you were most certainly dumb. Check out your brain at the tabs, kthx.
Now that a few million people outside of the geek circles have downloaded and installed Firefox, suddenly "there is no safe browser" and "just be careful" and if you get 0w3nd it's because you were stupid or careless or didn't patch when you were supposed to, not because the Mozilla developers shipped a browser with a vulnerability, much like Microsoft tends to do. My, how times change. Now we actually need to make excuses and hope that millions of clueless users suddenly educate themselves. No silver bullet, here. Apparently.
People who use IE and have never been affected by a vulnerability (like me) and people who use Firefox or whatever and are in the same situation are safe because they know what they're doing and have a fairly good understanding of how this inherently unsafe interface between my computer and the evil outside world works. You can use the most insecure, unpatched crappy browser in the world and still never get nailed. But now there are people using this wonder of a browser who will get nailed because they are ignorant. It doesn't matter what browser or OS they use. This was true before and after FF, and it will continue to be true until the computer truly becomes an appliance.
But my, how times change.
Microsoft says that hackers don't go after Firefox because few people use it.
Microsoft says Firefox will never catch on in any major way.
Logical conclusion: if you use Firefox, you will be safe forever.
Firefox's first major flaws turned up earlier this month. Its Version 1.0.3 exhibited at least two errors that, when manipulated together, enabled hackers access to the user's computer. The flaws prompted a Version 1.0.4, which was issued three days later. Netscape 8.0's developers, it turned out, had used components of Firefox 1.0.3 in their framework. That Firefox sported cracks in its shining veneer seemed inevitable, browser experts warned....
I'm trying to see where the problem is, especially when noting how Microsoft handles inevitable flaws that make their way into every software package.
The Mozilla team discovers flaws and gets out a new package in 3 days.
The Microsoft Internet Explorer team discovers a flaw (or more likely, is told about a flaw), and it takes weeks or months for a patch to be released.
Now, what strikes you as the more hazardous situation?
Though the focus of the article seems to be that every browser has problems, he seriously downplays Mozilla's aggressive stance on solving those problems as opposed to Microsoft.
Seems like FUD to me...
The source code for Firefox and Netscape is available. How much more convenient could it get for the hackers?
just plugging a network cable into your computer suddenly makes it "unsafe". But Mac and Linux are significantly safer, which is an important distinction.
I've been managing Macs on the network for almost a decade, and have yet to deal with spyware. Viruses, I think I've had 5 or 6 incidents, and most of those were Word macro viruses, which are relatively benign on the Mac because of the different file system structure.
I disagree due to personal experience with two former roommates of mine. After I married, they stayed on at the bachelor pad downloading Pr0n fileswapping and visiting shady websites in order to get free Pr0n. After rebuilding their Windows XP boxes once every three months, (easier on me and less frustrating than using spyware removal crap), I finally had enough and revoked admin rights to them at their own computers. All that did was expand the 3 month lifespan to 4 months before a trash, re-install was applied.
Finally I had enough. I installed Slackware, set it to boot to X, setup Fluxbox to display a menu with like 5 items on it. Browser, Email, Chat, FTP, PDF Viewer, OpenOffice. I did not give them root on the box. Then I installed Windows XP and set it to dual boot. After a week of hitting them with a figurative stick every time they booted into XP to do anything but play their games, they got the point. They use Linux for everything they do but play games, they use Windows (all patches, w/ firewall/AV) for playing their games and only playing their games. I haven't heard a complaint from them, nor have either their linux or windows boxes needed my attention to this date...six months later.
I would say that is a marked improvement. I don't know whether it's considered 'safe' or not, but my linux workstations at home running firefox don't have any problems whatsoever, and I haven't rebuilt them in so long, I can't remember.
I don't buy into the whole Linux has less marketshare, therefore it has less viruses, malware, spyware argument. While that might be true in the case of a shady ad company hiring a virus writer to hawk their product, I don't think market share weighs heavily on the mind of the case of the virus writer. Not to mention, look at the tools virus writers have under MS Windows, with VB for applications and WHS, MS might as well release Visual Virus Writer Pro, and sell it.
Talent plays a huge part in the viruses, malware and adware that are released into the wild. I'm pretty sure that the distribution of talent capable of writing these nuisances is heavily weighted to the MS side. It's just not as difficult to exploit an MS box as it is to exploit a Unix/Linux/BSD/MacOSX box. That's why Windows is under heavier attack than Unix. Except for the Ad angle, there is nothing else that points to "market share".
Be Safe! Sleep with a Marine. Semper Fi!
It's really rather sad that we've given in to the idea that writing secure large-scale software is essentially impossible. It's not. It's only impossible in the paradigm we use.
Here is how security works on every major OS and in every major programming language today:
Here's how it should work:
This is called Capability-Based Security. Hopefully it is easy to see why the latter would make security much easier to manage. If not, you can read this discussion of the concept.
CBS allows you to execute code without trusting it. In Unix, you'd have to create a new user with no permissions to run your code, which is way too much work for most purposes. In CBS, you can set up every single program to have a different set of permissions based on that program's needs. Furthermore, the program can internally manage those capabilities to ensure that only a small amount of the program's own code has access to them. Then, as long as that code is secure, the program is secure, but even if it isn't, the worst it can do is abuse the capabilities you explicitly gave it.
How does this relate to web browsers? Well, a web browser really only needs the capability to render to its GUI window, read its install files, and read/write its config and cache. So don't give it any capabilities beyond that. Voila, now it does not matter what malicious program takes over your web browser, because it can't do a thing to your system.
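As an added illustration of the capability idea described in the comment above (not part of the original comment, and not code from any browser): a directory file descriptor is handed to a component as its only handle on the file system, and can be attenuated to read-only before being passed on. The names `DirCap`, `cache_page` and `demo` are hypothetical, the files are constructed in a temporary directory, and Python itself does not stop the component from calling `open()` directly, so this shows the discipline rather than OS-level enforcement.

```python
import errno
import os
import tempfile


class CapabilityError(PermissionError):
    """A request fell outside what the capability grants."""


class DirCap:
    """Hypothetical capability: authority over the files directly inside ONE directory."""

    def __init__(self, path, writable=False):
        # The path is resolved once, by whoever grants the capability.
        self._fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY)
        self._writable = writable

    def read_only(self):
        """Attenuate: derive a weaker capability to hand to less trusted code."""
        cap = DirCap.__new__(DirCap)
        cap._fd = os.dup(self._fd)
        cap._writable = False
        return cap

    @staticmethod
    def _check(name):
        # Single path component only, so no name can walk out of the directory.
        if name in ("", ".", "..") or "/" in name or "\0" in name:
            raise CapabilityError(f"{name!r} is outside the granted directory")

    def _open(self, name, flags):
        self._check(name)
        try:
            # O_NOFOLLOW refuses a symlink planted inside the directory.
            return os.open(name, flags | os.O_NOFOLLOW, 0o600, dir_fd=self._fd)
        except OSError as exc:
            if exc.errno in (errno.ELOOP, errno.EMLINK):
                raise CapabilityError(f"{name!r} is a symlink") from exc
            raise

    def read(self, name):
        with os.fdopen(self._open(name, os.O_RDONLY), "rb") as fh:
            return fh.read()

    def write(self, name, data):
        if not self._writable:
            raise CapabilityError("capability is read-only")
        flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC
        with os.fdopen(self._open(name, flags), "wb") as fh:
            fh.write(data)

    def close(self):
        os.close(self._fd)


def cache_page(cache, key, body):
    """Stand-in for browser cache code: it receives a capability, never a path."""
    cache.write(key, body)
    return cache.read(key)


def demo():
    """Grant a cache capability, then try to step outside it three ways."""
    results = {}
    with tempfile.TemporaryDirectory() as home:
        secret = os.path.join(home, "secret.txt")      # constructed sample file
        with open(secret, "w") as fh:
            fh.write("private")
        os.mkdir(os.path.join(home, "cache"))
        cache = DirCap(os.path.join(home, "cache"), writable=True)
        weaker = cache.read_only()

        results["roundtrip"] = cache_page(cache, "index.html", b"<p>hi</p>")
        results["ro_read"] = weaker.read("index.html")
        os.symlink(secret, os.path.join(home, "cache", "link"))

        attempts = {
            "dotdot": lambda: cache.read("../secret.txt"),
            "symlink": lambda: cache.read("link"),
            "readonly": lambda: weaker.write("evil.js", b"x"),
        }
        for label, attempt in attempts.items():
            try:
                attempt()
                results[label] = "allowed"
            except CapabilityError:
                results[label] = "denied"
        weaker.close()
        cache.close()
    return results


if __name__ == "__main__":
    print(demo())
```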
I just wrote a little HelloWorld.cpp to demonstrate the problem to admins of a cluster on our campus. Basically, there was a problem in <ostream>. (Interestingly enough, the problem could be "worked around" by using <iostream>.)
Ben Hocking
Need a professional organizer?
Please, halt the "swirving" of your vocabulary and don't write with all capitalized letters. "DL" is not a verb. Executables can not be stupid per se; stupidity refers to a lack of intelligence or pointlessness, neither of which apply to the programs of which you write. If you do find a pair of "scisors", try cutting out a few commas from that last sentence.
Konqueror mostly, Mozilla on occasion, Firefox on lesser occasions. I tend to like the swiss army knife abilities of konqueror (ftp, fish, far better tab control than Firefox without installing extensions, overall integration with kde, etc) over Mozilla and Firefox. I guess I pick Mozilla over Firefox because of composer and I'm just used to Mozilla a lot more than Firefox simply due to familiarity and length of use.
What I can state is that since I've been using Konqueror (khtml, like Apple's browser) on Linux, I've never had an issue with spyware or adware. Never. I've never had a problem with security, even though there have been security alerts for konqueror as well as the other browsers. Konqueror makes it simple to surf without images turned on (one button click on top of window without going into drop down boxes to turn images on), makes it simple to surf without javascript turned on (simple and fast two step process to turn it on for a web site, can specify in settings which web sites to turn on javascript by default if needed regularly), and makes it a satisfying all-around experience in using the web.
I help adjust/maintain/bugfix windows for another user and I just can't understand how windows users can possibly put up with the spyware/adware. Taking a look at server logs, I can't believe how many people's browsers are infected with FunWeb, something else "Fun", and other spyware.
If you are a windows user, do yourself a favor and visit a friend's website (after alerting them) and ask them to send you a copy of the log entry from your visit. If your browser is infected with spyware, it just may show up as part of the browser identifier.
The ability of spyware/adware to infect a windows computer is a serious security problem. If you've been infected, you are running a system that is insecure. Please re-read that last sentence. If you've been infected with spyware/adware, you are running a system that is insecure.
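The log check suggested in the comment above, as an added example that is not part of the original post: it parses web-server access lines in the combined log format and reports clients whose User-Agent carries an add-on token. The sample lines are constructed, and the only marker used is the "FunWeb" name from the comment.

```python
import re
from collections import defaultdict

# Apache/NCSA "combined" log format: the User-Agent is the last quoted field.
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"\s*$'
)

# "FunWeb" is the marker named in the comment; add tokens from your own logs.
MARKERS = ("funweb",)

# Constructed sample lines (documentation-range addresses, invented requests).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Jun/2005:10:01:22 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts)"
192.0.2.10 - - [12/Jun/2005:10:01:23 +0000] "GET /style.css HTTP/1.1" 200 812 "http://example.org/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts)"
198.51.100.7 - - [12/Jun/2005:10:02:40 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4"
203.0.113.5 - - [12/Jun/2005:10:03:05 +0000] "GET /funweb-removal.html HTTP/1.1" 200 900 "-" "Mozilla/5.0 (compatible; Konqueror/3.4; Linux) KHTML/3.4.0 (like Gecko)"
this line is not in combined format
"""


def agent_tokens(agent):
    """Return the ';'-separated tokens inside the User-Agent's first (...) part."""
    comment = re.search(r"\(([^)]*)\)", agent)
    if not comment:
        return []
    return [tok.strip() for tok in comment.group(1).split(";") if tok.strip()]


def scan(lines, markers=MARKERS):
    """Map client address -> add-on tokens seen; also count unparseable lines."""
    flagged = defaultdict(lambda: {"tokens": set(), "requests": 0})
    unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        entry = COMBINED.match(line)
        if entry is None:
            unparsed += 1          # keep count instead of silently dropping
            continue
        # Only the User-Agent is inspected, so a marker that merely appears
        # in the requested URL or the referer does not count as a hit.
        hits = {tok for tok in agent_tokens(entry["agent"])
                if any(mark in tok.lower() for mark in markers)}
        if hits:
            record = flagged[entry["ip"]]
            record["tokens"] |= hits
            record["requests"] += 1
    report = {ip: {"tokens": sorted(rec["tokens"]), "requests": rec["requests"]}
              for ip, rec in flagged.items()}
    return report, unparsed


if __name__ == "__main__":
    print(scan(SAMPLE_LOG.splitlines()))
```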
" would be willing to wager a very large bet that if Mac OS X was the industry leader there would be the same difficulties with viruses, and other criminal activities that are currently associated with Microsoft's products."
It is not the industry leader, so there are not these problems. This means that for any given individual, OS X is a safer choice, and is likely to remain so for the foreseeable future.
Why even bother talking about this hypothetical? By the time OS X is the industry leader, if ever, Linux will be ready for the desktop, and there will be about fifty different interoperable systems. This will probably bring virus activity below the critical point at which a single virus attack can bring down a quarter of the internet, and cause a billion dollars in damage.
The problem is that with 95% of the market unified, it's worth writing viruses. If everything had 25% or less, they wouldn't spread so fast, they wouldn't kill so much, and on the whole they'd be much less tempting to make.
In the meantime, stick with a minority player that's easy to use and *you* will be safe.
-Waiting
-Rebooting
-CLICKING "YES" or "OK" ON STUPID REQUESTERS THAT SERVE NO PURPOSE WHATSOEVER.
When using windows, one very quickly develops a habit of clicking OK or YES every time some stupid fucker pops up just to get rid of it and continue trying to use the friggin puter.
God damn I hate those stupid alerts, reminders and other forms of user harassment. Focus stealing, mega-annoying friggin useless requesters - the Windows way! I was happily typing the last page of this 20page document when the fucker decided it's a good time to pop up stupid shit asking whether I'd like to reboot now (OF COURSE NOT! WHO WANTS TO REBOOT THEIR PUTER? YOU TURN IT ON, YOU TURN IT OFF; REBOOTS ARE SILLY BULLSHIT) - and the requester stole focus, and had [YES] as default. I hit enter at end of line and VOILA! The Windows way! I'd pay for the privilege of stabbing the fucker who invented those requesters to death - with a SPONGE, so it would take longer.
M$ should replace all those fucking "Do you want to reboot now"-requesters to "We know you don't want to reboot now but you're gonna have to anyway! Now bend over [OK]".
It's better to silently fuck up than to let the user decide whether to fuck up now or whether to show another fucked up requester 1 minute from now asking the very same thing.
This message must have broken some F-word record but fuck, I hate windows.
'Once scientists, even the dim-witted social scientists, get muzzled, the Western Civilization is finished.' - oldhack
Fact is IE has more penetrated holes than a French whore in Afghanistan. In contrast, Firefox has shown two possible vulnerabilities that were fixed within 4 days. Sheets uses the latter as proof that FireFox is as vulnerable as IE. What a lamer.
You have been accused of and hereby been found guilty of the crime of FAGGOTRY. You must be and will be thrown in jail, where you will be anally violated at all times. NOW!
I telnetted to port 80 once, and interpreted the HTML in my head.
Unfortunately there was an infinitely recursive Java script function on there.
I'm still not quite myself.
The Internet is full. Go Away!!!
Ways to browse safely:
1) Use a browser that has no design or implementation bugs. Not gonna happen with any modern full-featured browser.
2) Browse in a "disposable" sandbox environment - possible with adequate firewalls, but not going to happen on most home PCs any time soon.
3) Browse in a read-only environment, with output limited to the screen, legitimate requests for web pages, and temporary disk space. A firewall will need to reject any illegitimate port-80 outbound traffic. This is the best solution for kiosks.
Even these conditions aren't immune from server- or DNS-level compromises to hostile fake web pages that trick users into revealing personal information.
#2 is the most realistic medium-term home-user solution - the OS should put the web browser in a "jail," restrict its network permissions, and only let it and its helper programs read and write to certain directories while browsing, limit CPU utilization, and otherwise protect the machine. Configuration changes and other "out of jail" activities can be done by an auxiliary special-purpose (less code = less chance of bugs and general weirdness) process in a separate memory space. Jails should be easy to "terminate with extreme prejudice" should the need arise.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
there's NO WAY I'm going to code for your whacked out HTML rendering too.
That's one serious difference, you can turn off Java and Javascript in all the browsers, but when you do it to IE, you kill all the other Microsoft apps that also use scripting, which leads you to turn it back on and leave it.
Bavarian Purity Law of Rice Krispie Squares: Rice Krispies, Marshmallows, Butter, Vanilla.
How safe is Linux? A dedicated hacker on a mission could take down my system within an hour. But that's different to Windows, which doesn't even require a person, it's all automated. Just visit a dodgy website or open an email or talk to someone over IM.
I'd still say the biggest danger to my fc3 box is myself. Yesterday I ran rm * in my home directory (since then I have set some safety aliases in my shell) and last week I formatted one of my hard drives, forgetting that I had yet to back up its data onto the other one.
The FIRST aspect of "security" is limiting the avenues of attack. You sort of touched on that, but I'll say it explicitly.
If FireFox doesn't run ActiveX, then that is one avenue that is NOT available for an attack.
As others have pointed out, lynx is very secure and that is because it completely blocks so many avenues of attack.
Exactly. Now, from TFA:
If they say that, then they are wrong.
Look at the typical junkie on the street. He'd be happy to rob a bank. But the bank's security system is beyond his capabilities to SUCCESSFULLY attack.
So he picks easier targets with LOWER payoffs (mugging pedestrians).
Which brings me to the SECOND aspect of security: Build the defenses on the available avenues to defeat the attacks.
Sure, there are criminals out there who can pick any lock and defeat any alarm system. But they are very few and very far between. The odds that you, specifically, will be targeted by one of them are less than the odds of you winning the lottery.
So, contrary to what TFA says, crime will NOT find you if it wants you bad enough. It has to want you bad enough AND be intelligent enough AND be skilled enough.
Sort of. More accurately, they're lazy. The "vast majority" will NOT spend time and effort to learn how to bypass alarm systems. If there's an easier target, they'll go for it.
If your (and your neighbor's) defenses are more than they can bypass, they'll leave the area.
No. While it is more "convenient", that is NOT the reason that IE is subject to all the attacks.
The reason is that the level of skill/intelligence required to successfully attack IE is SO VERY LOW. ANYONE with a bit of programming skill can write an exploit for IE.
Sure, any junkie can get a knife, and a knife is good enough for a mugging. But that knife isn't going to get you very far in a bank robbery.
Again, it isn't about the POTENTIAL targets.
It's all about the AVAILABLE targets in your SKILL RANGE.
Which is why Open Source has such a great security rep. There aren't any market forces or deadlines to deal with. It's ready when it is ready.
This gets back to your statement on statistics and "the absolutes of security".
Sure, my system is vulnerable.
An attacker has to get to Seattle.
And into the office building.
And disable the cameras.
And disable the alarm system.
And break into the office.
And blow the server room door.
And then steal the server.
I'm not losing any sleep.
The author of TFA has some good points, however in the long run I think he's missing what *could* actually count.
Gecko does better with standards than IE - with pressure building for standards compliant pages, the door is opened for any number of standards compliant browsers to hit the market, which in turn allows for a wider selection of operating systems to become viable.
Crackers find themselves dealing with smaller and smaller user bases that are in better positions to jump ship if their particular OS/Browser combo isn't secure enough. Basically, the whole system becomes more diverse and more adaptable, and you can't realistically argue that this is bad for overall security.
Sorry but that's all you're spouting.
I use my machine for games which means I need every ounce of performance I can get out of it and EVERY SINGLE UPDATE from M$ *slows* your machine down. It's a bloated o/s at the best of times and frankly I don't like the idea that I need a 3.2Ghz dual-core Pentium just so I can run sodding Calculator with a decent response time.
So the point about updating your browser is a load of bollocks coz IE is tied in too closely with the o/s. I can't update the browser without bloating the o/s further which means I need to upgrade my hardware if I want to enjoy a sustained performance in games, and frankly I ain't got the money for that.
For the home games player M$ is an expensive option and as my IQ is in triple digits consoles simply don't interest me.
Now, while we can say that, no matter how unsafe it is to climb the Himalayas in beach clothes compared with staying in your house (a meteor could fall on you, after all), you are never completely safe, these are very different kinds of probabilities, and experience tells us that on average you are far less safe playing with MS IE/Outlook/Windows than with Firefox/Opera/Thunderbird/Linux.
It's at times like this that I remember what Ben Franklin said:
"They that would give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety."
In short, if you're ulcer-inducing afraid of your computer being "insecure" when you take it out to the big wide world, then don't use your computer at all. Go worry about something else and leave more bandwidth for the rest of us.
Sure send me to some baddie site, won't do much on my system. Whatever malware sent down the pipe to me can't do anything to change my system (C:\WINDOWS).
It still can transform your machine into a zombie host spreading spam and performing DDoS attacks. Or change some numbers in your precious documents. Or insert a backdoor into the piece of code you just wrote.
The "Don't work as superuser" doctrine is often greatly overestimated.
OS Reviews: Free and Open Source Software
First, I don't know that many Mac users who "brag" about not having all the security problems that Windows users have to confront. As someone who uses Macs, Windows, and Linux, I'm happy when I don't have to screw around with security-related issues, and what I find is that occasionally I have to deal with a security issue on my Linux server. I have to deal with all manner of crap with Windows, and I simply periodically update OS X using software update.
So far in twenty years of using Macs, I've only had one security problem. An OS 8 machine I was using at work caught the Stoned virus. Come to think of it, over the years, I've also had one or two Word macro viruses that forced me to install Microsoft's macro-scanning software. That's it.
Bragging about using a computer that has fewer security problems would be like bragging about the off-the-showroom-floor car you just purchased. You didn't make it, you just bought it.
So I'm not bragging when I say that in my experience Macs allow me to focus on working with my computer, rather than on security problem after security problem. In general I have to spend more time dealing with security issues on the Linux server than with my Mac, but I still spend easily five times as many hours each year with Windows as with Linux.
Read the EFF's Fair Use FAQ
An interesting concept to do exactly what you describe in #2 - create a sandbox to trap all the nasties.
The safest web browser is the one nobody else is using.
Isn't this missing the point? Just because the Windows/Firefox combination has some insecurities does not mean Firefox is equally insecure on Linux/OS X. How can it be? The exploits attributed to Firefox so far are largely confined to the Windows platform. That's the real issue. I'm tired of listening to claims that OSS is insecure simply because there are problems with the Windows version. OSS should be evaluated in its natural environment - Linux/*BSD/OS X.
What about lynx?
You see? You see? Your stupid minds! Stupid! Stupid!
Note the increasing instances of popup ads that are tailored for firefox users etc.
With Firefox and Adblock, I guess I must have missed this exciting development.
But at least there are more secure http://www.mozilla.org/products/firefox ones...
Insanity: doing the same thing over and over again and expecting different results.
Anyone having problems with FF's popup blocking being too restrictive?
I usually avoid sites that use them, but a lot of the sites I visit that have a "click for newwindow/popup" don't work most of the time. I have to boot up Opera to get them to work.
Even giving the sites permission seems to do squat in solving this problem.
What about human mind vulnerabilities? Like DOS by too complex html, various dizzying ascii image patterns? Let alone vulnerabilities in telnet?
http://www.pinetreeline.org/photos/pagwa/pagwa109.jpg
They prefer convenience to challenge. For now, it's more convenient for them to pick on Internet Explorer.
It's not really a question of convenience, it's that Internet Explorer is on a majority of Windows systems. If you're a criminal trying to exploit a browser vulnerability, wouldn't you pick the most-used browser? It's a better return on investment.
Because only Sith speak in absolutes!
No matter what type of car you drive, you're still vulnerable to accidents.
but some are safer than others.
I used to have adblock installed and loved it, but it stopped working when I upgraded to FF 1.0.4.
The adblock page says:
Requires: Firefox: 0.7+ - 1.0
And it won't install on my FF.
I think this is a MAJOR issue that FF is going to need to address. Every time I update my FF, about half my extensions stop working and don't have updates that match the latest FF version.
A dog is a great deterrent for this 5 minute rule.
peace
michel
just like there's no safe condom....even the best will break some times....it's just a matter of using one that doesn't already have a gaping hole in it.
And your practice was sooooo easy. We all know that everyone wants to know what an ACL is, what the difference between a privileged user vs. a nonprivileged user is and why they should get into the (additional) practice of using RUNAS, or hell, what mutexes and semaphores are, much less what the registry entails. You know what? I understand all of this, but I do NOT expect everyone else to. Thus, you, my friend, are a certified computer weenie. 99% of the rest of the population (aka "the ones that this shit is supposed to be set up like this out-of-the-box for") do not give an effing shit. They just want it to "work". They have jobs, that entail them to know and understand other realms of knowledge and experience. You shouldn't need a CCNA or an MCSE or 10 years of computing experience to f*ucking just run a program securely that happens to need privilege for some stupid reason.
I prefer the OS X approach (and hey... weenie to weenie, I recommend you check it out if you haven't... hey, 10.4 aka "Tiger" has ACL's now!). When a process tries to access a directory it isn't permissioned to (and it's not permissioned to out-of-the-box!), the OS itself throws up a privileged user auth window. What a novel f*cking idea. This, coupled with Little Snitch (a VERY nice third-party util that allows you to control ALL outbound internet traffic from your machine... only processes you allow out are let out, and you can allow by port, by protocol, by destination, temporarily, etc. etc.), means that I always know I have ultimate control over ANYTHING an app can do to my data (or my privacy).
There is a filter for Proxomitron that stops pop-unders. Since Proxomitron's matching rules are regex-based, I imagine it could be adapted easily enough into a script for the GreaseMonkey extension.
The pop-under filter is included in this batch of filters: http://www.scriptdungeon.com/script.php?ScriptID=
Is anyone aware of any Safari (OS X web browser) vulnerabilities, especially exploited ones?
I think the fact that OS X throws up an auth login whenever any app tries to access a directory that the current user doesn't own, pretty much makes casual takeover difficult, even by an insecure web browser...
Jeez, all the internet needs is another damn article suggesting abstinence is the only safe method.
-AC
Focus stealing, mega-annoying friggin useless requesters - the Windows way! I was happily typing the last page of this 20page document when the fucker decided it's a good time to pop up stupid shit asking whether I'd like to reboot now
And of course, you saved at least 19 times along the way. Saving changes regularly is a good idea no matter how reliable your operating system and application software are, as at some point, the power company's uptime becomes a limiting factor.
If there was an easily exploitable flaw in FireFox that allowed crackers to capture people's bank account info or credit card info, the crackers would be all over it.
25 million accounts, even at $100 each is still over 2 billion dollars (25,000,000x$100 = 2,500,000,000).
And $2.5Billion is enough to interest any cracker/criminal.
There is no 100% safe browser, nor will there be. The question is how fast you fix the flaws discovered. In this article based on facts you can see how long it takes for MS, Mozilla and Opera to fix known security flaws, and then you can figure out what is the safest browser.
While I agree completely with the "nothing is 100% secure" paradigm, I still see a big difference between IE and FF. AFAIK, the IE security paradigm is based on relying on the user to choose its own "level" of protection (i.e. Discretional Access). Sure, you can use "group policies" or even the IEAK to minimize the risk of the user screwing itself by placing a malicious web site in the wrong IE security zone ... but this implies the use of whatever resources are necessary.
OTOH, FF has a "built-in" security design that offers a much more robust approach to protect the user from the Internet's risks.
Is not this somewhat (very loosely, though) equivalent to the "Orange Book" classification for Computer systems???
Just my two cents ...
...roll over and play dead then whine about nothing being safe, do nothing about it and rock yourself to sleep at night while whispering "the boogey man's out to get me" in your nice padded cell while waiting for the nice man with the big needle.
These posts express my own personal views, not those of my employer
This has been pointed out before regarding Windows: a homogenous environment can be dangerous.
As browsers come closer to matching each other's features, the more homogenous the environment is. If all browsers supported JavaScript exactly the same (and I realize that's highly unlikely), flaws that affect one would affect them all.
The various specifications are still evolving. It seems naive to believe that there won't be flaws in the specification which, even if implemented correctly, wouldn't be noticed and exploited until someone looks at it slightly differently. Consider pop-ups, for example. Firefox, et al., defeat them by deliberately breaking the specification (and thank you Mozilla Foundation so much for doing that).
+ Downloads from download.com and possibly other download sites
+ Downloads directly from FTP mirrors
+ Linux distributions that provide Firefox
+ Distribution via CD or SD card or USB stick, ...
+ Countless other possibilities, such as downloads from localization homepages
+ Slashdot's I'm-not-a-script-confirmer is annoying as hell
https://bugzilla.mozilla.org/show_bug.cgi?id=45375
I would say more hackers have a field day looking for bugs using code analysis programs etc. Which ain't that easy with IE.
It's all about minimizing risk. Choose the one that is less likely to slide off your dick, have a hole torn in it, or least likely to be a party to your own anal rape. Choose carefully, choose wisely, and remember past experience counts.
Join the Slashcott! Feb 10 thru Feb 17!
There is such a thing as safe programming.
There are safe languages.
There exist formal methods.
There are best practices in programming.
There exist tools for source code verification.
If you program and don't care about any of these things, hey, guess what - you're 20 years behind in your programming practices and your reading list. Even if you program in C, you can adopt better practices (*).
90% or more of the problems related to software security spring from C/C++ hacking without any method of program verification for correctness. Just read a security site vulnerabilities list.
If only people were to program medical, military and aerospace software like Firefox or IE programmers, then we'd all be dead one way or another by now.
(*) see OpenBSD for instance and compare their security advisories with Linux or Microsoft.
PS: Just one such example of a little used tool: CIL - Infrastructure for C Program Analysis and Transformation
Main difference between the BSD license and the GPL license: one is from California and the other is from Massachusetts
The feature article is from the mainstream press. The author has basically come to the realisation that there is no such thing as 100% secure/safe web browsing. This is something all competent IT professionals know--in fact the only "safe" computer in terms of security is one that is never connected to a network and is not physically accessible to anyone but yourself (pretty much impossible to do of course). Any IT professional who believes otherwise is not competent in computer security.
There are degrees of "safeness" however. Rationally explaining this does not pull in readers of the mainstream press of course--the local news knows being a bit more alarmist than required will boost ratings. The fact is that IE and Microsoft Windows are architecturally flawed. ActiveX objects, BHOs and the like in IE grew out of ancestors like COM, OLE etc, which have roots in the Windows 3.x era when the Internet was not even on MS' radar (remember as late as the end of 1995 BillG thought an MSN based on its own proprietary infrastructure could compete with the open standards of the Internet). As a result, the components that make IE powerful are wholly unsuited for a networked environment. Windows XP/Server 2003 have stable VMS-inspired underpinnings that make them acceptably stable, however for compatibility reasons and due to MS culture it retained higher-level interfaces and deplorable security model of DOS/Win3.x/9x/Me.
By contrast, the Mozilla team threw out the unmanageable legacy Netscape spaghetti-code and re-architected from the ground up at a time when there was already a good deal of awareness of internet security. Linux and MacOS X are rooted in UNIX heritage. Although it has a longer history than MSDOS, UNIX was designed from the start for a networked environment. The combination of these browsers and OSes are thus inherently superior regardless of their marketshare because their very foundations are better.
Microsoft can build the biggest, deepest moat around its house, put bars on the windows and doors, and add a layer of brick to the walls, but the creaky foundation will still crack, shift and leak and allow toxic mold to creep in. The F/OSS house may need repair from time to time, but it is much less likely to be condemned for sitting on crumbling footings.
We have SELinux. But we don't use it where it is of most use: securing web browsers and, in general, all network clients (ICQ, IRC, ...). Look at firewalls available on Windows PCs: they let the user choose if he wants an application to be allowed to connect to specific sites. Why don't we use SELinux to do that under Linux?
And when it comes to browser security: why don't we integrate Firefox with SELinux? Each time Firefox connects to a site, its security domain gets switched! Browser bugs could not do any harm any more...
What about Konqueror? Doesn't seem to be as targeted as Firefox or IE. Are there any more recent vulnerabilities than this one? http://secunia.com/advisories/13586/
Even an unsupported distro of redhat 9 has held its own.
Note autohacks are far harder on linux.
If I hack into a linux box through a service, it normally does not provide complete system access.
So a second hack is required to get control.
Hack a windows service and you normally have the system because they don't have controlled system.
By the time linux gets as many systems as windows I would not want to be the hacker attacking it.
selinux keeping an eye on every daemon(server in windows terms).
Solid Firewall. And no direct run of programs inside email.
Basically Microsoft is caused by missing features.
I'd maintain that, yes, that is a bad idea. And I'm a KDE fan, to the point that I'd probably install it on windows if I could and mac if I had one.
Using your file browser as your internet browser opens you up to spoofing if nothing else... i.e. a web page that looks like a local folder with some executable malware in it is more likely to get run than malware on a web page. Simple social exploit.
Let's keep the web in a nice sandbox, with clear lines between it and the rest of the system.
It's always a cat & mouse game. Secure thing, exploit found for thing, secure thing etc.
If it were not, security would have been solved and the entire concept wouldn't exist anymore. Or...maybe we're about to achieve it? Wait...I've got the fix! I'm rich....I'm rich!
Security gets good, exploits are found...rinse wash repeat. All we can do is get better at rinsing and washing.
What we measure is not whether one is secure and the other not, but whether one is set up to be less easily exploited and more easily fixed, and then fuzzies like whether the organization is committed to security, able to respond well etc. etc. etc.
This one is valid as-is in 8 languages.
...when you're writing a game...tweak the difficulty of "Easy" to something [your mother] can cope with. -- onion2k
Bah, I figured it out, it was TabBrowser Extension's "fault." I don't recall if it prompted me or if I updated and it didn't let me know, but its aggressive popup blocking features must have got turned on.
I just wanted to see if anyone else was having trouble with sites such as this one and its second example ("Script Extra - Script to facilitate opening windows.") or have some custom javascript window thing.
Has anyone else noticed the frequency of these articles? Now that there is a serious contender to IE, suddenly I see all these articles how "no browser" could be secure. Just this month there was a pretty big column in PC Magazine about how using Firefox "just isn't enough" for your web browsing security. My problem with most of these articles is they seem to ignore what a leap forward Firefox is and was. As in, "eh, why bother changing from IE, Firefox isn't fully secure" instead of "use Firefox because it really is more secure, but also do this and this." I don't know that Firefox is going to gain much more marketshare with these silly (and really, very odd) trains of thought. If it's better, it's better. And then there is the openness, which if you listened to some writers (eh, PC Mag) doesn't add any value what-so-ever.
Posted by yintercept - "...science...[is] the study of the 'divine creation.' "
In a dangerous environment, the safest and most survivable are those who are most flexible and adaptable.
Right now Firefox rules this...
open source, extension capable, highly customizable, bleeding-edge development... Microsoft Internet Explorer can't even hold a candle in the dark to this. [what a cool analogy hm? :)]
Another aspect of keeping something secure is keeping it simple. The more unnecessary features and bloat that come with the browser, the more angles the hacker has to exploit you. So use something that will let you turn the bad stuff off. Easy peasy.
Firefox is grand. I can strip it down, streamline it, and if I want... configure it to the point that only HTML displays (no Java/Javascript, ActiveX, or other controls), and keep it fully up to date. Features and functionality are fully under my control. The extensions are excellent at getting rid of ads (adblock), even formatting the raw HTML to my liking. You can hack it, squeeze it, do whatever you want with it and no EULA, or closed source BS is going to keep you from doing what you personally want to do with it. Firefox for the win.
and has been for years. I haven't had a security issue hit me in the browser since I switched to opera, and have had both mouse gestures and tabbed browsing for about a couple of years now. Really makes me wonder about all those ie users going bananas about this new thing called "tabbed browsing"...
:)
Yes, I understand that fewer people use opera - but that's *your* problem to deal with. It's safe for me and anyone I've recommended it to so far, and that's all I care about.
Why do people always use the argument that not many people use it? That is *precisely* the reason I do! I've always loved Opera's features, but I love the security even more. I think it's completely arbitrary that "not enough people use it" to create/find security holes. Again, it's safe for me, that's all I want.
I have been using this for a week and it works great. I have gone back from Firefox to IE. However, I do wish they would make a Firefox version.
http://www.download.com/SpyWall-Anti-Spyware/3000-8022_4-10399287.html
We have developed a small program that works within both IE and FireFox that protects you completely. It's not a browser - but we are currently working on a FireFox based Browser version of the same software (using the Gecko engine). So you would be protected at all times. You can see it here... http://www.download.com/ViewSmart-by-ViewFour-com/3000-8022-10391975.html?part=dl-ViewSmart&subj=dl&tag=button
The reason we can make it safe is because it's the first ever VISUAL search engine. Rather than seeing the results in a list you see them in windows. Since we can scan the pages as people use them we can stop everything. If a page would download something to your computer we stop it and post a stop sign and a warning.
You get NO popups, adware, malware, spyware etc.
After developing the application we decided it would be better suited to build it directly into an existing platform and we chose the Gecko engine. It's currently being programmed. But there is no question it will work since it will use the same programming we use for the plugin you get from ViewFour.com.
I think to say there is no way to safely browse is just wrong. You just have to know how to protect people from the ways hackers get into your computer.
It's not that IE is that insecure.
Run the browser as another user separate from your main user account. You can do that whilst still using your main account in Windows NT/2000/XP and most Linux distros.
This way when your browser is exploited, you only risk all that your browser account can access[1].
There are some issues e.g. Mozilla on SuSE 9.1 refuses to save files with permissions allowing my main account easy access to the files (saves as 600). Yes I tried the umask thing. No it doesn't work.
Windows+IE does that file permissions thing better. I should upgrade Mozilla to one which isn't broken, but then it won't be part of the SuSE distro anymore and I've got better things to do than to regularly manage updates etc of Mozilla myself.
[1] Sure there could be exploitable security problems in graphics drivers and the windowing/desktop software, or some dumb kernel bug, but these are usually much harder to exploit than exploiting the typical _mind_ of the average joe - who'd open encrypted attachments, enter the password, and run them.
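The comment's claim that an exploited browser risks only what the browser account can access can be checked from the main account. The script below is an added example, not part of the original comment: a shell function (the name `exposed_paths` is hypothetical) that lists what a separate account could reach through the "other" permission bits, assuming that account shares no group with the owner and no ACLs are in use.

```shell
#!/bin/sh
# Audit what a separate, unprivileged browser account could reach in a tree
# owned by the main account.
# Assumptions (not from the original comment): the browser account shares no
# group with the owner and no ACLs are set, so only the "other" permission
# bits apply to it; parent directories of DIR itself are not checked.

# exposed_paths DIR r|w
#   Prints non-symlink paths under DIR whose "other" bits grant read (r) or
#   write (w), skipping any directory without o+x and everything below it,
#   because the other account cannot traverse into such a directory.
exposed_paths() {
    dir=$1
    case $2 in
        r) bit=0004 ;;
        w) bit=0002 ;;
        *) echo "usage: exposed_paths DIR r|w" >&2; return 2 ;;
    esac
    find "$dir" -type d ! -perm -0001 -prune \
        -o ! -type l -perm -"$bit" -print
}

# Stand-alone use: sh audit.sh "$HOME" w
if [ "$#" -eq 2 ]; then
    exposed_paths "$1" "$2"
fi
```

Anything printed for `w` is a file or directory the browser account could modify; anything printed for `r` is data it could read if the browser were compromised.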
Shouldn't hackers be targeting Mosaic more than any other browser? I don't know, I'm not up to date on Mosaic security patches, maybe it was too simple to need one, but it would seem to be easier to simply hack Mosaic than IE.
Just what is a "Web Browser"? It is a program that retrieves information from multiple untrusted servers, and executes it. Sure, HTML is seemingly innocuous, but that is what it does.
Then we add in randoms writing extensions that add capabilities to be offered to these untrusted servers, including fully-featured programming languages like JavaScript.
My point is that, as a class, a Browser is an insecure application. _Exactly_ the reason why it must be used as the core of an OS.
My next aim: to run my browser with no write permissions to anything but its internal cache.
Actually, I would object to running standard commands from a window manager (that's what xterms are for). Also, can't you tell by the address bar whether the URL is local or from a network?
No program that is created is 100% safe as previously mentioned in other posts. I think the key in using a "safe" browser is looking how fast security fixes come out for it. I think I will let the record for IE and the record of Firefox speak for themselves.
Safe surfing is easy.
All you need is MS-VirtualPC or VMware-Workstation. These emulate a full computer in software.
Set up the virtual computer with the virtual NIC in NAT mode. Install your favourite OS. Set up the browsers, bookmarks, etc. Lock the virtual computer's hard drive with the "SNAPSHOT" function.
Every time you start the virtual computer, it will come up at this point - fresh and clean. Then you can surf and have the virtual computer infected with spyware and viruses.
The only danger to your real (physical) computer is the fact that there is an infected machine in your LAN (although separated through NAT).
Once you turn off the virtual machine and revert back to the snapshot, all changes are lost. The cookies, the history, all installed plugins and viruses - they are all gone!
Of course you need to off-load downloaded files before turning off, otherwise they would be lost, too.
This setup is a great tool as well for testing software before installing it on the "real" machine, by the way.
Marc