There Is No Safe Web Browser
Michael writes "David Sheets has up an interesting article on browser security, and I have to agree with his conclusion: no web browser is safe. The article details the recent Netscape fiasco, and touches on the whole Firefox/Internet Explorer debate. From the article: 'So if it sounds as if we're all at the mercy of hackers just looking for some new challenge, that's partially true. As law enforcement officers will tell you, crime finds you if it wants you bad enough, no matter what preventative measures you take. But the vast majority of criminals have an Achilles' heel: They prefer convenience to challenge. For now, it's more convenient for them to pick on Internet Explorer.'"
While I understand the point that Mr. Sheets is making, I disagree with his definition of safe.
The implication of this article stems from the absolutes of security: can it ward off intruders or not. This is a flawed approach, and while seemingly a logical one, denounces another reality of this level of breach: the lion's share of these breaches are not of the most malicious sort (read: that stupid data miner which causes popups, search bars from hell, etc). These kinds of easily hackable sections of Internet Explorer are less prevalent in Firefox. Market forces of the sheer user base would dictate that if this were not so, more spyware would have been ported to Firefox by now. 25 million downloads, right? That's a sizable chunk for any malware vendor, or aspiring intruder, to infiltrate.
One must acknowledge the reality of security by statistics alongside security by absolutes.
The Crimson Dragon
Newsflash! There's no such thing as perfect security, who would have thought it? Whether it be through a flaw in the code (which we all try to fix, when they are found), or stupid users running crap they oughtn't.
I for one use Firefox, because it is MUCH more secure than IE. It may not be perfect, but it's by far good enough for regular use.
That's like saying that houses aren't secure, even the new model homes with electronic alarm systems. No crap, but that doesn't mean sell the alarm systems and leave your front door unlocked (like IE).
-Jesse, disliking alarmist poop articles.
Nothing says "unprofessional job" like wrinkles in your duct tape.
This sort of thing may have already happened to you. Have you ever accidentally just catted a binary file, and then discovered that your command history had all sorts of garbage commands in it? Same thing.
This sort of vulnerability has been around for decades. People used to trigger it via `talk' requests or by using the `write' command, and while talk eventually learned to filter things better, as for write eventually everybody just did a `mesg n', because all write does is write text to your tty, so changing write won't help. Of course, fixing xterm and other terminal emulators is another fix, but these features can be useful too. Still, I'm surprised that they haven't been disabled by default, but even today, xterm seems to have this `problem'.
Many vulnerabilities are caused by this sort of mishmash of different utilities -- in this case, netcat doesn't really have the vulnerability, but it would allow text to come in that could affect your terminal emulator.
Yes, with the right filtering of the output this could be safe, but not with netcat by itself. Still wouldn't make it a non-crappy browser though.
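One way to do the output filtering the comments above talk about, as an added example that is not part of the original thread: a filter that removes terminal control sequences from untrusted bytes before they reach the terminal emulator. It assumes a UTF-8 terminal; `sanitize` and the sample bytes are constructed for illustration.

```python
import re
import sys

# Constructed sample of untrusted bytes: SGR colour codes, an OSC string,
# a UTF-8 encoded 8-bit CSI, CRLF, and stray NUL/backspace characters.
SAMPLE = (b"hello \x1b[31mred\x1b[0m\x1b]0;title\x07 world\xc2\x9b1m\r\n"
          b"next\x00\x08line\n")

# ECMA-48 control sequences in 7-bit (ESC-prefixed) and 8-bit (C1) forms.
# An unterminated string sequence is dropped to the end of the input.
_SEQ = re.compile(
    r"(?:\x1b\]|\x9d)[^\x07\x1b\x9c]*(?:\x07|\x1b\\|\x9c)?"            # OSC
    r"|(?:\x1b[PX^_]|[\x90\x98\x9e\x9f])[^\x1b\x9c]*(?:\x1b\\|\x9c)?"  # DCS/SOS/PM/APC
    r"|(?:\x1b\[|\x9b)[0-?]*[ -/]*[@-~]?"                              # CSI
    r"|\x1b[ -/]*[0-~]?"                                               # other ESC
)
# Every remaining C0/C1 control and DEL, except tab and newline.
_CTRL = re.compile(r"[\x00-\x08\x0b-\x1f\x7f-\x9f]")


def sanitize(data: bytes) -> str:
    """Return text that is safe to print on a UTF-8 terminal."""
    text = data.decode("utf-8", errors="replace")  # invalid bytes become U+FFFD
    text = text.replace("\r\n", "\n")              # keep network line endings
    text = _SEQ.sub("", text)                      # drop whole sequences
    # Show stray controls (lone CR, BEL, backspace) instead of acting on them.
    return _CTRL.sub(lambda m: "\\x%02x" % ord(m.group()), text)


if __name__ == "__main__":
    # Filter mode: read untrusted bytes on stdin, write display-safe text.
    for line in sys.stdin.buffer:
        sys.stdout.write(sanitize(line))
```

Run as a pipe stage between the untrusted source and the terminal; stray control characters show up as visible `\xNN` text rather than being interpreted.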