Slashdot Mirror


There Is No Safe Web Browser

Michael writes "David Sheets has up an interesting article on browser security, and I have to agree with his conclusion: no web browser is safe. The article details the recent Netscape fiasco, and touches on the whole Firefox/Internet Explorer debate. From the article: 'So if it sounds as if we're all at the mercy of hackers just looking for some new challenge, that's partially true. As law enforcement officers will tell you, crime finds you if it wants you bad enough, no matter what preventative measures you take. But the vast majority of criminals have an Achilles' heel: They prefer convenience to challenge. For now, it's more convenient for them to pick on Internet Explorer.'"

20 of 444 comments

  1. Lynx is safe by Bodysurf · · Score: 4, Funny

    As is telnetting to port 80 and interpreting the HTML in your head.

    1. Re:Lynx is safe by Profane MuthaFucka · · Score: 5, Funny

      I don't even see the code. All I see is blonde, brunette, and redhead.

      --
      Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!
  2. Dictionary Security Definition by Crimson Dragon · · Score: 5, Interesting

    While I understand the point that Mr. Sheets is making, I disagree with his definition of safe.

    The implication of this article stems in the absolutes of security: can it ward off intruders or not. This is a flawed approach, and while seemingly a logical one, denounces another reality of this level of breach: the lion's share of these breaches are not of the most malicious sort (read: that stupid data miner which causes popups, search bars from hell, etc). These kinds of easily hackable sections of Internet Explorer are less prevalent in Firefox. Market forces of the sheer user base would dictate that if this were not so, more spyware would have been ported to Firefox by now. 25 million downloads, right? That's a sizable chunk for any malware vendor, or aspiring intruder, to infiltrate.

    One must acknowledge the reality of security by statistics alongside security by absolutes.

    --
    The Crimson Dragon
    1. Re:Dictionary Security Definition by Tenebrious1 · · Score: 4, Insightful

      While I understand the point that Mr. Sheets is making, I disagree with his definition of safe.

      I have Firefox on a computer, and it's 100% safe. I have IE loaded on that machine, heck it's unpatched Win2K, and even that's 100% safe. The reason it's "safe" is because the power supply died a few months ago and I haven't been able to turn it on.

      So in this case, 100% safe = 0% usability. Which doesn't help me much, there has to be some acceptable level of "safe" that corresponds to a high level of usability, and that's where Firefox wins over IE.

      --
      -- If god wanted me to have a sig, he'd have given me a sense of humor.
  3. Doesn't go far enough. by El Cubano · · Score: 4, Insightful

    David Sheets has up an interesting article on browser security, and I have to agree with his conclusion: no web browser is safe

    No program that accepts input is safe. Even some programs that don't accept input aren't safe either. It is the nature of how complex software really is and how little of it we understand.

  4. Nor is there a "safe" OS.... by Total_Wimp · · Score: 4, Insightful

    ...at least not one you'd want to use. Sorry people, Linux is not "safe." Mac OS/anything is not "safe." There are a very few OSs that are pretty safe, but the only reason Mac and Linux fans can brag right now is that they're ignoring all the patches, hacks, etc that already exist for their OS of choice.

    TW

    1. Re:Nor is there a "safe" OS.... by RatBastard · · Score: 4, Funny

      There is not "absolutely, 100% safe from everyone" not safe and then there is "dropped the soap in the prison shower" not safe. While even Linux and Mac OS X fall into the first, Windows falls into the second. Windows is unsafe due to the lack of planning or safety concerns of the programmers. Programmers told by the marketing department to spend their time on features above all other things.

      I can't speak for Linux users as I am not one, but I can speak for some Mac users. We don't ignore the bugs, hacks and patches out there. I keep my system fully patched at all times, just as I do my Windows boxes. The difference here is that my Mac has never had a spyware infestation, nor a virus, nor any of the other intrusive attacks that my Windows machine has suffered through. And I'm careful with my Windows machine.

      Windows has gotten safer as MS has finally deigned to pay attention to safety concerns. But a fresh Windows install is as unsafe as a child molester in a maximum security prison. A significant number of patches and extra utilities need to be installed, many of them only practically available from the Internet, before it is reasonably safe to connect that computer to the Internet. This is not true for Linux and OS X boxes.

      --
      Boobies never hurt anyone. - Sherry Glaser.
    2. Re:Nor is there a "safe" OS.... by NickFortune · · Score: 4, Insightful

      The flaw here lies in considering safe as an absolute. There is no safe method of travelling, but there are substantially more risks associated with skydiving than there are with walking.

      Even apologists for MS's poor security record acknowledge that firefox is more secure, if only with the argument "when more malware starts targeting it, then it will be just as bad"

      And the same applies to OS security as well. Safe is a relative concept, and to try and confuse the issue by casting it as an absolute does no one any favours.

      --
      Don't let THEM immanentize the Eschaton!
  5. Hit the Nail on the Head by Anonymous Coward · · Score: 5, Insightful

    I think that this author has finally gotten it right. Note the increasing instances of popup ads that are tailored for firefox users etc.

    As firefox gains in popularity, expect that the number of exploits aimed towards it will continue to rise.

    That being said, the nice thing about firefox (and OSS), is that lots of eyeballs can look at, and fix, the code in a timely manner.

    1. Re:Hit the Nail on the Head by jedidiah · · Score: 4, Insightful

      No, the greatest thing about Firefox is that it exists for the benefit of its end users. This means that it is far more likely that Firefox will be changed (and changed quickly) to suit end user requirements than IE.

      If it turns out that there is some feature or technique that really should never be in a browser, we have some hope that Firefox would expunge it and do so quickly.

      --
      A Pirate and a Puritan look the same on a balance sheet.
  6. Obvious -1 by Nom du Keyboard · · Score: 4, Insightful

    I'd give this article an Obvious -1 simply because it is axiomatic, and everybody should have realized by now that There is no 'safe' web browser. Especially now after it was demonstrated that a Firefox exploit allowed infection of IE when IE itself would have blocked the malware site. Cute!

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
  7. This just in! by Enigma_Man · · Score: 4, Interesting

    Newsflash! There's no such thing as perfect security, who would have thought it? Whether it be through a flaw in the code (which we all try to fix, when they are found), or stupid users running crap they oughtn't.

    I for one use Firefox, because it is MUCH more secure than IE. It may not be perfect, but it's by far good enough for regular use.

    That's like saying that houses aren't secure, even the new model homes with electronic alarm systems. No crap, but that doesn't mean sell the alarm systems and leave your front door unlocked (like IE).

    -Jesse, disliking alarmist poop articles.

    --
    Nothing says "unprofessional job" like wrinkles in your duct tape.
  8. Integration with the OS is B-A-D.. BAD by TheCeltic · · Score: 4, Insightful

    When a web browser is integrated with the OS, this greatly increases the ways a hacker can damage the system. Hence, while no browser is secure, one can be MORE secure simply because it is NOT woven into the OS. Of course, having updates frequently and being in more active development are good things as well.

    --
    =-=-=-=-=-=-=-= - The Celtic - =-=-=-=-=-=-=-=
  9. Always protect yourself... by logik3x · · Score: 4, Funny

    Don't forget to wear a condom for safe browsing...

  10. Re:No browser is safe? by slavemowgli · · Score: 5, Informative

    Lynx has had vulnerabilities in the past, too - this one, for example. The only *really* safe way to browse is probably to use telnet, but I'm not sure you can even call that "browsing" anymore.

    --
    quidquid latine dictum sit altum videtur.
  11. Re:I want you to meet my little friend by macaulay805 · · Score: 4, Informative

    Lynx had its fair share of vulnerabilities also ....

  12. Come on by a_greer2005 · · Score: 5, Insightful

    The problem is ignorant users, the headline is like saying "THERE IS NO SAFE CAR" of course no car is safe when you don't buckle up, drive 120MPH and swerve, but when proper precautions are taken, I dare say a Lexus is safer than a Pinto.

    Browsers can be totally safe, as much as I hate to say it, IE can be pretty safe too. Just follow these rules:

    1: USE A FIREWALL
    2: update your browser
    3: disable ActiveX, any site that uses it is a site you should learn to live without.
    4: (the one most often broken) DON'T CLICK YES ALL THE TIME, warnings are there for a reason.
    5: Don't DL and run STUPID executables

    Most Browsers do a decent job of protecting you from the bad stuff, but NOTHING can protect you from yourself, short of cutting the cable, and if you do that, don't run with scissors

  13. Re:No browser is safe? by dougmc · · Score: 4, Interesting

    For TOTAL protection go [check out netcat]

    Even netcat isn't perfectly safe. It just dumps network traffic directly to the terminal, and with the right characters in this code, it could very well remap the keyboard or cause your terminal emulator to execute certain commands.

    This sort of thing may have already happened to you. Have you ever accidentally just catted a binary file, and then discovered that your command history had all sorts of garbage commands in it? Same thing.

    This sort of vulnerability has been around for decades. People used to trigger it via `talk' requests or by using the `write' command, and while talk eventually learned to filter things better, as for write eventually everybody just did a `mesg n', because all write does is write text to your tty, so changing write won't help. Of course, fixing xterm and other terminal emulators is another fix, but these features can be useful too. Still, I'm surprised that they haven't been disabled by default, but even today, xterm seems to have this `problem'.

    Many vulnerabilities are caused by this sort of mishmash of different utilities -- in this case, netcat doesn't really have the vulnerability, but it would allow text to come in that could affect your terminal emulator.

    Yes, with the right filtering of the output this could be safe, but not with netcat by itself. Still wouldn't make it a non-crappy browser though.
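
Added example (not part of the thread or any commenter's code): one way to do the output filtering the comment above mentions, by rendering every control character visibly before untrusted network data reaches the terminal, and listing the escape sequences it contained. The function names and the sample response are constructed for illustration.

```python
import re
import unicodedata

# Escape-sequence families that terminal emulators act on.
_PATTERNS = [
    ("OSC", re.compile(r"\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)")),  # e.g. set title
    ("DCS", re.compile(r"\x1bP[^\x1b]*\x1b\\")),                 # device control
    ("CSI", re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]")),             # cursor, colour
]

def find_sequences(data: bytes):
    """Return (kind, raw_text) for each recognised escape sequence, in order."""
    text = data.decode("utf-8", errors="replace")
    hits = []
    for kind, pat in _PATTERNS:
        hits += [(m.start(), kind, m.group()) for m in pat.finditer(text)]
    return [(kind, raw) for _, kind, raw in sorted(hits)]

def neutralize(data: bytes) -> str:
    """Render untrusted bytes so no control character reaches the terminal."""
    text = data.decode("utf-8", errors="replace")
    out = []
    for ch in text:
        if ch in "\n\t" or unicodedata.category(ch) != "Cc":
            out.append(ch)                          # ordinary printable text
        elif ord(ch) < 0x20:
            out.append("^" + chr(ord(ch) + 0x40))   # cat -v style: ESC -> ^[
        else:
            out.append("\\x%02x" % ord(ch))         # DEL and 8-bit C1 controls
    return "".join(out)

# Constructed sample: an HTTP response with terminal escapes in the body.
SAMPLE = (b"HTTP/1.0 200 OK\r\n\r\n<html>hi</html>\n"
          b"\x1b]0;fake title\x07\x1b[2J\x1b[31mred\x1b[0m\n")

if __name__ == "__main__":
    for kind, raw in find_sequences(SAMPLE):
        print(kind, repr(raw))
    print(neutralize(SAMPLE))
```

Carriage returns are shown as `^M` as well, since a bare CR can overwrite text already displayed on the line.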

  14. I don't think you understand economics by geekee · · Score: 4, Insightful

    "Market forces of the sheer user base would dictate that if this were not so, more spyware would have been ported to Firefox by now. 25 million downloads, right? That's a sizable chunk for any malware vendor, or aspiring intruder, to infiltrate."

    If 1 hack hits 90% of the market, spending more money to get a hack for the rest may not be worth the effort even if Firefox has as many holes as IE. Simple economics.

    --
    Vote for Pedro
  15. Be careful!!! by 3770 · · Score: 5, Funny


    I telnetted to port 80 once, and interpreted the HTML in my head.

    Unfortunately there was an infinitely recursive Java script function on there.

    I'm still not quite myself.

    --
    The Internet is full. Go Away!!!