Slashdot Mirror


Germany Warns Against Using Firefox

jayme0227 writes "Due to the recent exploit in Firefox, Germany has warned against its use. This comes a couple months after Germany advised against using IE. Perhaps we should start taking odds as to which browser will be next." Note: the warning (from the Federal Office for Information Security) is provisional, and should be rendered moot by the release later this month of 3.6.2.

17 of 509 comments

  1. Free software in action by Statecraftsman · · Score: 4, Insightful

    As soon as I read about this on /. I realized Firefox is downloading an update to 3.6.2. This is why free software is our best tool against malware. Reaction time can scale with importance. And (shameless free software plug alert) it's why I wrote what's in my sig.

    1. Re:Free software in action by Zontar The Mindless · · Score: 3, Insightful

      I want software that was correctly written and had no exploits to begin with.

      And I want Anonymous Cowards to start making /. posts that are insightful, useful, and realistic.

      And WHERE'S MY PONY?!

      --
      Il n'y a pas de Planet B.
    2. Re:Free software in action by DNS-and-BIND · · Score: 5, Insightful

      A sad day on Slashdot when someone says "programming correctly is the right response" and is ridiculed by at least 4 replies and modded +3 Funny. What the hell happened to this place?

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    3. Re:Free software in action by selven · · Score: 5, Insightful

      Because "don't set this place on fire" is not a fire escape plan. Bugs and vulnerabilities will happen either way, and you still need a plan for dealing with them.

    4. Re:Free software in action by TheLink · · Score: 3, Insightful

      > OpenBSD seems to do just fine, with a bigger codebase, written in C.

      They just ship OpenBSD with most services disabled by default, and then claim it is safe by default.

      That's similar to Microsoft's shipping IE on their server O/S with most stuff disabled by default, and then claiming that IE is not vulnerable on their server O/Ses by default.

      Yes they are safe by default just like a car with its wheels, engine and battery "disabled" by default is safe from most carjackers.

      --
    5. Re:Free software in action by Aceticon · · Score: 3, Insightful

      Creating 100% secure software is like trying to prove an absolute statement (as in "All X have Y") - to prove it right, every single one of the subjects of your statement has to conform to it, while proving it wrong only takes one that does not.

      Or in more specific terms: no matter how good the team developing a piece of software is and how long they have to do it, all it takes is one of them making a single mistake and the result is not 100% secure.

      It's reasonable to expect that all first-order mistakes (i.e. the blindingly obvious) are caught; it is, however, not reasonable to expect that higher-order mistakes (for example: "unexpected interactions with a different version of a certain library installed in the same system in the 64-bit version of the OS") are caught, especially those relating to external factors (which can change after the release is done).

      Also, there are economic limits to the level of security in a piece of software: more specifically, time is money, getting only the very best professionals to do it is a lot of money, and (surprise, surprise) people are not willing to pay the higher price that such a product would require to break even.

    6. Re:Free software in action by Rockoon · · Score: 3, Insightful

      While it's true that Mozilla got the fix out pretty fast once someone pointed right at it for them, it is often claimed that Open Source is more secure because there are thousands of eyes looking at the source code.

      None of those Mozilla-loving eyes found this bug, yet a researcher unaffiliated with Mozilla, but certainly looking for exploits, found it. Now what about all the researchers looking for exploits in order to drive-by Firefox users... who will just keep the damn thing a secret?

      Yeah... they got the fix out fast. Bravo. Look at the real significance of these events, though...

      ...exploit found
      ...went unpatched for a month
      ...only got patched because the person who discovered it pointed right at it.

      --
      "His name was James Damore."
    7. Re:Free software in action by natehoy · · Score: 2, Insightful

      No matter how clever you think you are, no matter how hard you work to prevent vulnerabilities, they will be in the release code in something as complex as a web browser (or an Operating System).

      "I want software that is written correctly and has no exploits" is an unrealistic expectation. It's like saying "I want my power tools to be built in such a way that they cannot possibly harm me."

      Most (certainly not all) software is built with very careful reviews, trying to figure out ways that black hats might exploit the software and code against it. But it's an arms race - the black hats are constantly working on ways to get by the software.

      So, yeah, while I agree with GP that "I want software that is written correctly", this is the real world, where there are bad people who will think of things you didn't and break your software. So this cannot possibly be an "either/or" decision.

      I want people who write software as correctly as feasibly possible, understanding that humans make mistakes and that other people are out there who are just as clever as the software authors and who do nothing but try to break it. I accept, in return, that I have to take a role in securing my system if I want control over my system.

      More importantly, I want people who are open and honest about those flaws when they happen, acknowledge the flaws quickly, and fix them very rapidly. I can't defend myself against a flaw I do not know exists, and I want that flaw to go away very quickly once it is discovered. I have seen precious few teams who crank out fixes faster than Team Firefox.

      So far, in the browser world, I have yet to find a team that releases consistently higher-quality (not perfect, but high-quality) code, is more open about their vulnerabilities, and responds to defects more quickly than the Firefox team. That's not to say that all other browsers out there are bad, or that Firefox is 100% secure, but the Firefox team appears to be doing about the best job one could realistically expect. And yet, it's still all free.

      --
      "This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
  2. This just in by Rijnzael · · Score: 3, Insightful

    German government warns against use of the internet and software that has bugs.

    Software is inevitably going to have bugs in it and try as we might, it's something we'll always have to deal with. There are always mitigation strategies, such as running Firefox in a virtualized environment a la Sandboxie or a full virtual machine, but we'll never be privy to using only bug-free software day to day. I'm glad to see the German government taking an active approach to notifying people in regard to vulnerabilities in an attempt to mitigate them, but as TFA states, what's the point in suggesting users quit using Firefox when the alternatives are potentially just as vulnerable?

  3. Re:To add some information to the void.. by n6mod · · Score: 2, Insightful

    Seth, scroll up one post in the blog. 3.6.2 was released tonight.

    --
    You have violated Robot's Rules of Order and will be asked to leave the future immediately.
  4. Bah by tsotha · · Score: 3, Insightful

    The take-away from this is Germans are never happy.

    1. Re:Bah by beh · · Score: 3, Insightful

      So, what would you rather have?

      That they warn you about vulnerabilities in IE6, but ignore vulnerabilities in open source browsers?

      I think they've done the right thing - there was a security hole (in the 'current' 3.6), and they warned about it. Their warning DID include that it affected the 'current' 3.6 version and that it should be fixed in 3.6.2.

      That's fair comment, and it's their job to report it and not lull people into a false sense of security that the (then current 3.6) version of Firefox was safe.

      If they had NOT warned, it might have damaged their reputation for NOT covering it, and it might also have helped MS lobbying efforts if they could have been shown to be biased by reporting on IE issues, but not Firefox ones...

  5. Responsible reporting by AmiMoJo · · Score: 2, Insightful

    The German government seems to be being quite responsible here. There is an issue with Firefox, and most users probably don't know about it because they don't regularly read tech news sites.

    The government is simply trying to keep people informed about this rather important topic, and has done so in a reasonable and proportional way. Not every warning put out is a damning condemnation of flawed security that mandates switching to Lynx you know.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  6. Re:3.6.2 released by Z00L00K · · Score: 3, Insightful

    And if you want to be really safe - use Lynx instead. No images, no Flash, no JavaScript, no ability to view pr0n.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  7. Re:3.6.2 released by gzipped_tar · · Score: 5, Insightful

    > No ability to view pr0n.

    I doubt that.

    --
    Colorless green Cthulhu waits dreaming furiously.
  8. Re:3.6.2 released by rvw · · Score: 2, Insightful

    > And if you want to be really safe - use Lynx instead. No images, no Flash, no JavaScript, no ability to view pr0n.

    Use NoScript.

  9. Re:Bah humbug! mod parent TROLL by Dr. Evil · · Score: 2, Insightful

    The difference is that Firefox has vulnerabilities like any normal application... Internet Explorer on the other hand has been the forefront infection vector for botnets of hundreds of thousands of machines for the past decade.