Slashdot Mirror


Pwn2Own 2016 Won't Attack Firefox (Because It's Too Easy) (eweek.com)

darthcamaro writes: For the last decade, the Pwn2own hacking competition has pitted the world's best hackers against web browsers to try and find zero-day vulnerabilities in a live event. The contest, which is sponsored by HPE and TrendMicro this year, is offering over half a million dollars in prize money, but for the first time, not a penny of that will be directed to Mozilla Firefox. While Microsoft Edge, Google Chrome and Apple Safari are targets, Firefox isn't because it's apparently too easy and not keeping up with modern security: "'We wanted to focus on the browsers that have made serious security improvements in the last year,' Brian Gorenc, manager of Vulnerability Research at HPE said."

288 comments

  1. what? by Anonymous Coward · · Score: 0

    if open source isn't more secure than closed source, wtf?

    1. Re:what? by sittingnut · · Score: 4, Insightful

      correct that to "open source sell out", for that is what firefox is

    2. Re:what? by sittingnut · · Score: 5, Insightful

      to add to my above, those who are in charge of firefox are no longer interested in making its core product better and secure. it is interested in market and marketing, bowing to establishment ideology and legalese, etc etc

    3. Re:what? by Anonymous Coward · · Score: 3, Insightful

      move those goalposts...

    4. Re:what? by jellomizer · · Score: 4, Interesting

      Why would the distribution license affect quality and security of the software?

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    5. Re:what? by Anonymous Coward · · Score: 5, Interesting

      They didn't say Firefox isn't secure, they said it hasn't made many recent security improvements; that's not the same thing. Firefox already had superior security, so it has not had to make many improvements in the last year compared to less secure browsers.

    6. Re:what? by Anonymous Coward · · Score: 0

      Because they've inherently activated spyware, and encumbered the license with the permissions to activate it by default.

    7. Re:what? by Anonymous Coward · · Score: 1

      Because opensource RMS magic pixie security dust! Because many eyeballs! Because cathedral and bazaar!

      Please don't tell me you never read the bull that opensource zealots spew on how opensource is inherently more secure than closed source. If not, just go to fsf.org and enjoy.

    8. Re:what? by Lunix+Nutcase · · Score: 4, Interesting

      +5 funny. Firefox drops every year at Pwn2Own. So that "superior security" doesn't seem to actually amount to much in real life.

    9. Re:what? by Anonymous Coward · · Score: 0

      Praytell, when is the last time Apple admitted a security flaw? Windows is plagued by bad design decisions. Open source flaws usually tend to be dealt with fairly rapidly once discovered. I think you're going a little overboard calling people zealots there Chuck.

    10. Re:what? by Anonymous Coward · · Score: 0

      Or: The license is a symptom of the intention and focus of the developers.
      By looking at the license and why it was chosen you can make rough estimates of what they are aiming for and where they are going.

      My favorite is the traditional cookie/beer-ware commonly found on aminet. The phrasing is typically something in the line of "Use at your own risk. If you like it, buy me a beer or a cookie if you pass through the town where I live."

      This license is used by people who wrote the software because they wanted to write it or needed it themselves. They share it because someone else might find it useful and they ask that people who benefit from it show their appreciation if it is convenient.

    11. Re:what? by Anonymous Coward · · Score: 0

      I highly doubt Firefox is all that secure nowadays tbh. They used to be really great, lately, well...their quality and design decisions are decidedly suspect.

    12. Re:what? by Carewolf · · Score: 5, Insightful

      +5 funny. Firefox drops every year at Pwn2Own. So that "superior security" doesn't seem to actually amount to much in real life.

      All the browsers fail every single year.

    13. Re:what? by Anonymous Coward · · Score: 0

      Google gives them their marching orders. As Chrome has taken hold they've been giving nudges to move people from firefox to chrome. So this isn't really surprising in the least.

    14. Re:what? by Anonymous Coward · · Score: 0

      You did read the article under which you are posting? You do know that Firefox is opensource?

    15. Re:what? by Anonymous Coward · · Score: 1, Insightful

      I personally don't consider Firefox to be an open source project in any meaningful way. I see it more as a proprietary project whose source code is publicly available, and that's all it is.

      A true open source project is driven by the community, not by the maintainer alone. Firefox is driven solely by Mozilla. Regular users have no real say. The best we can do is submit a bug report, and it'll likely be ignored, sometimes for years. It's really not worth the effort to even bother sending in a patch.

      Mozilla sure as hell didn't listen to the Firefox community at large when this community rejected Australis, Pocket, Hello, tile ads, and the many other smaller unwanted UI changes that have been forced on us.

      Mozilla sure as hell didn't listen to the Firefox community at large when this community requested that the performance be improved, and the memory usage reduced.

      Now we're being told that the extension system is going to undergo massive restructuring, and our extensions will very likely break, without us getting any real benefit from these changes.

      Heck, we only have to look to Mozilla's own Firefox feedback stats to see how disappointed Firefox's users are. Something is seriously wrong when 80% or more of users are unhappy with a product!

      The only time we've seen the community have any sort of real involvement in the development of Firefox is when it has been forked, and Mozilla is left out of the picture completely. See the Pale Moon project for an example of this. It's perhaps the closest thing there is to an open source project built around Firefox's technology.

      As far as I'm concerned, Firefox is a proprietary project and we just have access to the source code. It's not a community-driven open source project.

    16. Re:what? by Anonymous Coward · · Score: 0

      What "superior security"? Firefox lacks the sandboxing of all other modern browsers.

    17. Re: what? by Anonymous Coward · · Score: 0

      You're clueless. Firefox is an insecure piece of junk. That project has changed directions so many times. I'm surprised it's still around. Opera is more relevant and it's another dead browser. The only three with a GUI of any relevance in order of importance are Chrome, Edge and Safari. The latter two lag severely behind Chrome. Anyone using any other GUI browser is doing so for either nostalgia or they think they are special or think they know something other people don't.

    18. Re: what? by Anonymous Coward · · Score: 0

      That's not how self-selection works. 80% of people *who bother to send feedback* are unhappy.

      I don't think most Firefox users have a daily diary entry "remember to tell Mozilla that everything was OK today".

    19. Re:what? by naris · · Score: 5, Insightful

      Something being open source has never, ever meant that it is more secure. That is a myth propagated by open source zealots. Open source only means that the source can be viewed, and most likely changed, by anyone. Open source zealots assume that means it is rigorously vetted by security experts to find any flaws and fix them, which is a huge assumption that most likely is not true for most projects.

    20. Re:what? by Trailer+Trash · · Score: 1, Informative

      to add to my above, those who are in charge of firefox are no longer interested in making its core product better and secure. it is interested in market and marketing, bowing to establishment ideology and legalese, etc etc

      And making sure that it's not run by some guy who holds the same beliefs on gay marriage as Hillary and Obama did a couple of years ago.

    21. Re: what? by Anonymous Coward · · Score: 0

      Opera uses Webkit and didn't dump support for NPAPI, so better than Chrome for my usage.

    22. Re:what? by Anonymous Coward · · Score: 0

      See the Pale Moon project for an example of this

      Yeah, all of the ten Pale Moon users over the world will really stand out, as far as fingerprinting goes.

    23. Re:what? by Anonymous Coward · · Score: 0

      Can we just turn back to FF 3? Those were the days.

    24. Re:what? by Anonymous Coward · · Score: 0

      I agree that the phrasing doesn't say that Firefox has worse security, but I'm going to say it myself: Firefox has, for nearly a decade at least, not had "superior security". If they haven't improved in the last year that's shocking.

    25. Re: what? by Anonymous Coward · · Score: 1, Insightful

      Do you have any actual experience with these kinds of metrics? Having worked in quality control, customer service and analyzing customer feedback in several different industries over a number of decades, I can tell you that you're absolutely wrong. Self-selection proves to be irrelevant in most cases, and contrary to popular misconception it usually results in more positive ratings for a product. If there's one thing that people like to do more than complaining about bad products it's raving about good ones! The people who "bother to send feedback", as you put it, are actually biased toward liking the product. Those who have a bad experience often don't provide feedback, because they see it as a waste of time, especially if there's a high likelihood that they won't receive any financial compensation by complaining. This causes problems for us studying such feedback, because we typically want to focus on the bad experiences.

      Furthermore it's extraordinarily rare to see an 80%/20% gap like we're seeing in Firefox's case, regardless of whether the feedback was voluntarily provided or whether it was prompted for, and regardless of whether it's in the positive or negative direction. Typically we see around 60%/40% for most products. We'll get 70%/30% for products that have a reputation for being unusually good or unusually bad. But 80%/20% is basically unheard of. Something is seriously wrong, in a good or bad way, when we're consistently seeing numbers like those.

      In a case like that of Firefox, where 80% of the respondents are unhappy, we'd typically look beyond the survey. We'd look at comments in other discussion forums, which in the case of Firefox are often overwhelmingly negative. We'd look at market share stats, which in Firefox's case show a significant drop over time. We'd look to see if a major competitor, like Chrome, has seen an upswing in its market share, as users dissatisfied with Firefox would typically be moving to it instead.

      When we consider all of these factors together, the conclusion we can draw in the case of Firefox is that users are highly dissatisfied with it, to a degree that's almost never seen. In other industries, and even for most software providers, such observations would result in panic and immediate action. Something is miraculously wrong when 80% of a product's users, even if they're self-selected, report being unhappy with the product.

    26. Re:what? by TemporalBeing · · Score: 1

      Something being open source has never, ever meant that it is more secure. That is a myth propagated by open source zealots. Open source only means that the source can be viewed, and most likely changed, by anyone. Open source zealots assume that means it is rigorously vetted by security experts to find any flaws and fix them, which is a huge assumption that most likely is not true for most projects.

      While I agree it is a myth, I don't think it's the zealots that really pushed it, but those that didn't really understand their message that open source has the *potential* to be more secure *because* of the many eyeballs effect. That doesn't mean it *will* be, just that it has the *potential* to be.

      Open Source Zealots typically won't talk about security, they'll talk about bug fixes and maybe equate that to security since more bugs fixed typically will mean less potential for exploits, which is true unless there are fundamental flaws in the programming related to security.

      At worst, an open source project has the same security profile as a closed source project - only the people that started the project do anything on it.
      At best, a large community builds around it and thereby the many eyeballs effect can take place and the bugs found/fixed (and thereby security improved) by magnitudes higher than a closed-source project of the same initial size.

      --
      Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
    27. Re:what? by jellomizer · · Score: 1

      Praytell, when is the last time Apple admitted a security flaw?

      January 2016 http://lists.apple.com/archive...

      Windows is plagued by bad design decisions.

      Such as? Taking for granted that Windows foundation was based on running on a 16bit PC.

      Open source flaws usually tend to be dealt with fairly rapidly once discovered.

      However what is the fallout for a quick patch update?

      I think you're going a little overboard calling people zealots there Chuck.

      Zealots are not just fans of open source, but ignore the problems that do exist and point to the problems in others select cases to make your point.

      There is a set of large open source projects, but a lot of small ones where there are a few people who care about the source.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    28. Re:what? by Anonymous Coward · · Score: 1

      Here you go: https://ftp.mozilla.org/pub/firefox/releases/3.0/

    29. Re:what? by ChoGGi · · Score: 1

      >>Open source only means that, the source can be viewed, and most likely changed, by anyone.
      Pretty sure that's shared source. I thought open source means being able to compile / distribute it?

    30. Re:what? by macs4all · · Score: 2

      Praytell, when is the last time Apple admitted a security flaw? Windows is plagued by bad design decisions. Open source flaws usually tend to be dealt with fairly rapidly once discovered. I think you're going a little overboard calling people zealots there Chuck.

      Can't say about Windows; but Apple does it regularly, and publicly, after an internal investigation and fix (which is the prudent thing to do, to protect users).

    31. Re:what? by ShaunC · · Score: 1

      I thought Google was out and Yahoo was the new benefactor/overlord. The Mozilla Foundation's most recent public financials are for 2014 so it's hard to tell for sure.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    32. Re:what? by thegarbz · · Score: 1

      All the browsers fail every single year.

      Yes but out of Firefox, Edge, Chrome, and Safari, Firefox fails more often every single year. Actually it's typically up with IE, and we all know that IE is a model browser for internet security. /sarcasm

    33. Re:what? by NotDrWho · · Score: 5, Interesting

      Sorry, but I'll still take Firefox over Chrome, IE, or Opera any day. Here is the dialogue I always have on some message board whenever I try to go over to Chrome:

      Me: Where is the menu bar?

      Them: You don't need a menu bar, the menu button will do everything instead.

      Me: Will it let me open a file?

      Them: Uhm....well...no.

      Me: Can I at least add a stop button and zoom controls to the toolbar?

      Them: Sorry, Chrome doesn't allow any customization. You're supposed to do it the way Google tells you to.

      Me: Okay. Where are the options to automatically clear my history at close, erase all cookies at close, not remember search form histories, etc.?

      Them: Why would you need that?

      Me: For privacy.

      Them: What's "privacy"?

      Me: It's something Google has never, and will never, respect.

      --
      SJW's don't eliminate discrimination. They just expropriate it for themselves.
    34. Re:what? by Bengie · · Score: 2

      They didn't say Firefox isn't secure

      Nope, they just said they haven't made any meaningful improvements. I guess you assume Firefox has perfect security. "Firefox already had superior security" ahh yes, you do. And superior by what metric? FF has had about 3x more critical vulnerabilities than Chrome and about 10% more overall. Not a huge difference, but it definitely puts them at "worse" not "superior".

    35. Re:what? by Lunix+Nutcase · · Score: 1

      So then the claims that Firefox isn't being included anymore because of its "superior security" are just a huge joke. Which was, you know, the whole point of me laughing at the person.

    36. Re:what? by Carewolf · · Score: 3, Insightful

      All the browsers fail every single year.

      Yes but out of Firefox, Edge, Chrome, and Safari, Firefox fails more often every single year. Actually it's typically up with IE, and we all know that IE is a model browser for internet security. /sarcasm

      Safari is the browser that fails the fastest and most regularly. Google Chrome is second.

      It is assumed because it is pwn2own, and people attack Safari first to win a MacBook.

    37. Re: what? by Anonymous Coward · · Score: 0

      That's completely wrong IMO. I use the web browser as a web browser. I have no need to send feedback unless something doesn't work. If everything goes well then I use it and close. I don't want to waste a developer's time with positive feedback (as much as they might appreciate it).

      In an amazon review I am more likely to post positive or negative reviews, because I'm being prompted to say "something".

      If I closed firefox and it popped a feedback window I might post, but I'm not likely to hunt down a feedback button just to say all is well. I've been using Firefox for a long time, and while I'm not always gung ho about the changes I get used to it.

    38. Re: what? by reve_etrange · · Score: 2

      think they know something other people don't.

      I switched back to Firefox because vertical tabs, dynamic loading/unloading of tabs from memory, and NoScript. I don't just think that Firefox has these nice features...it really does have them (yes, add-on features count as browser features).

      It would be cool to see how Firefox with NoScript does in pwn2own.

      --
      .: Semper Absurda :.
    39. Re:what? by reve_etrange · · Score: 1

      and most likely changed, by anyone

      Great story, but then where are my commit privileges for Firefox or the Linux kernel?

      --
      .: Semper Absurda :.
    40. Re:what? by Ramze · · Score: 1

      You're forgetting the 3rd option:

      Horribly insecure code that's too complex (or obfuscated or just plain badly written and possibly poorly commented) for most people to bother looking at, much less fixing & for those that DO bother, they submit a fix/patch which goes ignored or rejected by the maintainer. This, of course, followed by no one bothering to fork the project b/c no one has time for that. This is where most open-source users whine and complain about features, design flaws, and bugs while devs and fanboys tell them "If you don't like it, fork it and do it YOUR way." as if that were a trivial thing just anyone can do in their spare time... b/c we all have such amazing coding skills and free time to take on such an enormous effort by ourselves.

    41. Re: what? by Anonymous Coward · · Score: 0

      and that is exactly how fiorina and clinton want it to be. they and their ilk hate secure software. and they have the means to achieve their objectives.

    42. Re:what? by Anonymous Coward · · Score: 0

      > sudo grep -r privileges *

    43. Re: what? by Anonymous Coward · · Score: 0

      you can run it inside apparmor to protect your non www stuff.

      i once created an aa profile in about a day.

      that is much more trustworthy than most other solutions.

    44. Re:what? by BarbaraHudson · · Score: 1

      Most of the contributions to many open-source projects, including linux, are made by a small group of people. People have complained for a long time that linux ignores the user community to cater more to servers. You won't find many "community-driven" open source projects out there, since the core group has its own priorities, and since they're the ones doing 95% of the work ...

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    45. Re:what? by Cacadril · · Score: 1

      Menu button - "New Incognito Window"

      --
      There is no substitute for common sense. Especially, no body of rules will do.
    46. Re:what? by TemporalBeing · · Score: 1

      You're forgetting the 3rd option:

      Horribly insecure code that's too complex (or obfuscated or just plain badly written and possibly poorly commented) for most people to bother looking at, much less fixing & for those that DO bother, they submit a fix/patch which goes ignored or rejected by the maintainer. This, of course, followed by no one bothering to fork the project b/c no one has time for that. This is where most open-source users whine and complain about features, design flaws, and bugs while devs and fanboys tell them "If you don't like it, fork it and do it YOUR way." as if that were a trivial thing just anyone can do in their spare time... b/c we all have such amazing coding skills and free time to take on such an enormous effort by ourselves.

      That's the same regardless of whether it's open source or not. So, no - I'm not forgetting. Been there, done that.

      --
      Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
    47. Re:what? by BarbaraHudson · · Score: 1

      Yahoo? Hahahahahahaha.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    48. Re: what? by dimko · · Score: 1

      If it was OK to begin with - no point to listen to them. They are happy already. So you need to concentrate on unhappy lot. If I can suggest improvement without making others unhappy - it should just be implemented, if appropriate. (technically sound, secure, performant, etc)

    49. Re: what? by KGIII · · Score: 1

      Seeing as we're posting anecdotes and personal preferences... I seldom complain and very infrequently leave a review that is negative in any way. I've left many, many reviews and almost all of them (it'd surprise me if someone crunched the numbers and it was less than 90% positive) were supporting and positive. I'd much rather review something I like than something I dislike. I'm not interested in tearing stuff down but interested in keeping good things going.

      Hell, it works with donations too but sometimes in reverse. I've often donated to software authors who write things I not only don't use but probably never will. I figure it helps others and helps to build things up. I'd rather improve than tear down. I want something good - even if it is for others. Sometimes, I use a competing piece of software and I figure if the other improves then my preferred choice will also improve.

      I really can't think of the last time that I left a negative review - for anything.

      --
      "So long and thanks for all the fish."
    50. Re: what? by ChrisMaple · · Score: 1

      Beating dead horse faces.

      --
      Contribute to civilization: ari.aynrand.org/donate
    51. Re:what? by KozmoStevnNaut · · Score: 0

      Menu bars have fallen out of fashion, deal with it.

      Ctrl+O.

      The refresh button becomes a stop button during page load. Zoom controls are in the menu, they are literally one click away. Alternatively, learn to use shortcut keys (Ctrl-plus, ctrl-minus, ctrl-0).

      Learn2incognito.

      --
      Eat the rich.
    52. Re:what? by Anonymous Coward · · Score: 0

      Safari is the browser that fails the fastest and most regularly. Google Chrome is second.

      Except that neither of those statements is true when you look at the results, especially when you use the word regularly since all browsers fail. Troll harder fanboy.

    53. Re:what? by Hognoxious · · Score: 1

      It's a plan to avoid complaints about the UI by not having one.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    54. Re:what? by shellbeach · · Score: 3, Insightful

      A true open source project is driven by the community, not by the maintainer alone

      Wait, you just make up definitions on the fly, post as AC, and get modded up for it? A true open source project is a project whose code is freely available. That's all.

      As for community contribution, firefox looks reasonably healthy to me: https://github.com/mozilla/kit...

      Compare that to Pale Moon, which you praise: https://github.com/MoonchildPr... ...

      Pale Moon has fewer contributors and a much higher volume of commits coming from a single dev. Not that this is bad -- they're both true open source projects, and different projects have different numbers of contributors.

      Maybe instead of whinging, you could learn to code and contribute too?

    55. Re:what? by shellbeach · · Score: 1

      This is where most open-source users whine and complain about features, design flaws, and bugs while devs and fanboys tell them "If you don't like it, fork it and do it YOUR way." as if that were a trivial thing just anyone can do in their spare time...

      Sure, but at least with OSS you have the option to fork the project.

      If that's not something you appreciate, why would you use OSS? It's not like anyone forced you to.

    56. Re:what? by Anonymous Coward · · Score: 0

      You just reinforced everything NotDrWho listed as reasons he does not switch.

      "You're supposed to do it the way Google tells you to."

    57. Re:what? by Anonymous Coward · · Score: 0

      There is no menu bar because there is no menu. You use the control drop down in the tool bar to do everything you need.

      Opening a file? ... Navigate to the file and open it in your file manager or ... Ctrl+O ...

      There is a stop button on the toolbar... it is only visible when the page is currently loading, when the page is not loading it changes to the reload icon.

      The zoom controls are in the control drop down on the toolbar or you can do what pretty much every browser supports and hold ctrl and scroll your mouse wheel to zoom in and out or use ctrl and the plus and minus keys...

      There is a built-in option you can set to clear cookies on exit, the rest can be done via extensions.

    58. Re:what? by KozmoStevnNaut · · Score: 0

      Because he's a luddite who complains loudly when things aren't the same as 10 years ago.

      --
      Eat the rich.
    59. Re: what? by Anonymous Coward · · Score: 0

      Except the ones that are not there, I'm interested to see people using links -g, it's really not bad at all.

    60. Re: what? by Anonymous Coward · · Score: 0

      You must've missed the memo about opera switching from their engine to chromium... Plus investigate WebKit, it's suffering from as much splintering as android is

    61. Re: what? by Anonymous Coward · · Score: 0

      It's funny you say that, because the commit that was heartbleed was pushed on new years eve to the public repository of a very public project and then baked in to a countless number of other projects that just make pulls of the committed source.

      Review that.

    62. Re:what? by toddestan · · Score: 1

      Because at least in theory, people can examine the code, find and fix issues with the software, and make improvements. Mozilla does appear to accept submissions, though I have no idea how difficult it is to get something accepted. My guess is most anyone who has the time and energy to contribute to Firefox is probably involved with one of the forks like Palemoon.

    63. Re:what? by Anonymous Coward · · Score: 0

      That's because Safari is a terrible browser. The fact that so many of the jailbreaks for the iPhone basically involve going to a certain website shows just how easily you can be rooted from running Safari.

    64. Re:what? by Anonymous Coward · · Score: 0

      Oh, like everyone who hates Gnome3 and Unity.

    65. Re: what? by Anonymous Coward · · Score: 0

      Firefox is hopeless when it comes to supporting large enterprise features.
      Case: Busted proxy support. Firefox has had issues with prompting users for passwords behind enterprise grade proxies since 2005 - no end in sight for this bug.
      Case: Central management is almost non existent. As a Sys admin I want to easily be able to push settings to my clients. Chrome, IE and edge all support group policy out of the box - minimal config required. Chrome even supplies msi files to make it easier to deploy.
      Case: Firefox won't read the Windows certificate store. Not a problem with chrome or ie - we can push out certificate updates via our CA servers to our windows clients no config required for chrome or ie. Firefox is a nightmare for this.
      I have posted on bugzilla about all of these - the response is basically "we don't like Microsoft - get lost" (this is from one of the lead devs....)
      Upshot of all of this is we are currently removing Firefox from our company (15,000 installs). I know of many other companies currently doing the same.

    66. Re:what? by mcswell · · Score: 2

      What's fashion got to do with it? I want to *use* a computer, not pretend it's a fashion show.

    67. Re:What? by TheRaven64 · · Score: 1

      Now look at the entitlements for that process. It runs without any sandboxing. A crash in the plugin won't crash the browser, but a compromise of that plugin will give enough privileges to attach a debugger to the main process (on OS X the system will prompt for this, because it looks suspicious, but it can still open arbitrary network connections and read every file in your home directory). Reliability and security often have similar mechanisms, but don't confuse one for the other.

      --
      I am TheRaven on Soylent News
    68. Re:what? by KozmoStevnNaut · · Score: 0

      Like anything else, user interfaces are influenced by new trends and ideas.

      I (and millions of others) use Chrome every single day, some of us in a professional capacity, without any UI issues at all. In fact, I find the comparatively large area for actual content a great plus when comparing Chrome to older browsers.

      --
      Eat the rich.
    69. Re: what? by allo · · Score: 1

      But the People DO send negative feedback. Why do they take the effort? Because they are fucking annoyed by firefox.

    70. Re:what? by dave420 · · Score: 1

      The problem wasn't his beliefs, but him funding an organisation which sought to deny basic human rights to others. Phrasing it the way you did shows one of two things: Either you are ignorant of what actually happened, or you don't care about that and are trying to make some sort of political point while deceiving people.

    71. Re:what? by KozmoStevnNaut · · Score: 1

      Yes.

      (I use KDE)

      --
      Eat the rich.
    72. Re:what? by Anonymous Coward · · Score: 0

      Safari is the browser the fails the fastest and most regularly. Google Chrome is second.

      Not really.

    73. Re:what? by Aaden42 · · Score: 1

      when is the last time Apple admitted a security flaw?

      January 19, 2016.

      Source: https://support.apple.com/en-u...

  2. SubjectsInCommentsAreStupidCauseTheSubjectIsTFA by lesincompetent · · Score: 2, Interesting

    I immediately thought about TOR Browser. The horror.

    1. Re:SubjectsInCommentsAreStupidCauseTheSubjectIsTFA by Anonymous Coward · · Score: 0

      Same

  3. This is a big bitchslap to Mozilla by Sax+Russell+5449D29A · · Score: 5, Interesting

    As an avid Firefox user, I have to agree. Firefox is good because it's customizable, but it certainly lacks some inherent security features found in other major browsers. Many of the security risks can probably be averted by configuring the browser for added privacy and disabling certain features, but this is no excuse for lagging behind.

    Maybe Mozilla will someday focus on its core competencies again and stop fooling around with nonsense like Firefox OS...

    --
    -SR
    1. Re:This is a big bitchslap to Mozilla by Anonymous Coward · · Score: 0

      The fact that Firefox runs all its plugins in one process means that if something compromises a thread in that task, they own all the plugins, and can do a lot of damage, perhaps even escaping and running as a user context... which means easy access to files for ransomware.

      Google Chrome, OTOH, runs every tab in a separate process, so only that tab is pwned... not the browser, nor the user account.

      The only advantage Firefox gives is that one can run NoScript to block all scripting completely.

    2. Re:This is a big bitchslap to Mozilla by Anonymous Coward · · Score: 4, Informative

      Google Chrome does not run every tab in a separate process. It's a little more complicated than that. AFAICT from messing around, it creates a process per visited domain.

    3. Re:This is a big bitchslap to Mozilla by TheRaven64 · · Score: 4, Interesting

      It also scales based on processor resources. They hit serious TLB scalability issues at around 17 processes (varies a bit between CPUs, in some systems - particularly mobile - you'll hit RAM limits sooner), so if you have more tabs open than this, you will start having multiple independent sites share the same renderer process.

      --
      I am TheRaven on Soylent News
    4. Re:This is a big bitchslap to Mozilla by RandomFactor · · Score: 5, Interesting

      "The only advantage Firefox gives is that one can run NoScript to block all scripting completely."

      However, that's a pretty significant advantage.

      I would love to see how firefox compares with that one addon in place since that's how I run.

      Possibly a 'hardened browsers' version of the competition?

      --
      --- Mercutio was right.
    5. Re:This is a big bitchslap to Mozilla by TheReaperD · · Score: 2

      Yea, Chrome gets a bad rap for how much resources it uses but, it actually has a good reason and, as you pointed out, if it starts hitting your system's ceiling, it starts scaling back. Personally, I'm torn between Chrome and Firefox as there's things I like on each, except on mobile where Firefox wins due to plugins.

      --
      "Be particularly skeptical when presented with evidence confirming what you already believe." -
    6. Re:This is a big bitchslap to Mozilla by Anonymous Coward · · Score: 0

      What features does it lack?

    7. Re:This is a big bitchslap to Mozilla by Tukz · · Score: 1

      ScriptBlock on Chrome does the same thing, or am I missing something vital?

      --
      - Don't do what I do, it's probably not healthy nor safe. -
    8. Re:This is a big bitchslap to Mozilla by Anonymous Coward · · Score: 0

      I still use Firefox, but I feel like the extension system is really the only reason to do so. Chromium is open-source as well and is dramatically better than Firefox in many, many ways -- except customization. However, I understand that Firefox is converting to a new extension system that allows for Chrome extensions to be used on FF. This will kill NoScript functionality and the functionality of many other extensions as well.

      I used to be able to justify FF by saying, even if it doesn't meet modern security standards, NoScript is very good protection that meets or exceeds what's in Chrome. But killing off NoScript while also refusing to adopt the type of sandboxing that makes Chromium so secure? God... what are these people thinking?

      Firefox was amazing back when it was the only real alternative to IE but they've done a horrible job in competing with Google. I wouldn't be surprised if the FF project is dropped in 5 years.

    9. Re:This is a big bitchslap to Mozilla by Anonymous Coward · · Score: 0

      Just make up dumb shit why don't you without specifics.

    10. Re:This is a big bitchslap to Mozilla by Anonymous Coward · · Score: 2, Informative

      ScriptBlock on Chrome does the same thing, or am I missing something vital?

      NoScript does quite a bit more than just basic script blocking.

    11. Re:This is a big bitchslap to Mozilla by Nemyst · · Score: 2

      It's not even much of an advantage since uMatrix exists on Chrome and is arguably superior. Then again, using either tends to get really aggravating and something only a microscopic proportion of the population will ever do.

    12. Re:This is a big bitchslap to Mozilla by Anonymous Coward · · Score: 0

      Or more importantly, RequestPolicy Continued, which blocks a slew of unexpected or undesirable cross-site behaviors. That combined with NoScript is how I use both Firefox and Seamonkey, whitelisting only the stuff I want to see or execute while ignoring the vast majority of crap being foisted on me by obnoxious web developers.

    13. Re:This is a big bitchslap to Mozilla by Carewolf · · Score: 1

      As an avid Firefox user, I have to agree. Firefox is good because it's customizable, but it certainly lacks some inherent security features found in other major browsers.

      No being default on spyware? ;)

    14. Re:This is a big bitchslap to Mozilla by Burz · · Score: 1

      I'm not aware of any browser that can withstand a determined and resourceful hacker. Browsers are huge beasts that are 80% attack surface. So I'll continue to fault Chrome for its memory use and other bad habits, and keep using Firefox.

      I'll go further and point out that Pwn2Own folks obviously like using VMs to provide security when browsing, since they are putting VMware in the mix. And that hypervisor was originally designed for administrative convenience and full utilization of hardware, not security (now they are trying to make it a security platform, bless 'em). OTOH, Xen has long touted its security focus and has a really tiny attack surface so I'm happy to be using that in Qubes OS as well.

    15. Re:This is a big bitchslap to Mozilla by Anonymous Coward · · Score: 1

      > Maybe Mozilla will someday focus on its core competencies again

      nah, they'll just label you a misogynist.

    16. Re:This is a big bitchslap to Mozilla by hoggoth · · Score: 2

      Using NoScript is pretty easy if you don't try and micro-manage it. Allow (whitelist) your most trusted and frequently visited sites just once. "Temporarily allow all on this page" for trusted sites you don't frequently visit. Don't allow anything you don't completely trust to run JS.

      This is why I haven't switched to Chrome.

      --
      - For the complete works of Shakespeare: cat /dev/random (may take some time)
    17. Re:This is a big bitchslap to Mozilla by Anonymous Coward · · Score: 0

      Tracking beacon detected, advertisements launched!

    18. Re:This is a big bitchslap to Mozilla by Anonymous Coward · · Score: 0

      JSBlocker 5 on Safari is awesome for granular control of exactly what JS gets to run and what doesn't. Also randomizes environment variables that get passed to servers and interferes with Canvas tracking.

    19. Re:This is a big bitchslap to Mozilla by Anonymous Coward · · Score: 0

      ScriptBlock on Chrome does the same thing, or am I missing something vital?

      I can't answer for the original poster, but Chrome mobile doesn't allow extensions, and FF Mobile does. So at least in mobile browser space (which is the one that's increasing while others are decreasing) that is a factor.

    20. Re:This is a big bitchslap to Mozilla by arth1 · · Score: 3, Insightful

      Yea, Chrome gets a bad rap for how much resources it uses but, it actually has a good reason and, as you pointed out, if it starts hitting your system's ceiling, it starts scaling back.

      That's not acceptable. A web browser isn't the only, or even main thing I use my computer for. I don't want my VM to be unable to start because Chrome has used all the memory it could find, less a small bit.

      It's not cooperative. It assumes that all memory available has been made available for it only.
      Chrome is like a self-serve cafeteria where some people are gluttons who hog all the food, and latecomers only get crumbs. It might be legal, but it sure isn't playing nice. We shouldn't have to have guards standing at the food stations to prevent greedy bastards from ruining the experience for others. Taking all the biscuits and putting one or two back isn't generosity.

      Firefox isn't much better. One of my users forgot to close a browser window on a server before going on vacation, and just periodic auto-refresh had caused it to gobble up quite a few gigabytes of RAM - a large portion of the server's RAM. The server has extra RAM because of disk caching, to the benefit of all users. I ended up having to implement cgroup memory limiting because of Firefox.

    21. Re:This is a big bitchslap to Mozilla by The-Ixian · · Score: 1

      Yeah, I use NoScript but I am very attuned to going through every new page I visit and temporarily allowing 1 thing at a time (and sometimes having to resubmit forms over and over) until the page works well enough to use. I don't mind doing this at all.

      I know that most people will never do this.

      I have tried installing NoScript for some people who liked the idea of being more secure in this way. Then later was horrified that any time they ran into any problem they just permanently allowed all on the page or even just globally allowed all... completely defeating the purpose.

      --
      My eyes reflect the stars and a smile lights up my face.
    22. Re:This is a big bitchslap to Mozilla by greggman · · Score: 1

      So you never, ever turn on JavaScript? Or every time you turn it on you read through every line of it to make sure it hasn't changed and isn't doing anything bad?

      NoScript is basically worthless. You can't possibly trust every website you run JavaScript on. Even if that's only 1 or 2 you still need a secure browser for those 1 or 2 sites or you're just asking for trouble.

    23. Re:This is a big bitchslap to Mozilla by Anonymous Coward · · Score: 0

      When Chrome was released the NoScript developers put out that they would not develop for Chrome because it does not allow full control of JS to plugins. If that is still true, then uMatrix on Chrome is still less secure than NoScript on Firefox.

    24. Re:This is a big bitchslap to Mozilla by Anonymous Coward · · Score: 0

      Seems to me that your problem was running a browser on a server at all. That means you also had a full-blown X install and a DE/WM going. Apparently, I was mistaken in my idea that you are supposed to reduce your attack surface on a server.

    25. Re:This is a big bitchslap to Mozilla by arth1 · · Score: 1

      This is a server on which developers develop web apps. Having access to multiple browsers on the server itself is useful. Not all servers are DMZ servers where reduction of attack surface is the key point. Many are "crash and burn" servers where people can do their job without worrying about causing damage.

    26. Re:This is a big bitchslap to Mozilla by Noryungi · · Score: 3, Interesting

      OTOH, Xen has long touted its security focus and has a really tiny attack surface so I'm happy to be using that in Qubes OS as well.

      Excuse me? Xen had more than 100 security alerts in 2015, some extremely severe.

      And Xen is based on qemu, which has been proved to be fairly insecure in its own right.

      Using Qubes OS, which is based on Xen, which is based on qemu is... How to put it mildly? Maybe not the best idea if you are security conscious.

      In the words of Theo De Raadt: "You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes."

      I agree with him. It's turtles all the way down.

      --
      The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
    27. Re:This is a big bitchslap to Mozilla by Anonymous Coward · · Score: 0

      My apologies for misunderstanding then.

    28. Re:This is a big bitchslap to Mozilla by Forthac4 · · Score: 1

      I have NoScript set to allow the TLD by default, and I always run Firefox in a sandbox set to auto delete between sessions.

    29. Re:This is a big bitchslap to Mozilla by sudon't · · Score: 1

      ...and Safari. Unfortunately, there are many other plug-ins/extensions which are only available for FireFox.

      --
      -- sudon't

      Air-ride Equipped

    30. Re:This is a big bitchslap to Mozilla by CrashNBrn · · Score: 1
      And that's quite unlikely to change. Almost any feature of FF that requires a setting's change (beyond trawling through about:config) also requires a third-party extension to do so.

      A very basic example:

      Built into Firefox is "Scratchpad" (an on the fly JS editor). The Scratchpad window is an implementation of CodeMirror. The code itself is utilized across many of the Firefox Dev Tools. Within the Firefox Dev Tools is a "Style Editor". Everything you need to access|change a site's CSS and custom User Css is implemented by Firefox except none of it is exposed, and there is no management gui to do so.

      So we need to use Stylish or the mostly-broken-for-the-last-year "User Style Manager". Neither of these addons implement CodeMirror|scratchpad. USM's editor is the thing that breaks constantly and poorly implements some of the features of a Scratchpad window. Neither of these addons allow you to use a custom (external) editor for css - like GreaseMonkey does. Stylish stores your CSS in database files, so when Stylish breaks you don't even have css text files that you can access.
      There's many such features like this in Firefox

    31. Re:This is a big bitchslap to Mozilla by mujadaddy · · Score: 2

      uMatrix exists on Chrome and is arguably superior

      No, it is inarguably not the same thing. uMatrix does nothing for first-party scripts. (I use both in Firefox!)

      --
      Populus vult decipi, ergo decipiatur...
      "Force shits upon Reason's back." - Poor Richard's Almanac
    32. Re:This is a big bitchslap to Mozilla by amorsen · · Score: 1

      A virtualization system is an OS with a strange ABI and an ill-defined API.

      --
      Finally! A year of moderation! Ready for 2019?
    33. Re:This is a big bitchslap to Mozilla by reve_etrange · · Score: 1

      So you never, ever turn on JavaScript? Or every time you turn it on you read through every line of it to make sure it hasn't changed and isn't doing anything bad?

      Sites load lots of resources from other domains, and script blocking is domain based. Right now Slashdot would like me to load scripts from 10 domains. The site is perfectly functional with just two of them whitelisted.

      You can't possibly trust every website you run JavaScript on.

      The point is that slashdot.org and wellsfargo.com are a lot more trustworthy than a million random ad networks and tracking services. No, they're not "trusted," but it's great that I can view, say, a random blog with just the blog framework's JS and not twenty other weird third-party scripts.

      --
      .: Semper Absurda :.
    34. Re:This is a big bitchslap to Mozilla by reve_etrange · · Score: 1

      This will kill NoScript functionality and the functionality of many other extensions as well.

      This is just false, maybe it's an honest mistake but the FUD spreading has to stop. The developer of NoScript is categorical on the topic.

      --
      .: Semper Absurda :.
    35. Re:This is a big bitchslap to Mozilla by Anonymous Coward · · Score: 0

      You're getting it completely wrong.

      Qubes isn't about prevention, it's about convenience and mitigation. It automates and puts a lot of otherwise manual work in the background, and makes sure what protection comes from virtualisation actually gets used. It's pretty much based on the assumption that your various "boxes" will be compromised, but these boxes get continuously created and torn down so pwning them is of very limited value.

    36. Re:This is a big bitchslap to Mozilla by Anonymous Coward · · Score: 0

      No, it's very useful, but I bet you wish it wasn't, and that people wouldn't use it, asshat.

    37. Re:This is a big bitchslap to Mozilla by skids · · Score: 1

      "The only advantage Firefox gives is that one can run NoScript to block all scripting completely."

      One other -- the only reason I use it -- it still has a fully functional separate persistent search box instead of that stupid omnibar.

    38. Re:This is a big bitchslap to Mozilla by Anonymous Coward · · Score: 0

      NoScript is basically worthless

      This page without NoScript: 2,163.55 KB, 1.93 seconds. This page with NoScript: 434.70 KB, 0.53 seconds.

      Page works much faster with NoScript.

    39. Re:This is a big bitchslap to Mozilla by The-Ixian · · Score: 1

      I am glad I am not the only one who likes this feature.

      Sometimes, when I see a mass transition to a way of doing things across different vendors, I get the impression that some kind of new revelation struck everyone at once. Like "OMG this is so much better and we should have been doing it this way from the beginning! Don't you think? Well? DON'T YOU?!"

      I sometimes wonder if I somehow got thrown out of the human continuum and am witnessing the collective dream state / mass delusion from afar.

      --
      My eyes reflect the stars and a smile lights up my face.
    40. Re:This is a big bitchslap to Mozilla by Anonymous Coward · · Score: 0

      That's not acceptable. A web browser isn't the only, or even main thing I use my computer for. I don't want my VM to be unable to start because Chrome has used all the memory it could find, less a small bit.

      It's not cooperative. It assumes that all memory available has been made available for it only.

      While being a shameless memory hog IS objectively bad, dinging Chrome for not being "cooperative" is silly. *Everything* in Linux, including malloc() itself, assumes an optimistic memory allocation strategy, and this isn't kept secret. Graphics cards follow a slightly more sane strategy (gpu malloc > free mem *does* fail) but only because page-to-host is so slow there's no point.

      If you use program foo in such a way that it eats all available physical memory and performance crashes because suddenly everything is paging to swap, it's your fault. If I ask enblend to render a 4 billion pixel composite and my machine only has 8GB of RAM, I'm the one who goofed.

    41. Re:This is a big bitchslap to Mozilla by KGIII · · Score: 1

      Upper left, where it says (on this page) "slashdot.org" and select the * (wildcard).

      --
      "So long and thanks for all the fish."
    42. Re:This is a big bitchslap to Mozilla by Anonymous Coward · · Score: 0

      Opera 12 (and previous) has the ability to turn JS on/off on the fly. Opera 12 is still the best browser out there and it hasn't been updated in multiple years. Now we are left with Internet Explorer, Chrome, and Firefox. All three are horrible, at least IE is somewhat usable.

    43. Re:This is a big bitchslap to Mozilla by dos1 · · Score: 1

      Even ignoring the security aspect, using NoScript speeds up the web so much, it's definitely not worthless. Occasional annoyances like having to temporarily allow some scripts are nothing compared to performance boost.

    44. Re:This is a big bitchslap to Mozilla by Anonymous Coward · · Score: 0

      You can block first party scripts in uMatrix, saying "uMatrix does nothing for first-party scripts" is false.

      The default behavior of uMatrix allows first-party scripts, but the default behavior can just as easily be changed to disallow first party scripts by default.
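
A simplified model of the domain-based script blocking discussed in the comments above (whitelisting by domain, first-party scripts allowed or denied by default, rules scoped to one site or to all sites), as an added example that is not NoScript's or uMatrix's code or rule format. The class names, the two-label `base_domain` shortcut and the sample page are assumptions made for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def base_domain(host):
    """Last two labels of a hostname.

    Assumption for this sketch: real blockers consult the Public Suffix List,
    so names under suffixes such as co.uk are not handled correctly here.
    """
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


class ScriptCollector(HTMLParser):
    """Collect the hostname each <script> element on a page would run as."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        # Inline scripts have no src and are attributed to the page itself.
        url = urljoin(self.page_url, src) if src else self.page_url
        self.hosts.append(urlsplit(url).hostname)


class ScriptPolicy:
    """Default-deny for third parties, with global ("*") and per-site rules."""

    def __init__(self, allow_first_party=True):
        self.allow_first_party = allow_first_party
        self.rules = {}            # (scope, script base domain) -> True/False

    def set_rule(self, script_domain, allowed, scope="*"):
        scope = scope if scope == "*" else base_domain(scope)
        self.rules[(scope, base_domain(script_domain))] = allowed

    def decide(self, page_host, script_host):
        page, script = base_domain(page_host), base_domain(script_host)
        for scope in (page, "*"):          # a site-scoped rule beats a global one
            if (scope, script) in self.rules:
                return self.rules[(scope, script)]
        return self.allow_first_party if page == script else False

    def audit(self, page_url, html):
        """Map every script host found in html to the policy's decision."""
        collector = ScriptCollector(page_url)
        collector.feed(html)
        page_host = urlsplit(page_url).hostname
        return {h: self.decide(page_host, h) for h in collector.hosts}


# Constructed sample page; all hostnames are made up for the example.
SAMPLE_HTML = """
<script src="/static/app.js"></script>
<script src="https://cdn.blog.example/lib.js"></script>
<script src="//ads.tracker.example/t.js"></script>
<script src="https://embed.widget.example/comments.js"></script>
<script>document.title = "inline";</script>
"""

if __name__ == "__main__":
    policy = ScriptPolicy()
    policy.set_rule("widget.example", True, scope="blog.example")
    for url in ("https://www.blog.example/post/1", "https://news.example/"):
        print(url, policy.audit(url, SAMPLE_HTML))
```

The same third-party widget is allowed on the site where the rule was scoped and stays blocked everywhere else, which is the difference between a per-site rule and a global whitelist entry.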

    45. Re: This is a big bitchslap to Mozilla by Anonymous Coward · · Score: 0

      This is where uMatrix can help. It was httpswitchboard originally. My suggestion is to play with it a little.

    46. Re:This is a big bitchslap to Mozilla by ebvwfbw · · Score: 1

      I don't think that it's too easy. They said they were focusing on browsers that have made major improvements recently. That would be chrome, edge and safari. They had a lot to improve on. In the case of IE, it was miserable. In fact, there are sites out there that my Firefox won't even connect to because their security is so low. So far only Microsoft sites that still support export encryption and not much current, like > sha1. Sha1 and md5 breaks a lot of stuff now.

    47. Re: This is a big bitchslap to Mozilla by Anonymous Coward · · Score: 0

      They dropped Firefox OS...

    48. Re:This is a big bitchslap to Mozilla by Anonymous Coward · · Score: 0

      Try Palemoon. I would love to see some serious testing on this browser
      http://www.palemoon.org

    49. Re:This is a big bitchslap to Mozilla by Burz · · Score: 1

      Few of those relate to Priv or Info vulns. Instead of listing every entry the same, here is a more accurate chart:
        http://www.cvedetails.com/vuln...

      And Xen is based on qemu

      Um... Xen is not based on qemu, it uses qemu's device model and BIOS for HVM guests. Xen emphasizes PV guests for general operation and security, and that's what Qubes uses by default. OTOH, HVMs are a hassle to use even in Qubes and they are known to have security issues on all x86 platforms. So... excuse you, lol.

      Remove the stuff in the above list that is DoS, HVM-dependent, non-x86, needs qemu running in dom0, etc., and there is hardly anything there to hyperventilate over. Secure configurations of Xen do not operate qemu HVM features from the privileged (dom0) domain, they use unprivileged stub domains instead. One "severe" CVE in 2015 was related to qemu, but it affected almost no one (certainly not Qubes users) because of this fact.

      I'll also repeat what I said about Xen vs monolithic kernel-based security back in November:

      Linux has racked up 3X the number of CVEs over 5.0 so far this year, compared to Xen. And of those, Xen had zero with a score of 8.0 or higher -- while Linux had a staggering six. Xen has had only two of these (both 8.3) ever, so looking back to Jan. 2015 is being very, very kind to Linux. I think what the CVE charts are showing is an inherent mitigation effect due to structural features of type-1 hypervisor.

      OpenBSD, which doesn't support many desktop-related features, is a rarely-encountered odd duck; Not sure it fits into this conversation. FWIW, Qubes has an abstraction layer that allows Xen to be replaced with other isolation mechanisms. Among all the Qubes discussion about possible alternatives, I see no mention of using an OpenBSD host (although some people express interest in it as a non-GUI guest for proxy vms etc). It would be interesting to see someone try it.

    50. Re:This is a big bitchslap to Mozilla by Burz · · Score: 1

      Except that having a compromised guest -- temporary or permanent -- still leaves you with a core system and isolated guests that are uncompromised.

      What you're not getting is that when the Qubes devs say "security is not a boolean", they mean that in the prevention sense as well: Guests will likely be compromised by risky tasks, but attacks are still prevented from succeeding against the isolated parts. The fact that Qubes automates and GUIs some of the advanced hardware features in doing so doesn't alter that fact. You will get as much GUI convenience as security will bear, which is why cut-paste has an extra step and drag-and-drop (between guests) is unsupported. They even made file copy less convenient in some cases when the slight possibility of an exploit popped up; that is a preventative mindset.

    51. Re:This is a big bitchslap to Mozilla by Burz · · Score: 1

      A virtualization system is an OS with a strange ABI and an ill-defined API.

      If you define virtualization as Intel style HVMs. Even with that, libvirt exists to create a standard interface. It can be used for HVM and PVM. Qubes takes it further with the Odyssey framework.

    52. Re:This is a big bitchslap to Mozilla by Anonymous Coward · · Score: 0

      uMatrix blocks first party scripts just fine. It's still worth keeping noscript installed for XSS/CSRF protection, but set it to allow scripts globally and use uMatrix for rules-based blocking.

    53. Re:This is a big bitchslap to Mozilla by mujadaddy · · Score: 1

      Oh neat, thanks!

      --
      Populus vult decipi, ergo decipiatur...
      "Force shits upon Reason's back." - Poor Richard's Almanac
    54. Re:This is a big bitchslap to Mozilla by KGIII · · Score: 1

      No worries. I had to double check it myself. It's not like I read the manual either. I wasn't actually sure that it would work before I tested it in order to reply. I actually only noticed the option a few months ago, never tested it, and I've been using uMatrix for years now. It was available for Opera much sooner than he made the Firefox version. Opera has no NoScript as it uses the same style extensions as Chrome/Chromium. Hell, as I recall, I only noticed it by accident in the first place.

      So, you can configure wildcard (all domains), sub-domain (if applicable), and root domain. At some point, I'll probably get around to reading the manual. :/

      Oh, I like to backup my rules. I use multiple computers, sometimes just a Live USB, and being able to just restore my rules is very handy. It might seem like it's not that important but it just kind of sucks when you end up screwing something up and being unable to retrieve them and you lose a year's worth of rule refinements. I have it kind of automated and save to a network share that's accessible from anywhere I go that has internet. It has come in handy many times and I've even shared it with others. I should ask him if he's interested in adding the ability to merge multiple backups together. Or maybe it's in the manual.

      --
      "So long and thanks for all the fish."
    55. Re:This is a big bitchslap to Mozilla by skids · · Score: 1

      It's not for lack of complaining that this feature still has yet to be put back into chrome/opera. The devs just ignore the complaints. SOP these days. If you're lucky someone has made a plugin to emulate whatever feature they arbitrarily decided to exclude that will work for a few months before the core breaks it somehow.

  4. Just Implied by Anonymous Coward · · Score: 1

    The article didn't directly say that Firefox was insecure, although this is surely implied. It could mean that Firefox is already secure and the developers just haven't had to implement anything major to keep up.

  5. But rust is supersecure? by Anonymous Coward · · Score: 0

    But Firefox is using supersecure Rust now?

    1. Re:But rust is supersecure? by Thiez · · Score: 2

      Nope, Rust is being used by Mozilla to develop the experimental layout engine Servo, but there are (as far as I am aware) no plans to completely rewrite Firefox in Rust. There are plans to gradually replace some components in Firefox written in C/C++ with Rust, e.g. a url parser and a mp4 parser, but I don't think these are part of the current Firefox release.

  6. Wait a mintue by Anonymous Coward · · Score: 3, Interesting

    One change in the 2016 event is that the Mozilla Firefox Web browser is no longer part of the contest.

    "We wanted to focus on the browsers that have made serious security improvements in the last year," Gorenc said.

    Read that again.

    Notice serious "security improvements".

    So. am I to take it that Firefox was sitting on their asses and just adding bells and whistles?

    Or their security was so good before and now that there wasn't much improvement necessary?

    1. Re:Wait a mintue by Anonymous Coward · · Score: 1

      TFA is ambiguous and very poorly written. Which is probably why it's on Slashdot.

    2. Re:Wait a mintue by TheRaven64 · · Score: 4, Informative
      The former. All modern browsers except Firefox have decomposed their browser into multiple processes, so that a compromise from one site will only gain control over an unprivileged (i.e. isolated from other stuff the user cares about) process. They also run plugins in separate processes and have fairly narrow communication paths between them. Firefox is still a massive monolithic process, including all add-ons, plugins, and so on.

      This basically means that you just need one arbitrary code execution vulnerability in Firefox and it's game over. In contrast, if you have the same in Chrome, Edge, or Safari, then it's just the first step - you now have an environment where you can run arbitrary exploit code, but you can't make (most) system calls and you have to find another exploit to escape from the sandbox. Typical Chrome compromises are the result of chaining half a dozen vulnerabilities together.

      --
      I am TheRaven on Soylent News
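
The distinction drawn in TheRaven64's comments above (a separate process gives crash isolation, but only a restricted process limits what a compromise can reach), as an added example that is not part of the thread or any browser's code: a broker forks a worker and optionally removes the worker's ability to open files or sockets by setting RLIMIT_NOFILE to 0. The function names and the probe are constructed for illustration; it is POSIX-only, and this single limit stands in for the much broader restrictions a browser sandbox applies.

```python
import json
import os
import resource
import socket


def lock_down():
    """Forbid the calling process from acquiring any new file descriptor.

    With RLIMIT_NOFILE at 0, open(), socket() and pipe() all fail with EMFILE,
    while descriptors inherited before the call (the result pipe) keep working.
    """
    resource.setrlimit(resource.RLIMIT_NOFILE, (0, 0))


def probe():
    """Stand-in for code running in a compromised worker: what can it reach?"""
    reach = {}
    try:
        with open(os.devnull, "rb"):
            reach["open_file"] = True
    except OSError:
        reach["open_file"] = False
    try:
        socket.socket(socket.AF_INET, socket.SOCK_STREAM).close()
        reach["create_socket"] = True
    except OSError:
        reach["create_socket"] = False
    return reach


def crash():
    """Stand-in for a worker that dies on malformed input."""
    os.abort()


def run_worker(task, restricted):
    """Run task() in a forked worker; return (result or None, wait status)."""
    read_fd, write_fd = os.pipe()
    pid = os.fork()
    if pid == 0:                       # worker process
        code = 1
        try:
            os.close(read_fd)
            if restricted:
                lock_down()            # must happen before untrusted work starts
            os.write(write_fd, json.dumps(task()).encode())
            code = 0
        finally:
            os._exit(code)             # never return into the broker's code path
    os.close(write_fd)                 # broker process
    with os.fdopen(read_fd, "rb") as pipe:
        data = pipe.read()
    _, status = os.waitpid(pid, 0)
    return (json.loads(data) if data else None), status


if __name__ == "__main__":
    print("separate process only :", run_worker(probe, restricted=False)[0])
    print("separate + restricted :", run_worker(probe, restricted=True)[0])
    result, status = run_worker(crash, restricted=True)
    print("worker crashed, broker alive:", result is None and os.WIFSIGNALED(status))
```

The unrestricted worker survives crashes just as well as the restricted one, yet its probe can still open files; only the restricted worker reports both capabilities as gone.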
    3. Re:Wait a mintue by serviscope_minor · · Score: 1

      All modern browsers except Firefox have decomposed their browser into multiple processes,

      Mozilla is doing one better than that. Servo is being written to be provably memory correct and thread safe. Ultimately that's the better solution. Of course, firefox doesn't use servo yet.

      --
      SJW n. One who posts facts.
    4. Re:Wait a mintue by Viol8 · · Score: 1, Interesting

      Firefox used to be multiprocess, in the sense that if you started a new instance a new process would start. But they then heard about threading and decided it must be the solution to everything so now when you kick off a new firefox instance (on linux anyway) when one is already running it checks for some shared memory, and if it's there hands over to the current firefox process which kicks off a new thread then the process you started dies. A very complex, inefficient and security poor method of doing things. But probably looked good on some former firefox devs' CVs.

    5. Re:Wait a mintue by BZ · · Score: 5, Interesting

      Or maybe this is the contest organizers trolling? Because I know for a fact Firefox made serious security improvements in the last year; I reviewed some of those patches.

    6. Re:Wait a mintue by Anonymous Coward · · Score: 0

      Servo is an experiment by people that have almost nothing to do with Firefox. There are no plans to include Servo in Firefox and it would be years before that even became a possibility.

    7. Re:Wait a mintue by pr0fessor · · Score: 1

      Firefox is losing in both the mobile and desktop markets so they are concentrating on ways to keep and expand their user base else be irrelevant. Chrome on the other hand has been on the rise for some time and is the leader in both markets therefore it's a likely target.

    8. Re:Wait a mintue by The-Ixian · · Score: 1

      Chrome on the other hand has been on the rise for some time and is the leader in both markets therefore it's a likely target.

      Yeah, wonder why that is? Google was more aggressive about pushing Chrome than MS ever was about pushing Windows 10.

      Now that everyone has taken the bait and installed Chrome and see that it works well with their investment in Google services... of course they are going to justify its use.

      --
      My eyes reflect the stars and a smile lights up my face.
    9. Re:Wait a mintue by Anonymous Coward · · Score: 0

      I know it is a pain in the ass, but I wonder if things wouldn't be better if seccomp (and not seccomp-bpf) usage was more widespread. Sure it requires more discipline and would require breaking up a process into smaller pieces but there would be no RCE vulnerabilities in most of the processes.
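
The strict seccomp mode mentioned in the comment above, as an added example that is not part of the original thread: a parent forks a worker that enters `SECCOMP_MODE_STRICT` holding two pre-opened pipe descriptors, after which the kernel lets it call only `read`, `write`, `exit` and `sigreturn`. The function names, the FNV-1a hash standing in for parsing work, and the sample input are assumptions made for illustration (Linux only).

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#define SANDBOX_UNAVAILABLE 2   /* worker exit code when prctl() is refused */

struct worker_result {
    int sandboxed;   /* 1 if the worker entered strict seccomp mode */
    int killed_by;   /* signal that ended the worker, 0 if it exited itself */
    int got_reply;   /* 1 if the parent received a complete reply */
    uint32_t reply;  /* the worker's answer, valid when got_reply is 1 */
};

/* Stand-in for the risky work (handling untrusted bytes): 32-bit FNV-1a. */
static uint32_t fnv1a(const unsigned char *buf, size_t n)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) {
        h ^= buf[i];
        h *= 16777619u;
    }
    return h;
}

/* Strict mode forbids exit_group(2), which glibc's _exit() uses, so the
 * worker must leave through the raw exit(2) system call. */
static void strict_exit(int code)
{
    for (;;)
        syscall(SYS_exit, code);
}

/* Runs in the child. misbehave != 0 simulates a compromised worker that
 * tries to open a file after it has been sandboxed. */
static void worker(int in_fd, int out_fd, int misbehave)
{
    unsigned char buf[256];

    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT) != 0)
        _exit(SANDBOX_UNAVAILABLE);       /* not sandboxed yet, _exit is fine */

    ssize_t n = read(in_fd, buf, sizeof buf);
    if (n < 0)
        strict_exit(1);
    if (misbehave)
        (void)open("/etc/hostname", O_RDONLY);  /* kernel answers with SIGKILL */
    uint32_t h = fnv1a(buf, (size_t)n);
    if (write(out_fd, &h, sizeof h) != (ssize_t)sizeof h)
        strict_exit(1);
    strict_exit(0);
}

/* Parent side: keeps ambient authority, hands the worker nothing but pipes.
 * A real design would also close every other inherited descriptor in the
 * child, since the worker may still read and write any fd it already holds. */
static struct worker_result run_worker(const unsigned char *input, size_t len,
                                       int misbehave)
{
    struct worker_result r = {0, 0, 0, 0};
    int to_worker[2], from_worker[2], status = 0;

    if (len > 256 || pipe(to_worker) != 0)
        return r;
    if (pipe(from_worker) != 0 ||
        write(to_worker[1], input, len) != (ssize_t)len) {
        close(to_worker[0]);
        close(to_worker[1]);
        return r;
    }
    close(to_worker[1]);            /* input is queued; worker will see EOF */

    pid_t pid = fork();
    if (pid == 0) {
        close(from_worker[0]);
        worker(to_worker[0], from_worker[1], misbehave);   /* never returns */
    }
    close(to_worker[0]);
    close(from_worker[1]);
    if (pid < 0) {
        close(from_worker[0]);
        return r;
    }
    r.got_reply = read(from_worker[0], &r.reply, sizeof r.reply)
                  == (ssize_t)sizeof r.reply;
    close(from_worker[0]);
    if (waitpid(pid, &status, 0) != pid)
        return r;
    r.killed_by = WIFSIGNALED(status) ? WTERMSIG(status) : 0;
    r.sandboxed = !(WIFEXITED(status) &&
                    WEXITSTATUS(status) == SANDBOX_UNAVAILABLE);
    return r;
}

int main(void)
{
    /* Constructed sample input, not taken from the thread. */
    const unsigned char sample[] = "GET /index.html HTTP/1.1\r\n";
    struct worker_result ok = run_worker(sample, sizeof sample - 1, 0);
    struct worker_result bad = run_worker(sample, sizeof sample - 1, 1);

    printf("well-behaved: sandboxed=%d signal=%d reply=%d\n",
           ok.sandboxed, ok.killed_by, ok.got_reply);
    printf("misbehaving:  sandboxed=%d signal=%d reply=%d\n",
           bad.sandboxed, bad.killed_by, bad.got_reply);
    return 0;
}
```

Where the kernel or container runtime refuses strict mode, `sandboxed` comes back as 0 and the other fields say nothing about confinement.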

    10. Re:Wait a mintue by Anonymous Coward · · Score: 0

      Serious question: what were they?

      All I've seen is incremental improvements on memory safety that everyone does, but none of the big buzzword stuff like sandboxing, multiprocess and much more refined usage of the principle of least privilege.

    11. Re:Wait a mintue by NotInHere · · Score: 2

      It's not quite how you describe it. Yes, when you start firefox it checks first whether the current profile is currently opened. That's not done because of "parallel" (or "threading", which doesn't have anything to do with this), but to the contrary, it is meant so that only one instance of firefox has write access to the profile.

      If you want to start multiple firefox processes, you'll need multiple profiles. When you start the separate firefox process you must then specify the --no-remote -P ProfileName command line args, where ProfileName is the name of the firefox profile you want to start (you can create profiles with the --ProfileManager param).

    12. Re:Wait a mintue by Anonymous Coward · · Score: 0

      Did you mean losing, as in the opposite of winning?

    13. Re:Wait a mintue by Anonymous Coward · · Score: 0

      Google was more aggressive about pushing Chrome than MS ever was about pushing Windows 10.

      Funny that. I never was greeted with a popup when I logged in whether I wanted to install Chrome Now or Tonight...

    14. Re:Wait a mintue by Anonymous Coward · · Score: 0

      That's why they will fail. If they'd concentrate on fixing bugs that have been in their system for more than a decade and are really bugging users they might not be in the handbasket they're in. Unfortunately Mozilla is ruled by egos and ideology rather than meritocracy and practicality.

    15. Re:Wait a mintue by Anonymous Coward · · Score: 0

      Yep, and the oh so fun sting in the tail was that if you had a linux setup running multiple displays that weren't setup as a single virtual desktop (as I did at one point - at the time it was the only setup I could do with my particular combo of graphics cards and displays that would support more than one display) you could only have firefox open on one display. I can't recall the error message when you tried to run a second instance on a different display, but it was truly fucking annoying.

      I did put in a bug report at the time, and the bug was confirmed by a bunch of others, but I have no idea if this was ever fixed. Nothing much happened for a while and then updates in Ubuntu fixed the problems that made me have such an obscure setup in the first place, at which point I stopped caring.

    16. Re:Wait a mintue by Anonymous Coward · · Score: 0

      Did all of those browsers do that in the past year, though? Did Safari add anything in 2015 to justify being on this list when Firefox is not? Edge I can understand, and I can at least presume that Chrome has fiddled with some knobs here and there, but if Pwn2Own was just not willing to test unsandboxed browsers, they should have just said so. This sounds very much like they're just singling Firefox out.

    17. Re:Wait a mintue by Anonymous Coward · · Score: 0

      Security patches on unwanted DRM spyware doesn't count. Also, making it so that the interface is built for retards and forcing people to use signed extensions doesn't count.

      Fuck your contributions. Your shit browser is going nowhere, fast. How about focusing on core competencies again.

      Signed,
      A former contributor and former donor.

    18. Re:Wait a mintue by legRoom · · Score: 1

      Servo is being written to be provably memory correct and thread safe.

      While I think it is true that Rust is a major step forward in this area, Servo is emphatically not "provably correct" - it just encapsulates the unverified stuff in "unsafe" blocks. Yes, this matters in practice: the first Ariane 5 rocket launch failed catastrophically because Ada's default protection against numerical overflow had been manually disabled in a critical piece of code.

      Also, since the "proof" system (the Rust language standard and compiler) has not itself been proven correct, even "safe" code is not "proven" to really be safe. Yes, this matters in practice: for years, the Java standard library (among many others) contained a "formally verified" sorting algorithm that would fail due to integer overflow, because the formal verification had been performed without giving consideration to overflow.

      No one in the world today has the tools necessary to prove any program correct on real non-trivial hardware, because the execution environment is too complex and buggy to model fully and correctly. Formal "proofs" are, in practice, just another means of finding some problems that were missed by other methods of quality assurance.

    19. Re:Wait a mintue by Anonymous Coward · · Score: 0

      But Firefox has run plugins in a separate process for some years now:

      In Firefox 4 and above on Windows and Linux, the preference dom.ipc.plugins.enabled is set to true by default and the OOPP crash protection feature is enabled for all plugins,

    20. Re:Wait a mintue by Blaskowicz · · Score: 1

      I'm on linux and when I launch a new instance, I get a new process - new instance meaning you launch it with a separate profile and -no-remote.

    21. Re:Wait a mintue by RebelWebmaster · · Score: 1

      A former contributor and former donor.

      Wow, brave enough to attach your name too.

    22. Re:Wait a mintue by Viol8 · · Score: 1

      No remote doesn't work for me and a new profile rather defeats the point of having a browser with all your settings doesn't it.

    23. Re:Wait a mintue by TheRaven64 · · Score: 1

      This is a reliability measure, not a security measure. The process that plugins run with is not sandboxed and runs with ambient authority. It can read every file in the user's home directory and can open arbitrary network connections. If Flash crashes, then it won't crash Firefox (which is a good thing), but if Flash is compromised then it's exactly the same as if Firefox were compromised. In contrast, if Flash is compromised in Safari or Chrome, the attacker has access to a process running with very restricted privileges and an IPC channel to the browser. To do anything useful, the attacker must use the IPC channel to compromise the sandboxed renderer process, then do the same thing again (though likely with a different vulnerability) to compromise the main browser process (the one that runs with ambient authority). You need, at a minimum, three exploits: one in Flash and two in the browser, to get from a malicious Flash app to a user-level compromise in Chrome or Safari. With Firefox, you need just the first one to do the same amount of damage.

      --
      I am TheRaven on Soylent News
    24. Re:Wait a mintue by TheRaven64 · · Score: 1

      No, but that's not really the point (actually, all of the others have added additional security features, but they all had sandboxing last year). The point is that Firefox does not implement the core mechanisms for security that the others all had last year (and, mostly, the year before and the year before that too). This makes it uninteresting as a target.

      --
      I am TheRaven on Soylent News
    25. Re:Wait a mintue by Anonymous Coward · · Score: 0

      As I sit here using my Developer Edition of Firefox using e10s and segregated plugins, I don't have to wonder about you keeping up with firefox news. It's clear that you don't ... All of this stuff you mentioned, specifically:

      >All modern browsers except Firefox have decomposed their browser into multiple processes, so that a compromise from one site will only gain control over an unprivileged (i.e. isolated from other stuff the user cares about) process. They also run plugins in separate processes and have fairly narrow communication paths between them. Firefox is still a massive monolithic process,

      Is basically wrong, now. I've been using the dev edition, which is at version 46 now as my daily driver for months now, and I have no stability issues to speak of. It all works fine, and it's terribly fast. The normal users will receive these updates in due time.

  7. Hey hey hey... by EmeraldBot · · Score: 1, Insightful

    I don't think the article ever says anywhere that they're not doing it because it's too easy. They're not doing it because all the other browsers introduced sexy new features and they want to focus their efforts on securing these first - since Firefox hasn't changed much under the hood, it's not very different from the last time they used it. It's one thing to add a little comment here and there, but try not to put words in other people's writing. After all, if they were worried it'd be too easy, they would have attempted exploits on a secured Linux distro or on a *BSD - which I don't see mentioned anywhere here at all.

    --
    "Set a man a fire, he'll be warm for the rest of the night. Set a man afire, he'll be warm for the rest of his life."
    1. Re:Hey hey hey... by timritzer · · Score: 5, Informative

      Except for the fact that last year it was the most insecure! http://www.extremetech.com/com... So, least secure last year, plus the statement "We wanted to focus on the browsers that have made serious security improvements in the last year" clearly indicates they think it is not worth the effort due to the insecure nature of the browser.

    2. Re:Hey hey hey... by EmeraldBot · · Score: 3, Interesting

      Except for the fact that last year it was the most insecure! http://www.extremetech.com/com... So, least secure last year, plus the statement "We wanted to focus on the browsers that have made serious security improvements in the last year" clearly indicates they think it is not worth the effort due to the insecure nature of the browser.

      Ah, I was looking for something like this when writing my comment. It's rather hard to find an up-to-date review of web browser vulnerabilities, which is curiously strange. Even so though, these results are from beginning of 2014, which was almost two years ago. I'll grant you Firefox doesn't have the same track record, but my point still stands: I think they're mainly doing it because they don't have infinite money and the same web browser again isn't very sexy.

      However, if I may bring up a point here: Firefox isn't super outstanding secure out of the box, but it has great support for extensions, and a few of the right ones can vastly improve its security. I don't know if Chrome can do the same (genuinely not sure, the last time I used it at all was ~2012). Also, because these all seem to depend on certain platforms, I wonder if/how many of these browser insecurities target the underlying OS as opposed to the browser itself?

      --
      "Set a man a fire, he'll be warm for the rest of the night. Set a man afire, he'll be warm for the rest of his life."
    3. Re:Hey hey hey... by Anonymous Coward · · Score: 0

      In most cases, the OS is not going to make a difference as long as it's recent. Most of them have the exact same protections with different names. Vulnerability wise, in 2014 we have http://www.gfi.com/blog/most-vulnerable-operating-systems-and-applications-in-2014/ (many versions of Windows are reported, and summed they have the most, but you have to keep in mind almost all of them are duplicates.) Not an appreciable difference, certainly not one in favor of Linux.

    4. Re:Hey hey hey... by thermopile · · Score: 1

      Well, that is the nail in the coffin for me. I've been using Firefox for the past ~4 years due to convenience and, frankly, have been too lazy to switch. Time to switch to Chrome.

      --

      "Diplomacy is something you do until you find a rock." --Richard Pound

    5. Re:Hey hey hey... by Anonymous Coward · · Score: 0

      Time to switch to Chrome.

      At least the UI will be familiar :-).

    6. Re:Hey hey hey... by Anonymous Coward · · Score: 1

      Well, that is the nail in the coffin for me. I've been using Firefox for the past ~4 years due to convenience and, frankly, have been too lazy to switch. Time to switch to Chrome.

      Very intelligent move. So you are about to turn to the browser made by a gargantuan surveillance corporation. I can't think of anything smarter than that [rollseyes]

    7. Re:Hey hey hey... by Anonymous Coward · · Score: 0

      Did you actually read the article and more importantly, the insightful comments that trashed it? Look up the severity level of the vulnerabilities...Windows 10 has 12 at 9.0 or higher, while the Linux kernel only has 3 at 8.0 or higher. Big difference. There is a HUGE difference between operating systems in terms of security.

    8. Re:Hey hey hey... by NotInHere · · Score: 1

      Well, on linux the focus is more on breaking into stuff like servers or network appliances or so. There it can already be considered a security issue if you can get a dump of the user database. But on windows, still the major desktop OS, the main target is the classical "rogue code execution" stuff. Both are serious in their context, just desktop linux hasn't got any attention.

    9. Re:Hey hey hey... by higuita · · Score: 1

      Actually that article is from 2014... not exactly last year! :)

      In the last year, firefox did improve the internal design and is now partially multi-threaded, but being a monolith for all these years cannot be solved that fast without breaking things. Only a complete redesign would help doing this faster... but maintaining the current engine and designing and building a new one is still a huge task and takes years, not something mozilla can do, they don't have the MS, Google and Apple money and size.

      servo is THE mozilla redesign, it will solve all the current problems... but it required a design of a new language and all the tools around it. If it works as planned, it will make firefox leapfrog all the current browsers' tech... let's wait

      For me, noscript+request policy (continued)+noredirect and without flash installed, makes firefox perfect, chrome used way too much resources

      --
      Higuita
    10. Re:Hey hey hey... by BarbaraHudson · · Score: 1

      Well, that is the nail in the coffin for me. I've been using Firefox for the past ~4 years due to convenience and, frankly, have been too lazy to switch. Time to switch to Chrome.

      Very intelligent move. So you are about to turn to the browser made by a gargantuan surveillance corporation. I can't think of anything smarter than that [rollseyes]

      Like Mozilla's survival hasn't been dependent on making money by setting the default search on first installation, first to google, and now yahoo? How many people change defaults?

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
  8. Mozilla Foundation's press release in response: by Anonymous Coward · · Score: 5, Funny

    "Yeah, Pwn2own, well.... your MOM is too easy!"

  9. Can't expect Firefox to be secure by Anonymous Coward · · Score: 5, Insightful

    The FF developers don't have the time for that, they're far too busy destroying the user experience just a little bit more with each release.

    It takes a lot of time and effort and great skill to ruin what used to be the best browser you know, it doesn't happen by itself!

    (I just wish I were joking. Unfortunately they have the Microsoft disease of "The UI must change with each release to show that we're doing something". It's mind-boggling in its insanity, and it annoys their supporters continually. If they hadn't touched the UI in the last 5 years and devoted all their energy to security and performance instead, FF would still be the leading browser today.)

    1. Re:Can't expect Firefox to be secure by Anonymous Coward · · Score: 0

      You bitches are like a broken record. Maybe give it a rest?

    2. Re:Can't expect Firefox to be secure by Anonymous Coward · · Score: 3, Insightful

      Removing cookie management features was the last straw for me. That is an essential feature for browsing the modern web. It's simply bewildering they would remove a critical ability while simultaneously adding weird social media things.

    3. Re:Can't expect Firefox to be secure by Anonymous Coward · · Score: 1

      palemoon, a fork from ff before it went to shit

    4. Re:Can't expect Firefox to be secure by secretsquirel · · Score: 0

      Eh, I can live with the changes to free up screen space, and the rest were just kind of annoying at first but not showstoppers.

    5. Re:Can't expect Firefox to be secure by Anonymous Coward · · Score: 0

      Given the bugs they've fixed over the past year and their roadmap, I'm pretty sure you're just sensationalizing. I know that people love to do that when their pet features are lost (because who wants to use addons, amirite), but it's pretty sad to see how much people dump on the Firefox devs because they want to see Firefox magically improve without "destroying" anything. The state of its codebase was downright pathetic a few years ago, and now it's finally starting to see the improvements we've been asking for, but nobody cares anymore. It's just easier to blame everything on Mozilla, because that's the party line.

    6. Re:Can't expect Firefox to be secure by Falos · · Score: 1

      >The UI must change with each release
      Maybe give this a rest.

    7. Re:Can't expect Firefox to be secure by Anonymous Coward · · Score: 0

      Yes agreed, the final nail in its coffin. The very bloated and inefficient coffin. The very time an upgrade comes in, it works less well coffin.
      The cook your laptop on youtube coffin.
      Its coffin needs to be cremated, PLEASE!

    8. Re:Can't expect Firefox to be secure by Cyberpunk+Reality · · Score: 1

      Thank the gods for Palemoon. Without it (and with NoScript, Ghostery, and an ad-blocker running) I find the web is mostly un-useable.

      --
      Rule 35 of the internet: "If it can be hacked, it will be". - Charles Stross
    9. Re:Can't expect Firefox to be secure by EnsilZah · · Score: 2

      Heh, the UI is one thing, but there's also the bit where they went:
      Ok, so let's take a bunch of features that by any right should be an external plugin a few people would use and integrate them into the browser.
      Then let's take a bunch of basic features out so people have to replicate them in plugin form.
      Oh, and then obviously, let's deprecate our plugin API and replace it with Chrome's, so that after the UI changes the only thing differentiating us from Chrome will be how much our browser crashes and leaks memory.

    10. Re:Can't expect Firefox to be secure by Anonymous Coward · · Score: 0

      Oh man, the memory... It's not even the amount of memory as best I can tell, it's that the UI becomes sluggish and unresponsive after a while. People attribute it to memory problems, and the FF team keeps saying that there is no problem. It's like they have never tried to stress test their own fucking product.

    11. Re:Can't expect Firefox to be secure by Anonymous Coward · · Score: 0

      Given the bugs they've fixed over the past year and their roadmap, I'm pretty sure you're just sensationalizing.

      When your product is "a web browser" and you announce you are removing HTTP protocol support, again removing HTTP support in your web browser, it's pretty hard to repeat that title word-for-word from Mozilla without it sounding like "sensationalizing"
      Perhaps Mozilla shouldn't have made such sensational claims in the first place?

      I know that people love to do that when their pet features are lost (because who wants to use addons, amirite), but it's pretty sad to see how much people dump on the Firefox devs because they want to see Firefox magically improve without "destroying" anything.

      Removing HTTP protocol support is hardly a pet feature, it's the sole feature for this software to even exist let alone what it does.

      Besides Mozilla has deprecated most of their entire addon API already, and they haven't even locked down the addon store yet.
      There is no way they are going to be putting over a year of work into removing HTTP protocol support only to allow someone to add it back in with an addon.

      Not to mention requiring an addon be installed in your web browser before it can web browse is about as stupid as it gets.

      It's just easier to blame everything on Mozilla, because that's the party line.

      Then the Mozilla devs should stop publicly announcing shit they don't want repeated.
      https://blog.mozilla.org/secur...

    12. Re:Can't expect Firefox to be secure by amorsen · · Score: 1

      I really don't get this. Did you seriously click through the cookies on every web site, picking which ones should be allowed and which shouldn't?

      If anything, the Firefox developers should have included Self Destructing Cookies in the main distribution, but it works well as an addon. Deleting the silly "click to accept cookie" thing made a lot of sense though.

      --
      Finally! A year of moderation! Ready for 2019?
    13. Re:Can't expect Firefox to be secure by Anonymous Coward · · Score: 0

      Did you seriously let web sites load any cookie they want? And no addon replaces that functionality! Not a damn one. Tools keep saying so, but can't prove it.

    14. Re:Can't expect Firefox to be secure by amorsen · · Score: 1

      Yes? As long as they're first party cookies and die after the session, I don't see the problem.

      I obviously don't let third parties set cookies, but that's because I don't let content get loaded from third parties at all.

      --
      Finally! A year of moderation! Ready for 2019?
    15. Re:Can't expect Firefox to be secure by BarbaraHudson · · Score: 1

      You kind of have to to know which cookies to block.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    16. Re:Can't expect Firefox to be secure by BarbaraHudson · · Score: 1

      They're running test builds. They probably have to restart every once in a while, so it's not like they would have that much memory eaten up before something else causes a problem. And we're the testers of the final product.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    17. Re:Can't expect Firefox to be secure by KGIII · · Score: 1

      I read your link. I'm not sure that it says what you think it says. Did you read your link? Some functionality will be disabled on HTTP while in place on secure sites. Unless I'm reading it wrong, that's all your link actually says.

      --
      "So long and thanks for all the fish."
    18. Re:Can't expect Firefox to be secure by yuvcifjt · · Score: 0

      is palemoon multi-process?
      if not, then it's just another crappy clone of firefox, and heavily dependent upon the firefox devs on improving gecko to inherit changes.

      Use firefox with "classic theme" and it's superior to palemoon in every way.

      Does palemoon have a team of 500 devs improving and constantly adding new html5/css3/es6 features?
      No, didn't think so.

      So fed up of retards talking about palemoon like it's a different browser.

    19. Re:Can't expect Firefox to be secure by Anonymous Coward · · Score: 0

      palemoon, a fork from ff before it went to shit

      Palemoon is slower and way less secure than Firefox.

    20. Re:Can't expect Firefox to be secure by RogerWilco · · Score: 1

      Yes. I live on NoScript, ABP, BetterPrivacy and Classic Theme Restorer.

      I really do not like what Firefox has done with the UI. I still lament the loss of the Qute icons and I want a browser with Home, Reload, Stop, Back, Forward, an URL bar and a Search bar.

      Maybe I'm getting old. I started on Mosaic, then all versions of Netscape and Phoenix/Firefox.

      --
      RogerWilco the Adventurous Janitor
    21. Re:Can't expect Firefox to be secure by Anonymous Coward · · Score: 0

      And let's keep removing features from Firefox and claim that the features can be implemented in an add-on so that is the reason to remove the feature but then add features like pocket that could also be done in an add-on but force it onto everyone instead of just creating an add-on for it.

      I would hate to be an add-on developer for Firefox, the API changes far too often that add-ons are constantly breaking and require constant updating. At least with the old release cycle, for the most part an add-on didn't have to be updated until a major release, but now the add-on API can be changed with any release.

    22. Re:Can't expect Firefox to be secure by toddestan · · Score: 1

      Actually Palemoon uses Goanna now, which is a fork of Gecko. It really doesn't matter what Mozilla does with Firefox and Gecko now, as Palemoon is its own entity.

      I do agree that it does feel like Palemoon is struggling to keep up as it just doesn't have the resources and unlike most of the other 'clones' it's not just repackaging Firefox.

      Though maybe Mozilla should get those 500 developers working on things that people actually want. It really amazes me given the resources that put into Firefox that it isn't a much better browser than it is.

  10. Re:stop fooling around with .... Firefox OS by Anonymous Coward · · Score: 0

    Oh you mean like they already decided to?

    http://techcrunch.com/2015/12/08/mozilla-will-stop-developing-and-selling-firefox-os-smartphones/

  11. Firefox to merge with SystemD. by Anonymous Coward · · Score: 0

    Giving security holes integrated into the boot process.

  12. Can see the headline now by Anonymous Coward · · Score: 0

    Pwn2own hacking competition finds flaws in leading browsers.
    Firefox not listed indicating how much better it is.

  13. Sick burn, bruh! by Anonymous Coward · · Score: 0

    Gnarly!

    9__9

  14. This reeks of corporate shillary... by Anonymous Coward · · Score: 0

    One HPE manager's comment does not a compelling argument make. Even if Firefox IS less secure, dropping it from the competition is STILL pure bullshit and marketing. Who do they think they are helping by NOT trying to fix the second most popular web browser on the internet? I mean, you know, besides Trend Micro's bottom line.

  15. Firefox does focus on security by Anonymous Coward · · Score: 0

    The electrolysis (e10s) separates each tab into a process to further isolate tabs from each other.

    Parts of Firefox are being ported from C/C++ to Rust.
    They are working on their new experimental engine Servo, but they are still using Gecko.

  16. Regardless of the summary by Anonymous Coward · · Score: 0

    The truth is that Firefox began to slip a few years ago, and it continues to slip. It is not the browser that it was; it does not have the charisma that it used to have, has been displaced by Chrome and its all-open instantiation (Chromium) and, quite frankly, its future is beginning to be very much in doubt.

  17. They could change the rules though by bazorg · · Score: 1

    We wanted to focus on the browsers that have made serious security improvements in the last year

    Rather than giving Mozilla some bad press they could have stated in the rules that exploit A, B and C have already been done last year and don't count for the 2016 edition of the contest. Even if they haven't changed whatever these guys think is "serious" since last year that doesn't mean the whole thing is bad.

    1. Re:They could change the rules though by Anonymous Coward · · Score: 0

      Mozilla deserves what they get.

  18. Sponsored by by Anonymous Coward · · Score: 0

    Is the TrendMicro sponsor the same as in the nasty security hole allowing any site to run commands:

    https://code.google.com/p/google-security-research/issues/detail?id=693

    Nice security company!

  19. Then what's the point? by Millennium · · Score: 2

    I thought Pwn2Own was supposed to be all about shaming vendors into cleaning up their act. If Firefox's security is really so poor, then shouldn't these guys be directing more resources toward it, rather than less?

    Is this not a large part of how Microsoft was pressured into finally making certain decisions which, while clearly necessary, were very inconvenient from its own perspective? Why are we to believe that it would not work again?

    1. Re: Then what's the point? by Anonymous Coward · · Score: 0

      Maybe they mean it's not worth giving the money for the already insecure browser

    2. Re:Then what's the point? by Anonymous Coward · · Score: 0

      Firefox is on a path to have its guts replaced with Chrome's. So, really, there is no point in testing it anymore. It would be redundant.

    3. Re:Then what's the point? by Anonymous Coward · · Score: 0

      The idea is finding exploits in browsers you believe are secure. Where finding exploits is considered hard.

      If you are convinced a browser is insecure and is full of unpublicized exploits, who would want to part with their money to find out what you already knew?

      The bigger shame is in not being included in the first place, not in seeing money be given to recipients for breaking something "easy" to break

    4. Re: Then what's the point? by Millennium · · Score: 1

      Again, though, that misses the point. You offer a prize to hack an insecure browser as a means of shaming the browser's developer. That's how it worked, and more to the point, that's why it worked. Have the Pwn2Own folks perhaps lost sight of that original purpose?

    5. Re:Then what's the point? by The-Ixian · · Score: 1

      And also, I noticed that TrendMicro is a sponsor... is that their method of making sure that their product is never a focus of the hacker attention?

      --
      My eyes reflect the stars and a smile lights up my face.
    6. Re:Then what's the point? by Khyber · · Score: 0

      Pwn2Own has become a self-congratulatory bunch of fucktards who no longer care about making things safe for people, they're only out to stroke their own egos. This announcement pretty much clinches that.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    7. Re:Then what's the point? by Anonymous Coward · · Score: 0

      I thought Pwn2Own was supposed to be all about shaming vendors into cleaning up their act. If Firefox's security is really so poor, then shouldn't these guys be directing more resources toward it, rather than less?

      If all the hacks that were coded for FireFox last year are still valid, it is clear that Mozilla has no interest in security. Such a shameless response to attempted public shaming means a more drastic measure must be taken.

      Some kind of announcement that until FireFox patches the old vulnerabilities, they've already lost to every other competitor and it would not be sporting to waste time and effort digging for new vulnerabilities in an already dangerous browser. Much like what the title of this discussion indicates (not going to read the linked articles, already forgot the summary)

    8. Re:Then what's the point? by wisnoskij · · Score: 1

      Throwing good money after bad. Firefox was the most "shamed" browser last year, and if this guy is correct they have done nothing about it for the last 12 months.

      --
      Troll is not a replacement for I disagree.
    9. Re:Then what's the point? by dj245 · · Score: 1

      I thought Pwn2Own was supposed to be all about shaming vendors into cleaning up their act. If Firefox's security is really so poor, then shouldn't these guys be directing more resources toward it, rather than less?

      Is this not a large part of how Microsoft was pressured into finally making certain decisions which, while clearly necessary, were very inconvenient from its own perspective? Why are we to believe that it would not work again?

      Why would they do that? Firefox is losing market share and has spent a lot of effort in the past year degrading the user experience. It seems they did not make security a priority whatsoever, despite being in last place last year. Why would Pwn2Own offer prize money for Firefox exploits? That only serves to send a message that companies can slash the security budget of their browser and someone else will pick up the tab in identifying exploits.

      --
      Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
    10. Re: Then what's the point? by dj245 · · Score: 5, Informative

      Again, though, that misses the point. You offer a prize to hack an insecure browser as a means of shaming the browser's developer. That's how it worked, and more to the point, that's why it worked. Have the Pwn2Own folks perhaps lost sight of that original purpose?

      Obviously Firefox wasn't shamed last year, or they would have tried to improve security. Instead, they made a bunch of useless UI changes, removed features, etc. They didn't get the message. Spending large amounts of money to send them the same message again would be a wasted effort. By ignoring them this year, Pwn2Own is sending an even stronger message that Firefox is a browser to be avoided. And it doesn't cost them any prize money to send that message.

      --
      Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
    11. Re:Then what's the point? by nuckfuts · · Score: 1

      Pwn2Own has become a self-congratulatory..

      They're being congratulated by corporate sponsors giving them substantial prizes, not by themselves.

      ... bunch of fucktards

      Sure, call the most renowned hackers and security experts on the planet "a bunch of fucktards". I'm sure you know better.

    12. Re:Then what's the point? by Anonymous Coward · · Score: 0

      Let me take this one...it's actually a security strategy on behalf of Firefox. You've heard of "security through obscurity" right? This is a new paradigm: "Security through we're just not kewl enough to be a target, because we're so lamely insecure and to hack us would be the equivalent of writing Hello World in Visual Basic on the kewlness scale". It's like the web security industry has gone full hipster.

    13. Re:Then what's the point? by nuckfuts · · Score: 1

      You do realize that the point of Pwn2Own is to exploit default installations, right? It has nothing to do with compromising your oh-so-brilliantly hardened WINDOWS (OMG ALL CAPS) machine.

    14. Re:Then what's the point? by Anonymous Coward · · Score: 0

      Aw, doesn't he look cute when he gets angry... nothing more manly than internet rage...

    15. Re: Then what's the point? by paulpach · · Score: 1

      Obviously Firefox wasn't shamed last year, or they would have tried to improve security.

      It is a bit premature to say this. Mozilla has been working on some major security enhancements, it is just not done yet.

      Rust is a language with heavy emphasis on security, among other things it guarantees memory safety, and threads without data races, which are 2 of the most common sources of security vulnerabilities in every software. Mozilla is building a new rendering engine called servo in Rust, with an explicit goal of enhancing security.

    16. Re:Then what's the point? by Anonymous Coward · · Score: 0

      Don't mess with Alex... he's an internet badass

      https://www.linkedin.com/in/alex-mcquown-b63b74ba

    17. Re: Then what's the point? by Anonymous Coward · · Score: 0

      Instead of one big prize, like with the other browsers, maybe they should provide 1 point, $100 or whatever per exploit with some kind of cap. That way, the organizers don't have to, from their point of view, waste the money and more people would be interested in how many they find. People can get the accolades from finding the most distinct vulnerabilities. Firefox will get a kick in their ass to secure stuff from the embarrassment of people finding so many bugs, both from people finding the same one over and over and number of distinct ones.

    18. Re: Then what's the point? by Anonymous Coward · · Score: 0

      Yes, absolutely. By removing features Mozilla makes sure that users will move away from Firefox to some other browser, therefore making internet overall more secure.

    19. Re: Then what's the point? by NotInHere · · Score: 1

      Yes, I do agree, most of the CVEs are based on C/C++'s insufficient protections. They are simply languages not designed for security. Using non-unsafe rust will let the CVE world dry up, at least most of the parts, or push to the hardware boundary (exploiting stuff in the driver etc). But still I think that non-unsafe rust does have an existing runtime overhead, like the force to initialize all arrays even if you later on fill them with a loop, or the constant array bound checks. Perhaps it's a good idea to demand hardware vendors to implement some trap-on-out-of-bounds stuff (There are discussions inside the rust community to do it), but until then it is a real non-zero overhead. So Rust will mean problems for most if not all hotpath code. But stuff that's required but not too performance critical (like some font parsing library, it runs only at load time) is the ideal target for rust.

    20. Re: Then what's the point? by AmiMoJo · · Score: 1

      They are trying to fix the security issues, but the users are revolting. The add on system, for example, is very insecure. They want to adopt the Chrome model, but that would break a lot of stuff and users just want it to carry on using their ancient add ons that are no longer maintained. That also prevents many performance improvements going ahead, like per tab processes.

      Mozilla are properly fucked now. They pissed everyone off with stupid UI changes, and now can't get support for real improvements.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    21. Re: Then what's the point? by Thiez · · Score: 1

      LLVM is pretty smart, it will probably be able to remove dead stores most of the time. Using iterators in Rust will avoid bounds checks. I think the benchmarks game shows that Rust need not be slower than C or C++.
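
Added illustration of the bounds-check discussion in comments 19 and 21 above (not part of any poster's comment, and not Mozilla or Servo code): a safe-Rust parser for a record layout constructed for this example, where a lying length field produces an error instead of an out-of-bounds read, next to an indexed and an iterator checksum. The layout, the function names and the sample buffers are all assumptions.

```rust
// Added example. The record layout is constructed for illustration and is
// not a real font format.

#[derive(Debug, PartialEq)]
pub enum ParseError {
    /// The buffer ended before the field starting at `offset` was complete.
    Truncated { offset: usize },
}

#[derive(Debug, PartialEq)]
pub struct Record<'a> {
    pub tag: [u8; 4],
    pub payload: &'a [u8],
}

/// Checked sub-slice: returns an error instead of reading past the buffer.
fn take<'a>(buf: &'a [u8], pos: &mut usize, len: usize) -> Result<&'a [u8], ParseError> {
    let end = pos
        .checked_add(len)
        .ok_or(ParseError::Truncated { offset: *pos })?;
    let out = buf
        .get(*pos..end)
        .ok_or(ParseError::Truncated { offset: *pos })?;
    *pos = end;
    Ok(out)
}

/// Layout: count (1 byte), then per record:
/// tag (4 bytes), payload length (2 bytes, big-endian), payload.
pub fn parse_records<'a>(buf: &'a [u8]) -> Result<Vec<Record<'a>>, ParseError> {
    let mut pos = 0usize;
    let count = take(buf, &mut pos, 1)?[0];
    let mut records = Vec::with_capacity(count as usize);
    for _ in 0..count {
        let t = take(buf, &mut pos, 4)?;
        let tag = [t[0], t[1], t[2], t[3]];
        let l = take(buf, &mut pos, 2)?;
        // The length comes from the input, so it is never trusted directly:
        // `take` validates it against the real buffer size.
        let len = u16::from_be_bytes([l[0], l[1]]) as usize;
        let payload = take(buf, &mut pos, len)?;
        records.push(Record { tag, payload });
    }
    Ok(records)
}

/// Indexed loop: each `data[i]` carries a bounds check unless the
/// optimizer can prove it redundant.
pub fn checksum_indexed(data: &[u8]) -> u32 {
    let mut sum = 0u32;
    for i in 0..data.len() {
        sum = sum.wrapping_add(data[i] as u32);
    }
    sum
}

/// Iterator form: there is no index, so there is no per-element bounds
/// check to remove in the first place.
pub fn checksum_iter(data: &[u8]) -> u32 {
    data.iter().fold(0u32, |acc, &b| acc.wrapping_add(b as u32))
}

/// Constructed sample: two records, "head" (3 bytes) and "glyf" (2 bytes).
pub fn sample_ok() -> Vec<u8> {
    let mut v = vec![2u8];
    v.extend_from_slice(b"head");
    v.extend_from_slice(&[0, 3, 1, 2, 3]);
    v.extend_from_slice(b"glyf");
    v.extend_from_slice(&[0, 2, 9, 9]);
    v
}

/// Constructed malformed sample: the length field claims 0xFFFF bytes,
/// but only 2 bytes follow it.
pub fn sample_lying_length() -> Vec<u8> {
    let mut v = vec![1u8];
    v.extend_from_slice(b"head");
    v.extend_from_slice(&[0xFF, 0xFF, 1, 2]);
    v
}

fn main() {
    let ok = sample_ok();
    for r in parse_records(&ok).unwrap() {
        println!(
            "{} -> {} bytes, checksum {}",
            String::from_utf8_lossy(&r.tag),
            r.payload.len(),
            checksum_iter(r.payload)
        );
    }
    println!("{:?}", parse_records(&sample_lying_length()));
}
```
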

    22. Re: Then what's the point? by Anonymous Coward · · Score: 0

      Mozilla is building a new rendering engine called servo in Rust, with an explicit goal of enhancing security.

      Some Mozilla people are jointly working on that research project, but it is by no means an effort to create a new rendering engine for Firefox. It may end up being used for that eventually, but that's not the goal, and they're years away.

      Rust is a language with heavy emphasis on security, among other things it guarantees memory safety, and threads without data races

      Rust is a language with devs that claim all these things, but that hasn't proven itself on any of those things. It's a bold statement to make for a language that wasn't even stable until a few months ago. Sure, it implements some nifty ideas, but whether that makes it a good language to write a rendering engine in, is anyone's guess.

      I'm not saying that Rust is inherently bad (though it currently lacks proper standard modules/libraries), but I am saying that it has no proven track record yet.

    23. Re: Then what's the point? by Anonymous Coward · · Score: 0

      I'm not sure I follow how removing support for no-script and adblock among others and replacing them with neutered chrome based versions, is going to improve security in any positive way. It looks considerably more like Mozilla are trying to please the advertising crowd than trying to improve security..

    24. Re: Then what's the point? by Anonymous Coward · · Score: 0

      "Rust" as a name for anything related to Mozilla has to be the best case of unintentional irony I've heard of in a long time.

    25. Re: Then what's the point? by Anonymous Coward · · Score: 0

      Oh look, another person on Slashdot who's willfully ignoring all of the good things Mozilla did in the past year. And wow, they're modded up to 5 informative. What a lovely bubble of misinformation we have here.

    26. Re: Then what's the point? by Anonymous Coward · · Score: 0

      Although maybe a little faster (not much) it definitely has a major cost, 10% speed increase cost 200% memory.

  20. Firefox is Dying by slashdice · · Score: 1

    It is official; Netcraft now confirms: FireFox is dying. One more crippling bombshell hit the already beleaguered FireFox community when IDC confirmed that FireFox market share has dropped yet again, now down to less than a fraction of 1 percent of all browsers. Coming close on the heels of a recent Netcraft survey which plainly states that FireFox has lost more market share, this news serves to reinforce what we've known all along. Firefox is collapsing in complete disarray, as fittingly exemplified by failing first in the recent Pwn2Own security challenge. You don't need to be a Kreskin to predict FireFox's future. The handwriting is on the wall: FireFox faces a bleak future. In fact there won't be any future at all for FireFox because FireFox is dying. Things are looking very bad for FireFox. As many of us are already aware, FireFox continues to lose market share. Red ink flows like a river of blood. Mozilla FireFox is the most endangered of them all, having lost 93% of its core developers. The sudden and unpleasant departure of long time Mozilla CTO Brendan Eich only serves to underscore the point more clearly. There can no longer be any doubt: FireFox is dying. Due to the troubles of Walnut Creek, abysmal sales and so on, FireFox OS went out of business and was taken over by PalmOS who sell another troubled OS. Now ThunderBird is also dead, its corpse turned over to yet another charnel house. All major surveys show that FireFox has steadily declined in market share. FireFox is very sick and its long term survival prospects are very dim. If FireFox is to survive at all it will be among retro browser dilettante dabblers. FireFox continues to decay. Nothing short of a cockeyed miracle could save FireFox from its fate at this point in time. For all practical purposes, FireFox is dead. Fact: FireFox is dying.

    --
    Copyright (c) 1990 - 2014 Dice. All rights reserved. Use of this comment is subject to certain Terms and Conditions.
    1. Re:Firefox is Dying by Anonymous Coward · · Score: 0

      So what you are saying essentially is firefox is dying? It was kinda long I didn't read it all.

    2. Re:Firefox is Dying by Sir_Eptishous · · Score: 1

      There is a point in there somewhere...
      Keep Reading!

      --
      We play the game with the bravery of being out of range
    3. Re:Firefox is Dying by Anonymous Coward · · Score: 1

      Ahhh... it's only MOSTLY dead. As we all know, mostly dead... is slightly alive!

    4. Re:Firefox is Dying by Anonymous Coward · · Score: 0

      Did you learn English in a Chinese concentration camp?

    5. Re:Firefox is Dying by hyades1 · · Score: 1

      You flatter the camp commandant.

      --
      I've calculated my velocity with such exquisite precision that I have no idea where I am.
    6. Re:Firefox is Dying by BarbaraHudson · · Score: 1

      Same as the Norwegian Blue parrot pining for the fjords.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
  21. It Doesn't Say That by Luthair · · Score: 1

    They don't say it would be too easy, they just say Firefox hasn't made significant security changes (e.g. in architecture). Probably doesn't hurt that they can hit Google, Apple and Microsoft for more money than they could get from Mozilla.

    1. Re:It Doesn't Say That by Anonymous Coward · · Score: 0

      I just saw that too. This /. article's subject line is misleading. -1 rating for whoever posted this article.

    2. Re:It Doesn't Say That by jbmartin6 · · Score: 1

      parent needs mods up. This summary is almost entirely a fabrication. The only thing the article says is that FF isn't included since it hasn't made any major security related changes in the last year. i.e. it is not significantly different from the version targeted at the last pwn2own

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  22. That's because they're LUDDITES! by Anonymous Coward · · Score: 0

    Modern Mozilla appers know that ONLY apps can app apps, and Firefox OS only apps apps written in AppScript!

    Apps!

    1. Re:That's because they're LUDDITES! by Anonymous Coward · · Score: 0

      How do you like them APPles?

  23. Not buying it by Anonymous Coward · · Score: 0

    Why should security take priority over GUI design? Give me one good reason.

    1. Re: Not buying it by Anonymous Coward · · Score: 1

      Good reason. Good reason. I gave you two. Your turn.

    2. Re:Not buying it by Zaowulf · · Score: 2

      Well I can't speak for everybody but I'd rather have an ugly but functional system than a pretty infested one.

    3. Re:Not buying it by F.Ultra · · Score: 2

      You say that as if not all browsers will leave Pwn2Own 2016 broken by at least one team.

    4. Re:Not buying it by Zaowulf · · Score: 1

      No, I'm just saying we shouldn't sacrifice security for a pretty UI as the above AC suggested.

  24. Thank-you to Slashdot for posting this! by Anonymous Coward · · Score: 4, Interesting

    I want to thank the Slashdot editors for putting stories with realistic analyses of Mozilla and Firefox on the front page of Slashdot, and allowing some real discussion of these issues to take place.

    This just isn't possible at other discussion forums. Take Hacker News, for example. Many people directly involved with Mozilla and Rust spend their time there. That, combined with Hacker News' broken and easily-abused mod system, means that any frank discussion about Mozilla, Firefox or Rust tends to get suppressed. If you dare to question anything Mozilla has done, or if you dare to point out something that may be construed as negative, you will find yourself mercilessly downvoted. My suspicion is that the downvoting is being done by the very people working on these projects, since there are so many of them on that site and their comments show they don't tolerate anything even just resembling dissent.

    Reddit isn't much better. There are a lot of rabid Mozilla and Firefox fanatics there who will actively suppress any comment that doesn't fully support and worship Mozilla or Firefox.

    It's a real shame that we can't openly discuss the various problems affecting Mozilla and Firefox at places like Hacker News and Reddit. Maybe if they pulled their fingers out of their ears, so to speak, and stopped downmodding truthful comments the people behind Firefox would begin to see why their product's market share has slid down to only about 7%, with nearly no (0.04%!) mobile presence. When people say negative things about Firefox, it's because the problems are real, they exist, and they need to be dealt with properly! Silencing such observations doesn't help; it just makes matters worse. It drives more people away from Firefox and Gecko, and typically over to Chrome, which just makes the Blink monoculture stronger and stronger. A Chrome/Blink monoculture is the last thing the web needs!

    1. Re:Thank-you to Slashdot for posting this! by Verdatum · · Score: 2

      I suspect you'll start to see the mob of Mozilla/Firefox fans start getting quieter and quieter on Reddit over the next year or so, and I think it's been declining for awhile now. That said, I've yet to find any sort of decent news-for-nerds type subreddit. I'm a big fan of Reddit for all sorts of other matters, but on pretty much any news-focused sub, the vote system has a nasty habit of pushing the more sensationalist stories to the top. That's why I continue to stick around Slashdot & SoylentNews, even though both have their own well-discussed issues.

    2. Re:Thank-you to Slashdot for posting this! by Anonymous Coward · · Score: 0

      /r/tech is pretty good, although its traffic is relatively low. It's where a lot of people went when /r/technology got embroiled in a censorship scandal. Aside from that, you might have to seek out and subscribe to several different subreddits in order to get the "flavor" of news-for-nerds you're after.

      • /r/privacy is good for YRO type news
      • If you're a Linux person there's /r/linux, and a dozen or so distro-centric ones like /r/centos
      • /r/sysadmin has topics of interest to both Windows and Linux admins
      • Someone created a bot that posts new CVEs to /r/cvewatch so you can keep up on vulnerabilities

      Lots of good stuff there, it just takes some time to customize your experience.

    3. Re:Thank-you to Slashdot for posting this! by Anonymous Coward · · Score: 0

      I can't imagine why, there are still boat loads of sites that only work reliably with Firefox. Edge is a joke for compatibility and locks you out of a lot of functionality. I can't manage Netscalers from it anymore although I still can with Firefox. ASDM? Mostly just Firefox these days. So many tools that require plug-ins and they only work in Firefox because the other browsers have chosen to stop supporting useful functionality. That does make things less secure but it also makes things a whole lot more useful.

    4. Re:Thank-you to Slashdot for posting this! by firewrought · · Score: 1

      For technology and software development, I've found Hacker News to be pretty decent. It tends to get the big stories before slashdot, and there are more philosophical/reflective articles in the mix than just the bitcoin-news-of-the-day stuff. The lack of article summaries is a blessing and a curse though... you actually have to RTFA or at least skim it.

      --
      -1, Too Many Layers Of Abstraction
    5. Re: Thank-you to Slashdot for posting this! by Kishin · · Score: 1, Interesting

      Maybe reduced odds of submissions but your comment seems false in general. I post as nickpsecurity on HN. I started by taking on their top commenter, tptacek, in INFOSEC discussions where fanboys maxed out at -4 downvoting. I called bullshit on claims of Rust team, esp pcwalton the compiler guy, plenty of times. We're still civil as it's a great project/community but they get overzealous with claims. Being from high assurance, anti-fads, anti-cloud... I'd be long gone if your HN claims were true. Instead, I mostly get upvotes with posts that have sound analysis esp with references. Sometimes kind emails to grateful for a different perspective. So, no, your problem was probably from how you said it or backed it up. HN has biases & moderation but no censorship. Even Paul Graham took tons of shit on the inequality thing with all messages plain to read on front page. Feel free to come back and try a different style of dissent.

    6. Re:Thank-you to Slashdot for posting this! by Anonymous Coward · · Score: 0

      Reddit

      Fuck that platform of censorship. Help us make stronger tech communities on open forums:

      www.voat.co
      www.soylentnews.org
      www.gnusocial.no

  25. I'd like to hear Mozilla's response by LichtSpektren · · Score: 1

    I'm a certified hater of Firefox, but I'd like to hear what Mozilla has to say about this. Firefox's security is reviewed by not only their security team, but also Debian, the Tor Project, Red Hat, and many others. I have a hard time believing the situation is really so bad.

    1. Re:I'd like to hear Mozilla's response by greggman · · Score: 2

      Mozilla's response is to build a browser that has the same protections as other browsers.

      https://wiki.mozilla.org/Electrolysis

      They're doing that because they know their current tech isn't up to it. It's funny how their fans keep defending their current tech when Firefox themselves are abandoning it as soon as possible.

  26. That explains by naris · · Score: 0

    Why our corporate security department has banned chrome and only allows Internet Exploder and firefox -- because of "Security"!

    // They also insist on McAfee, Altiris and other crappy software, so Firefox fits right in!

  27. And Mozilla gives not a shit... by Chas · · Score: 1

    Because they're in the process of becoming yet another Chrome also-ran and basically they're too busy tonguing the Google sphincter to bother stopping the freefall of their flagship product and business.

    --


    Chas - The one, the only.
    THANK GOD!!!
  28. Downloads by Anonymous Coward · · Score: 0

    Just recently switched back to Firefox because Chrome would not download the FreeBSD DVD ISO. And that same code is in chromium.
        "The download was taking too long and was stopped by the network".
    If Opera has an ad blocker and a no-script perhaps I'll try it out one day.

    1. Re:Downloads by Anonymous Coward · · Score: 0

      Time to crawl out from under your rock, buddy, Opera was bought by a Chinese company with a bad reputation for making spyware and malware. Opera comes from chromium.

  29. Let's look at the stats by MSG · · Score: 4, Interesting

    I see a lot of comments about Firefox's security but no references so far. So, let's look at cvedetails code execution counts:

    2016:
    Edge: 6
    Chrome: 0
    Safari: 0
    Firefox: 3

    2015:
    Edge: 19 (Nov 12 - Dec 31, a projected rate of 142 per year)
    Chrome: 8
    Safari: 101
    Firefox: 83

    2014:
    Chrome: 4
    Safari: 65
    Firefox: 55

    So while Firefox is getting a lot of hate here today, I think the unbiased view is that Firefox is clearly more secure than any browser other than Chrome, which has by far the best record. I struggle to imagine an objective reason to exclude Firefox from any evaluation while including Safari. Edge hasn't been out very long, but based on the very small amount of data we have so far, it looks significantly worse than Firefox.

    https://www.cvedetails.com/pro...
    http://www.cvedetails.com/prod...
    http://www.cvedetails.com/prod...
    https://www.cvedetails.com/pro...

    1. Re:Let's look at the stats by Anonymous Coward · · Score: 0

      Your comment "I struggle to imagine an objective reason to exclude Firefox from any evaluation while including Safari.", you never know what is going on in the background of these events, for all you know Apple could be bank rolling to have Safari included, Google could be bank rolling for Chrome and Microsoft could be bankrolling Edge. Perhaps no one wants to bank roll for Firefox to be included.

    2. Re:Let's look at the stats by MacDork · · Score: 1

      I think the unbiased view is that Firefox is clearly more secure than any browser other than Chrome

      Doesn't Chrome ship pre-installed with Adobe Flash?

  30. SJW Mozilla sucks by Anonymous Coward · · Score: 0

    What's the matter, Mozilla? Aren't all those grrl-coders and sjw bad asses just as good as evil white male patriarchy bro-grammers? Self-righteous bullshit doesn't make a good browser.

    Pass this on to the panty waist whiners over on the kernel mailing list while you're at it.

  31. WTF is proof reading ? by Anonymous Coward · · Score: 0

    " not a penny of that will directed to Mozilla Firefox. "

    Seriously...

  32. Gaaaaaaaaaay! by Anonymous Coward · · Score: 0

    So incredibly gay

  33. So what is a Linux user by MouseTheLuckyDog · · Score: 1

    who wants to run NoScript to use?
    Given that Chrome won't run it.

    1. Re:So what is a Linux user by Anonymous Coward · · Score: 0

      Keep using Firefox. Firefox with the appropriate about:config fixes and security enhancing plugins is probably still better than most of its competitors anyway. Not to mention that this "competition"/trendmicro publicity stunt is about default installations, and thus not very relevant for a lot of Firefox users anyway.

    2. Re:So what is a Linux user by AHuxley · · Score: 1

      A nice list of all the useful add-ons would be good.
      Firefox should have been included just for what was used as with every other year.

      --
      Domestic spying is now "Benign Information Gathering"
    3. Re:So what is a Linux user by RogerWilco · · Score: 1

      I use NoScript, Adblock Plus, BetterPrivacy, Classic Theme Restorer.

      I used to run various variants of Qute, but after many years there is no compatible addon any more.

      --
      RogerWilco the Adventurous Janitor
    4. Re:So what is a Linux user by AHuxley · · Score: 1

      Thanks RW, I have also used Disconnect, HTTPS Everywhere, Ghostery, Privacy Badger :)

      --
      Domestic spying is now "Benign Information Gathering"
  34. I'm a little skeptical of the FireFox critics by Anonymous Coward · · Score: 0

    I do think Mozilla has gone and done some really stupid stuff, but who's benefiting from the criticisms? Google and its entourage have a strong motivation to attack FireFox. Chrome isn't free and comes with proprietary code that in and of itself should be considered malware. I'm sorry- FireFox is behind in certain areas although I'm not convinced sandboxing is *the* security feature we need anyway. Having it isn't bad necessarily, but it's not the end all. Real security comes from shrinking code bases, peer reviewing code, writing in languages and adopting standards which keep the number of bugs to a minimum, etc. And at the end of the day FireFox is working on better solutions to security anyway. Servo for instance. It might not be here yet- but sometimes good stuff takes longer.

  35. Chromium by Anonymous Coward · · Score: 0

    Where do you get your chromium builds from? Is chromium.woolyss.com any good?

    What I'm looking for is chrome without the tracking.

    1. Re:Chromium by toddestan · · Score: 1

      You could try Opera. There's also Comodo Dragon and SWIron, though not everyone trusts those versions either.

  36. What? by cppmonkey · · Score: 1

    Aluminum:~ redacted$ ps -ef | grep Firefox
        502 290 1 0 Wed09AM ?? 85:15.56 /Applications/Firefox.app/Contents/MacOS/firefox -psn_0_36873
        502 2036 290 0 7:54PM ?? 0:11.86 /Applications/Firefox.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container /Library/Internet Plug-Ins/Flash Player.plugin -greomni /Applications/Firefox.app/Contents/Resources/omni.ja -appomni /Applications/Firefox.app/Contents/Resources/browser/omni.ja -appdir /Applications/Firefox.app/Contents/Resources/browser 290 gecko-crash-server-pipe.290 org.mozilla.machname.1962407656 plugin
        502 2747 1905 0 4:16PM ttys000 0:00.00 grep Firefox

    Does not look to me like plugins are running in the main process.

  37. Mozilla by Anonymous Coward · · Score: 1

    Mozilla has far better things to do with their time than worry about security. They're making the world safer by getting rid of "discriminatory" language in code. :^)

  38. Mozilla cut all funding to the Pwn2Own group by Anonymous Coward · · Score: 0

    What a coincidence that soon after Mozilla cut all funding to the Pwn2Own group they claim that Firefox is "easy to crack".

  39. Sure, but... by tsotha · · Score: 1

    Sure, they didn't put any effort into Firefox security last year, but at least Mozilla was taking care of the important things. I mean, they sent Brendan Eich packing for a small political contribution, didn't they?

  40. Extend that advantage with this by Anonymous Coward · · Score: 0

    APK Hosts File Engine 9.0++ SR-4 32/64-bit http://start64.com/index.php?o...

    -

    FREE, not 'souled-out' to advertisers, adds speed, security & reliability.

    Does far more w/ far less more efficiently vs. addons (clarityray blockable, redundant + RAM/CPU wasteful & 'souled-out' crippled by default) & local DNS servers @ home.

    Fixes DNS' security issues & stops tracking @ webpage + DNS levels via 1 file you NATIVELY have!

    (Firewalls do rest on FAR less used IP address trackers/threats vs. host-domain names).

    -

    Obtains data vs. online threats & ads via 10 reputable security community sites - easily edited by you using my program.

    -

    SPEEDS YOU UP 2 ways:

    Adblocking ALL ads + local RAM cached favorite sites @ TOP of hosts for faster resolution vs. remote DNS (for reliability + speed) vs. other "so-called security 'solutions'" SLOWING YOU!

    -

    All via what you already have vs. illogically "bolting on browser addons 'MOAR'" (clarityray detected/blockable + usermode slow & increased messagepassing, cpu + ram overheads)

    -

    MalwareBytes' hpHosts Admin (MalwareBytes employee verified it's source as safe http://forum.hosts-file.net/vi... ) hosts & recommends it -> http://hosts-file.net/?s=Downl...

    &

    MalwareBytes = BEST antivirus per a VERY recent testing of them all http://www.av-test.org/en/news...

    &

    It's safe proven by 57 antivirus programs in BOTH its 64-bit model https://www.virustotal.com/en/...

    +

    32-bit model https://www.virustotal.com/en/...

    &

    Installer-> http://f.virscan.org/APKHostsF...

    -

    * "The premise is quite simple: Take something designed by nature & reprogram it to make it work for the body rather than against it..." - Dr. Alice Krippen: "I am legend".

    APK

    P.S.=> By "yours truly" - "The Lord of Hosts" so-to-speak:

    "The image this title brings to mind is a mighty military commander who can at a mere word summon rank upon rank of protective power" -> https://answers.yahoo.com/ques... & THE WORD = hosts!

    (Accept NO substitutes)

    ...apk

  41. Give Firefox A Little More Time by bigboy678 · · Score: 1

    One of the main reasons Firefox failed so hard at pwn2own in 2014 was that they didn't and still don't (yet) have a way to sandbox tabs. They are working on it now and it sadly won't be in the stable channel 'til after pwn2own. I would be very interested how firefox compares to security in 2017 to chrome when it has had a chance to develop e10 some more.

  42. The Plan is working! by Anonymous Coward · · Score: 0

    Mozilla's plan to slowly fade into obscurity works perfectly, so far.