FireFox, et al unsafe

[Ron]

When you no longer have just 1% of the market, people start looking at ways of exploiting your weaknesses, I guess.

http://news.netcraft.com/archives/20...ng_flaw .html

[mattsiegman]

there is a fix that takes 5, maybe 10 seconds...

go to the address about:config search for network.enableIDN and double click it to set it to false

[Zacrifice]

Now if that had been IE everyone would be screaming..

Firefox isn't as secure as everyone says, its just no one has bothered attacking it yet!

[Galen]

Precisely, Zac! It's not that Firefox is really anymore secure than IE, it's just that the bad guys don't waste their time on a browser that the vast majority of people aren't using. The more popular Firefox gets, the more weaknesses will be unveiled and exploited.

Lucky for Firefox users, this was a pretty easy fix. But, you're right, if this had been IE, the masses would be screaming about yet another example of how insecure and unreliable it is and let the anti-Microsoft propoganda roll on....

Personally, I can't wait for Firefox to become the dominant browser. When it is, it'll be just as hated and ridiculed as IE is now. That's just the way things work. The big dog is always the first and easiest target, while everyone cheers for the little guy.

[Zacrifice]

heh, firefox wont become dominant at all.
All "netscape" backed browsers have never really taken off.
People use IE and see how fast it is specially when loading and I haven't seen any browser be even anywhere near accetably fast enough (Photoshop cs loads faster then firefox)

They also have the issue of stability.
Functionality is great and I'm all for it, however, when that sacrifices stability. Firefox developers are more concerened about getting lots of features with suffering stability (FF has crashed more in the year I have used it then windows WinMe other 4 years)

People may complain about IE but there are many ways to have your computer more secure using firewalls, filters, virus scanners and what not.

The only thing that keps me coming back to firefox is because of the adhearance to the HTML/CSS/XHTML standerds!

[Galen]

That's all? C'mon, Zac, you know those standards are just gonna change the next time the W3C shakes their magic 8-ball asking "should we screw up the standards now?" and it says "Yes, definately!" The W3C can't even decide what "standards" are from week to week. They're more indecisive than Congress, lol!

And even if that weren't true (who knows, maybe they've stopped being wishy-washy in the time I've been ignoring what they have to say...) there's still the fact that, in reality, the W3C doesn't set standards, the top browser maker does. W3C can cry about compliancy all they want, but if Microsoft wants to add a <blahblahblahblah> tag to the next update of IE, then ppl will start using it and they won't care how much the W3C whines about it not being "real" html. MS sets the standards, like it or not; the W3C only tries to set standards.

"Web standards" are, frankly, a big joke. I stopped "compying" a long time ago and my sites all render perfectly fine in IE, Netscape, Opera, and Firefox, so I must be doing something right.

(warning, my site contains profane content, click at your own risk)
http://www.snipeme.com/main.php?loc=w3c

That sums up my feelings on them nicely

[Spathiphyllum]

Sure, MSIE remains the big dog, receives the most attention from users and hackers alike, and can thumb its nose at W3C standards. The thing is, security is still more of a problem with IE because of its continued and increasing integration with the OS.

The powers that be in development at MS opt to package the browser with the OS for many reasons, and one consequence of this is to make the entire OS more vulnerable to external packets of data that are fast-tracked through the system for the purpose of end-user convenience. All of those unchecked ActiveX and other scripts just invite trouble and simplify the task of crackers. I don't believe Mozilla renderers or others have been designed with such inherent flaws for both philosophical reasons and because they do not have access to the Windows source code. Whatever the reason, MSIE will remain more vulnerable to security flaws until MS alters its philosophy and/or code direction.

As far as standards, I'm of the "Go W3C" variety. I would like for them to succeed and continue to support their guides over those of MS because W3C is more open to contributions from all comers. Some consensus is desired on their part which is anathema to MS. I'm not comfortable with one company dictating the flow of data and how it's rendered; further, and surprisingly, MS is typically slow to adopt new technologies. If a new tool comes along, Mozilla usually gets it first. Consider tabbed browsing and alpha-channel PNG support as two examples that I use constantly.

Maybe MSIE is actually getting more secure but I'm yet to be convinced. I'll stick with Mozilla/Opera for the bulk of my work and play.

[Zacrifice]

Galen, on regards to web standerds.
I used to agree with you.
However about a year ago I begun a personal site (ie. blog) using standerds.
Firstly it was very simple to maintain, easy to write for (the css file was all over the place but I could work with it) and the best thing was.
about 3 months ago I got an email from a blind guy who thanked me for making my site work for screen reading software stuff (I personally don't fully understand how these things work) that was quiet a shock to say the least because I didn't even relize that the visually impared had troubles with regular sites (ie, tables through text, browser specific code and so forth).

Anywho it was nice to know that I had made someone happy.

Spath, on the security issue
agreed IE is very intergrated into windows which is a primery reason for its speed. however it can be secure. Unsigned ActiveX can be disabled and you can be promted for signed ones anything else is also just rejected outright.
Running a firewall prevents many problems as does using upto date antivirus software.

You see, I have a problem with all of these people who constantly complain of all of these problems they have with security in IE
I have been using IE since I was 16 (I'm now 22) I of course relize that I am not the most advanced computer user, however I do take precautions with my computer use online.
I have two firewalls, one hardware the second software
I have two antivirus packages that check for virus definitions twice a day
I daily check for new IE security updates
All files that have sensitive information in them are encripted (IE, credit cards, banking details and what not)
I try to stay away from the shady sites like wares and "cheap porn" I don't use P2P software
plus a few other things.
and it doesn't matter what browser I'm using, I always maintain that same measures of protection.
Oh and with all of that I haven't had spyware on my computer in over a year...

So I don't believe that IE is insecure people just don't want to bother with making things secure.

Would you blame the builder for not installing a security system in your house after someone broke in? of course not, you have the security system installed for you!!

[Spathiphyllum]

Zacrifice,

You bring up good points and I must say that you operate in more of a paranoia mode than I do.

On to security - I've never had spyware (as far as I know, maybe it's hiding) reach the safe area of my network (~7+ years on 5+ nodes) or PC (>10+ years) and have had a virus-infected email reach any client but twice, both times of which were detected by AV software. Maybe I'm just lucky. Fortunately, I don't need to go through quite the hoops that you do to protect my net. I know I've already disclosed my minimal use of IE over the years so that may be one of the reasons I've remained relatively clean. Firewalling helps a bit too.

Maybe this proves my point. You seem to be taking quite a bit of time to protect your system, something very few people do and most certainly not at the work environment since employees expect IT to handle all that security mumbo jumbo.

Also, operating IE without enabling some ActiveX and VBScript compromises the integrity of those sites that are coded to MSIE proprietary standards. Yes, you'll be safer disabling unsigned code, but the site may not function. Next, if you request prompting for code runs, the pop up window typically appears interminably and repeatedly - a total pain that, while great for finger calisthenics, tests patience. It is that frustration that initially moved me back to Mozilla. Mozilla's fine product has since kept me there.

I guess the upshot is that user convenience and system stability need strike a balance, and I've found that, for me, Mozilla hits the right point without my needed exercise of excessive interventionist oversight.

[mattsiegman]

The nice thing about firefox is that it runs on Linux...

Also, microsoft fixes are patches and come a week or two late. this was a simple configuration thing and was immediatly fixable

[Ron]

I can make IE safer by disabling functions, too. Don't be so defensive, Matt. Firefox has security vulnerabilities, and I opredict we'll see more and more of them.

I don't use FireFox, and I don't advocate that others use FireFox for security reasons -- I would advocate it's use if you require it's functionality, or even as punishment to M$ for the dreadful way they put Netscape out of business, and created a 5 year+ gap in browser improvemnt because of their predatory practices. But not for security.

The same open source argument, "It's safe because the code is open and any vulnerabilities will be found and fixed" can be the basis for "It's unsafe because the code is open and any vulnerabilities can be found".

But I still use IE all day long.

[Connie]

heh, firefox wont become dominant at all.

FireFox is steadily growing in popularity. Goggle has recently hired the head of FireFox deployment team, and one of the team. The interesting thing about that (too me) is that they are going to continue with there duties with FireFox. A couple of conclusions. Either Google is going to throw their weight behind FireFox, or the development of the Google browser which was put on hold, will be developed around FireFox. In other words just a few minor changes. The same kind of changes that ISPs make to IE so IE has a little of their branding on it.

Either way with Google involved this will promote FireFox to more of the masses. Will it ever over take IE? probably not. But it will have a dominate place in the browser market.

If your a Webmaster or developer FireFox has some plug ins available that are really helpful.

That's all? C'mon, Zac, you know those standards are just gonna change the next time the W3C shakes their magic 8-ball asking "should we screw up the standards now?" and it says "Yes, definately!" The W3C can't even decide what "standards" are from week to week. They're more indecisive than Congress, lol!

In regard to standards. I don't see them changing that often. I haven't been able to completely escape tables, but I have no problems making a site compliant, with HTML and CSS that render properly with Netscape 4.7 and I know very little HTML or CSS to some of the rest of you.

By the way. What was the topic of this thread? Oh yes. About the recent vurnability in FireFox. Fixes will always be faster than fixes in IE. The developers are right on top of things. MS takes weeks to do a patch and I can never download it because it's so large I can't stay connected to the Internet long enough most of the time to download the patch.

In reality I'm not worried about using IE or FireFox for security reason. I have come to prefer FireFox, because it is not as bloated as IE and is a faster browser on my slow a*** dial up connection.

[Spathiphyllum]

Ron "as punishment to M$" 40%-more-slack,

That's another good reason.

(Sorry but I didn't know your last name.)

clssam,

When are you getting DSL or broadband? Honestly, I don't see how you manage with dialup. I have lots of patience but not for crawling bits. Maybe you've answered this before and I've since forgotten.

[Brandon]

Ron,

Real good initial post, keep 'em coming.... and the discussion was just the kind of discussions we should have more of around here. I didn't have any value to add, but I enjoyed all of your inputs.

[Spathiphyllum]

Brandon,

What we really want to know is who you supported for President, what you think about U.S. intervention in Iraq, should the U.N. be blown up or moved 100 nautical miles to the right, and paper or plastic.

Except for paper or plastic, we already know Ron's position.