Spyware Makers Noticing Firefox
from the what-else-can-we-switch-to? dept
Many people have pointed out recently that the reason “alternative” browsers like Safari, Firefox and Opera seemed to be more secure than IE was that no one was using them. That is, they aren’t any more secure in reality, but the people who exploit security holes saw no reason to target them. With the recent growth (and related attention) of Firefox, however, some now expect spyware makers to start targeting that browser as well. The question, really, is how well Firefox/Mozilla will be able to fend off these attacks compared to IE. That might show how secure Firefox really is in comparison to IE.
Comments on “Spyware Makers Noticing Firefox”
half correct
Windows XP (many users log in as administrators, all windowing code runs in kernel mode, scriptable media applications are considered non-removable parts of the OS) and IE (think ActiveX) really are architecturally less secure, but it’s also true they are the main targets. I expect to see more successful attacks on both Linux and Firefox… and the open source community will start sounding more like MS when they say that responsible users need to download the patches as soon as they become available.
Re: half correct
The notable difference is that, so far, the turnaround time for security bug-fixes in large open-source projects is far less than the turnaround time for MS to release security fixes. I’m talking 24 hours vs 6 months as a kind of comparison.
I think that open-source projects are only marginally more secure than closed-source projects by their open nature, and comparing actual security in general isn’t possible on that scale; it’s a project-by-project thing, because it depends on the number and calibre of people involved vs the project complexity.
Open source projects should have better peer-reviewed fixes that come out in a more timely fashion, and that’s the only difference. I think such a difference is a really important one, and that, while OSS stuff can’t always be vastly more secure inherently, the turnaround time makes a very big difference.
Re: Re: half correct
ActiveX Controls not being able to execute is the primary reason for Firefox being able to be more secure. Don’t need ’em, don’t want ’em. Also, ads can be eliminated with plugins, increasing safety and usability.
spyware is not security
You are confusing the issue of spyware and security. IE has many security problems that are completely unrelated to spyware. The alternate browser crowd is more secure because they do not have these same gaping holes.
Spyware can be avoided by using an antispyware program; security holes in the browsers can only be handled by fixing the security holes.
Re: spyware is not security
Not really. While you’re right that they’re two different things, the reason spyware gets in is often because of security holes. So, the amount of spyware getting through is basically a proxy for the security of the browser itself.
Jumping the gun
I’ve seen this a few times, now: in earlier days, open-source was just plain ‘more secure’. Then it was ‘more secure because updates come out faster’. These were days before Firefox, nae even Mozilla, was a glint in a web-surfer’s eye. Since then, open-source has had to deal with scalability: the packages we know and love are now *huge*, beyond many a solitary programmer’s wit to debug, let alone tweak to integrate with anything else.
So we’ll have to see how the Firefox team copes with pushing out an increasing number of fixes, and whether the Internet population actually bothers applying them in a timely enough fashion.
In fact, I’m going to go out on a limb and predict that a return to modularity is going to be required in the near future. The JavaScript engine *should* be farmed out to shared libraries for the purpose. So should the UI. Let Firefox be a *minimal* refactored core with lots and lots of semi-optional libraries, preferably that can all be updated from the core itself. The plugin architecture is right, but it’s too high-level for the bugs remaining to be discovered.