CIO.COM: Can Mozilla Support Their Security Claims?

re: CIO.COM: Can Mozilla Support Their Security Claims?

Mark Sowul — Thu, 15 Jan 2009 07:29:01 GMT

Protected mode means that Chrome is the only one that can even start on equal footing with IE 7 / 8 on Vista / W7.

re: CIO.COM: Can Mozilla Support Their Security Claims?

glob — Thu, 15 Jan 2009 10:14:35 GMT

lynx is more secure than firefox.

re: CIO.COM: Can Mozilla Support Their Security Claims?

JamesNT — Thu, 15 Jan 2009 23:44:38 GMT

Jeff,

It's about time we heard from you again. I was beginning to worry if you even worked at MS anymore.

As for the claims of how secure firefox is, I do believe they are in for a rude awakening. Although I am certain we will see the occassional quarter where Firefox outpaces IE and the other competitors, I wouldn't hold my breath on their having continuing success on and on.

JamesNT

re: CIO.COM: Can Mozilla Support Their Security Claims?

AntiFUD — Sat, 17 Jan 2009 08:55:00 GMT

Jeff Jones, instead of being a troll, why don't you look at your own insecure browser code? I guess last month's IE zero day security vulnerability which was heavily exploited to require and out of band patch isn't eye opening enough? We don't need your useless, biased analysis, Secunia and other companies does a much better job than MS at being more objective.

In other much more interesting news, EU just announced IE bundling in Windows is illegal. Good luck with them, it will be a great day for the Internet once IE is unbundled from Windows.

re: CIO.COM: Can Mozilla Support Their Security Claims?

mechBgon — Sat, 17 Jan 2009 20:26:09 GMT

I agree regarding Protected Mode and Windows Integrity Control. Where Mozilla's focus seems to be on reducing vulnerability counts, Microsoft sees the bigger picture: despite ever-improving code quality, there will always be vulnerabilities in browsers and their plug-ins, so Microsoft proactively built a cage around them for Vista and 7. The bar has been raised; now let's see the competition come up with a meaningful answer. And let's see them add enterprise manageability while they're at it. Internet Explorer has offered that for close to 10 years now.

For WinXP users, there's always low-rights user accounts, which are advisable for any Web browser regardless.

re: CIO.COM: Can Mozilla Support Their Security Claims?

Barnendu Goswami — Thu, 22 Jan 2009 16:58:59 GMT

I have to confess; the protected mode is one of the biggest draws of IE7 (certainly over IE6, if not Firefox. -it certainly has been for me), but despite this, there have been exploits/vulnerabilities which allowed remote code execution (the worst of all the sins), so the case cannot be won on that ground alone in a comparison of which is most secure.

There are weaknesses in all three of these browsers which have been exploited in the past, but I must confess; to date, there appear to have been fewer windows of opportunity for those exploitations to come to fruition under Firefox. Possibly this is just perception (I base these comments on my experience with all three of these browsers); but if that's the case, Microsoft should take pains to make the public aware of the disparity in the comparison being made.

re: CIO.COM: Can Mozilla Support Their Security Claims?

TT — Fri, 30 Jan 2009 21:24:09 GMT

"... opens those claims to efforts at fact-checking ..."

Still did not get a single proof of those dozens of vulnerabilities you claimed in your infamous "security" "report(s)". You could go ahead with good example instead of "count" like 2+2=5.

Ah, I almost forgot, one shouldn't feed the trolls.

re: CIO.COM: Can Mozilla Support Their Security Claims?

Effe — Fri, 30 Jan 2009 22:19:21 GMT

Hi Jeff.

Don't you think the time has come to realize your comparsion is nothing but rubbish? Yes, you do think so? Good, here we go:

First of all, read Brian's article again, and second TRY (at least) to understand what's written there. It should bring you into the position to understand that comparing apples and oranges isn't appropriate for a guy like you.

Thanks, and greets from ice cold Germany.

re: CIO.COM: Can Mozilla Support Their Security Claims?

Barry F — Thu, 12 Feb 2009 00:35:16 GMT

To those bringing up OS caging techniques: It's great that Microsoft is finally (kind of) getting on the bandwagon with regard to jailing applications.

Phbtbt! They're only a solid decade behind the *nix systems with regard to that.

And comparing an OS function (caging) to browser code is development-braindead. Firefox is a program. Their goal *IS* to reduce vulnerabilities. They can't - under any circumstance - make up for the flaws in the OS they're running on.

No browser will be perfect. All will have flaws. All will have exploits that work against them.

Time to patch matters - Firefox wins there.

Transparency matters - Firefox wins there.

The single feature that makes Firefox heads and tails more safe to run than IE is actually the combination of Noscript and Ad-block.

The two of those add-ons combined will VASTLY improve your security in a way that IE can't easily manage.

Yes, there are ad-blockers for IE. Yes there are ways to block scripts in IE.

However, Firefox created a framework that made them easy to plug in and easy to use and I dare say that they're more reliable and easy to use/upgrade than other IE equivalents (which almost no one uses unless they've been inadvertently dropped on the system).

Microsoft is getting much better at security - to their credit. But they're not at this point yet.

re: CIO.COM: Can Mozilla Support Their Security Claims?

Zevon — Thu, 12 Feb 2009 01:06:02 GMT

Awww, c'mon guys! NOBODY can EVER make that claim!

It's all about market share. The true test would be for Firefox (or any other browser, for that matter) to have their browser installed and used exclusively on 98% of computers in the world, and withstand the barrage of attacks when you have that great a market share.

Security by obscurity is definitely effective, but only if you remain obscure. Firefox is gaining market share (due to the illusion of being "more secure") and, no surprise, it's not proving to be the most secure browser either. They are now having to continuously provide updates to patch vulnerabilities being exposed in the wild.

Use IE and browse smart! You want to help people? Teach them not to be Internet idiots and recklessly click on everything they see. Tell them that they actually need to use a good security software that will catch the web threats BEFORE they install crap on their computer (which means no Symantec products!).

re: CIO.COM: Can Mozilla Support Their Security Claims?

DOUG GONZALES — Thu, 12 Feb 2009 01:25:28 GMT

IF THIS WAS NOT ON MICROSOFT'S E-MAIL IT MIGHT HAVE SOME CREDIBILITY. JUST ANOTHER SIGN THAT MICROSOFT IS IN TROUBLE.

re: CIO.COM: Can Mozilla Support Their Security Claims?

Richard — Thu, 12 Feb 2009 01:45:30 GMT

Interesting, if the EU forces Microsoft to unbundle IE from Windows then if your OEM doesn't include some other browser as part of the initial configuration, what are you going to use to download your browser of choice. I doubt if very many users are willing (or able) to start up a FTP utility, navigate to the appropriate download site and install a browser from scratch. Power users will have no problem but I fear many a phone call from my not so technical relatives if the EU is successful in their jihad against Microsoft.

re: CIO.COM: Can Mozilla Support Their Security Claims?

Chas4 — Thu, 12 Feb 2009 01:52:18 GMT

A browser is only as secure as long as its user keeps it updated and the user knows more than just the basic about security

I go with Opera :)

re: CIO.COM: Can Mozilla Support Their Security Claims?

Paul Yelk — Thu, 12 Feb 2009 03:55:29 GMT

Before attempting to define "secure", one must define what secure means. For example, does it mean number of exploits? Does it mean time from discovery to the time a fix is released?

There was at one time (not sure if it's still out there or not) a website that displayed the "time to fix" vulnerabilities. To me, that's more import than the number of exploits or security holes. As you have pointed out, it is difficult to write secure code. So it's important to get them fixed as quickly as possible.

Firefox has been much quicker to plug many of those holes. IE does it on a quarterly basis unless there is something that requires immediate fixing.

re: CIO.COM: Can Mozilla Support Their Security Claims?

Len Smith — Thu, 12 Feb 2009 04:33:41 GMT

Hi Jeff,

Many adopted Firefox willingly are not solely based on whether or not IE7 is more secure than FF, even though that is a major draw card.

Many adopted this because MS's upgrade policy with respect to IE7:

1) If MS is genuinely keen on making web surfing more secure, why demands IE7 installation passing WGA test? No such check for FF installation.

2) MS has a inconsiderate motive in tricking users to download mega bytes of files only to be told that he/she cannot install IE7 because it does not meet WGA check. Why not check first. This angers many.

3) The smoothness of installing and uninstalling FF is another big benefit. Why, after all a simple program to deal with HTML, requires so complex installation and tight binding to the OS. IE remains the only browser requiring deep root installation; FF, Opera, Safari, etc are not. Version of FF can even operate in portable mode.

4) FF allows many users to mainain the same cross platform experience while IE is a Windows-only.

5) No-ActiveX support is another attraction to these users, many of them may have been victims of ActiveX attack.

6) No radical change of UI. I had to install FF for one user so that she could continue her web surfing experience when she moves to Vista - not by choice.

I welcome more definitive and deep probing analysis from you as any revelation will help all - FF or IE developers, who no doubt are keen to make their respective product more secure.

Len

re: CIO.COM: Can Mozilla Support Their Security Claims?

Doug Spangler — Thu, 12 Feb 2009 05:30:28 GMT

I am not a security expert, so I am not sure I have a valuable opinion on that count.

I just don't understand the Troll references on what appears to be a balanced legitimate article. Jeff's approach is questioning a whopper of a claim. He doesn't dismiss it just suggests some testing and a bit more proof than "I said it is so it is".

Using the logical falacy of attacking the author instead of adressing the facts, is a tactic that I could live without.

So if your argument is not factual and just mud slinging. Please don't ruin a perfectly legitimate analysis for the rest of us.

I look forward to the series, I am sure that I'll learn alot both from the article and the fact based comments.

re: CIO.COM: Can Mozilla Support Their Security Claims?

ilbeda@gmail.com — Thu, 12 Feb 2009 11:26:42 GMT

Dear Jeff,

I can understand that you have your opinion and preferences (as all of us have) and that you write about them in a few rows with filosofic arguments.

It sounds strange to me that link to your post in blog is present in the Microsoft Security Newsletter (February 2009) sent around the world!

Following your article's logic: Microsoft need to forward to all of us your kind of analysis to support his browser, is Microsoft so sure about his product quality against competitors?

Regards from Italy,

Il Beda

re: CIO.COM: Can Mozilla Support Their Security Claims?

Pokey — Thu, 12 Feb 2009 14:14:22 GMT

I believe this is a justified and about time to do an objective comparison. The only reason IE appears to be less secure is because of its majority position in the browser market. People who write malicious code are lazy and play the numbers game that favours them most. Technically IE is already the most secure browser regardless of other vendors claims... Unfortunately for IE it is the most exposed in the market. As firefox gains more market share it will feel more heat and more holes will be exposed. There has already been some Firefox specific malware appearing. Some which are platform independent. There are just so many people on the anti MS / IE bandwagon who will not believe otherwise like AntiFUD above..

re: CIO.COM: Can Mozilla Support Their Security Claims?

Shoaib — Thu, 12 Feb 2009 17:26:52 GMT

Hi Jeff

We have to come to terms that no matter what IE is rubbish, useless and a pain to use. Lacks functions and more.

I have both IE and Firefox installed on all my PC's but let me tell you I always use Firefox, specially when I Internet Bank.

I will never trust IE, NEVER when comes to internet banking. I bet you are using Firefox at home :P

Why dont we ever give credit to great applications? for ONCE lets admit firefox is far better and secure then IE. Just admit it...

re: CIO.COM: Can Mozilla Support Their Security Claims?

Vygantas — Thu, 12 Feb 2009 20:44:32 GMT

There is also Safari and Opera...

re: CIO.COM: Can Mozilla Support Their Security Claims?

Michael Tisdale — Thu, 12 Feb 2009 23:35:14 GMT

Fundamentally, Firefox _can_ be more secure than IE just because of the approach MS has always taken with the browser component, that is, making it part of the operating system rather than as a separate service or application. It's akin to having a bomb in the house or outside of the house; fundamentally, I'm safer with it outside rather than inside. It provides advantages in some places and disadvantages in others.

I have always wished that MS could simply establish the foundation of the OS level of support--via some published API specification--then remove the component to outside of the OS, as a separate assembly and the resultant security around that assembly. Then, if the Gecko team wants to make their claims, they can write to the API. We could have an apples-to-apples comparison.

Until then, the approaches are just too fundamentally different to make a reasonable comparison or claim.

re: CIO.COM: Can Mozilla Support Their Security Claims?

MCSE2 — Fri, 13 Feb 2009 19:51:35 GMT

I have been using Firefox for many years and prefer it over IE.

IE when I did use it always caused a security problem. Firefox's newer versions seem to be more of a snoop threat than earlier versions, but in the years I have used it have never had an attack. I don't even have IE installed on my pc's anymore. All browsers are putting too many features that add vulnerabilities!! I run the portable USB version of Firefox and love it....

re: CIO.COM: Can Mozilla Support Their Security Claims?

Reza — Sat, 14 Feb 2009 11:09:12 GMT

You never could say which browser is the most secure in the world because they have different ways to decode and different ways to protect the user protection. Sometimes problem are cause by OS or toolbar that make browser insecure. For example you may install a toolbar in IE and it did not update against new vulnerability and you even don't have it in Firefox. Also some malware damage to registry which cause to change in IE or Firefox in this case problem is case by insecure OS not browser. The easier example is keylogger, many user when their ID or Credit Card will hack they blame that "Internet Explorer is not safe" but it is nothing to do with IE it cause by user which don't have protection about keylogger. Now lets talk about Security when you use Internet Explorer or Firefox , the both company are responsible for their bug and vulnerability and in Windows it is easy for user , just turn on Windows Update . Security is not something which we could say it is 100% secure so you could not say Firefox is safer. Internet Explorer 8 will come with smart screen filter which protect you against Malware and also protect you against click jacking. I personally don't like User Interface of invalid SSL in Firefox it shows this website is invalid certificate (no trust root) and ask user to ignore it or add it to valid certificate and as long as user add it then no more warning. But in IE it give you a chance to proceed by your own risk and give you warning everytime and if you trust the website then youknow how to add SSL but if you are general user and you don't know about these then you don't have to add it. The most secure browser in the world does not exist at all .

re: CIO.COM: Can Mozilla Support Their Security Claims?

David W. — Mon, 16 Feb 2009 00:16:22 GMT

I use IE at home and still get the odd piece of advertising junk. I think my ISP provider sifts out a lot of it.

However, at work I have tested FF and, while there have been a few of those ads, there are nowhere near as many. I tested it last week and in a short period of time, going to websites that I use all the time, there were six - count them - six unsolicited ads that I received in about an hour using IE.

That would indicate that IE is a target for those unscrupulous people that attache viruses, etc that can cause infection problems and Microsoft cannot seem to address this issue. Is it because IE is the most widely used browser or is it because Microsoft cannot, or will not, address this problem.

re: CIO.COM: Can Mozilla Support Their Security Claims?

Bhasker — Mon, 23 Feb 2009 04:48:50 GMT

Its highly confusing for me why some people comment on threads like these without understanding the full picutre.

I do agree that FF might seem more secure than any other browser (especially IE ) but at the same time its important to remember FF doesn't provides the kind of user experience that IE can provide for many of the MS specific solutions. One thing you can't ignore is the increasing penetration of different MS solutions within any organisation. So, if IE is deeply binded to the OS I don't see anything wrong in there. After all, the reason I have deployed a MS Server (AD and Mailing and Document coloboration) is because end-users have tough time dealing with other solutions.

If FF is greatly secure then why they are having tough time supporting MS based solution... Yes, answer is Active-X... I dare FF to support Active-X and then maintain their security claims...

I am sure they cannot.. and its fine.. They have made the strategy to not to support some solutions and make some claim (which looks rubbish to me)... MS knows the security risks that were present in the previous framework and thats why they are doing all they can to correct the mistake. I wonder why people have tough time letting others accept/correct their mistake...

Its really sad how people are reacting... Especially those who have trouble with the WGA thing.. C'mon man.. first you download/use pirated copied of software... (why not go and use opensource if you love transparency and security so much... and don't want MS's WGA annoyance..) and then when MS is ensuring that you comply to their TOS you want to avoid that... I am sure if one day FF has penetrated enough in market they too will come up with something of this sort... (remember RedHat's installation serial keys to connect to RHN?... was it there at the time of RH7 or 9... ?)

Guys, see the bigger picutre.. and if not help then at least not criticise someone whos trying to correct themselves and project the bigger picture...

And one more thing... Open some nasty sites in FF and click here and there couple of times... I bet you stand equal chance of being exploited as in IE7/8... Theres no escape from user's stupidity... Theres a very thin line between security and usability... Try doing the same in Opera... you won't be even able open the page... So what do you say? Opera is best? But what if I am hell bent on opening the site...? Anyone?

-Bhasker

re: CIO.COM: Can Mozilla Support Their Security Claims?

Lizet — Mon, 02 Mar 2009 19:30:54 GMT

I must confess I'm a FF lover. I have worked with Microsoft technologies for the past 12 years, both as an end user and as a developer but I still remember the malware downloading in the background when the user ran as administrator and so on. The ActiveX code that ran without you noticing. I know this is back from IE 3, but I still don't trust ... Not to mention that the Tools-> Internet Options UI could use some usability redesign, for instance, on the double negative settings...

I use FF most of the time, and only turn to IE when I visit Microsoft based web sites with a very particular javascript code that won't work on FF.

I absolutely like the Add ons and they way you have to turn them on and off. Foxmark is something I couldn't live without now.

I think IE will have to compete really hard with FF to re-gain the internet browsing market and that will take more than these type of studies.

re: CIO.COM: Can Mozilla Support Their Security Claims?

Robert Sr Hempel — Mon, 02 Mar 2009 22:56:03 GMT

Hi Jeff,

Keep up the good work!

It is OK to be criticized. I personally do not condone competition because, rather than winning/better/greater/ etc, I like to help the folks. I understand that you like to help MS users right?

So, I am satisfied with BOTH, IE7 or Firefox. I must say that FF seems easier to use for us less technically inclined than the many fixes rquired for IE.

I also use a ISP installed protection for malware etc.

hempelsr@gmail.com OR hempelsr@msn.com

re: CIO.COM: Can Mozilla Support Their Security Claims?

tachikoma1373 — Wed, 11 Mar 2009 16:07:36 GMT

I'm with Doug Spangler on this one.

If you have nothing but pathetic imature emotionally biased comments to make then please take them elsewhere and allow a constructive debate to take place.