PDA

View Full Version : So you think Firefox is secure....



Sticks
2005-May-16, 08:04 AM
As being reported on the BBC Website (http://news.bbc.co.uk/1/hi/technology/4541641.stm)

(I must download the latest fix myself, as I use a copy to test web pages I have constructed to see how they perform in a non IE browser)

Laurie
2005-May-16, 08:16 AM
I never expected Firefox to be ironclad to begin with. Nothing ever is anymore. I have it only because a PC game website, I admin for, was hit by a hacker's worm over New Year's along with a whole host of sites using the same IP. Could not use IE to go into the site or else get an "trojan" deposited through an exploit of the ActiveX. Firefox was my alternative until the webtechs could fix the problem.

But it does have it's quirks and for many things, I still prefer IE as it is more versitile.

Maybe someday, Microsoft will finally get their act together. But until then, I will keep my Firefox as a backup.

Moose
2005-May-16, 09:52 AM
It must be noted that the fix was released about 48 hours after the exploit was announced. Firefox's updater web site was the only site with the means to widely exploit that flaw, and that was fixed within 12 hours.

48 hours is a little slow for the Firefox team. 12 hours is considerably more typical.

Over the past year, Microsoft's response time has improved so it could best be measured in weeks (2-8 for patch delivery.) Historically, Microsoft's response time for patching known critical bugs could only be measured in months, and in a few notorious cases, years.

It's interesting that some attempt to claim (or at least imply) that IE is on the same footing as Firefox, but the reality is that Firefox could have announced they were going to leave these bugs entirely unpatched and still remain miles ahead of IE in terms of security.

Yes, IE is (finally) improving, and yes, malware writers are finally starting to notice the other browsers (a little, anyway), but it took the threat of Firefox and/or Opera to make Microsoft even start to take browser security seriously.

So yeah, when Firefox asks to be patched, patch it. (Green arrow in the upper right hand corner of the menu bar.) That's the sensible thing to do. But don't claim that Firefox is any less secure because of it.

Maksutov
2005-May-16, 10:45 AM
Here, here, Moose!

Excellent rebuttal to the not-so-subtle anti-Firefox tone of the Subject of this thread.

Yeah, good old Internet Explorer. Those few times I need to see a web site that only displays properly in IE, then, immediately after, it's time to run the anti-spyware software to clean out the crap that IE let in. Meanwhile the regular anti-spyware scans while using only Firefox come up empty every time.

Let's see, IE has been version 6 for how long now?

Moose
2005-May-16, 10:58 AM
Here, here, Moose!

Excellent rebuttal to the not-so-subtle anti-Firefox tone of the Subject of this thread.

Why thank you. :)


Let's see, IE has been version 6 for how long now?

The beta came out something like seven years ago, by my reconning.

frogesque
2005-May-16, 11:00 AM
Yeah, I also have an issue with MS Antispyware and IE. Each time it runs itself (I wish it would ask first) it detects a browser hijacker about.blank This is my default blank page I use instead of an add strewn bloated homepage. If I let MS go ahead and delete this 'high risk threat' it removes it and adds MSN homepage to my pc as the default page.

To me this makes MS Antispy little better than malware :evil:

Gullible Jones
2005-May-16, 11:04 AM
There is such a thing as the about:blank hijack... IIRC it redirects you from about:blank to some sort of add site though.

Maksutov
2005-May-16, 11:13 AM
Yeah, I also have an issue with MS Antispyware and IE. Each time it runs itself (I wish it would ask first) it detects a browser hijacker about.blank This is my default blank page I use instead of an add strewn bloated homepage. If I let MS go ahead and delete this 'high risk threat' it removes it and adds MSN homepage to my pc as the default page.

To me this makes MS Antispy little better than malware :evil:
You're apparently not the only one thinking about dropping MS "AntiSpyware". I've had it installed for some time now (ever since it came out), per the recommendation of various experts. However, I've noticed that lately it seems to update every day, asking for all sorts of privileges, but, when it runs, it reports having found NO spyware. This has been going on for at least a month and has me suspicious, especially when Ad-Aware, etc., continue to find spyware. I strongly suspect Microsloth is doing more than protecting individual computers from spyware, and is adding to its databases information about individual computers that will be used in future marketing schemes and attacks against stand-alone PCs as well as individually-owned software.

Remember that industry analysts have determined that one of the objectives of MS's ".NET" effort, along with many other initiatives, is the demise of user-owned software, replaced by software leased by MS. Microsloth owns the software, you pay rent to use it.

Ever see "It's A Wonderful Life"? Remember Mr. Potter?



[edit/typos]

frogesque
2005-May-16, 11:14 AM
OK thanks GJ - will investigate that one.

mickal555
2005-May-16, 11:15 AM
I had that... horrible


My web-site doesn't show up properly on IE. for no reason what so ever :x

I thought srew it- I'm using firefox.

It crashed recently and I had to reinstall it- but overall it's good. :D

Captain Kidd
2005-May-16, 11:34 AM
I had that... horrible


My web-site doesn't show up properly on IE. for no reason what so ever :x

I thought srew it- I'm using firefox.


Remember though, over 90% of people still use IE so if you're wanting them to like your site, you're going to have to make concessions.

And yeah, FF has holes, and some of them are glaring, but it's still better than IE.

Although PC World (I think it was them) apparently rated Opera as the best of the three. I tried it, discovered that it's actually a pay to play unless you want an extremely annoying flashing ad banner, and so I dropped it after 3 minutes.

mickal555
2005-May-16, 11:41 AM
I had that... horrible


My web-site doesn't show up properly on IE. for no reason what so ever :x

I thought srew it- I'm using firefox.


Remember though, over 90% of people still use IE so if you're wanting them to like your site, you're going to have to make concessions.
.

Yeah- but I'm at loss as to how- I'll fix it one of thease day's...

Demigrog
2005-May-16, 02:05 PM
So yeah, when Firefox asks to be patched, patch it. (Green arrow in the upper right hand corner of the menu bar.) That's the sensible thing to do. But don't claim that Firefox is any less secure because of it.

Actually its a red arrow for critical updates (like the one I'm downloading right now :) )

I've found IE is pretty safe... if you disable scripting and ActiveX controls completely. However, there is no way to supress the annoying messageboxes that pop up on every site trying to use them... Grrr...

I use Firefox almost exclusively now; I still have to use IE on some sites that are poorly designed (namely, the ones that use Flash-- I keep flash uninstalled on Firefox).

Sticks
2005-May-16, 02:28 PM
Here, here, Moose!
Excellent rebuttal to the not-so-subtle anti-Firefox tone of the Subject of this thread.


I need to point out that I have fire fox installed as well as IE6, as I need to check webpages and html based systems on CD-Roms in IE and other browsers.

For a while people were saying how wonderful and safe firefox is compared to IE, which leads people into a false sense of security. I still await the virus that attacks linux users exclusively, because they keep making the same claim that they are immune.

I just thought I was doing a public service here by letting you know there is a problem and a fix. Maybe I should have rephrased the thread title.

Lianachan
2005-May-16, 03:02 PM
Hardly secure at all - Clint Eastwood flew it right out of there!

Lance
2005-May-16, 03:42 PM
So yeah, when Firefox asks to be patched, patch it. (Green arrow in the upper right hand corner of the menu bar.) That's the sensible thing to do. But don't claim that Firefox is any less secure because of it.

Actually its a red arrow for critical updates (like the one I'm downloading right now :) )

Okay, I give up. I've had FF 1.0 for several months now. I can't find the red or green arrows. So I just installed 1.0.4 and I still don't see the arrows.

I'm assumung from the context of the thread that this is some kind of auto-update feature. Is there something I need to do to activate it?

Sticks
2005-May-16, 04:49 PM
Just for the record, I am posting this message whilst using Fire fox. [-X

Back in March, I was doing a project which involved compiling movie files, sound files and images onto a CD-Rom that would be a Commemorative CD-ROM of a campaign effort. I developed it and did initial testing in IE, but when it came to do the system test in Firefox, a number of issues arose, and I had to produce a list explaining those features that will not work in FireFox such as

Embeded sound on a bgsound would not play, issues over plugins, cute javascript routines for linking buttons, so they would be faded when the mouse was not over them, did not work. A close browser form button did not work.

Mozilla needs to address these issues, and possilbly others, if they want to really compete with Microsoft.

Captain Kidd
2005-May-16, 05:25 PM
Are those "issues" or IE specific code? You have the, uh what's the word, HTML global standards (that ain’t it but will do) that all browsers are to be compatible with. But then you have browser specific code, and some of that might be proprietary coding… (?) So just because it works in IE, doesn't mean it'll work elsewhere because it might be IE only. Wasn't frames originally Netscape/Mozilla specific? And W3 decided to make it... global? (I know the right word's going to pop into my head after I submit.)

Moose
2005-May-16, 07:49 PM
Okay, I give up. I've had FF 1.0 for several months now. I can't find the red or green arrows. So I just installed 1.0.4 and I still don't see the arrows.

FF1.0 didn't autoupdate. That was added, I think, around 1.0.2. (It might have been 1.0.1, but I think I skipped that release.)

1.0.4 is the most recent release, so there's nothing to update. You'll get the red arrow the next time a FF release becomes available. Demigrog is right, btw, green arrows are for extension updates.

Moose
2005-May-16, 07:51 PM
Are those "issues" or IE specific code? You have the, uh what's the word, HTML global standards (that ain’t it but will do) that all browsers are to be compatible with. But then you have browser specific code, and some of that might be proprietary coding… (?) So just because it works in IE, doesn't mean it'll work elsewhere because it might be IE only. Wasn't frames originally Netscape/Mozilla specific? And W3 decided to make it... global? (I know the right word's going to pop into my head after I submit.)

Yes, you're not wrong. IE got some toys added, and so did netscape/mozilla. IE still isn't 100% compliant to the standard, as I understand it.

Gullible Jones
2005-May-16, 07:57 PM
IE will never be standards-compliant so long as MS uses their stupid Trident rendering engine. I suspect they might actually switch to Webcore at some point, if Bill can stomach the idea of using a perfectly good engine developed by Apple... :lol:

Sticks
2005-May-16, 07:57 PM
Are those "issues" or IE specific code? You have the, uh what's the word, HTML global standards (that ain’t it but will do) that all browsers are to be compatible with. But then you have browser specific code, and some of that might be proprietary coding… (?) So just because it works in IE, doesn't mean it'll work elsewhere because it might be IE only. Wasn't frames originally Netscape/Mozilla specific? And W3 decided to make it... global? (I know the right word's going to pop into my head after I submit.)

I am familiar with having to code to a specific standard. Back in 2001, when I was on secondment to the Disease Emergency Control Centre in Newcastle because of the Foot and mouth, I was doing the intranet, and some one told us it had to be compatable with Netscape 3 :o

The fact that nobody had netscape 3 and the minimum browser was IE4 was irrelevant.

Part of the standard was that we could not use framed documents, because the earlier browsers could not handle them. However I got permission from the head of that section to use a framed page for the directory which would have people's picture on, so by clicking on a link their picture was displayed in the top right hand corner. That seemed to work fine. Then after it had been on for a while, some one new at the section which actually migrated my fixes to the server came back demanding to know why frames were being used. :roll:

The problem is with FireFox, is that some of the code I got from say the button fades, made no mention of browser compatability. IE has set the standard that people expect. A browser that is to compete must be able to do the various bells and whistles of IE, or people will return to IE. I for one as a developer found FireFox deeply frustrating when I found that cute stuff I had laboured over was not supported.

As a developer, if you don't get to do cute, you fall behind. (Being an amateur I am enough at a disadvantage already)

Doodler
2005-May-16, 08:39 PM
For those of you who've had MS Antispyware reset your homepage to the MSN homepage after a detected browser hijack, did it ever occur to anyone to simply change the restore settings in the MSAS program?

You can change the website to which it defaults. Kick the software when it screws up, but save a boot for an operator that doesn't explore all the options in a program.

Bilateralrope
2005-May-16, 08:56 PM
So yeah, when Firefox asks to be patched, patch it. (Green arrow in the upper right hand corner of the menu bar.) That's the sensible thing to do. But don't claim that Firefox is any less secure because of it.

Actually its a red arrow for critical updates (like the one I'm downloading right now :) )

I've found IE is pretty safe... if you disable scripting and ActiveX controls completely. However, there is no way to supress the annoying messageboxes that pop up on every site trying to use them... Grrr...

I use Firefox almost exclusively now; I still have to use IE on some sites that are poorly designed (namely, the ones that use Flash-- I keep flash uninstalled on Firefox).

The flashblock extension for firefox will stop flash animations from playing till you click on them. The only site I use IE for is windows update. If the site won't work in firefox, I won't go there

Sticks
2005-May-16, 08:59 PM
I have just checked a copy of a commision I did for someone, where I created multiple wmv movie files, which were linked by a playlist. (I embeded the play list which called the files in sequence) In IE it worked, in FirFox it did not. Fire fox can play single wmv files, just not in playlists, like IE can.

Am I to limit what I can offer people, because a certain browser has not been developed to handle certain plugins?

Laurie
2005-May-16, 09:00 PM
My only big complaint about Firefox is not all of my passwords to forums (like this one) were transferred over from my IE after installing it.

I changed local providers a few years ago and have a new email address. So this means a few passwords cannot be resent through "password lost" option when asked for that older email address.

Oh, I could reregister but a hassle when you have become established after so long.

But I do plan reenstalling the current Firefox into my new computer when it gets here. It will be a HP Pavilion 2 gig with WinXP Home (running an eMachine 600 with Win98se right now) and considering possible IE security problems with this OS. Having a backup browser is a good idea.....even after updating all anti virus/adware/spyware programs
in the new one first thing after getting it.

Stregone
2005-May-16, 10:38 PM
IE will never be standards-compliant so long as MS uses their stupid Trident rendering engine. I suspect they might actually switch to Webcore at some point, if Bill can stomach the idea of using a perfectly good engine developed by Apple... :lol:

Webcore is khtml(from KDE), with some tweaks by Apple. Some people are bitter about this, because Apple is touting that they are cooperating with open source, but in reality the patches that apple does release are so difficult to put back into khtml that the khtml devs just aren't bothering as far as I have heard.

Musashi
2005-May-16, 10:42 PM
What are blue arrows? I got them occasionally, but not recently.

Gullible Jones
2005-May-16, 10:47 PM
IIRC, Webcore is a decent improvement over KHTML, or at least was. At any rate, it is usually recognized as a separate engine, for the reason you stated.

(I will admit that I have not used Webcore, only KHTML. Although many bemoan KHTML's deficiencies compared to Gecko, I found it quite satisfactory.)

Yoshua
2005-May-17, 01:49 PM
I'm probably alone in this, but I miss Lynx. I miss sites that could be viewed with a text based browser so I could skip all the fluff that infects sites today. I find a lot of these "cute" "features" folks write into their pages now just distracts and obscures the actual content. I'd rather have a page load quickly and be easy to navigate than seeing how cleverly someone can manipulate HTML/Java/Flash/etc.