Switched to Firefox today....

  • Thread starter: Vegard Krog Petersen
Toad said:
Have you tried any? I will name some if you want, and there are a lot
to choose from.

The tab support in Firefox sux, the plugins mostly don't work very
well or at all. Firefox lacks features like cleaning cache and cookies
on exit, etc. that almost all freeware IE front-ends provide. Firefox
is piss slow at loading. There are better choices, no question.

Toad

And IE has so many security problems that leave you vulnerable while on the
web...I guess I will go with the browser that even a MS owned webzine
recommended...anything BUT IE
 
And IE has so many security problems that leave you vulnerable while on
the web...I guess I will go with the browser that even a MS owned
webzine recommended...anything BUT IE

All browsers have vulnerabilities (some just haven't been found yet). The
number of vulnerabilities is NOT a significant metric by itself. Here is
an excerpt from an interesting article on Linux vs Windows security:

Overall Severity Metric and Interaction Between the Three Key Metrics
One or more of these risk factors can have a profound effect on the
overall severity of a security hole. Assume for a moment that you are the
CIO for a business based on a web eCommerce site. Your security analyst
informs you that someone has found a flaw in the operating system your
servers are running. A malicious hacker could exploit this flaw to erase
every disk on every server on which the company depends.

The damage potential of this flaw is catastrophic.

Worse, he adds that it is trivially easy from a technical perspective to
exploit this flaw. The exploitation potential is critical.

Time to press the panic button, right? Now suppose he then adds this vital
bit of information. Someone can only exploit this flaw with a key to the
server room, because this particular security vulnerability requires
physical access to the machines. This one key metric, if you'll pardon the
pun, makes a dramatic difference in the overall severity of the risk
associated with this particular flaw. The extremely low exposure potential
shifts the needle on the severity meter from "panic" to "imminently
manageable".

Conversely, another security vulnerability might be exposed to every
script kiddy on the Internet, but still be considered of negligible
severity because the damage potential for this flaw is inconsequential.

Perhaps you can begin to appreciate why it is misleading, if not outright
irresponsible to measure security based on a single metric like the number
of security alerts. At the very least, one must also consider these three
risk factors. Would you rather rely on an operating system with a history
of hundreds of flaws of negligible severity, or one with a history of
dozens of flaws with catastrophic severity? Unless you factor the overall
severity of the flaws into the evaluation, the number of flaws is
irrelevant at best, misleading at worst.

source:

<http://www.theregister.co.uk/security/security_report_windows_vs_linux/>

I've been running Avant (an IE shell) for quite some time and IE before
that and have not had a single security related incident related to my
browser nor have the 500+ users I support. Regardless of the browser you
run it's important that it's properly configured and maintained. This is
likely more important, security wise, than which browser you actually run.
 
Fuzzy said:
Unless you factor the overall
severity of the flaws into the evaluation, the number of flaws is
irrelevant at best, misleading at worst.

several persons have organized the Secunia data into nice pie charts and
tables. Mozilla/Firefox/Opera/K-meleon are clearly ahead of IE in security.

just read Bugtraq, NTBugtraq, and Full Disclosure. Quit quoting from
newspapers.

michael
 
several persons have organized the Secunia data into nice pie charts and
tables. Mozilla/Firefox/Opera/K-meleon are clearly ahead of IE in
security.

I've seen them. So the data is now in pie charts and tables...whoopee!
Unfortunately they don't tell the whole story (the point of my post).

Security is a process...not a particular piece of software. What may be
considered very secure today could be just the opposite the next when a new
vulnerability is discovered (and it will). What if a person switches to
Firefox because it's "more secure" than IE and then never bothers to update
it when a critical vulnerability is found? Maybe they would have been better
off with IE and Windows Automatic Updates that would have fixed this
vulnerability for them?

We've been running IE for many years and have not had one security related
incident related to the browser in that time. This is with over 600 users.
IE can be very secure if properly configured and maintained. Mozilla and
its incarnations may be marginally more secure but lack the autoupdate
features and remote management capabilities required in our environment. This
makes it less secure (for us) as we cannot easily ensure all users have the
latest version and the proper settings.
just read Bugtraq, NTBugtraq, and Full Disclosure. Quit quoting from
newspapers.

Part of my job is computer security. I am quite aware of the various issues
related to the current browsers. I'm not sure what your problem is with a
relevant quote?

The point I was trying to make is that security is a complex process and
there are many factors that must be considered before you can determine what
will give you the best security. The solution that I use may be best for
me/my environment and totally useless for you (and vice versa).
 
Fuzzy said:
I've seen them. So the data is now in pie charts and tables...whoopee!
Unfortunately they don't tell the whole story (the point of my post).

well, the article you quoted stated that severity of flaw should be
taken into account. the various analyses floating around the web do
take that into account. Firefox is also patched quicker than IE (less
zero day exploits). Again the various analyses took into account the
massive numbers of unpatched and unpublished vulns.
We've been running IE for many years and have not had one security related
incident related to the browser in that time. This is with over 600 users.
IE can be very secure if properly configured and maintained. Mozilla and
its incarnations may be marginally more secure but lack the autoupdate
features and remote management capabilities required in our environment. This
makes it less secure (for us) as we cannot easily ensure all users have the
latest version and the proper settings.

you can lock anything down. Windows XP is terribly holey until you get
the service packs and patches in place. but it can be patched and
hardened. same with IE (but you need 3rd party patches). a 3 year old
copy of Firefox (Firebird/Phoenix) or 3 year old linux distro would be
holey too.
Part of my job is computer security. I am quite aware of the various issues
related to the current browsers. I'm not sure what your problem is with a
relevant quote?

The point I was trying to make is that security is a complex process and
there are many factors that must be considered before you can determine what
will give you the best security. The solution that I use may be best for
me/my environment and totally useless for you (and vice versa).

well what about the differences in scripts handling? what about the
fact that my Mozilla on linux runs at user level, not root. even if
there was hole in Mozilla, it can't compromise the whole box. what
about MCZ on IE, which needs to be hardened with Qwik Fix. Firefox has
no equivalent of MCZ, which is utilized by many IE exploits.

As Firefox gains more market share, it will attract more vuln hunters.
so we shall see soon enough which is more secure.

michael
 
Fuzzy said:
The point I was trying to make is that security is a complex process and
there are many factors that must be considered before you can determine what
will give you the best security. The solution that I use may be best for
me/my environment and totally useless for you (and vice versa).

security is indeed complex. no one is saying that you (an enterprise
customer) should dump IE. in fact, maybe you should keep IE since some
sites demand it, and users are comfortable with it.

however, i'd recommend Firefox for some home users. until SP2 came out,
arguably a year old copy of Firefox was more hardened than IE 6 with
full patches. that's due to the MCZ and slowness of patching by MS.
most (if not all) current browser hijackers and droppers attack IE (not
Mozilla).

so the proof is in the pudding. i "fix" a lot of spyware ridden
computers. they were used in home environments (i.e. hostile) and not in
a secure enterprise intranet. big difference in users.

the solution is simple though. use IE for trusted sites, and Firefox
for less trusted sites. for dangerous sites, use Dillo, Amaya, or
Firefox at user-level.

michael
 
Toad said:
Have you tried any? I will name some if you want, and there are a lot to
choose from.

The tab support in Firefox sux,

The new RC version has improved this without using extensions. Look under
advanced options


the plugins mostly don't work very well or

Never experienced this.
at all. Firefox lacks features like cleaning cache and cookies on exit,

Cleaning cookies on exit, can be accomplished simply by setting the
browser to convert all cookies to session cookies. Extensions exist that
allow you to protect a certain cookie, while clearly the others are exist.
 
well, the article you quoted stated that severity of flaw should be
taken into account. the various analyses floating around the web do
take that into account. Firefox is also patched quicker than IE (less
zero day exploits). Again the various analyses took into account the
massive numbers of unpatched and unpublished vulns.

Again I am aware of the stats. They don't take into account the
environment you are running in and configurations other than the
default. Just turning off ActiveX can do a lot to make IE more secure.
you can lock anything down. Windows XP is terribly holey until you get
the service packs and patches in place. but it can be patched and
hardened. same with IE (but you need 3rd party patches). a 3 year old
copy of Firefox (Firebird/Phoenix) or 3 year old linux distro would be
holey too.


well what about the differences in scripts handling? what about the
fact that my Mozilla on linux runs at user level, not root. even if
there was hole in Mozilla, it can't compromise the whole box. what
about MCZ on IE, which needs to be hardened with Qwik Fix. Firefox has
no equivalent of MCZ, which is utilized by many IE exploits.

Again I don't care about Mozilla on Linux as that's not the environment I'm
in and we aren't going to change 500+ desktop computers to Linux to get a
possibly marginal improvement in security in our web browser.
As Firefox gains more market share, it will attract more vuln hunters.
so we shall see soon enough which is more secure.

Again 'more secure' is very difficult to determine as there are many other
factors besides which browser and version of it you are running. How is
it configured? What OS are you running? What patches are installed? What
3rd party plug-ins do you use? How is your firewall configured? You get
the idea.

So in conclusion I recommend you get a well supported browser YOU like and
lock it down, keep it patched and practice safe surfing habits and the
likelihood of anything bad happening is extremely low.

PS this ties in to my pet peeve of people asking what is the 'best'. For
example what is the 'best' anti-virus program. Well there is no clear cut
answer as without specifying more detailed criteria there is no right
answer.
 
security is indeed complex. no one is saying that you (an enterprise
customer) should dump IE. in fact, maybe you should keep IE since some
sites demand it, and users are comfortable with it.

however, i'd recommend Firefox for some home users. until SP2 came out,
arguably a year old copy of Firefox was more hardened than IE 6 with
full patches. that's due to the MCZ and slowness of patching by MS.
most (if not all) current browser hijackers and droppers attack IE (not
Mozilla).

The only people I would recommend anything other than IE to are users who
are smart enough to look for updates on their own. Otherwise they will have
a version of Firefox that will soon have a critical vulnerability discovered
and they haven't bothered to get the update. At least if they are running
Windows XP SP2 they will get updates installed for them automatically.
so the proof is in the pudding. i "fix" a lot of spyware ridden
computers. they were used in home environments (i.e. hostile) and not in
a secure enterprise intranet. big difference in users.

Yes and no. We support all kinds here at work. Some are very advanced and
some don't have a clue.
the solution is simple though. use IE for trusted sites, and Firefox
for less trusted sites. for dangerous sites, use Dillo, Amaya, or
Firefox at user-level.

The average user doesn't have a clue as to whether or not to trust the site.
Why are you even going to a site you consider dangerous?
 
The only people I would recommend anything other than IE to are users who
are smart enough to look for updates on their own. Otherwise they will have
a version of Firefox that will soon have a critical vulnerability discovered
and they haven't bothered to get the update. At least if they are running
Windows XP SP2 they will get updates installed for them automatically.

Firefox now autoupdates for both extensions, themes as well as for the
main program. Looks like you can install firefox for everyone now.
 
Firefox now autoupdates for both extensions, themes as well as for
the main program. Looks like you can install firefox for everyone
now.

Just to be clear, Fx won't install them unattended, so the user will
still have to be "smart enough" to click Yes to get the newer version.
I'd hope this doesn't rule out even the users Fuzzy's talking about.
 
Firefox now autoupdates for both extensions, themes as well as for
the main program. Looks like you can install firefox for everyone
now.

I like to open tabs in the background & none of the links in
version 1.0 RC1 found Tabbrowser Preferences automatically .

I found it this way .

Tools > Extensions , click on > Get More Extensions .
On that page , Most Popular > click on Tabbrowser Preferences , on
that page , click on > Extension Home Page .

That gave me >
http://www.pryan.org/mozilla/site/TheOneKEA/tabprefs/

1st item on the page is > TBP 0.9.93 has been released for Firefox
nightlies.
This prerelease is only compatible with Firefox 0.10 20041001 and
higher

* Posted via http://www.sixfiles.com/forum
 
»Q« said:
Just to be clear, Fx won't install them unattended, so the user will
still have to be "smart enough" to click Yes to get the newer version.
I'd hope this doesn't rule out even the users Fuzzy's talking about.

perhaps those are the users smart enough to know that 99% of client
malware attacks Windows / IE / OE and not open-source apps. other than
some unpublished exploits and PoC for Mozilla floating about, it's all
IE stuff.

unlike Fuzzy, i am coder and hacker, not an admin. i look at things
from a pragmatic and objective viewpoint, not through the haze of
anti-F/OSS fear, uncertainty, doubt.

michael
 
Just to be clear, Fx won't install them unattended, so the user will
still have to be "smart enough" to click Yes to get the newer version.
I'd hope this doesn't rule out even the users Fuzzy's talking about.

Sadly if we can't pre-configure it and perform unattended updates it doesn't
get used in our environment. Yes we have users who cannot figure this out:=(
 
And IE has so many security problems that leave you vulnerable while
on the web...I guess I will go with the browser that even a MS owned
webzine recommended...anything BUT IE

All one has to do is turn off the "vulnerable" features such as ActiveX
and client-side scripting, etc. Most of the free IE front-ends make it
real easy in fact with "page control" to turn on and off such stuff.

Toad
 
All one has to do is turn off the "vulnerable" features such as
ActiveX and client-side scripting, etc.

Crippling your browser like that shouldn't be necessary. Above, you
erroneously claimed that with Fx, plugins mostly don't work very well
or at all; turn off ActiveX in IE and see how well the Flash plugin
works.
 
Crippling your browser like that shouldn't be necessary. Above, you
erroneously claimed that with Fx, plugins mostly don't work very well
or at all; turn off ActiveX in IE and see how well the Flash plugin
works.

TRUE!

I set ActiveX to "warn". That way it's easy to reject unwanted ActiveX
controls.

Anyone smart enough to find and use this forum is plenty smart enough to
avoid the vulnerabilities of the IE engine. Win XP SP2 and front ends like
Maxthon make IE security virtually a no-brainer.

-- Bob
 
TRUE!

I set ActiveX to "warn". That way it's easy to reject unwanted ActiveX
controls.

Oh well I personally find the flood of popups irritating.
Anyone smart enough to find and use this forum is plenty smart enough
to avoid the vulnerabilities of the IE engine.

Using newsgroups is a nobrainer compared to keeping up with the various
exploits released.
 
TRUE!

I set ActiveX to "warn". That way it's easy to reject unwanted
ActiveX controls.

I think dialog boxes for each site using Flash would slowly drive me
insane. I think Macromedia could and should provide an IE plugin that
doesn't rely on ActiveX.
Anyone smart enough to find and use this forum is plenty smart
enough to avoid the vulnerabilities of the IE engine.

I think you misoverestimate the Usenet populace and misunderestimate
the extent to which IE vulnerabilities can bite even those who've
locked it down as well as it can be locked down. But we've had that
discussion before. ;)
Win XP SP2 and front ends like Maxthon make IE security virtually a
no-brainer.

XP SP2 is only available to XP users, though. I'm sure Maxthon helps
the 9X users. I have to browse using 98se, XP home, 2000 pro, and
GNU/Linux, and it's nice to have a relatively secure browser that works
the same way under each OS, with the bookmarks synced.
 
Oh well I personally find the flood of popups irritating.

Dang, I only get 1 or 2 per month. What kind of sites do you go on to get a
bunch of ActiveX controls hurled at you?
Using newsgroups is a nobrainer compared to keeping up with the various
exploits released.

We can agree to disagree on that.

-- Bob
 