> I'm not sure if access to the source is at all required for secure software.
> It may help, but the real issue is vulnerability to attack - and you don't
> need source to detect a vulnerability.
> 
I haven't seen one yet, but I'd like to see how long an exploit goes
from being discovered to being patched.  My bet would be that the open
source exploit lifespan is almost certainly shorter.  Thus the
vulnerability becomes null and void.

> > I've also read an article that claims these studies are only
> > considering "verified" exploits.  At the time of the study, firefox
> > had 3 unverified and IE had about 19 or somewhere around that number.
> > That's something that could really skew the results.
> 
> It could... but if they're unverified it would be questionable at best to
> add them.  (If they're unverified... why?  Are they so esoteric that it's
> that hard to actually prove them?)
> 

Well, if you're a public company, how anxious are you going to be to
verify exploits in your code, especially if you can't patch it that
quickly?

> > Regardless of how much safer they say they are, I "feel" safer using
> > firefox because of the extensions that I've been able to install.  I
> > surf with JavaScript disabled by default.  With the noscript
> > extension, I can right click on a site that's not working and enable
> > JavaScript for individual domains.  Ever since installing it, I'm
> > amazed at how many sites have scripts that come from multiple domains.
> 
> Well... for what it's worth that feature's encompassed as part of IE
> security zones for years.  It's a different implementation, of course, but
> you can do the same thing.
> 
I've been able to configure javascript on or off for different
security zones.  True, I could put a bunch of sites in the "trusted
zone", but that's a real pita :)  Does this also affect scripts on one
"trusted" website that originate from a different host (i.e. eBay's
trusted, but the script on eBay's site that feeds advertising from
advertising.com is not executed)?

> I'm also not that comfortable claiming that a core piece of software is
> "better" because an add-in offers some security benefit.  If so we're on a
> slippery slope.  I use AvantBrowser, for example, an IE wrapper.  It offers
> many, many "one-button" security features not present in the core IE... but
> can I claim it as an IE "feature" because it's free and easy to add?
> 
You might, I wouldn't.  Avant considers itself another browser that
uses the IE engine.  An extension in firefox still is part of firefox.
 You still open the firefox browser.

> But your main point is valid: a "sense" of security is very important.  I
> think Firefox has been able to build that while IE has found it very
> difficult.
> 
> I do think that MS is addressing this well however.  Their focus on security
> is admirable and they seem to be spending resources on issues important to
> the end-user (phishing for example).
> 
I also feel that they're finally starting to realize the image they have.

> If a product or a company makes you feel safe that's very, very important.
> But in the end you can't let a company's impression of security sway you
> from mistrusting them.  I still say you should always mistrust your
> software.
> 
> Owning software is like raising kids: you love them and know they don't mean
> actual harm, but dammit don't turn your back on them.
> 
> > I think in the end for me it comes down to whether or not you want to
> > be in the platoon that wears the bright red uniforms (IE) or the ones
> > that used to wear camouflage, but just replaced it with dark blue
> > (firefox).
> 
> I'm not sure of the metaphor... if it references exposure then Firefox is
> definitely moving up in the world - that's the whole point of the original
> article.  As it gets more use it will be attacked more - this says nothing
> about the quality of the product just the ingenuity of the assholes.
> 
What I meant by that is Microsoft has created a lot of animosity
against it because of its past business practices.  They are the big
target and probably will remain the big target for years to come. 
That's a big factor in how secure the browser is.  Hackers with a beef
against the company will find the exploits.  Criminals will find a way
to use them to scam money.  If you don't piss off the hackers, you've
helped out your security.
