> -----Original Message-----
> From: Marlon Moyer [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, September 20, 2005 12:30 PM
> To: CF-Community
> Subject: Re: firefox honeymoon over?
> 
> > > I've also read an article that claims these studies are only
> > > considering "verified" exploits.  At the time of the study, firefox
> > > had 3 unverified and IE had about 19 or somewhere around that number.
> > > That's something that could really skew the results.
> >
> > It could... but if they're unverified it would be questionable at best
> > to add them.  (If they're unverified... why?  Are they so esoteric that
> > it's that hard to actually prove them?)
> >
> 
> Well, if you're a public company, how anxious are you going to be to
> verify exploits in your code, especially if you can't patch it that
> quickly.

Is the verification done by the company?  I didn't think so... I thought in
this case it was done by Secunia.
 
> I've been able to configure javascript on or off for different
> security zones.  True, I could put a bunch of sites in the "trusted
> zone", but that's a real pita :)  Does this also affect scripts on one
> "trusted" website that originate from a different host (ie. Ebay's
> trusted, but the script on Ebay's site that feeds advertising from
> advertising.com is not executed)

Yes - the zones are for the source of the request not the "page" (the page
is a collection of requests... it's the requests that matter).

So you might place "doubleclick" in the restricted zone while still visiting
sites that use doubleclick ads.

> You might, I wouldn't.  Avant considers itself another browser that
> uses the IE engine.  An extension in firefox still is part of firefox.
> You still open the firefox browser.

True... but it is semantics.  I've heard people use the same argument for XP
SP2 additions... considering them "non core".

In the end I'm all for doing whatever you can to secure your experience...
but I just don't see one browser as being "better" than the other when it
comes to possible configurations.  I DO think that Firefox is better than IE
at default configuration when it comes to security however.  I consider the
default configuration to be generally more important than the possible ones.
 
> What I meant by that is Microsoft has created a lot of animosity
> against it because of its past business practices.  They are the big
> target and probably will remain the big target for years to come.
> That's a big factor in how secure the browser is.  Hackers with a beef
> against the company will find the exploits.  Criminals will find a way
> to use them to scam money.  If you don't piss off the hackers, you've
> helped out your security.

I suppose that may be true... but I'm not sure how practical it is.  If
you're going to trust to moral outrage the hacker community may not be the
best to look at.  ;^)

It may have an effect... but I doubt it's very large in that (criminal)
community.

You might say that Firefox has made itself a target simply by claiming that
it's so much more secure.  In the hacker community it would seem to be a
bigger reputation boost to hack such "secure" software.  It's like hunting
or collecting: the rarer the object the more it's valued.

However we must also remember that hackers aren't the only ones looking for
exploits... most are found by legitimate security consultants.  (This is
exactly the reason that the vast majority of exploits never see actual use
"in the wild").

These people, as a community, might have a larger segment of "Microsoft
haters" than the hacker community.  But at the same time those people that
hate MS might also examine Firefox to "prove" that it's safe - so animosity
towards MS can work in both directions.

But in the end all that really means is that IE is being made stronger.
More people looking for exploits, whatever their reason for looking here
rather than there, means more exploits found.  This, of course means more
exploits fixed but more importantly it means that "classes" of exploits are
addressed - it allows the company to quietly look for other code with
similar potential.

Now whether that's "right" or "wrong" (I've no opinion on the matter) it
does mean a more secure product.

However the opposite isn't true: more people looking for (and finding)
exploits can make the target product stronger.  However FEWER people looking
at Firefox doesn't make it weaker... but neither does it make it stronger.

Jim Davis
