Mitchell Stoltz wrote:
>
> You can currently block JS execution per-site, there's no UI for it yet
> but this is (hopefully) going to be in Moz 0.9 or 0.9.1.
>
It's your code; you can set priorities any way you want. You just have to
accept responsibilty if you're wrong. I hope you're not.
> Mr. Thumbs, on what evidence do you base your claim that "Mozilla
> currently treats security as a low priority item?" I can tell you in no
> uncertain terms that you are wrong. The security work that goes on for
> Mozilla is not often visible to the end user. UI and customization
> features for security have taken a back seat to improving the actual
> security mechanisms of the browser (keeping your data private,
> preventing easy virus propagation, etc) and I believe this was the right
> choice. UI is coming soon.
> -Mitch
>
Thanks for asking so nicely.
I generally run Linux because I like the way it separates user data from
system data. Since mozilla purports to support Linux one would think
that it would understand this simple concept. Yet just look at the
long-standing issues with installing mozilla. There are a number of bugs
describing how mozilla assumes that it has privileges it actually
doesn't. It has always surprised me that mozilla doesn't understand a
basic part of the Linux/Unix security model. It surprises me more that
some people questioned why any changes were necessary. It surprises me
the most why this wasn't part of the design specification for a
supported platform.
Then there's PSM. It's designed by a different group yet it also assumes
more than it should. In this case, it assumes that the loopback
interface is lightly used so it can use the interface for its own
needs. It also assumes that it can out file system objects anywhere it
wants with impunity. It's another example of how mozilla doesn't seem to
understand the OS environment.
Yes, I realize these issues are being addresses (although it's taking
far longer than it should), but that's damage control not proper design.
If developers had been paying attention this would have been caught
early on.
Finally, there are file permissions. On any Unix-like system, one should
never set the executable bits unless one really means to. This is
particularly true on Linux where facilities exist for executing files
based on suffix or magic number. Mozilla seems to have a hard time
grasping that concept.
What I see is a mozilla that seems to have not done its research on one
of its supported platforms. This is just a straight forward matter of
attending to details. So I do not think mozilla is particularly secure
nor do I think it cares a whole lot.
--
Saturn
2001-03-11 15:41:09.922 UTC (JD 2451980.153587)
X = 4.323101703, Y = 7.460495016, Z = 2.895367329 (au)
X' = -0.005200992, Y' = 0.002359013, Z' = 0.001198214 (au/d)
