Re: Two downbeat articles on browser security
Ian G wrote:
> http://www.ebcvg.com/articles.php?id=673
> Mozilla: The Honeymoon is over

Well, this time it's the analysis by the expert who's selling antivirus/http filters.

Unfortunately, many will fail to his incredibly specious assessments about the recent vulnerabilities in Mozilla without realizing how little objectivity he can have in the case.

Some of the common Mozilla exploits ScanSafe is stopping :

How long should I laugh ? Can they even tell they were faster at beginning filtering them than mozilla.org was at implementing the fix ?

___
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security
Re: Two downbeat articles on browser security
Jean-Marc Desperrier wrote:
> Ian G wrote:
>> http://www.ebcvg.com/articles.php?id=673
>> Mozilla: The Honeymoon is over
>
> Well, this time it's the analysis by the expert who's selling antivirus/http filters.
>
> Unfortunately, many will fail to his incredibly specious assessments about the recent vulnerabilities in Mozilla without realizing how little objectivity he can have in the case.

Exactly. The sad fact is that almost all writing on security is biased towards selling some product, and has no foundation in security. Even those that are not selling for money are generally bound up in some model that they've bought into which are then sold as if money depended on it. (E.g., the OpenPGP, SSH, SSL worlds which never ever agree.)

In this environment, it means that the ones with the loudest voices and the biggest willingness to tell lies will win. Which means that when Microsoft catches up, you can expect a very aggressive PR campaign to kill Mozilla's rep for security. That battle can't be won, in the public mind, if it is simply going to be played out on a field of security is patches and code audits.

> Some of the common Mozilla exploits ScanSafe is stopping :
>
> How long should I laugh ? Can they even tell they were faster at beginning filtering them than mozilla.org was at implementing the fix ?

Sure. It's not those guys who you need to worry about, it's the whole meta-issue of what happens when Microsoft develops sufficient fixes to be able to start shooting. Right now they are keeping mum, simply because they know that they cannot shoot blanks. They have to reload. And they are reloading as we speak.

And perhaps they are being helped by some early leading indicators like the honeymoon being over. Gee, if I was Microsoft, I'd pay to get a trickle of preparatory articles floating out there.

iang
--
News and views on what matters in finance+crypto: http://financialcryptography.com/
Re: Two downbeat articles on browser security
The article is essentially correct. From what I've seen, Firefox is only slightly more secure than MSIE, and much of that is due to the fact that it does not support ActiveX components.

I've always taken for granted that the browser would not be truly secure, as that would require a rigor in coding and a preoccupation with security that clearly doesn't exist with Firefox. I use Firefox rather than MSIE today mainly because it seems to be slightly more conformant to many standards and because it offers slightly less opportunity to execute foreign code on my machine (and thus is less likely to transmit viruses).

There isn't enough granularity in the security controls, though (I should be able to turn things on and off on a site-by-site or category-by-category basis, and I can't), and I expect security to get worse, not better, as features are added to the browser to make it more attractive. (I know that the features will use code that won't be written or tested adequately.)

--
Anthony
Re: Two downbeat articles on browser security
Ian G wrote:
> http://www.techworld.com/security/news/index.cfm?NewsID=3468
> SSL 'security' aiding online fraud

Considering the experts giving these claims are trying to sell more expensive certs, I'm going to take it with a grain of salt until more attacks hitting my inbox really do start using SSL. So far the only person that I know to unequivocally state (that is, without a blatantly obvious ulterior motive) an attack used an SSL cert was you.

--
Best regards,
Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!
http://e164.org - Using Enum.164 to interconnect asterisk servers

In the long run the pessimist may be proved right, but the optimist has a better time on the trip.
Re: Two downbeat articles on browser security
Duane wrote:
> Ian G wrote:
>> http://www.techworld.com/security/news/index.cfm?NewsID=3468
>> SSL 'security' aiding online fraud
>
> Considering the experts giving these claims are trying to sell more expensive certs, I'm going to take it with a grain of salt until more attacks hitting my inbox really do start using SSL. So far the only

Yes, I know. And, literally, they confuse the issue by talking about unvalidated security threats without talking about the validated threats. But I found the title quite apropos; the browser doesn't defend against control certs just like it doesn't defend against phishing, and the solution for both threats is the same.

> person that I know to unequivocally state (that is, without a blatantly obvious ulterior motive) an attack used an SSL cert was you.

Blush ;) I wish I'd recorded the evidence now. I didn't think it would be such a rare event at the time; I honestly thought that we were about to see a rash of attacks using false or stolen certs. Oh well, maybe next time.

iang
--
News and views on what matters in finance+crypto: http://financialcryptography.com/