  JTM1051 Premium,MVM join:2000-07-08 Moorpark, CA
| M$'s Peter Torr Attacks Firefox Security
mozillaZine.org Tuesday December 21st, 2004
Microsoft's Peter Torr Attacks Mozilla Firefox Security
A Microsoft Program Manager by the name of Peter Torr has posted a weblog entry about potential problems with security in Mozilla Firefox. Specifically, he singles out the fact that neither the Firefox installer nor most of the available extensions are digitally signed. By contrast, he notes, Microsoft Internet Explorer 6 Service Pack 2 will not install unsigned ActiveX by default. While many will immediately cry, "FUD!", he's actually right. Though the infrastructure is there, the lack of code signing in the vast majority of Firefox extensions has led to an environment in which many users simply install extensions without really knowing if they can trust the people behind them.
... and how many unpatched vulnerabilities does IE still have?  |
|
  jaykaykay 4 Ever Young Premium,MVM join:2000-04-13 Scottsdale, AZ
·Speakeasy
1 edit | While you are correct that MS still has done nothing about many of their moth holes in IE, this article is kind of like the pot calling the kettle black or more like trying to vindicate themselves for their failure telling about FF and their failure. Neither is correct. On one hand, it does point out that though everyone touts FF, that FF is not as secure as everyone is being led to believe, isn't it? Is that bad? Shouldn't people learn the reality of what they use without doing so blindly with either? |
|
  John2g Qui Tacet Consentit Premium join:2001-08-10 England | reply to JTM1051 Re: M$'s Peter Torr Attacks Firefox Security
As with so many things, it is a trade off between a richer internet experience with all the bells and whistles and security. -- Better to remain silent and be thought a fool, than to speak and remove all doubt. |
|
 goalieskates
join:2004-09-12 Knoxville, TN | reply to JTM1051 Some of us are real tired of the browser turf wars. What was it Shakespeare said? "sound and fury, signifying nothing."
Get your own house in order, Mr. Torr, and I'll listen to you. And vice versa. |
|
  John2g Qui Tacet Consentit Premium join:2001-08-10 England
| reply to JTM1051 I really hope that this isn't going to become a "Mine is bigger than yours" thread.
As I wrote in another thread yesterday, there is NO compulsion to use Microsoft products. If you don't like what they offer for sale, don't buy it. The sky won't fall down if you don't. -- Better to remain silent and be thought a fool, than to speak and remove all doubt. |
|
  jaykaykay 4 Ever Young Premium,MVM join:2000-04-13 Scottsdale, AZ
·Speakeasy
| reply to JTM1051 Actually, I am one of those who is real tired of these turf wars...right here on DSLR. Bashing of one thing over another seems to be the big thing to do of late. Everyone should get their houses in order and we here should not take glee that something else is said about our enemy of the moment. |
|
  JTM1051 Premium,MVM join:2000-07-08 Moorpark, CA
| reply to John2g said by John2g :I really hope that this isn't going to become a "Mine is bigger than yours" thread. ... I hope not ... was not my intent behind posting.
It's like what jaykaykay noted "... the pot calling the kettle black ...", or those who live in a glass house should not throw rocks. |
|
 SUMware Premium join:2002-05-21
| reply to JTM1051 Not sparring, not promoting, just showing that...
Under FF tools > options > web features are a couple of handy security features.
You can choose to totally disallow software installation or allow it on a site-by-site basis. FF prompts for the user's choice.
Not perfect, but a good feature. |
|
  BlitzenZeus Burnt Out Cynic Premium,MVM join:2000-01-13 Beaverton, OR
·Verizon FIOS
·Verizon Online DSL
| reply to JTM1051 said by What Peter Torr is actually thinking: While we're not fixing the problems in Internet Exploiter, I can only dig up lame reasons why you shouldn't run Mozilla Based Browsers. Hey, you can have software installed without any user intervention without your permission with our browser! That is where I get my best gay porn sites!
 -- My hourly rates: $25 per hour. $35 per hour if you want to watch. $45 per hour if you want to help. $75 per hour if you tried to fix it, and failed. The biggest error is sitting in front of your keyboard. |
|
  John2g Qui Tacet Consentit Premium join:2001-08-10 England
| reply to JTM1051 said by JTM1051 : or those who live in a glass house should not throw rocks. I thought the expression was that those that live in glass houses shouldn't undress with the lights on  -- Better to remain silent and be thought a fool, than to speak and remove all doubt. |
|
 ReverendJasen
join:2004-12-13 Louisville, KY
| reply to JTM1051 Torr's arguments are full of holes too. His biggest one is that Firefox's installer is not "digitally signed". That's right, it's not. And neither are about a million other trustworthy applications. Digital signing is bunk anyway. Anyone can use a stolen credit card, sign up on MS's site for a digital signature, and then sign any ActiveX controls or software they want. MS certainly doesn't verify to see what the application is, or whether it's safe or not. All the signature does is prove that the developer submitted a form to MS. Yeah, sounds safer to me. |
|
  BlitzenZeus Burnt Out Cynic Premium,MVM join:2000-01-13 Beaverton, OR
·Verizon FIOS
·Verizon Online DSL
| reply to John2g People like Peter shouldn't talk when their product is exploited to infect so many users with unpatched exploits, they can criticize the other all they like, they just look like complete asses for not fixing their software while just badmouthing the competition. -- My hourly rates: $25 per hour. $35 per hour if you want to watch. $45 per hour if you want to help. $75 per hour if you tried to fix it, and failed. The biggest error is sitting in front of your keyboard. |
|
  John2g Qui Tacet Consentit Premium join:2001-08-10 England
| said by BlitzenZeus :People like Peter shouldn't talk when their product is exploited to infect so many users with unpatched exploits, they can criticize the other all they like, they just look like complete asses for not fixing their software while just badmouthing the competition. We will have to agree to disagree,
I use IE that is well secured, I don't get adware or any malware. Scripting is disabled as is ActiveX and I do not experience any problems in surfing with a setup like this. Occasionally I see a message saying that the site won't display correctly with ActiveX disabled: so be it. -- Better to remain silent and be thought a fool, than to speak and remove all doubt. |
|
  jaykaykay 4 Ever Young Premium,MVM join:2000-04-13 Scottsdale, AZ
·Speakeasy
| reply to John2g Actually, over here I believe that it is "those who live in glass houses shouldn't throw stones", but while we're all muddling around in a quarry, it really doesn't matter if they're rocks, stones, or bare skin! It's all a good image though...especially the bare skin in the glass house.  |
|
  BlitzenZeus Burnt Out Cynic Premium,MVM join:2000-01-13 Beaverton, OR
·Verizon FIOS
·Verizon Online DSL
2 edits | reply to John2g You do have to agree that users not using XP SP2, and using default/unsecured settings are at risk. Joe and Jane Average have no clue how, or even know they need to defend themselves from IE's exploits....
You are the minority, they are the majority... |
|
  John2g Qui Tacet Consentit Premium join:2001-08-10 England
| said by BlitzenZeus :You do have to agree that users not using XP SP2, and using default/unsecured settings are at risk. I have not installed XP SP2 either: I don't see the need 
I do understand your point of view. I was helping someone here yesterday with their HJT log when the penny finally dropped that I had missed one salient point: they weren't even running an AV! -- Better to remain silent and be thought a fool, than to speak and remove all doubt. |
|
  EGeezer Go Bobcats Premium join:2002-08-04 Country!
·Callcentric
·RoadRunner Cable
·AT&T CallVantage
| reply to JTM1051 Re: MozillaZine article
Interesting article, thanks for the post! Since we use both FF and IE it's always good to know the beauty and warts of each. I like the factual nature of the Mozilla article and the absence of defensive or inflammatory language. I hope more factual information is disseminated sans editorial comments and repetitive "talk-show" style ranting. The MS article, while well written, showed me a bit more partisanship in its content.
I think that certificates are valuable. Having installation approved/by site rather than by product does leave a larger possibility of malware infiltrating a server, and signed products from a trusted authenticator is a good idea. However, since anyone can purchase a cert from Verisign, it does not guarantee the integrity of a software provider or the quality/trustworthiness of the product.
Fortunately I have to actually respond and override security settings in FF to install anything, even from Mozilla. Installs that are "Silent but deadly", like f**ts in an elevator, are not a characteristic of FF.
So, guess I'll keep using both browsers and keep my ear to the ground for developments on each - and alternatives to each.
Happy holidays all!
EG -- N-X-211 ====== N-328KF |
|
 lawrence171 Evilly Yours - Evilness
join:2001-12-24 Canada | reply to jaykaykay Re: M$'s Peter Torr Attacks Firefox Security
I agree that Mozilla should start signing their things.
Other than that, Mozilla is more secure than IE. -- What I used to be I no longer am... God, why can't you freeze time for my sake? |
|
  John2g Qui Tacet Consentit Premium join:2001-08-10 England
| reply to EGeezer Re: MozillaZine article
said by EGeezer :So, guess I'll keep using both browsers and keep my ear to the ground for developments on each - and alternatives to each. Happy holidays all! EG As long as you don't keep your nose to the grindstone, shoulder to the wheel and ear to the ground, all at the same time. -- Better to remain silent and be thought a fool, than to speak and remove all doubt. |
|