| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: st3ng4h at comcast.net (st3ng4h) Subject: (IE/SCOB) Switching Software Because of Bugs: Some Facts About Software and Security bugs On Wed, Jun 30, 2004 at 01:55:17PM -0700, Drew Copley wrote: > There has been a great deal of talk about people > switching to Mozilla because of this recent Internet > Explorer issue. > > This is a serious misunderstanding about security > that comes about because of people's ignorance and > because they "believe the hype" but do not look at > the details. [snip] Drew, You made some great points that deserved attention (and echo some of my own thoughts). I have told many people to switch to something, *anything* other than IE. I often recommend Mozilla. I know full well when I tell them this that it's probably not going to make their browsing experience any more secure. It is merely going to add them to the 6% of people that are not vulnerable to what can be done to their machines via IE. The "I'm switching to _whatever_ because what I'm using now has a bug" and "Program X hasn't suffered from the same problem as program Y, therefore Y must be better" standpoints/assumptions are wrongheaded and dangerous, IMO, and only work in practice due to factors other than a true assessment of security of the software in question. One of these, as you mentioned, is Microsoft's poor track record in fixing these issues. I do agree with people who are choosing other browsers because of this reason, and with regards to Mozilla specifically there are reasons to believe that the Moz project will be faster and more diligent in handling these things. OTOH, they are just that- reasons to believe, not hard evidence proven in the real world. Another is that the 94% of IE users, mostly home users, are uneducatable, would not want a 'secure' browser if you gave it to them, and would remove it if you did. They are too used to the plethora of nifty features and being able to do anything and everything under the sun within their web browser. What's worse, most of the sites they visit require that they use IE or some other browser that lets them use the same features, and are nearly useless without. How many popular sites are completely unusable without Javascript enabled? Mozilla is not much better in this regard. Sure, there is no ActiveX, less integration with the operating systems- so what? Most of these people are still running it with administrator privileges on their Windows boxen, and now they have a false sense of security to go along with it. If a 'switch to Mozilla' campaign is wildly successful and convinces perhaps 50% of them to switch, it will not be long before bugs are found and exploited, malicious plugins developed, and so forth, that put users at the same risk they were before. So why bother? What we really need to do is wean these people off the ridiculous things they "need" in their browser and use it for. We need to make corporations understand that continuing to spoonfeed users these things on their sites and cater to the people who want it in order to hawk their products is irresponsible and bad for security as a whole. We need to make developers understand that this ain't what web browsers are for and encourage development of simple and standards-compliant browsers, which you touched on, that someday could possibly be widely used and considered secure in the true sense. So... who wants to get started on that? ;-) In lieu of being able to solve these problems immediately *and* keep users happy, I think telling them to switch to Mozilla is a step in the right direction. But it is just that, a step, not the end-all be-all solution, and there are many more steps that need to be taken. st3ng4h
Powered by blists - more mailing lists