From: frank at knobbe.us (Frank Knobbe)
Subject: [Ring-of-Fire] IE is just as safe as FireFox

On Fri, 2004-11-12 at 09:41, Eric McCarty wrote:
> [...] IE is just
> as secure as Firefox. Why? Because we don't click on fake Citibank
> ads,

It is my understanding that some flaws, for example the recent IFRAME
overflow issue, do not require a user to click on anything. Am I
mistaken?

> [...] Don't sleep with hookers if you don't want AIDS, it's as simple as that.

I agree. But I'd say that IE *is* the hooker.  :)

In all fairness, though, pretty much all the other browsers are
whor^H^H^H^H faulty too. (As Michal Zalewski has shown recently)

The difference between them and IE is that they require a patch for the
browser application, whereas IE often requires fixes that reach far
deeper into the system (thanks to tight integration into the OS). And
that means that sometimes IE fixes and OS fixes step on each other's toes
(erm, DLLs?), creating conflicts or even invalidating each other.
Wasn't there a recent IE flaw that was fixed long ago and then surfaced
again? How did that happen?

The browser-wars are over, and they all lost. The question is how much
impact a faulty browser has on the remainder of the system. The question
that we should be asking ourselves is not "Is IE as safe as Firefox" but
"Does a faulty IE have a larger impact on the system than a faulty
Firefox".

Regards,
Frank

--
* It is easier to fix simple systems than it is to fix complex systems.
* Fixes should modify core components. They should not be bolted onto
core components.