lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20040702010343.GA2822@comcast.net>
From: st3ng4h at comcast.net (st3ng4h)
Subject: (IE/SCOB) Switching Software Because of Bugs: Some Facts About Software and Security bugs

On Wed, Jun 30, 2004 at 01:55:17PM -0700, Drew Copley wrote:
> There has been a great deal of talk about people
> switching to Mozilla because of this recent Internet
> Explorer issue. 
> 
> This is a serious misunderstanding about security
> that comes about because of people's ignorance and
> because they "believe the hype" but do not look at
> the details.
[snip]

Drew,
You made some great points that deserved attention (and echo some 
of my own thoughts).

I have told many people to switch to something, *anything* other
than IE. I often recommend Mozilla. I know full well when I tell 
them this that it's probably not going to make their browsing 
experience any more secure. It is merely going to add them to the 
6% of people that are not vulnerable to what can be done to their 
machines via IE.

The "I'm switching to _whatever_ because what I'm using now has a
bug" and "Program X hasn't suffered from the same problem as
program Y, therefore Y must be better" standpoints/assumptions are
wrongheaded and dangerous, IMO, and only work in practice due to 
factors other than a true assessment of security of the software 
in question.

One of these, as you mentioned, is Microsoft's poor track record
in fixing these issues. I do agree with people who are choosing
other browsers because of this reason, and with regards to Mozilla
specifically there are reasons to believe that the Moz project will
be faster and more diligent in handling these things. OTOH, they are
just that- reasons to believe, not hard evidence proven in the real
world.

Another is that the 94% of IE users, mostly home users, are 
uneducatable, would not want a 'secure' browser if you gave it to 
them, and would remove it if you did. They are too used to the
plethora of nifty features and being able to do anything and 
everything under the sun within their web browser. What's worse,
most of the sites they visit require that they use IE or some other
browser that lets them use the same features, and are nearly useless
without. How many popular sites are completely unusable without
Javascript enabled?

Mozilla is not much better in this regard. Sure, there is no 
ActiveX, less integration with the operating systems- so what? Most 
of these people are still running it with administrator privileges 
on their Windows boxen, and now they have a false sense of security
to go along with it. If a 'switch to Mozilla' campaign is wildly 
successful and convinces perhaps 50% of them to switch, it will not 
be long before bugs are found and exploited, malicious plugins 
developed, and so forth, that put users at the same risk they were 
before.

So why bother? What we really need to do is wean these people off
the ridiculous things they "need" in their browser and use it for.
We need to make corporations understand that continuing to 
spoonfeed users these things on their sites and cater to the people
who want it in order to hawk their products is irresponsible and bad
for security as a whole. We need to make developers understand that 
this ain't what web browsers are for and encourage development of 
simple and standards-compliant browsers, which you touched on, that 
someday could possibly be widely used and considered secure in the 
true sense.

So... who wants to get started on that? ;-)

In lieu of being able to solve these problems immediately *and* 
keep users happy, I think telling them to switch to Mozilla is a 
step in the right direction. But it is just that, a step, not the
end-all be-all solution, and there are many more steps that need to
be taken.

st3ng4h


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ