Message-ID: <20040702010343.GA2822@comcast.net>
From: st3ng4h at comcast.net (st3ng4h)
Subject: (IE/SCOB) Switching Software Because of Bugs: Some Facts About Software and Security bugs

On Wed, Jun 30, 2004 at 01:55:17PM -0700, Drew Copley wrote:
> There has been a great deal of talk about people
> switching to Mozilla because of this recent Internet
> Explorer issue.
>
> This is a serious misunderstanding about security
> that comes about because of people's ignorance and
> because they "believe the hype" but do not look at
> the details.
[snip]

Drew,

You made some great points that deserved attention (and echo some
of my own thoughts).

I have told many people to switch to something, *anything* other
than IE. I often recommend Mozilla. I know full well when I tell
them this that it's probably not going to make their browsing
experience any more secure. It is merely going to add them to the
6% of people that are not vulnerable to what can be done to their
machines via IE.

The "I'm switching to _whatever_ because what I'm using now has a
bug" and "Program X hasn't suffered from the same problem as
program Y, therefore Y must be better" standpoints/assumptions are
wrongheaded and dangerous, IMO, and only work in practice due to
factors other than a true assessment of security of the software
in question.

One of these, as you mentioned, is Microsoft's poor track record
in fixing these issues. I do agree with people who are choosing
other browsers because of this reason, and with regards to Mozilla
specifically there are reasons to believe that the Moz project will
be faster and more diligent in handling these things. OTOH, they are
just that- reasons to believe, not hard evidence proven in the real
world.

Another is that the 94% of IE users, mostly home users, are
uneducatable, would not want a 'secure' browser if you gave it to
them, and would remove it if you did. They are too used to the
plethora of nifty features and being able to do anything and
everything under the sun within their web browser. What's worse,
most of the sites they visit require that they use IE or some other
browser that lets them use the same features, and are nearly useless
without. How many popular sites are completely unusable without
Javascript enabled?

Mozilla is not much better in this regard. Sure, there is no
ActiveX, less integration with the operating systems- so what? Most
of these people are still running it with administrator privileges
on their Windows boxen, and now they have a false sense of security
to go along with it. If a 'switch to Mozilla' campaign is wildly
successful and convinces perhaps 50% of them to switch, it will not
be long before bugs are found and exploited, malicious plugins
developed, and so forth, that put users at the same risk they were
before.

So why bother? What we really need to do is wean these people off
the ridiculous things they "need" in their browser and use it for.
We need to make corporations understand that continuing to
spoonfeed users these things on their sites and cater to the people
who want it in order to hawk their products is irresponsible and bad
for security as a whole. We need to make developers understand that
this ain't what web browsers are for and encourage development of
simple and standards-compliant browsers, which you touched on, that
someday could possibly be widely used and considered secure in the
true sense.

So... who wants to get started on that? ;-)

In lieu of being able to solve these problems immediately *and*
keep users happy, I think telling them to switch to Mozilla is a
step in the right direction. But it is just that, a step, not the
end-all be-all solution, and there are many more steps that need to
be taken.

st3ng4h