Thread: More secure browser.

  1. #11
    It isn't just about settings, which is what my first post here talked about. Sure, you can alter IE settings to make it as secure as a Mozilla source build. Sure you can add a google bar to block popups. But then again... FireFox, Mozilla, and Netscape already have these features by default.

    But the greatest threat is the base source code within IE itself. That is unchangeable, unpreventable, and unblockable. Settings won't alter a thing in the world when a buffer exploit in URL handling exists. Thus what I said in my first post on this thread. IE still remains insecure for its natural codebase exploitation.

  2. #12
    Banned
    Join Date
    May 2003
    Posts
    1,004
    Ok... let's try this again

    Web browsers face two types of attacks:

    1. Arbitrary code execution
    2. spoofing and other contained exploits

    #1 is defeated by running the browser via a less privileged user, such as a guest account. #2 is defeated by proper configuration, and again simple security math tells us that it is better for a system to be issued in as unhardened of a state as possible so that once its final configuration has been determined hardening can ensure more complete coverage using the fewest resources.

    Now #1 is completely defeated, #2 is an area that is still likely to affect the browser, any browser in fact, but to a greatly reduced extent if the browser is locked down.

    All this being said there is no advantage to IE over anything else with regard to security, unless you want to make a discussion about development maturity models and I don't think you do.

    Now the weakness, any Windows system is still going to have IE on it, so any local exploits or other non-browsing issues can still target it as well as your new browser of choice. This means that with regard to this type of attack your security is actually less by running a second browser. Consequently using only IE is more secure.

    catch

  3. #13
    Disagreed, from more experience than I care to argue about right now.

  4. #14
    Banned
    Join Date
    May 2003
    Posts
    1,004
    If you are not going to defend or explain why you think something, why should anyone here care?
    Basically you've just replied with "nuh-uh!"

    catch

    PS. "experience" = anecdotal evidence, which really has no place in a technical discussion.

  5. #15
    Fine, you want to get snotty? Let's get snotty. I'll take the trollbait.

    1. Running anything on a guest level still requires systemwide DLL access for IE to function. Thus, on a guest level system specific DLLs are still called upon in code functions. Their access to read/write is not controlled per system application but by user login. Running IE at guest privileges would not only HINDER everyday usage, but prove uneventful in halting exploitation of code, URLs, and exploitation of built in IE components.

    2. Settings are settings. If you wanted default secure settings, you should have used a different browser.

    3. If IE is not running (and preloaded DLLs do not count) then IE will not be exploited. If a second browser is installed then the second browser alone is prone to exploits, and not to an exe that is not running. Memory footprint of the DLLs loaded for IE are not just IE only DLLs and are thus system wide DLLs. Thus it is not the browser but the DLLs the system uses to tie multiple applications into. Whether you use one browser or two, the risk is not elevated.

    4. Being OpenSource, FireFox has the uncanny ability to learn from the competitors' mistakes, namely IE. This means response time for patches and fixing are incredibly fast for any OS release, including Windows. So while you run a crippled version of IE, Firefox will still be fully functional and secured because of its default code base.

    5. You can change all the settings you want, but you can not alter embedded code within a closed source project, making IE still vulnerable.

  6. #16
    Banned
    Join Date
    May 2003
    Posts
    1,004
    [QUOTE] Originally posted here by pooh sun tzu
    Fine, you want to get snotty? Let's get snotty. I'll take the trollbait.[/QUOTE]
    Take it however you like; just stating that you disagree with no reason adds no value to the conversation. I gather by your more complete response my being "snotty" helped you see the light... so it's all good.

    1. Running anything on a guest level still requires systemwide DLL access for IE to function. Thus, on a guest level system specific DLLs are still called upon in code functions. Their access to read/write is not controlled per system application but by user login. Running IE at guest privileges would not only HINDER everyday usage, but prove uneventful in halting exploitation of code, URLs, and exploitation of built in IE components.
    I am not sure what you are saying here, how does running IE under the guest user not use the login information? If you find some way to have an application's DLLs not be limited to the user account it is running under... well you should publish that because you will have completely broken Windows security. Outside of that... I cannot think of any functionality issues this would prevent with the possible exception of not being able to save webpages to directories lacking guest access, which is easily dealt with.

    2. Settings are settings. If you wanted default secure settings, you should have used a different browser.
    Why are you hung up on the settings being default? The settings should be such that they fit most appropriately within the system. Locking a system down (hardening) has more easily calculated consequences than disabling security features, this is why high security systems ship in a completely unhardened state and provide a TFM for the system owners/custodians to harden as appropriate. The fact is IE has the functionality to be locked down, default or not is unimportant.

    3. If IE is not running (and preloaded DLLs do not count) then IE will not be exploited. If a second browser is installed then the second browser alone is prone to exploits, and not to an exe that is not running. Memory footprint of the DLLs loaded for IE are not just IE only DLLs and are thus system wide DLLs. Thus it is not the browser but the DLLs the system uses to tie multiple applications into. Whether you use one browser or two, the risk is not elevated.
    So... a local attacker or exploit (that perhaps affects another application and then manipulates IE) can't use IE? I am sure you don't think this.

    4. Being OpenSource, FireFox has the uncanny ability to learn from the competitors' mistakes, namely IE. This means response time for patches and fixing are incredibly fast for any OS release, including Windows. So while you run a crippled version of IE, Firefox will still be fully functional and secured because of its default code base.
    Ah the open source argument... did you know that the average lifespan of a Linux source level bug is nearly 2 years. Woo "incredibly fast"... no doubt. (I'll send you my documentation from the Stanford CSL if you doubt this fact) Open source is an inferior development model, (stage 1 on http://www.sei.cmu.edu/cmm/cmm.html )

    5. You can change all the settings you want, but you can not alter embedded code within a closed source project, making IE still vulnerable.
    Ok, you hate closed source, we get it. Also just so you know in a closed source product, the code isn't "embedded" it is just "code." In computer science "embedded" means to put something within something different... like compiled SQL being embedded into a C++ build. Not just C++ embedded within C++.
    There is no reason to alter the IE source, I already explained how the two types of browsing threats it faces can be defeated, the only remaining issue is the effect it has on overall security... wherein the computer security universal truth of simplicity prevails and having two browsers is less secure than one.

    catch

  7. #17
    This is not worth my time. You are not here to discuss, just argue. Good day to you. I throw in my gloves for the sake of this thread. If you want to continue to be an ass, PM me and we can continue there.

  8. #18
    Senior Member
    Join Date
    Feb 2004
    Posts
    270
    Well there are more replies here than I thought. I believe that's a good thing, right?

    So far this is it:


    FireFox:

    Opensource
    No directX disabled
    Less targeted
    PopupBlock
    Corrects errors in HTML and URLs? (that's what I understood)
    More secure codebase(???)
    (you can also disable javascript and java)
    Slower loading

    IE:

    Closedsource
    DirectX enabled
    Less secure codebase(?????)
    Targeted more
    Strict in formatting HTML
    Faster loading

    Warn me if I miss anything.

    Anything other than IE is more secure in theory, because IE is the most common browser and therefore, the most targeted?
    If that is true won't Firefox get less secure when it gets more popular?

    And finally, the way Firefox handles URLs, HTML rendering, and the like is done in such a way that the code base is naturally more secure than IE.
    eeuh.......... I don't really get the part of the codebase.

    I actually like that aspect of IE. It encourages people to write proper HTML code that works instead of half-assed code
    I like that too. Programming, whether it is C++ or HTML or JAVA, should be done properly.

    Initial startup of Firefox is slower than IE; can't blame it though, most of IE's shared libraries get loaded in the memory as the system gets booted.
    That's a good thing, right? If all of FireFox's libraries and stuff still have to get loaded it means that it doesn't use stuff that is integrated into Windows. That makes it more secure.

    The reason why it is more secure than other locked down browsers run as a less privileged user is that since you can't remove IE you've upped the system's complexity by adding the second browser, giving the entire system less assurance. In practical terms it means that many exploits will be able to target the application they wish and this means that your new browser and IE are valid targets. (This however does not include browsing exploits, but since comparing those merely comes down to a conversation about bug counts as most browsers offer the same types of security mechanism there really is no point.)
    Does having a second browser installed make my system less secure? Or am I just reading this wrong? Also when running as a normal user I get the same problems as while running as admin in IE. Or do you want me to use the guest account for real? Because I kind of disabled that.

    3. If IE is not running (and preloaded DLLs do not count) then IE will not be exploited. If a second browser is installed then the second browser alone is prone to exploits, and not to an exe that is not running. Memory footprint of the DLLs loaded for IE are not just IE only DLLs and are thus system wide DLLs. Thus it is not the browser but the DLLs the system uses to tie multiple applications into. Whether you use one browser or two, the risk is not elevated.
    And now you are telling me that is not true. Can I just get facts here?

    Ah the open source argument... did you know that the average lifespan of a Linux source level bug is nearly 2 years. Woo "incredibly fast"... no doubt. (I'll send you my documentation from the Stanford CSL if you doubt this fact) Open source is an inferior development model, (stage 1 on http://www.sei.cmu.edu/cmm/cmm.html )
    I prefer open source myself; it very well may be inferior, but the idea behind it suits me better. And if both could be turned into one then we would have the best method ever.

    This is some nice info here and it looks like there are two camps. Is there anyone else with a different opinion around here?
    Since the beginning of time, Man has searched for the answers to the big questions: 'How did we get here?' 'Is there life after death?' 'Are we alone?' But today, in this very theatre, you will be asked to answer the biggest question of them all...WHO LIVES IN A PINEAPPLE UNDER THE SEA?

  9. #19
    AntiOnline n00b
    Join Date
    Feb 2004
    Posts
    666
    Uhmm, let me add and correct a few things

    FireFox:
    • Opensource
    • ActiveX disabled (No directX disabled)
    • Less targeted
    • PopupBlock
    • More secure codebase
    • Both can do that (you can also disable javascript and java)
    • Slower loading: yes, one-time starting that is; after that it is considerably faster than IE

    IE:
    • Closedsource
    • ActiveX enabled; can be disabled by the setting though (DirectX enabled)
    • Less secure codebase
    • Targeted more
    • Strict in formatting HTML
    • Faster loading: you can say that when all the shared libraries are already loaded in the memory, but is considerably slower in surfing than FireFox


    If that is true won't Firefox get less secure when it gets more popular?
    Being open source it has the ability to gain from the experiences of a vast amount of people.

    eeuh.......... I don't really get the part of the codebase.
    The actual underlying code (base/platform on which all versions are designed) of Mozilla is stronger than IE, which has to frequently release patches to patch up vulnerabilities.

    I like that too. Programming, whether it is C++ or HTML or JAVA, should be done properly.
    HTML

    That's a good thing, right? If all of FireFox's libraries and stuff still have to get loaded it means that it doesn't use stuff that is integrated into Windows. That makes it more secure.
    Definitely is. On the other hand, IE is so integrated into the system that Windows cannot live without it; it's always loaded in the memory. Only thing is that when you start Firefox it has to first load all its libraries into the memory, and that takes a considerable amount of time.

    Does having a second browser installed make my system less secure? Or am I just reading this wrong? Also when running as a normal user I get the same problems as while running as admin in IE. Or do you want me to use the guest account for real? Because I kind of disabled that.
    Windows and IE are inseparable; no sir, you can't take them apart. So now we cannot get rid of it and it has its share of vulnerabilities. Adding another will definitely bring its share of vulnerabilities; theoretically I would say a fair comment. Sue Microsoft for that to make it uninstallable. But if the second browser is secure enough then I will take the risk.

    Try to use the Guest account as much as possible; it will reduce the threat level. Consider a cracker getting Guest access and him/her getting Admin access.

    I prefer open source myself; it very well may be inferior, but the idea behind it suits me
    Inferior? You are saying Linux is inferior, FireFox inferior? Grrrrrrrr. Open source is not inferior, Mr. Open source has the ability to learn, gather knowledge from a vast number of people.

  10. #20
    Senior Member
    Join Date
    Feb 2004
    Posts
    270

    Well I think I get it

    I think I get it for the most part. And I'm just going to continue using FireFox.

    Thanks a lot.

    *activates lurker mode*
