March 31st, 2005, 10:22 PM
why is firefox more secure?
Could anyone give a concise answer on why is firefox more secure than IE? Or maybe point me to some good articles.
March 31st, 2005, 10:26 PM
Right now, firefox and other browsers are "more secure" because of their lack of being tied so closely to the OS as well as requiring more interaction with the user (in regards to downloads and spyware activity). Additionally, there are few spyware/malware in existence that take advantage of firefox.
This might change since it has become more popular. It is still subject to various phishing exercises and flaws in URLs. You can find info on the various firefox/mozilla flaws here. IMO, it still comes down to how the user uses the product and how aware they are of issues that exist out there in the wilds of the Internet.
Howstuffworks: Firefox Security might also give you some simple insights.
March 31st, 2005, 11:06 PM
Security comes with lack of knowledge. The less people know about something the less people are going to try to exploit it. No point in working hard on something if no one is using it. But like MsMittens was saying, anything can be secure if you know what needs to be secured.
*Learn to code and make all your own software : )
March 31st, 2005, 11:10 PM
Normally all applications are of equal security, due to the simple fact that applications cannot contain or isolate themselves. This is entirely up to the OS.
Think about it, if application X has 100 known exploits, but is completely isolated by the OS and application Y has 1 known exploit but is not isolated at all... which application is more secure?
All of that being said, in a network environment IE is "more secure" because it can be configured via the group policy. This allows the admin to enforce a higher level of control, resulting in greater consistency.
Additionally, because IE is bound to the OS, installing an additional browser merely adds to the system, and I'm sure by now we all know that the key to high assurance/security is simplicity.
March 31st, 2005, 11:13 PM
How about when working with secure connections / protocols (SSL, IPSEC)? I reckon that since those are standards the level of security or encryption will be the same on both browsers.
March 31st, 2005, 11:19 PM
Everyone has said it or thought about it, firefox is everything IE was a year ago.
March 31st, 2005, 11:27 PM
Not necessarily. Even on things such as ssl there can be implementation flaws that come with the browser itself. It's usually something that works with ssl that breaks such as the following examples:
There was a flaw in Netscape a few years ago, I believe, with the random number generator used for the crypto as well.
Sometimes the flaws are shared; most of the time there is an implementation problem in one or the other.
April 1st, 2005, 12:20 AM
The report shows the Firefox browser was only exposed to a publicly known vulnerability without a patch for 65 days in 2004; IE, on the other hand, was safe for only seven days last year.
Mozilla Community Cashing in on Bug Bounties
April 1st, 2005, 12:48 AM
April 1st, 2005, 01:18 AM
It would seem that many of you don't read... perhaps we can give this another shot:
"Current security efforts suffer from the flawed assumption that adequate security can be provided in applications with the existing security mechanisms of mainstream operating systems."
- The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments ( http://www.nsa.gov/selinux/papers/inevit-abs.cfm )
You see what that says? Adequate security cannot be provided by applications... it must be accomplished at the OS level. What does this mean? Application security DOES NOT MATTER! Unless your application is PERFECT sooner or later it will be exploited, and all applications get exploited in the same way. A BOF in Firefox is the same as one in LYNX and the same as one in MSIE.
Counting exploits is not a viable measure of security. If an exploit is made public on Jan 1, 2005... that software was vulnerable since its inception, aka 100% of the year not 300 days, not even 358 days. Even though the exploit isn't widely known, it still existed.
So again, I'll say it... the NCSC says it, the NSA says it, the good people at ISO say it, the CISSP exam says it.
APPLICATION LEVEL SECURITY IS MEANINGLESS.
edited for formatting