$0.02 Regarding Firefox Security
Page 1 of 3 123 LastLast
Results 1 to 10 of 26

Thread: $0.02 Regarding Firefox Security

  1. #1
    Member
    Join Date
    Jan 2005
    Posts
    73

    $0.02 Regarding Firefox Security

    For those who haven't heard, Symantec recently decided to fire a shot over Mozilla's bow regarding the security of their Firefox browser.

    Read the ZDNews Story

    After looking over Symantec's position, I've started to wonder if they're in Bill Gates' pocket.

    Yes, Firefox has flaws. Show me a piece of software that doesn't! Have they had a fair number in the last 6 months? Absolutely! Is Symantec's analysis flawed? Very possibly.

    I would be interested in comparing the first year of IE 6 vs the first year of Firefox 1.0. I suspect that there would be far more necessary patches, and far more of those would be critical, with IE. As well, I think it would be fair to compare the average amount of time for each browser's developer to release a patch once the vulnerability has been identified. However, Symantec didn't find/gather these stats, making their results questionable.

    I guess some people figured that Firefox was a magic bullet for security. They're finding out now that there is no such thing as a truly SAFE browser, only ones that are less insecure. I still believe Firefox to be a safER and superior browser than IE.

    Read Mozilla's Comeback on ZDNews
    \"The future stretches out before us, uncharted. Find the open road and look back with a sense of wonder. How pregnant this moment in time. How mysterious the path ahead. Now, step forward.\"
    Phillip Toshio Sudo, Zen Computer
    Have faith, but lock your door.

  2. #2
    Banned
    Join Date
    Nov 2003
    Posts
    1,161
    Current security efforts suffer from the flawed assumption that adequate security can be provided in applications with the existing security mechanisms of mainstream operating systems.

    http://www.nsa.gov/selinux/papers/inevit-abs.cfm

    Until the masses understand that security must be accomplished at the OS level you'll see this pattern in pop security (people being sheep).....if you want more security buy an OS that offers more assurance.

    XP on a limited account is the shiznyte. Too bad the masses, including the majority on this site pretermit the Run-As feature and will NEVER understand the depths of XP security that was provided before the first faggy service pack was released.

  3. #3
    Member
    Join Date
    Jan 2005
    Posts
    73
    I agree that the O/S is the place to implement the strongest security, but even a well locked-down Windows XP or Linux box is bound to be vulnerable to SOMETHING. It is the nature of humankind's creations to have flaws, and some of humankind to exploit those flaws.
    \"The future stretches out before us, uncharted. Find the open road and look back with a sense of wonder. How pregnant this moment in time. How mysterious the path ahead. Now, step forward.\"
    Phillip Toshio Sudo, Zen Computer
    Have faith, but lock your door.

  4. #4
    Banned
    Join Date
    Nov 2003
    Posts
    1,161
    I'm sorry, that statement needs elucidation.

  5. #5
    Member
    Join Date
    Jan 2005
    Posts
    73
    I was stating that I agree with you that the O/S is where strong security should be implemented, but that relying on ANY software (and an O/S is ultimately software) is a mistake because even a well-secured O/S has flaws in its code and thus could be vulnerable to attack.
    \"The future stretches out before us, uncharted. Find the open road and look back with a sense of wonder. How pregnant this moment in time. How mysterious the path ahead. Now, step forward.\"
    Phillip Toshio Sudo, Zen Computer
    Have faith, but lock your door.

  6. #6
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    So we should go back to banging rocks together, eh?

    This is an oft rehashed topic in many guises. We participate in a technical culture of 'Permit All'. That is forever going to be the root problem, until such a time as we switch to 'Deny All' as our default behavior. It won't happen, I believe. Microsoft and Apple are always talking about the new features, how fast and easy something is to use, and why it is so much better than all the previous versions.

    The point is a 'Deny All' system is not really all that functional, in the way we identify 'functionality'...what, you mean I can't read my email, surf the net, and write code on the same system?!?

    Let's add something meaningful to this old rhetoric or let it rest in peace.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  7. #7
    Member
    Join Date
    Jan 2005
    Posts
    73
    So we should go back to banging rocks together, eh?
    Nope, I'd be screwed without my various and sundry electric gizmos. I just don't think we should assume/rely on ANY technology to keep us completely safe - every time we make a better mousetrap, nature builds a better mouse.

    Unfortunately, since I have no way to improve the root of the problem (i.e. people out to harm other people), there's not much more I can contribute.
    \"The future stretches out before us, uncharted. Find the open road and look back with a sense of wonder. How pregnant this moment in time. How mysterious the path ahead. Now, step forward.\"
    Phillip Toshio Sudo, Zen Computer
    Have faith, but lock your door.

  8. #8
    Banned
    Join Date
    Nov 2003
    Posts
    1,161
    I just noticed something hilarious.....zencoder you claim to have a CISSP but you have a get firefox sig. lol

    Did you come away with any knowledge about application level security and its value?


    That's the second person with a CISSP to openly do this.

  9. #9
    Senior Member
    Join Date
    Jun 2003
    Posts
    188
    I agree with !mitationRust OS level security must come first, how many windows applications
    suggest not to run as *administrator*, this is normal with other OS like Linux and OpenBSD.

    Bieng vulnerable to SOMETHING does not neccessary employ to be vulnerable to
    everything. I haven't heard or seen a single case of linux or a bsd box being compromised
    by a web browser, and it is common with microsoft's IE ( Insecure Explorer).

  10. #10
    Banned
    Join Date
    Nov 2003
    Posts
    1,161
    Seriously what is smarter? :
    a) Configuring to your very important TFM (if your system has one)?

    b) Or masking poor configuration with applications and blaming the OS when something goes wrong?

    As long as you understand what real security is and what pop security is you have a head start in my book....... I mean you could seriously market another application and call it a lightning wall and the masses would flock to it. Why? Because people feel safe knowing "this is what everybody’s doing now to keep safe".

    IE ships in a loose state just like a SOHO router...... and is extremely configurable...... which translates into: over your head to most.

    The manual is pretty clear:
    Originally posted here by Microsoft TFM
    Use separate accounts for administrative activity and general user activity. Individuals who do administrative work on the computer should each have two user accounts on the system: one for administrative tasks, and one for general activity.
    Table 4.1 C2 Configuration Checklist
    God did he just say checklist?

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •