Pwn2Own 2016 Won't Attack Firefox (Because It's Too Easy) (eweek.com)
darthcamaro writes: For the last decade, the Pwn2Own hacking competition has pitted the world's best hackers against web browsers to try and find zero-day vulnerabilities in a live event. The contest, which is sponsored by HPE and TrendMicro this year, is offering over half a million dollars in prize money, but for the first time, not a penny of that will be directed to Mozilla Firefox. While Microsoft Edge, Google Chrome and Apple Safari are targets, Firefox isn't because it's apparently too easy and not keeping up with modern security: "'We wanted to focus on the browsers that have made serious security improvements in the last year,' Brian Gorenc, manager of Vulnerability Research at HPE said."
This is a big bitchslap to Mozilla (Score:5, Interesting)
As an avid Firefox user, I have to agree. Firefox is good because it's customizable, but it certainly lacks some inherent security features found in other major browsers. Many of the security risks can probably be averted by configuring the browser for added privacy and disabling certain features, but this is no excuse for lagging behind.
Maybe Mozilla will someday focus on its core competencies again and stop fooling around with nonsense like Firefox OS...
Re: (Score:2)
No being default on spyware? ;)
Re: (Score:2)
A very basic example:
Built into Firefox is "Scratchpad" (an on the fly JS editor). The Scratchpad window is an implementation of CodeMirror. The code itself is utilized across many of the Firefox Dev Tools. Within the Firefox Dev Tools is a "Style Editor". Everything you need to access|change a site's CSS and custom User Css is implemented by Firefox except none of it is exposed, and there is no management gui to do so.
So we need to use Stylish or the mostly-broken-for-the-last-year "User Style Manager". Neither of these addons implement CodeMirror|scratchpad. USM's editor is the thing that breaks constantly and poorly implements some of the features of a Scratchpad window. Neither of these addons allow you to use a cust
Re:This is a big bitchslap to Mozilla (Score:4, Informative)
Google Chrome does not run every tab in a separate process. It's a little more complicated than that. AFAICT from messing around, it creates a process per visited domain.
Re: (Score:3)
Yeah, Chrome gets a bad rap for how many resources it uses, but it actually has a good reason and, as you pointed out, if it starts hitting your system's ceiling, it starts scaling back. Personally, I'm torn between Chrome and Firefox, as there are things I like on each, except on mobile, where Firefox wins due to plugins.
Re: (Score:2)
I'm not aware of any browser that can withstand a determined and resourceful hacker. Browsers are huge beasts that are 80% attack surface. So I'll continue to fault Chrome for its memory use and other bad habits, and keep using Firefox.
I'll go further and point out that Pwn2Own folks obviously like using VMs to provide security when browsing, since they are putting VMware in the mix. And that hypervisor was originally designed for administrative convenience and full utilization of hardware, not security (no
Re:This is a big bitchslap to Mozilla (Score:4, Interesting)
OTOH, Xen has long touted its security focus and has a really tiny attack surface so I'm happy to be using that in Qubes OS as well.
Excuse me? Xen had more than 100 security alerts in 2015, some extremely severe. [xen.org]
And Xen is based on qemu, which has been proved to be fairly insecure in its own right.
Using Qubes OS, which is based on Xen, which is based on qemu is... How to put it mildly? Maybe not the best idea if you are security conscious.
In the words of Theo De Raadt: "You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes."
I agree with him. It's turtles all the way down.
Re: (Score:2)
A virtualization system is an OS with a strange ABI and an ill-defined API.
Re:This is a big bitchslap to Mozilla (Score:4, Insightful)
Yeah, Chrome gets a bad rap for how many resources it uses, but it actually has a good reason and, as you pointed out, if it starts hitting your system's ceiling, it starts scaling back.
That's not acceptable. A web browser isn't the only, or even main thing I use my computer for. I don't want my VM to be unable to start because Chrome has used all the memory it could find, less a small bit.
It's not cooperative. It assumes that all memory available has been made available for it only.
Chrome is like a self-serve cafeteria where some people are gluttons who hog all the food, and latecomers only get crumbs. It might be legal, but it sure isn't playing nice. We shouldn't have to have guards standing at the food stations to prevent greedy bastards from ruining the experience for others. Taking all the biscuits and putting one or two back isn't generosity.
Firefox isn't much better. One of my users forgot to close a browser window on a server before going on vacation, and just periodic auto-refresh had caused it to gobble up quite a few gigabytes of RAM - a large portion of the server's RAM. The server has extra RAM because of disk caching, to the benefit of all users. I ended up having to implement cgroup memory limiting because of Firefox.
Re: (Score:2)
This is a server on which developers develop web apps. Having access to multiple browsers on the server itself is useful. Not all servers are DMZ servers where reduction of attack surface is the key point. Many are "crash and burn" servers where people can do their job without worrying about causing damage.
Re:This is a big bitchslap to Mozilla (Score:5, Interesting)
"The only advantage Firefox gives is that one can run NoScript to block all scripting completely."
However, that's a pretty significant advantage.
I would love to see how firefox compares with that one addon in place since that's how I run.
Possibly a 'hardened browsers' version of the competition?
Re: (Score:3)
Using NoScript is pretty easy if you don't try to micro-manage it. Allow (whitelist) your most trusted and frequently visited sites just once. "Temporarily allow all on this page" for trusted sites you don't frequently visit. Don't allow anything you don't completely trust to run JS.
This is why I haven't switched to Chrome.
Re: (Score:2)
Yeah, I use NoScript but I am very attuned to going through every new page I visit and temporarily allowing 1 thing at a time (and sometimes having to resubmit forms over and over) until the page works well enough to use. I don't mind doing this at all.
I know that most people will never do this.
I have tried installing NoScript for some people who liked the idea of being more secure in this way. Then later was horrified that any time they ran into any problem they just permanently allowed all on the page or
Re: (Score:2)
...and Safari. Unfortunately, there are many other plug-ins/extensions which are only available for Firefox.
Re: (Score:3)
uMatrix exists on Chrome and is arguably superior
No, it is inarguably not the same thing. uMatrix does nothing for first-party scripts. (I use both in Firefox!)
Re: (Score:2)
So you never, ever turn on JavaScript? Or every time you turn it on you read through every line of it to make sure it hasn't changed and isn't doing anything bad?
Sites load lots of resources from other domains, and script blocking is domain based. Right now Slashdot would like me to load scripts from 10 domains. The site is perfectly functional with just two of them whitelisted.
You can't possibly trust every website you run JavaScript on.
The point is that slashdot.org and wellsfargo.com are a lot more trustworthy than a million random ad networks and tracking services. No, they're not "trusted," but it's great that I can view, say, a random blog with just the blog framework's JS and not twenty other weird third-party scripts.
Re: (Score:2)
"The only advantage Firefox gives is that one can run NoScript to block all scripting completely."
One other -- the only reason I use it -- it still has a fully functional separate persistent search box instead of that stupid omnibar.
Re: (Score:2)
I am glad I am not the only one who likes this feature.
Sometimes, when I see a mass transition to a way of doing things across different vendors, I get the impression that some kind of new revelation struck everyone at once. Like "OMG this is so much better and we should have been doing it this way from the beginning! Don't you think? Well? DON'T YOU?!"
I sometimes wonder if I somehow got thrown out of the human continuum and am witnessing the collective dream state / mass delusion from afar.
Re: (Score:2)
ScriptBlock on Chrome does the same thing, or am I missing something vital?
Re: (Score:2, Informative)
ScriptBlock on Chrome does the same thing, or am I missing something vital?
NoScript does quite a bit more than just basic script blocking.
Re: (Score:2)
This will kill NoScript functionality and the functionality of many other extensions as well.
This is just false, maybe it's an honest mistake but the FUD spreading has to stop. The developer of NoScript [hackademix.net] is categorical on the topic.
Wait a minute (Score:3, Interesting)
Read that again.
Notice serious "security improvements".
So, am I to take it that Firefox was sitting on their asses and just adding bells and whistles?
Or was their security so good before that there wasn't much improvement necessary now?
Re:Wait a minute (Score:5, Informative)
This basically means that you just need one arbitrary code execution vulnerability in Firefox and it's game over. In contrast, if you have the same in Chrome, Edge, or Safari, then it's just the first step - you now have an environment where you can run arbitrary exploit code, but you can't make (most) system calls and you have to find another exploit to escape from the sandbox. Typical Chrome compromises are the result of chaining half a dozen vulnerabilities together.
Re: (Score:2)
All modern browsers except Firefox have decomposed their browser into multiple processes,
Mozilla is doing one better than that. Servo is being written to be provably memory correct and thread safe. Ultimately that's the better solution. Of course, firefox doesn't use servo yet.
Re: (Score:2, Interesting)
Firefox used to be multiprocess, in the sense that if you started a new instance a new process would start. But they then heard about threading and decided it must be the solution to everything, so now when you kick off a new Firefox instance (on Linux anyway) when one is already running, it checks for some shared memory, and if it's there hands over to the current Firefox process, which kicks off a new thread; then the process you started dies. A very complex, inefficient and security poor method of doing thing
Re: (Score:3)
It's not quite how you describe it. Yes, when you start Firefox it checks first whether the current profile is currently opened. That's not done because of "parallel" (or "threading", which doesn't have anything to do with this), but to the contrary, it is meant so that only one instance of Firefox has write access to the profile.
If you want to start multiple firefox processes, you'll need multiple profiles. When you start the separate firefox process you must then specify the --no-remote -P command line ar
Re: (Score:2)
Firefox is losing in both the mobile and desktop markets, so they are concentrating on ways to keep and expand their user base or else be irrelevant. Chrome on the other hand has been on the rise for some time and is the leader in both markets, therefore it's a likely target.
Re: (Score:2)
Chrome on the other hand has been on the rise for some time and is the leader in both markets therefore it's a likely target.
Yeah, wonder why that is? Google was more aggressive about pushing Chrome than MS ever was about pushing Windows 10.
Now that everyone has taken the bait and installed Chrome and see that it works well with their investment in Google services... of course they are going to justify its use.
Re:Wait a minute (Score:5, Interesting)
Or maybe this is the contest organizers trolling? Because I know for a fact Firefox made serious security improvements in the last year; I reviewed some of those patches.
Mozilla Foundation's press release in response: (Score:5, Funny)
"Yeah, Pwn2own, well.... your MOM is too easy!"
Can't expect Firefox to be secure (Score:5, Insightful)
The FF developers don't have the time for that, they're far too busy destroying the user experience just a little bit more with each release.
It takes a lot of time and effort and great skill to ruin what used to be the best browser you know; it doesn't happen by itself!
(I just wish I were joking. Unfortunately they have the Microsoft disease of "The UI must change with each release to show that we're doing something". It's mind-boggling in its insanity, and it annoys their supporters continually. If they hadn't touched the UI in the last 5 years and devoted all their energy to security and performance instead, FF would still be the leading browser today.)
Re: (Score:3, Insightful)
Removing cookie management features was the last straw for me. That is an essential feature for browsing the modern web. It's simply bewildering they would remove a critical ability while simultaneously adding weird social media things.
Re: (Score:2)
I really don't get this. Did you seriously click through the cookies on every web site, picking which ones should be allowed and which shouldn't?
If anything, the Firefox developers should have included Self Destructing Cookies in the main distribution, but it works well as an addon. Deleting the silly "click to accept cookie" thing made a lot of sense though.
Re: (Score:2)
Yes? As long as they're first party cookies and die after the session, I don't see the problem.
I obviously don't let third parties set cookies, but that's because I don't let content get loaded from third parties at all.
Re: (Score:3)
Heh, the UI is one thing, but there's also the bit where they went:
Ok, so let's take a bunch of features that by any right should be an external plugin a few people would use and integrate them into the browser.
Then let's take a bunch of basic features out so people have to replicate them in plugin form.
Oh, and then obviously, let's deprecate our plugin API and replace it with Chrome's, so that after the UI changes the only thing differentiating us from Chrome will be how much our browser crashes and leaks
Re: (Score:2)
Maybe give this a rest.
They could change the rules though (Score:2)
We wanted to focus on the browsers that have made serious security improvements in the last year
Rather than giving Mozilla some bad press they could have stated in the rules that exploit A, B and C have already been done last year and don't count for the 2016 edition of the contest. Even if they haven't changed whatever these guys think is "serious" since last year that doesn't mean the whole thing is bad.
Then what's the point? (Score:3)
I thought Pwn2Own was supposed to be all about shaming vendors into cleaning up their act. If Firefox's security is really so poor, then shouldn't these guys be directing more resources toward it, rather than less?
Is this not a large part of how Microsoft was pressured into finally making certain decisions which, while clearly necessary, were very inconvenient from its own perspective? Why are we to believe that it would not work again?
Re: (Score:2)
And also, I noticed that TrendMicro [extremetech.com] is a sponsor... is that their method of making sure that their product is never a focus of the hacker attention?
Re: (Score:2)
Throwing good money after bad. Firefox was the most "shamed" browser last year, and if this guy is correct they have done nothing about it for the last 12 months.
Re: (Score:2)
I thought Pwn2Own was supposed to be all about shaming vendors into cleaning up their act. If Firefox's security is really so poor, then shouldn't these guys be directing more resources toward it, rather than less?
Is this not a large part of how Microsoft was pressured into finally making certain decisions which, while clearly necessary, were very inconvenient from its own perspective? Why are we to believe that it would not work again?
Why would they do that? Firefox is losing market share and has spent a lot of effort in the past year degrading the user experience. It seems they did not make security a priority whatsoever, despite being in last place last year. Why would Pwn2Own offer prize money for Firefox exploits? That only serves to send a message that companies can slash the security budget of their browser and someone else will pick up the tab in identifying exploits.
Re: (Score:2)
Again, though, that misses the point. You offer a prize to hack an insecure browser as a means of shaming the browser's developer. That's how it worked, and more to the point, that's why it worked. Have the Pwn2Own folks perhaps lost sight of that original purpose?
Re: Then what's the point? (Score:5, Informative)
Again, though, that misses the point. You offer a prize to hack an insecure browser as a means of shaming the browser's developer. That's how it worked, and more to the point, that's why it worked. Have the Pwn2Own folks perhaps lost sight of that original purpose?
Obviously Firefox wasn't shamed last year, or they would have tried to improve security. Instead, they made a bunch of useless UI changes, removed features, etc. They didn't get the message. Spending large amounts of money to send them the same message again would be a wasted effort. By ignoring them this year, Pwn2Own is sending an even stronger message that Firefox is a browser to be avoided. And it doesn't cost them any prize money to send that message.
Re: (Score:2)
Obviously Firefox wasn't shamed last year, or they would have tried to improve security.
It is a bit premature to say this. Mozilla has been working on some major security enhancements, it is just not done yet.
Rust is a language with heavy emphasis on security, among other things it guarantees memory safety, and threads without data races, which are 2 of the most common sources of security vulnerabilities in every software. Mozilla is building a new rendering engine called servo [servo.org] in Rust, with an explicit goal of enhancing security.
Re: (Score:2)
Yes, I do agree, most of the CVEs are based on C/C++'s insufficient protections. They are simply languages not designed for security. Using non-unsafe Rust will let the CVE world dry up, at least most of the parts, or push to the hardware boundary (exploiting stuff in the driver etc). But still I think that non-unsafe Rust does have an existing runtime overhead, like being forced to initialize all arrays even if you later on fill them with a loop, or the constant array bound checks. Perhaps it's a good idea to deman
Re: (Score:2)
They are trying to fix the security issues, but the users are revolting. The add-on system, for example, is very insecure. They want to adopt the Chrome model, but that would break a lot of stuff and users just want to carry on using their ancient add-ons that are no longer maintained. That also prevents many performance improvements going ahead, like per-tab processes.
Mozilla are properly fucked now. They pissed everyone off with stupid UI changes, and now can't get support for real improvements.
Re: (Score:2)
Pwn2Own has become a self-congratulatory..
They're being congratulated by corporate sponsors giving them substantial prizes, not by themselves.
... bunch of fucktards
Sure, call the most renowned hackers and security experts on the planet "a bunch of fucktards". I'm sure you know better.
It Doesn't Say That (Score:2)
I'd like to hear Mozilla's response (Score:2)
And Mozilla gives not a shit... (Score:2)
Because they're in the process of becoming yet another Chrome also-ran and basically they're too busy tonguing the Google sphincter to bother stopping the freefall of their flagship product and business.
Let's look at the stats (Score:5, Interesting)
I see a lot of comments about Firefox's security but no references so far. So, let's look at cvedetails code execution counts:
2016:
Edge: 6
Chrome: 0
Safari: 0
Firefox: 3
2015:
Edge: 19 (Nov 12 - Dec 31, a projected rate of 142 per year)
Chrome: 8
Safari: 101
Firefox: 83
2014:
Chrome: 4
Safari: 65
Firefox: 55
So while Firefox is getting a lot of hate here today, I think the unbiased view is that Firefox is clearly more secure than any browser other than Chrome, which has by far the best record. I struggle to imagine an objective reason to exclude Firefox from any evaluation while including Safari. Edge hasn't been out very long, but based on the very small amount of data we have so far, it looks significantly worse than Firefox.
https://www.cvedetails.com/pro... [cvedetails.com]
http://www.cvedetails.com/prod... [cvedetails.com]
http://www.cvedetails.com/prod... [cvedetails.com]
https://www.cvedetails.com/pro... [cvedetails.com]
So what is a Linux user (Score:2)
who wants to run NoScript to use?
Given that Chrome won't run it.
Re:what? (Score:4, Insightful)
correct that to "open source sell out", for that is what firefox is
Re:what? (Score:4, Insightful)
A true open source project is driven by the community, not by the maintainer alone
Wait, you just make up definitions on the fly, post as AC, and get modded up for it? A true open source project is a project whose code is freely available. That's all.
As for community contribution, firefox looks reasonably healthy to me: https://github.com/mozilla/kit... [github.com]
Compare that to Pale Moon, which you praise: https://github.com/MoonchildPr... [github.com] ...
Pale Moon has fewer contributors and a much higher volume of commits coming from a single dev. Not that this is bad -- they're both true open source projects, and different projects have different numbers of contributors.
Maybe instead of whinging, you could learn to code and contribute too?
Re:what? (Score:5, Insightful)
To add to my above: those who are in charge of Firefox are no longer interested in making its core product better and secure. It is interested in market and marketing, bowing to establishment ideology and legalese, etc etc.
Thank-you to Slashdot for posting this! (Score:4, Interesting)
I want to thank the Slashdot editors for putting stories with realistic analyses of Mozilla and Firefox on the front page of Slashdot, and allowing some real discussion of these issues to take place.
This just isn't possible at other discussion forums. Take Hacker News, for example. Many people directly involved with Mozilla and Rust spend their time there. That, combined with Hacker News' broken and easily-abused mod system, means that any frank discussion about Mozilla, Firefox or Rust tends to get suppressed. If you dare to question anything Mozilla has done, or if you dare to point out something that may be construed as negative, you will find yourself mercilessly downvoted. My suspicion is that the downvoting is being done by the very people working on these projects, since there are so many of them on that site and their comments show they don't tolerate anything even just resembling dissent.
Reddit isn't much better. There are a lot of rabid Mozilla and Firefox fanatics there who will actively suppress any comment that doesn't fully support and worship Mozilla or Firefox.
It's a real shame that we can't openly discuss the various problems affecting Mozilla and Firefox at places like Hacker News and Reddit. Maybe if they pulled their fingers out of their ears, so to speak, and stopped downmodding truthful comments the people behind Firefox would begin to see why their product's market share has slid down to only about 7% [caniuse.com], with nearly no (0.04%!) mobile presence. When people say negative things about Firefox, it's because the problems are real, they exist, and they need to be dealt with properly! Silencing such observations doesn't help; it just makes matters worse. It drives more people away from Firefox and Gecko, and typically over to Chrome, which just makes the Blink monoculture stronger and stronger. A Chrome/Blink monoculture is the last thing the web needs!
Re: (Score:2, Informative)
To add to my above: those who are in charge of Firefox are no longer interested in making its core product better and secure. It is interested in market and marketing, bowing to establishment ideology and legalese, etc etc.
And making sure that it's not run by some guy who holds the same beliefs on gay marriage as Hillary and Obama did a couple of years ago.
Re:what? (Score:5, Interesting)
Sorry, but I'll still take Firefox over Chrome, IE, or Opera any day. Here is the dialogue I always have on some message board whenever I try to go over to Chrome:
Me: Where is the menu bar?
Them: You don't need a menu bar, the menu button will do everything instead.
Me: Will it let me open a file?
Them: Uhm....well...no.
Me: Can I at least add a stop button and zoom controls to the toolbar?
Them: Sorry, Chrome doesn't allow any customization. You're supposed to do it the way Google tells you to.
Me: Okay. Where are the options to automatically clear my history at close, erase all cookies at close, not remember search form histories, etc.?
Them: Why would you need that?
Me: For privacy.
Them: What's "privacy"?
Me: It's something Google has never, and will never, respect.
Re: (Score:3)
Ctrl+O
Re:what? (Score:5, Interesting)
Why would the distribution license affect quality and security of the software?
Re: (Score:2)
Praytell, when is the last time Apple admitted a security flaw? January 2016 http://lists.apple.com/archive... [apple.com]
Windows is plagued by bad design decisions. Such as? Taking for granted that Windows' foundation was based on running on a 16-bit PC.
Open source flaws usually tend to be dealt with fairly rapidly once discovered. However what is the fallout for a quick patch update?
I think you're going a little overboard calling people zealots there Chuck. Zealots are not just fans of open source, but ignore the problem
Re: (Score:2)
Praytell, when is the last time Apple admitted a security flaw? Windows is plagued by bad design decisions. Open source flaws usually tend to be dealt with fairly rapidly once discovered. I think you're going a little overboard calling people zealots there Chuck.
Can't say about Windows; but Apple does it regularly, and publicly, after an internal investigation and fix [apple.com] (which is the prudent thing to do, to protect users).
Re:what? (Score:5, Interesting)
They didn't say Firefox isn't secure, they said it hasn't made many recent security improvements; that's not the same thing. Firefox already had superior security, so it has not had to make many improvements in the last year compared to less secure browsers.
Re:what? (Score:5, Interesting)
+5 funny. Firefox drops every year at Pwn2Own. So that "superior security" doesn't seem to actually amount to much in real life.
Re:what? (Score:5, Insightful)
+5 funny. Firefox drops every year at Pwn2Own. So that "superior security" doesn't seem to actually amount to much in real life.
All the browsers fail every single year.
Re: (Score:2)
All the browsers fail every single year.
Yes but out of Firefox, Edge, Chrome, and Safari, Firefox fails more often every single year. Actually it's typically up with IE, and we all know that IE is a model browser for internet security. /sarcasm
Re:what? (Score:4, Insightful)
All the browsers fail every single year.
Yes but out of Firefox, Edge, Chrome, and Safari, Firefox fails more often every single year. Actually it's typically up with IE, and we all know that IE is a model browser for internet security. /sarcasm
Safari is the browser that fails the fastest and most regularly. Google Chrome is second.
It is assumed because it is pwn2own, and people attack Safari first to win a MacBook.
Re: (Score:2)
So then the claims that Firefox isn't being included anymore because of its "superior security" are just a huge joke. Which was, you know, the whole point of me laughing at the person.
Re: (Score:3)
They didn't say Firefox isn't secure
Nope, they just said they haven't made any meaningful improvements. I guess you assume Firefox has perfect security. "Firefox already had superior security" ahh yes, you do. And superior by what metric? FF has had about 3x more critical vulnerabilities than Chrome and about 10% more overall. Not a huge difference, but it definitely puts them at "worse" not "superior".
Re: (Score:3)
think they know something other people don't.
I switched back to Firefox because vertical tabs, dynamic loading/unloading of tabs from memory, and NoScript. I don't just think that Firefox has these nice features...it really does have them (yes, add-on features count as browser features).
It would be cool to see how Firefox with NoScript does in pwn2own.
Re:what? (Score:5, Insightful)
Something being open source has never, ever meant that it is more secure. That is a myth propagated by open source zealots. Open source only means that the source can be viewed, and most likely changed, by anyone. Open source zealots assume that means it is rigorously vetted by security experts to find any flaws and fix them, which is a huge assumption that most likely is not true for most projects.
Re: (Score:2)
Something being open source has never, ever meant that it is more secure. That is a myth propagated by open source zealots. Open source only means that the source can be viewed, and most likely changed, by anyone. Open source zealots assume that means it is rigorously vetted by security experts to find any flaws and fix them, which is a huge assumption that most likely is not true for most projects.
While I agree it is a myth, I don't think it's the zealots that really pushed it, but those that didn't really understand their message that open source has the *potential* to be more secure *because* of the many eyeballs effect. That doesn't mean it *will* be, just that it has the *potential* to be.
Open Source Zealots typically won't talk about security, they'll talk about bug fixes and may be equate that to security since more bugs fixed typically will mean less potential for exploits, which is true un
Re: (Score:2)
You're forgetting the 3rd option:
Horribly insecure code that's too complex (or obfuscated or just plain badly written and possibly poorly commented) for most people to bother looking at, much less fixing & for those that DO bother, they submit a fix/patch which goes ignored or rejected by the maintainer. This, of course, followed by no one bothering to fork the project b/c no one has time for that. This is where most open-source users whine and complain about features, design flaws, and bugs while dev
Re: (Score:2)
You're forgetting the 3rd option:
Horribly insecure code that's too complex (or obfuscated or just plain badly written and possibly poorly commented) for most people to bother looking at, much less fixing & for those that DO bother, they submit a fix/patch which goes ignored or rejected by the maintainer. This, of course, followed by no one bothering to fork the project b/c no one has time for that. This is where most open-source users whine and complain about features, design flaws, and bugs while devs and fanboys tell them "If you don't like it, fork it and do it YOUR way." as if that were a trivial thing just anyone can do in their spare time... b/c we all have such amazing coding skills and free time to take on such an enormous effort by ourselves.
That's the same regardless of whether it's open source or not. So, no - I'm not forgetting. Been there, done that.
Re: (Score:2)
and most likely changed, by anyone
Great story, but then where are my commit privileges for Firefox or the Linux kernel?
Re:Hey hey hey... (Score:4, Interesting)
Except for the fact that last year it was the most insecure! http://www.extremetech.com/com... [extremetech.com] So, least secure last year, plus the statement "We wanted to focus on the browsers that have made serious security improvements in the last year" clearly indicates they think it is not worth the effort due to the insecure nature of the browser.
Ah, I was looking for something like this when writing my comment. It's rather hard to find an up-to-date review of web browser vulnerabilities, which is curiously strange. Even so though, these results are from the beginning of 2014, which was almost two years ago. I'll grant you Firefox doesn't have the same track record, but my point still stands: I think they're mainly doing it because they don't have infinite money and the same web browser again isn't very sexy.
However, if I may bring up a point here: Firefox isn't super outstanding secure out of the box, but it has great support for extensions, and a few of the right ones can vastly improve its security. I don't know if Chrome can do the same (genuinely not sure, the last time I used it at all was ~2012). Also, because these all seem to depend on certain platforms, I wonder if/how many of these browser insecurities target the underlying OS as opposed to the browser itself?
Re: (Score:2)
Well, on linux the focus is more on breaking into stuff like servers or network appliances or so. There it can already be considered a security issue if you can get a dump of the user database. But on windows, still the major desktop OS, the main target is the classical "rogue code execution" stuff. Both are serious in their context, just desktop linux hasn't got any attention.
Re: (Score:2)
Well, that is the nail in the coffin for me. I've been using Firefox for the past ~4 years due to convenience and, frankly, have been too lazy to switch. Time to switch to Chrome.
Very intelligent move. So you are about to turn to the browser made by a gargantuan surveillance corporation. I can't think of anything smarter than that [rollseyes]
Like Mozilla's survival hasn't been dependent on making money by setting the default search on first installation, first to google, and now yahoo? How many people change defaults?
Re: (Score:2)
Actually that article is from 2014... not exactly last year! :)
In the last year, Firefox did improve the internal design and is now partially multi-threaded, but being a monolith for all these years can't be solved that fast without breaking things. Only a complete redesign would help doing this faster... but maintaining the current engine and design while building a new one is still a huge task and takes years, not something Mozilla can do; they don't have the MS, Google and Apple money and size.
servo is THE mozil
Re: (Score:2)
Keep Reading!
Re: (Score:2)
You flatter the camp commandant.