Guys, take a look at this thing. This article defines browser security as the number of vulnerabilities as reported by Secunia in 2006. Operationalising browser security this way, IE is more secure than Firefox.
What is so difficult about that? You can disagree with the way this article operationalises browser security (in fact, operationalisation is a common attack vector when criticising scientific articles), but you can NOT say the guy has his facts wrong. Because they are CORRECT.
Like I said, I won't start using IE. But this article uses FACTS to come to its conclusion. Whether you like it or not.
I don't think anyone has said he lied. The issue is that he talks about 1 fact and says it supports Firefox, then talks about another and says it means IE is more secure. The truth is that both facts are mostly worthless, and the blog makes no attempt to explain why we should care about these stats. The really galling problem is that his conclusion contradicts some really advanced and high quality analyses and is based on pretty much nothing. The only thing at all that is going for this is its title: "Internet Explorer 6.x More Secure than Firefox 1.x in 2006," which is clearly a controversial stance designed to draw attention.
To be clear, his stats are right, they are just useless. If I wrote an article that said there were 50 states in the US and each of them has 2 senators, and then concluded that each state must be the same size. That is clearly wrong, but would you have linked to that?
Edited 2006-09-09 18:49
Let us not denigrate "scientific articles" by including this blog post in them. If this article was submitted for scientific peer-review, it would be rejected for cherry picking data. While I agree with you that the "facts that are used" are correct. And it is silly for people to say "that is not my experience". Also, it is silly to say that "millions of people's experience with Firefox cannot be wrong". For hundreds of millions of people, IE is the Internet, and we all know that they are wrong. So let us not confuse anecdote and popularity with science either.
However, there is no excuse for incomplete use of available data - especially only using metrics that support your own hypothesis while overlooking other blatantly obvious ones like the speed of patching, severity of unpatched vulnerabilities, severity of all vulnerabilities, etc. (I am not a security expert, these are just the obvious things, I imagine are relevant). It appears the blog post was put out as flamebait (ad revenue?) after a cursory examination of some data that appears to support the author's belief but that does not make it Science.
This article defines browser security
Now this is my main problem with this linking: the day you start realizing such crap can't be called an article on this planet without a certain type of smile, and stop linking them like certain low quality link-piling sites do, now that day will be the one when maybe you'll see the light at the end of the tunnel.
Well, it depends on how you want to spin the information; in the case of Firefox, if it has 'more vulnerabilities' the spin could easily be, 'because it is open source, it is more transparent, thus, enabling more people to analyse the code' - thus giving the spin that they're being proactive in their bug hunting.
The same could be said for Internet Explorer, because more people are using it, and it is in higher rates of usage, there are more people able to probe and test for vulnerabilities, it's merely a benchmark on how many people use the product, thus they can claim (like they do) that more vulnerabilities are found because more people use it, and thus, the exposure area is greater.
Thom, that is simply not true. He did not "just list the facts". He made a conclusion from them: that IE is more secure. Number of vulnerabilities found does not have a direct correlation to the degree of security.
"Just listing the facts" would be listing the number of vulnerabilities and saying "Firefox 1.x had more newly reported vulnerabilities than IE 6.x in 2006", NOTHING MORE.
However, on the flipside, saying Firefox is "more secure" is disingenuous as well.