Linked by Thom Holwerda on Fri 21st Mar 2008 22:21 UTC
Mozilla & Gecko clones
A new version of Mozilla's popular Firefox Web browser is ready for download with improved security and memory use as the tiny company takes a stab at Microsoft's dominant Internet Explorer. The program's creators told Reuters on Thursday that the privately-held company's trial version of Firefox 3 browser is ready for the masses to use after months of development.
Thread beginning with comment 306027
Se-ku-ree-tee
by pysiak on Fri 21st Mar 2008 23:04 UTC
pysiak Member since:
2008-01-01

Firefox is great and all but all the time we read things like: "Additions boost security..."

As usual, this will have to be proven, not stated. I mean after reading "improved security" in every article about a new browser that has been coming up for a few years now, we'd have to feel so secure we shouldn't be even able to handle it ;-)

And yet, Bruce Schneier still says the state of security isn't getting any better. I guess he doesn't use firefox... or he's right :-D

Reply Score: 2

RE: Se-ku-ree-tee
by lemur2 on Fri 21st Mar 2008 23:27 in reply to "Se-ku-ree-tee"
lemur2 Member since:
2007-02-17

> Firefox is great and all but all the time we read things like: "Additions boost security..."
>
> As usual, this will have to be proven, not stated. I mean after reading "improved security" in every article about a new browser that has been coming up for a few years now, we'd have to feel so secure we shouldn't be even able to handle it ;-)
>
> And yet, Bruce Schneier still says the state of security isn't getting any better. I guess he doesn't use firefox... or he's right :-D


This is only partly correct.

It is possible to add a feature that by itself can be said to add to security, compared to the same browser compiled without that feature.

Anti-phishing provisions are one such feature that comes to mind.

Reply Parent Score: 5

RE[2]: Se-ku-ree-tee
by tomcat on Sat 22nd Mar 2008 00:53 in reply to "RE: Se-ku-ree-tee"
tomcat Member since:
2006-01-06

> This is only partly correct.
>
> It is possible to add a feature that by itself can be said to add to security, compared to the same browser compiled without that feature.
>
> Anti-phishing provisions are one such feature that comes to mind.


Not true. Every bit of code that you add to a product increases the potential attack surface. The anti-phishing provisions are intended to prevent a particular problem; however, besides addressing that problem, they may open you up to other problems (i.e. buffer overflows, privilege escalations, and so on).

Reply Parent Score: 1

RE: Se-ku-ree-tee
by 1c3d0g on Sat 22nd Mar 2008 13:52 in reply to "Se-ku-ree-tee"
1c3d0g Member since:
2005-07-06

Flash news for ya: nothing that's connected to a network is 100% secure, no matter how hard you try. That doesn't mean we shouldn't close the most obvious security holes, but if you want true security, disconnect now.

Reply Parent Score: 1

RE[2]: Se-ku-ree-tee
by pysiak on Sat 22nd Mar 2008 15:10 in reply to "RE: Se-ku-ree-tee"
pysiak Member since:
2008-01-01

Yeah, of course. But just look at how security is treated by columnists:
"... and it's more secure too!"

I mean how can you tell? Say, we fixed 10 security bugs or loopholes, but how do you know that there isn't a new bug exploitable in a more disastrous way?

Note that security is often more about human behaviour than bugs. Probably people are now more aware of privacy issues that should be handled by themselves, not software. I've seen disputes that a social community portal is BAD because you get all the people's data on a platter. But wait, who did post the actual data?

So bragging about security when there's much to be tested and proven seems just like a marketing thing.

Of course if I were a developer I'd say we're more secure, because we've introduced anti-phishing, prezeroed allocation, and so on. But you shouldn't blindly believe that: yap, now, I'm secure, coz, dudes on the web say so.

Cheers!

Reply Parent Score: 2

RE[2]: Se-ku-ree-tee
by rmtatum on Sat 22nd Mar 2008 23:54 in reply to "RE: Se-ku-ree-tee"
rmtatum Member since:
2005-07-09

> Flash news for ya: nothing that's connected to a network is 100% secure, no matter how hard you try. That doesn't mean we shouldn't close the most obvious security holes, but if you want true security, disconnect now.


Even if it's disconnected, it's still not "100 %" secure. People can still find ways to access the hardware.

Reply Parent Score: 3