Internet Explorer vs Firefox (Security)

I have been coming across several claims that Firefox is more secure than Internet Explorer and vice versa, but none of them actually support their claim with evidence. I decided to ask here because people here are more technical and the distribution is pretty random.


So here I am asking

Why is one more secure than the other?

Firefox being an active open source program, it is easier for security bugs to get fixed really soon:
http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/open-source-security.html
Please define "more secure".

Number of vulnerabilities found per week? Approximate number of vulnerabilities still present? Severity of the vulnerabilities found? Average time from announcement to bug fix? Average time from announcement to actually widespread install? Number of real abuse issues? Amount of money successfully stolen from credit cards that was accounted for by security faults in browsers used for online banking? Including less harmful security vulnerabilities that e.g. lead to spying out the user's personal information? etc.

The list can go on indefinitely. Depending on your definition, things like "how many people are actually trying to break this or that browser?" affect your score, and it might turn out that using "elinks" is the most secure :-P.

The point I want to make is that I don't think much of statements like "foo is more secure than bar" if it's not clear what scale you are measuring against. For some things it is usually very well defined what is meant, e.g. if you had asked "What is more secure, MD5 or SHA-1?" then I could give a clear answer, as there "time/money to find a collision" is usually the measurement criterion.

But for browsers? Really... no clue what you're asking about here... ;-)


Ciao, Imi.
closed account (1yR4jE8b)
Internet Explorer and ActiveX are so tightly integrated with the Windows kernel that any exploits found through either could lead to system-wide vulnerabilities. Microsoft can also slip any kind of root-kit or usage-monitoring Windows service into Internet Explorer and nobody but them would know about it, because the browser is closed source.

Firefox (and Google Chrome too), on the other hand, is open source, so the chance of any kind of malicious code in the browser itself is practically nil, and because plugins aren't so tightly coupled with the Windows kernel, while vulnerabilities could arise, the chance that a system-killing hack slips in through a plugin is lower. Mozilla also has robust digital signing for plugins to help you decide whether the developer is trusted or not.
Approx. number of vulnerabilities still present?
That's unmeasurable. That is, unless you're only counting known vulnerabilities.

"What is more secure, MD5 or SHA-1?" then I could give a clear answer, as there usually "time/money to find a collision" is the measurement criteria.
I don't know the details, but MD5 has actually already been proven to be vulnerable to a particular type of attack that no longer makes it suitable for cryptography.
That's unmeasurable. That is, unless you're only counting known vulnerabilities.

Well, that's why I put the "approx." ;-). You can always approximate, the guessing doesn't have to be exact. In fact, I think that this is what most people have in mind when they think about "what's more secure?"

At least I got that feeling when talking with people about the number of bugs already found: "So what? Isn't that a good sign, as it means that now there are no bugs left?" :-D. (To be clear: I think that's not correct. I think if there are a lot of bugs found, it is better to assume that there are many more left.)


I don't know the details, but MD5 has actually already been proven to be vulnerable to a particular type of attack that no longer makes it suitable for cryptography.

Published collisions exist for MD5. Also, schemes for some groups of collisions exist. Then, some applications use MD5 in a way where you can construct other collisions in higher-level protocols out of existing MD5 collisions. (For example, if you have a program like tripwire that assumes code is valid and well-behaved if it matches a published MD5 sum, then a malicious program could behave differently depending on some part of its code: if value1 is present, it behaves nicely to get the trust certificate, and if the colliding value2 is present, it executes its malicious code.)

MD5 is still "somewhat" secure against chosen collisions (meaning: I choose a value and the attacker has to find a collision to this specific value). But anyone using MD5 today for cryptographic applications has to be extremely careful.

Btw: SHA-1 is not that much better. There are no published collisions yet, but the algorithm is "broken" in the sense that the complexity of finding a collision is reduced (from 2^80 down to 2^69, which is pretty much what is manageable today). SHA-2 is still considered secure but works on the same principle as MD5 and SHA-1.


Ciao, Imi.
So, in other words, most people understand "secure" as meaning "they say they say [not a typo] they think it has few unknown vulnerabilities"? Actually, that sounds quite believable. I'll make sure to put that in the blurb on the back of the box of the first program I sell.

I think if there are a lot of bugs found, it is better to assume that there are many more left.
Duh. There's always more bugs left. If every program has bugs and every program can be optimized for size, then every program can be reduced to a one line bug.
Thanks for the replies. I've seen some comments that just rely on the fact that bugs are fixed much earlier / open source... That doesn't add to the software's security per se. I am more interested in the security mechanisms provided within the browser, such as input sanitization etc.

Also I would like to point out the following fact:

I have to say that sometimes the internet community's behavior varies depending on which company caused the vulnerability.
In many articles people point fingers at Micro$oft for installing the extension/plug-in that turned out to be vulnerable, and the fuss that was made about it was incredible.

http://threatpost.com/en_us/blogs/microsoft-net-plug-exposes-firefox-users-malware-attacks-101609

But let's face it, all other distributors that have a plug-in sneaked the installation into the plug-in folder. E.g.: Adobe Reader, Realtime, Quicktime, Java, Flash.

Adobe and Quicktime had their fair share of exposing the user to vulnerabilities from these add-ons, so why was Micro$oft flamed that much? Isn't it the same thing? (I am by no means siding with anyone, I just want to know what the community thinks.)

I know some of you may say "but we all know that Adobe installs the plugin". Yes, we do, but... was this always the case? Or did we learn that through experience? "Cool, now PDF opens in the browser"; time passed by and it became an obvious part of the Adobe product (replace Adobe with any other software that does this).

Speaking of Plug-ins

ActiveX is a major threat, we all know it, that can expose users to various vulnerabilities. In my opinion NPAPI isn't more secure than ActiveX; it actually has quite the same level of problems. An unchecked buffer in ActiveX is just as exploitable as an unchecked buffer in NPAPI plug-ins. If anyone has evidence to disprove my statement, I encourage you to do so, because I am interested in learning.

Comments
to: moorecm:
http://support.mozilla.com/en-US/kb/ActiveX
Will your competitor say nice things about you?

to: imi: yes, I like your reasoning, this is what I am talking about. Just because the browser has a high amount of successful attacks does not make it less secure. It might be the case that it's more used at large. It might be the target of the moment for attackers.

to: darkestfright
vulnerabilities that could arise the chance that a System Killing hack slips in through a plugin is lower. Mozilla also has robust digital signing for plugins
How is that so? When you can sneak a plugin in with just any installation into the plug-in folder and it is readily available on the next Firefox reload?

Firefox (and Google Chrome too) on the other hand, is Open Source so the chance that any kind of malicious code in the browser itself is practially nil
I have my doubts. I asked on the Mozilla IRC server about the plug-in sample source code they provide that doesn't compile, and their reply left me shocked: "the person who wrote the mechanism is not with us anymore and really few know what is really going on in there" (and that was enough for me to know why there are several unanswered questions about Firefox plug-in development). Samples in the Mozilla trunk date back to 2003-2007:
http://mxr.mozilla.org/seamonkey/source/modules/plugin/tools/sdk/samples/
http://mxr.mozilla.org/seamonkey/source/modules/plugin/samples/

Refs
http://groups.google.com/group/mozilla.dev.tech.plugins/browse_thread/thread/b9e2fbd7eabd6413/6e7d6b7a84d58174
http://osdir.com/ml/mozilla.devel.plugins/2008-05/msg00006.html

I'm still open for more :D
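The "unchecked buffer" point in the post above, as an added illustration that is not from the thread or from any real ActiveX or NPAPI plugin: a hypothetical plugin handler that copies a length-prefixed title from a stream chunk into a fixed-size field, first without and then with the checks that decide whether the code is exploitable. The host API only determines what sits next to the buffer; the missing length check is what turns a crafted chunk into a memory corruption, so the hardened version rejects a length field that lies about its payload or would not fit.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TITLE_MAX 32

/* Hypothetical plugin instance state (constructed for this example). */
struct plugin_state {
    char title[TITLE_MAX];
};

/* Reads the big-endian 32-bit length prefix of a stream chunk. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* VULNERABLE: trusts the length field that arrived in the stream. A declared
 * length above 31 writes past 'title', whether the host API is ActiveX or
 * NPAPI; the API only decides what sits next to the buffer. The test below
 * calls it with in-bounds input only, so no overflow actually happens. */
int title_from_chunk_unchecked(struct plugin_state *st,
                               const uint8_t *chunk, size_t chunk_len)
{
    if (chunk_len < 4)
        return -1;
    uint32_t declared = be32(chunk);
    memcpy(st->title, chunk + 4, declared); /* no bound on 'declared' */
    st->title[declared] = '\0';             /* overruns even at exactly 32 */
    return 0;
}

/* HARDENED: the declared length must not exceed what the chunk actually
 * carries, and must leave room for the terminating NUL in 'title'. */
int title_from_chunk_checked(struct plugin_state *st,
                             const uint8_t *chunk, size_t chunk_len)
{
    if (chunk_len < 4)
        return -1;
    uint32_t declared = be32(chunk);
    if (declared > chunk_len - 4)       /* length field lies about payload */
        return -1;
    if (declared >= sizeof st->title)   /* would not fit with the NUL */
        return -1;
    memcpy(st->title, chunk + 4, declared);
    st->title[declared] = '\0';
    return 0;
}
```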
I have my doubts. I asked on the Mozilla IRC server about the plug-in sample source code they provide that doesn't compile, and their reply left me shocked: "the person who wrote the mechanism is not with us anymore and really few know what is really going on in there"


At least people in the Mozilla team are honest that there are mechanisms in Mozilla that no one is maintaining. What would you bet on: that there are no such pieces of code in Internet Explorer, or that there are, but you will never learn about it? Wanna bet on the first? I will bet against you on the second! We can bet any sum on it, since we will never know the answer, so neither of us can win (or lose).

An observable fact: on my computer, Mozilla crashed far less than Internet Explorer, back in the (very short) time I used Internet Explorer.

A second observable fact: Internet Explorer wouldn't install on my Ubuntu partition, although it is freeware and I have the Wine compatibility layer installed in Linux.
I think most people think Internet Explorer is better, but they don't even look into the security options in Firefox, so they presume there aren't any. I think Firefox is better though; I'm using it now!
NoScript + AdBlocker is my combo.
I think I have the securest Firefox: http://i47.tinypic.com/1icqky.png
Hell yeah!
Wow, sweet, that is over-secure, man.