            • April 19, 2005

              This 'Firefox is more secure' religious war has got to come to an end

              It's flat out bullshit! My mind is numb at the moment, as I have been frantically trying to get caught up with project deliverables, and to top it all off I just had to spend the last 3 hours rebuilding my internal network because of a stupid little mistake I had made that caused my router to return to its default settings (which, in essence, makes it think it should be controlling the show instead of my network server). I finally figured out the problem, fixed it, and then decided my brain needed a break. So I took 10 minutes to catch up on the latest updates in my news reader. Of course the "IE and Firefox are about equally secure" report has had tons of responses, all of which are religiously based and generally try to use the fact that because Firefox doesn't natively allow you to run ActiveX controls it is more secure and therefore better. BETTER!!!! What the fuck does less power and capability have to do with better!!!???

              It is true that there was a time when IE did a poor job of managing the access and control it allowed to the underlying system. Unfortunately there are too many little fucks running around who can't keep themselves under control and had to build silly little applets that did silly little things like fuck around with your personal information or this, that, and whatever else. That had to stop. And the way to do this was to close off access to anything unless given direct permission from the user to do so. Ok, no problem... a few extra clicks from the user is not all that much to ask in the name of ensuring that these criminals could no longer have their way with your OS without your explicit permission. Spyware is obviously a HUGE piece of all of this "access" that was given, and because of this we will continue to see lingering effects until such time as EVERYONE has taken the steps necessary to get their system cleaned up via MS's new clean-up and protect tools. That's not to say that there will never be a problem again, but the fact of the matter is that now that MS has done this it can be easily stated that IE and Firefox are about equals when it comes to potential security problems. Why? Because they both require the user to provide explicit access before they are allowed to do ANYTHING that could potentially endanger the user's system. That's it, end of story. This is the plain and simple fact and there's no justifiable argument that can be made anymore.

              There are about 500 of you heading straight for the comment area to tell me that because FF is OSS it can therefore be more easily and quickly patched when security holes are found. Why is that? Because every 14-year-old script kiddie can look at the source code and go "look, there's the problem, I'll fix it and submit it and become a world renowned hero." Ummm.... sorry, but if you honestly believe that a band of volunteer software developers who lack both experience and in many cases pubic hair are going to be able to develop a bullet-proof browser, you really need to rethink your strategies. Now please don't take that as a slam against the Mozilla.org folks... that's not who I am referring to at all. I LOVE Mozilla. These guys are INCREDIBLE and should be given every amount of respect they have rightfully earned. But the problem is that Mozilla.org is a finite group of elite developers and as such has limited resources to tap into when it comes to trying to combat the increased attacks they have been and will continue to receive. So at what point do we reach critical mass -- the point at which those who are fighting against FF have succeeded in finding enough flaws that it is near impossible for even this elite group of developers to keep up? It will happen, and when it does it's going to suck! Mozilla.org doesn't deserve that kind of treatment, but do you think the people fighting against them give a shit? If you do, you are a flat out fool and there's no getting around that. Wake up to reality my friends... this is the real world of software development, where there are people fighting against any and every successful venture: OSS, CSS, half open, half closed, and whatever other type of development genre can be conceived.

              Keep this in mind: the fact that anybody can look at the source code does little more than make it A LOT easier to figure out where the flaws are in the first place... It's one of those cyclical paradox situations in which you have a greater chance of finding and fixing flaws while at the same time giving others a chance to find them before you do and exploit them before they are fixed. Has anyone done the metrics on this? I don't know the answer, but they sure would be interesting to look at, as I believe we would discover that it has nothing to do with whether something is open or closed and everything to do with the number of systems it is installed on. It only takes a few milliseconds once you're inside a system to get what you want and get out. And you simply can't find and fix a security hole in the same amount of time. The credit card has long since been maxed before a problem is even realized (in fact it's BECAUSE the credit card has been maxed that will probably be the source of the "enlightenment" that there is a flaw in the first place.)

              So this brings me to what is going to have to be my final point for now as I have to get back to work... The point?

              IE is more powerful than Firefox.

              Give me access to the OS API and I will build you something that is as powerful as the API will allow. Confine me to a restricted list of components that, while lengthy in how many are available, still limits me to what the components are capable of doing, and all I can build you is what these components will allow me to build you. There are 10s of 1000s of preexisting components that I can use on top of a Win32-based system. And .NET-enabled components are catching up quick. The components are built by extremely talented developers -- developers just like the ones they have at MS and Mozilla. There is literally nothing that cannot be built by scripting together these components to build kick a$$ applications without borders or limits. Does this mean there's a security risk? With power comes risk, but also capability. It's a balancing act without a doubt, but it doesn't change the fact that the more access to the API I have, the more powerful an application I can build. IE has it. Firefox does not. End of story.

              My favorite quote in regards to this area of controversy comes from a presentation that was given at TechEd '97 in Nice, France. I had 3 presentations to give during the 5 day event and so had plenty of time to take in a lot of really good presentations. I can't for the life of me remember who it was that was giving this presentation, nor can I remember the exact topic. I had only just walked in when an audience member raised their hand and asked a question regarding the security risks that came from using Win32-based applications and suggested/asked why not instead migrate towards Java. The answer was quick, simple, and straight to the point:

              "We give you the 'Format' command and expect that you know when and when not to use it."

              Firefox is a nice browser. But let's not let religion blind us to why it's a nice browser. It's usable. It's not more powerful, more stable, or in reality more reliable, but they got several usability features spot-on and that's what makes it so cool. Mozilla kicked a$$ on this web browser, but that's all it is.... a browser. IE can do anything and everything a Win32 or .NET-based application can be programmed to do. It's nowhere near as usable. But it's a lot more powerful. Does that make it better? It depends... Do you have a need to do more than just browse the web? If no, then probably not. If yes, then yes it does. Oh, and by the way... Do you think that IE7 might take a cue from the Mozilla folks and borrow a few of their neat UI ideas in return for Mozilla's use of IE's XMLHTTP ActiveX control (XmlHttpRequest) or the keyboard shortcuts like Alt + D and CTRL + Enter, etc...? I'm not suggesting Mozilla has done anything wrong... not at all! The smartest thing you can do is to take the good pieces (and the things that the user base you are going after are used to) of the competing product and copy them into your own product. I have a feeling MS will probably follow suit and may even add a few things that none of us have even thought of. Money buys talent and MS has plenty of both. Be ready. Something's gonna come from Redmond that's going to make all of us go "GooGoo" and we have the good folks at Mozilla to thank for this. Maybe AOL can ask for another 750 million for all their troubles ;) Isn't that how the system works... If you can't beat 'em, sue 'em?

              Anyway...

              IE and Firefox both have their place in this world. Can we please move on with our lives now?

            • Posted by m.david : April 19, 2005 02:21 AM GMT


            Comments

              • Yeah, you’re right. IE /is/ indeed more secure. But it doesn’t display a single page correctly due to disabled Javascript and ActiveX and those nice CSS-Bugs we all learned to love…

                IMO a browser does not have to be “powerful”. It has to be standards compliant and extensible. Mozilla has full XML-Support, native MathML, SVG and XForms (not full but they’re working on it).

              • Posted by: Pascal at April 19, 2005 03:44 AM
              • Great Article.

                Your trackbacks are broken.

                smp

              • Posted by: Stephen Pierzchala at April 19, 2005 03:46 AM
              • I like a bit of flame bait :)

                First, what use is power, if it is abused? The two primary routes for drive-by spyware (that is, not the stuff that sneaks in with apps) are ActiveX and security hole exploits. Both browsers are weak on the latter -even Firefox seems to like a WinXP reboot (well, on that vmware image anyway) after an update. And both apps are prone to security holes, because they are written in buffer overflow languages (how’s that for flame bait). As Mozilla becomes more popular, it will become more of a target for malware and driveby spyware attacks.

                But here is why IE is less secure, today

                -Prompted AX download is still enabled in the internet zone. Unless you know how to adjust zone members and security, you cannot disable that without breaking windows update. Which you need, after all.

                -IE is embedded everywhere. That isn't usually a bad thing, but it means that the attack surface is so broad. I think the mailers (Outlook Express especially) are trouble here, as they permit direct exploits of security holes. Mind you, Thunderbird has the same problem. hmmm.

                -Browser Helper Objects. Somebody thought it was a good idea to let COM components have access to stuff that gets POSTed, even over HTTPS links. Mistake :( . By providing the toeholds for spyware and malware, they provide a source of trouble for end users.

                Regarding ‘power’, how relevant is it? Who cares about “more powerful”? None of the friends and family whose boxes I have had to antispyware; they are grateful to be given a copy of Mozilla and told it is more secure.

                There are some things that’d be nice in Mozilla, a good HTML editor component for one, better XML/XSLT handling for another. But then IE could benefit from CSS2 -a bit of power for site designers that IE lacks.

                Anyway, it's good to have competition again. Would we have popup blocking in IE without Mozilla? I doubt it. Not given that MSN must have made many €€ from popup ads -a bit of conflict of interest there. Would we get IE7? Not a chance. But will IE7 move Windows Update into its own zone and turn off AX download in the Internet Zone? I hope so, but doubt it.

              • Posted by: Steve Loughran at April 19, 2005 06:29 AM
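Two of Steve's points above, the prompted ActiveX download policy in the Internet zone and the Browser Helper Objects that load into IE, are things an administrator can check on a machine rather than argue about. The following PowerShell audit is an added example and is not code from the post or from any of its commenters. It assumes the documented IE zone-policy value names under the per-user Zones\3 (Internet zone) key (1001 = download signed ActiveX controls, 1004 = download unsigned ActiveX controls, 1200 = run ActiveX controls and plug-ins, 1201 = initialize and script controls not marked safe, with data 0 = Enable, 1 = Prompt, 3 = Disable) and the standard HKLM registration key for Browser Helper Objects; it reads and reports only, changing nothing.

```powershell
# Added audit example (not from the post or its comments). Read-only: it reports
# the Internet zone's ActiveX policies and lists the installed BHOs with their DLLs.

# Zone 3 is the Internet zone; value names 1001/1004/1200/1201 are the documented
# ActiveX policies (assumption stated in the lead-in). Data: 0=Enable 1=Prompt 3=Disable.
$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$policies = @{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
}
$meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

Write-Output "== Internet zone ActiveX policies ($zonePath) =="
$zone = Get-ItemProperty -Path $zonePath
foreach ($id in ($policies.Keys | Sort-Object)) {
    $value = $zone.$id
    $state = if ($null -eq $value) { 'not set (default applies)' }
             elseif ($meaning.ContainsKey([int]$value)) { $meaning[[int]$value] }
             else { "unknown ($value)" }
    # Enable or Prompt means a web page can still get a control onto the box,
    # which is exactly the "prompted AX download" the comment objects to.
    $flag = if ($value -eq 0 -or $value -eq 1) { '  <-- review' } else { '' }
    Write-Output ("{0} {1,-58} {2}{3}" -f $id, $policies[$id], $state, $flag)
}

# Browser Helper Objects are registered by CLSID under this key; the CLSID's
# InprocServer32 default value names the DLL that IE will load.
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
Write-Output "`n== Installed Browser Helper Objects =="
if (Test-Path $bhoKey) {
    Get-ChildItem -Path $bhoKey | ForEach-Object {
        $clsid  = $_.PSChildName
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll    = if (Test-Path $server) { (Get-ItemProperty -Path $server).'(default)' }
                  else { '<no InprocServer32 entry>' }
        [pscustomobject]@{ CLSID = $clsid; Dll = $dll }
    } | Format-Table -AutoSize
} else {
    Write-Output 'No BHO registration key present.'
}
```

Any policy reported as Enable or Prompt gets a "review" marker, and each BHO line gives the DLL path to look at; a helper you cannot account for is the "toehold" the comment describes. The script consults only the current user's zone settings, so values enforced machine-wide through Group Policy under HKLM are not shown.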
              • These are all excellent comments.

                Pascal, you’re right. As a browser, hands down Firefox is light years beyond IE. The fact that IE7 is under development might bring the playing field a little bit closer, but I have a sense that what's most important to MS has less to do with support for the current web standards and more to do with usability and security.

                Thinking of things outside of the browser namespace, there's simply no way to contend that IE doesn't kick Mozilla’s A$$… But beating MS in this particular space (providing Win32 API/.NET FCL support) was obviously never a goal of Mozilla, nor should it have been. I believe they are making the right moves in the right direction focusing on SVG/XUL/XBL/XForms/etc… as this is what will help give the development of components based on the core Mozilla foundation a massive jolt, and could quite easily give MS a run for its money when considering the fact that XAML, thus far, is the closest MS has come to adopting the standards that are currently driving the salivary glands of most of the development communities these days.

                But it's definitely a long road ahead before the strength of this framework in the making can be measured. Will it be in time to force MS into pushing the introduction of WinFS sooner than planned, so as to change the entire underlying structure the current WinOS family is built on? If they can do that then they have a chance, as MS would have to piss off some hardware vendors and push out a half-baked technology, crossing their fingers that this fact alone doesn't create a hellacious roar of “whatthehellisthisidontunderstandgivemebackwhatihadbeforeplease” resonating across their front door step and right through the heart of what could easily be seen as an industry defining innovation if given the time necessary to do it well and do it right — the entire reason for pulling it out of Longhorn in the first place (if what they told the press is in fact the true and complete reason for the demotion from the core deliverable list for the next version of Windows.)

                Steve,

                Your comments are absolutely spot on and as such I plan to bring them up to the top level in a post by themselves, as I think people need to be notified of their existence. I will do that now…. in fact you will probably see that first before you see this, given that I still haven't finished off this UI and provided XML feeds for the comments section… Yeah, I need to get that done soon, I know 8|

                Oh, and as Stephen has pointed out (thanks for the reminder Stephen!) I need to fix the Trackback stuff too… AAHHHHHHHHHHHHHHHHHHHHHHHHH!!!! So many little annoying things need so badly to just get done… I’ve got to make this happen… Maybe I can try and get to both of these this evening. Thanks for the reminder!!!!

              • Posted by: M. David Peterson at April 19, 2005 08:48 AM


          © 2005 :: <XSLT:Blog/> (xsltblog.com) is a product of M. David Peterson and FunctionalX Consulting. See Licensing Info Below.
          Except where otherwise noted, this site's content and source code is licensed under the Attribution License from Creative Commons.