Reader Comments

Subscribe: RSS

View by: Time | Thread

• 

  nonuser, 1 Mar 2005 @ 11:51am

  
  

  half correct

  Windows XP (many users log in as administrators, all windowing code runs in kernel mode, scriptable media applications are considered non-removable parts of the OS) and IE (think ActiveX) really are architecturally less secure, but it's also true they are the main targets. I expect to see more successful attacks on both Linux and FireFox... and the open source community will start sounding more like MS when they say that responsible users need to download the patches as soon as they become available.

  [ link to this | view in chronology ]

  • 

    Anonymous Coward, 1 Mar 2005 @ 12:32pm

    
    

    Re: half correct

    The notable difference is that, so far, the turnaround time for security bug-fixes in large open-source projects is far less than the turnaround time for MS to release security fixes. I'm talking 24 hours vs 6 months as a kind of comparison.
    
    I think that open-source projects are only marginally more secure than closed-source projects by their open nature, and comparing actual security in general isn't possible on that scale; it's a project-by-project thing, because it depends on the number and calibre of people involved vs the project complexity.
    
    Open source projects should have better peer-reviewed fixes that come out in a more timely fashion, and that's the only difference. I think such a difference is a really important one, and that, while OSS stuff can't always be vastly more secure inherently, that the turnaround time makes a very big difference.
    
    

    [ link to this | view in chronology ]

    • 

      Ralph, 2 Mar 2005 @ 11:06am

      
      

      Re: half correct

      ActiveX Controls not being able to execute is the primary reason for Firefox being able to be more secure. Don't need 'em don't want 'em. Also ads can be eliminated with plugins increasing safety and useability.

      [ link to this | view in chronology ]

• 

  opo, 1 Mar 2005 @ 11:57am

  
  

  spyware is not security

  you are confusing the issue of spyware and security. IE has many security problems that are completely unrelated to spyware. The alternate browser crowd is more secure because they do not have these same gaping holes.
  
  Spyware can be avoided by using an antispyware program, security holes in the browsers can only be handled by fixing the security holes.

  [ link to this | view in chronology ]

  • 

    Mike (profile), 1 Mar 2005 @ 12:06pm

    
    

    Re: spyware is not security

    Not really. While you're right that they're two different things, the reason spyware gets in is often because of security holes. So, the amount of spyware getting through is basically a proxy for the security of the browser itself.

    [ link to this | view in chronology ]

• 

  Tim, 1 Mar 2005 @ 12:04pm

  
  

  Jumping the gun

  I've seen this a few times, now: in earlier days, open-source was just plain `more secure'. Then it was `more secure because updates come out faster'. These were days before Firefox, nae even Mozilla, was a glint in a web-surfer's eye. Since then, open-source has had to deal with scalability: the packages we know and love are now *huge*, beyond many a solitary programmer's wit to debug, let alone tweak to integrate with anything else.
  
  So we'll have to see how the Firefox team copes with pushing out an increasing number of fixes, and whether the Internet population actually bothers applying them in a timely enough fashion.
  
  In fact, I'm going to go out on a limb and predict that a return to modularity is going to be required in the near future. The javascript engine *should* be farmed-out to shared libraries for the purpose. So should the UI. Let Firefox be a *minimal* refactored core with lots and lots of semi-optional libraries, preferably that can all be updated from the core itself. The plugin architecture is right, but it's too high-level for the bugs remaining to be discovered.

  [ link to this | view in chronology ]