
Pros and Cons of Firefox Critically Evaluated? 674

A Dafa Disciple writes "Fred Langa of Information Week has written an article claiming to discuss the 'Pros and Cons of Firefox'. At first I was excited because I thought I was going to get to finally read an enlightening, in-depth article that critically examined the browser. I should have known better. Aside from the usual criticism of open source software, it contains a reference to a Symantec Internet Security Report which claims that more security vulnerabilities in the last six months of 2004 were found in Firefox than IE. I'll leave it to you to analyze Mr. Langa's opinion and scrutinize Symantec's study and reputation as a security software developer."

  • by DeadSea ( 69598 ) * on Monday April 18, 2005 @01:53PM (#12271524) Homepage Journal

    Is all the plugins, extensions, chrome, files, and settings that have to be configured after you have the Firefox browser up and running [ostermiller.org]. It would be really nifty to be able to bundle all the things that I do when I install firefox into one mega "extension bundle" or some such that I could install with one click.
  • by Blaskowicz ( 634489 ) on Monday April 18, 2005 @01:59PM (#12271594)
    this extension should be useful :
    http://mozilla.doslash.org/infolister/
    InfoLister is an extension for Mozilla Firefox, Mozilla Thunderbird and Nvu that collects various information about Firefox/Thunderbird and saves it to a file. Currently it prints the list of installed extensions, themes and plugins.
  • by AdamWeeden ( 678591 ) on Monday April 18, 2005 @01:59PM (#12271606) Homepage
    Indeed, I would love to see something where you could choose out of a few different profiles (Minimal, Power User, Everything, etc.) which would add certain extensions preinstalled with the browser. Another idea would be to be able to select what packages to add on before you download and install it. This raises a serious issue though. This then puts the burden of support on the Firefox team to support any bundled software, which I'm sure they have no interest in doing. Granted they could put in some disclaimer before download about third-party support, but I doubt "Joe User" is going to read it, and if something breaks will still attempt to contact the Firefox team for help.
  • Re:GPO Control (Score:5, Interesting)

    by numbski ( 515011 ) * <[numbski] [at] [hksilver.net]> on Monday April 18, 2005 @02:00PM (#12271616) Homepage Journal
    http://www.frontmotion.com/Firefox/

    Have you tried this by chance?

    I haven't personally, but I keep hearing good things about it.
  • by Zocalo ( 252965 ) on Monday April 18, 2005 @02:02PM (#12271637) Homepage
    Perhaps some kind of "shopping basket" download system on the Mozilla update site would be a good way to go. Personally, I quite like the "Download Basket" that Microsoft uses on its Windows Update site when you do a manual update. Something like a standard shopping cart to choose the plugins that you are interested in, followed by a Windows Update style confirmation and install process would be ideal. If you could also save the baskets and reuse them on multiple PCs that would make widescale deployment of Firefox sooo much easier...
  • there's no cure-all (Score:3, Interesting)

    by QQoicu2 ( 797685 ) on Monday April 18, 2005 @02:02PM (#12271643)
    Maybe Firefox is a more stable, more secure browser than IE, but everything is gonna have its flaws. And the more people use it, the more it's gonna get targeted. This sounds kinda selfish, but I almost wish the geek crowd would have "hoarded" Firefox and kept it as their own. It's nice to give Microsoft the shaft, sure, but the more Firefox creeps into the mainstream, the more it's gonna inherently open itself up to exploits.
  • by GigsVT ( 208848 ) on Monday April 18, 2005 @02:03PM (#12271651) Journal
    Since the article concentrated on security, but didn't mention this:

    If you leave autocomplete on, Firefox will save your credit card numbers in plaintext on your hard disk.

    This bug has been known about for years. They won't fix it.
  • This just in... (Score:2, Interesting)

    by 00squirrel ( 772984 ) on Monday April 18, 2005 @02:04PM (#12271678)
    All software has bugs, security and otherwise.

    Let me put forward a little statistic of my own, gathered from what I've seen over the last few years as a network admin.

    Number of computers compromised as a result of IE usage: 8 this year. Number of computers compromised as a result of Firefox usage: 0 (ever)

  • Issues with numbers (Score:5, Interesting)

    by ppz003 ( 797487 ) on Monday April 18, 2005 @02:10PM (#12271759) Homepage
    <rant>
    I have an issue with people who quote numbers of security notices and the like. They always seem to fail to mention the average severity of these notices or even to account for duplicates.

    We see a large number of nitpick vulnerabilities for open source because everyone can look at the source code and try to break it every which way. OTOH, finding exploits in IE is done by testers and hackers.

    Regarding dupes, visiting Secunia shows many vulnerabilities for Linux distros, but you see the same ones over and over again for each distribution.

    So while I agree that no software is perfect, and Firefox does have problems that arise from time to time, as does any software, I'll still be using the fox for my net browsing.

    As for those testimonies in the article from people who can't get Firefox or Thunderbird working properly, wow. I've switched people's grandparents with no computer literacy with no problem. All I can say is that their system must be jacked up.
    </rant>
  • by Sprotch ( 832431 ) on Monday April 18, 2005 @02:10PM (#12271760)
    Before everyone starts flaming me, I'll state that Firefox has become indispensable to me now. Mostly because of the RSS bookmarks, tabbed browsing, and best of all, the extensions. Dictionary search, ad-block and the spell checker have all become indispensable to me now. However, Explorer remains the superior browser with regard to resources and stability. If I want a fast and simple stable browser, Explorer is the way I go. While Firefox is loaded with useful options, I find it interesting that I stayed not because it was technically superior to IE, but because it provided better and actually useful features.
  • by rsborg ( 111459 ) on Monday April 18, 2005 @02:13PM (#12271811) Homepage
    It's enlightening until it's critical. I see.

    You missed the point of the poster. He wasn't unhappy about the article being critical, but being very BIASED and critical. You know, it'd be like saying that Democrats/Liberals should listen to Bill O'Reilly... as if he listens to the other side.

    What I hate the worst is not those who are biased, but those who claim to be things like "Fair and Balanced" when it's clear they're not.

    Take for example this nice strawman argument that Mr. Langa puts forth:

    It's a very appealing concept, and has become part of computing's conventional wisdom: Non-Microsoft = More Secure.
    Which he then cuts down systematically, as if his misposed argument had any value:
    Trouble is, that's a falsehood based on a common error: Failure to adjust for the effects of the installed base.
    I can tell when people use Conversational Terrorism [vandruff.com], and I know then that they're highly partial and unreasonable to argue with.
  • Oh yeah... (Score:5, Interesting)

    by jim_v2000 ( 818799 ) on Monday April 18, 2005 @02:13PM (#12271814)
    A lot of other security/AV companies get definitions out MUCH faster than Symantec. I remember occasionally using Sophos's and other AV sites to solve virus issues because we didn't have the info.
  • Re:More exploits? (Score:3, Interesting)

    by jschottm ( 317343 ) on Monday April 18, 2005 @02:14PM (#12271822)
    Security by obscurity is no security.

    No, security by obscurity provides a fairly good amount of security assuming you can keep your code secure. The benefit of open source is that you [hopefully] write better code and/or have better testing that eliminates the major security problems before it goes into production. There have been a bunch of escalation of privilege flaws discovered in Linux in the past few months that use obscure race conditions and the like. Those would have been extremely unlikely to have been found without the source code. Read the detailed changelogs of the kernel updates - there are tons of little security flaws fixed all the time.

    It's a tossup - Open source finds and fixes the little tiny bugs but you have to stay on top of the patches.
  • Re:symantec (Score:4, Interesting)

    by rizzo420 ( 136707 ) on Monday April 18, 2005 @02:14PM (#12271827) Journal
    i used to favor symantec over mcafee, royally...

    now i've seen reason to doubt their products. the main one i've seen come up many times is a trojan. i don't know the name off-hand. and it's with even the latest versions and definitions. you can update it today and i will almost guarantee it won't find it.

    also, my other issue with their home product is that by default, it's set to try to clean the infected file. today's viruses can't be cleaned because the file is the virus. so if it can't clean it, it takes no action. that's the most absurd setting i've ever seen. they should have it set to try to clean and then quarantine if unsuccessful. i dread looking at computers that have norton installed, you know they're infected the minute they come in.
  • by steeleye_brad ( 638310 ) on Monday April 18, 2005 @02:15PM (#12271838)
    Urg...I know people will hate me for posting this...but look at Opera. Without Java, the install file is about 4MB. This includes a mail reader, IRC client, newsgroup reader, mouse gestures, and highly configurable tabbed browsing. I see no reason for Firefox to toss in a few basic features. While I think Firefox is great, and I love the "feel" to it, I dislike downloading plugins for mouse gestures, tabbed browsing configuration, etc. Hell, basic plugins like this aren't large at all, it wouldn't hurt Firefox to put that in. Most people here aren't asking for hundreds of pre-installed plugins and a ton of themes, just some of the simpler things.

    I like the ideas posted by others, have a shopping cart or checkbox system, allowing you to sort of preinstall various plugins. Maybe create some standardized basic functionality plugins that one may choose to download, and have an option for popular, more advanced plugins as well. You'll still have a small initial download, and will still have the option to have a very small browser.
  • by rainman_bc ( 735332 ) on Monday April 18, 2005 @02:16PM (#12271842)
    Just to point out though, for the most part when any site that reads the http_user_agent header and rejects me, I just change my user agent using the user agent switcher extension, and most of those sites look quite fine.

    Even www.quicktaxweb.ca rejected my firefox on Linux install, but accepted firefox on Windows. Just change the user agent to appear like FF on Win and it was almost perfect.

    What pisses me off most about FF is that there still appears to be a memory leak if you leave it running for a while. I frequently leave my PC on overnight, and when I get in in the morning it takes a long time for FF to maximize in XP. Both work and home PCs show the same symptoms. That doesn't occur on my Linux boxen though.

    And no, I didn't RTFA ;)
  • by gad_zuki! ( 70830 ) on Monday April 18, 2005 @02:29PM (#12272004)
    Easy.

    1. Don't do autocomplete (or make this a default off option) on SSL forms.

    2. Credit card #'s are 16 digits with known prefixes. [beachnet.com] Detecting them isn't a difficult problem. Same with social security numbers.
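
The two checks suggested in the comment above, applied to the autocomplete storage issue raised earlier in the thread, written out as an added example (not part of the thread and not Firefox's code). The function names, the prefix table (Visa 4, MasterCard 51-55, Discover 6011) and the Luhn checksum step are assumptions added here; the sample values in the test are constructed from well-known test numbers.

```javascript
// Added example: decide whether a submitted form value may be written to
// autocomplete history. All names here are hypothetical.

// Assumed 16-digit issuer prefixes; the comment only says "known prefixes".
const CARD_PREFIXES = [/^4/, /^5[1-5]/, /^6011/];

// Luhn checksum: double every second digit from the right, subtract 9 from
// two-digit results, and require the total to be divisible by 10.
// Added on top of the prefix test to cut false positives on order numbers.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = digits.charCodeAt(digits.length - 1 - i) - 48;
    if (i % 2 === 1) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
  }
  return sum % 10 === 0;
}

// 16 digits (spaces or hyphens allowed as separators), known prefix, valid Luhn.
function looksLikeCardNumber(value) {
  const digits = value.trim().replace(/[ -]/g, "");
  if (!/^\d{16}$/.test(digits)) return false;
  if (!CARD_PREFIXES.some((re) => re.test(digits))) return false;
  return luhnValid(digits);
}

// US social security number: ddd-dd-dddd, or nine bare digits.
// Deliberately conservative: a bare nine-digit value is treated as sensitive.
function looksLikeSsn(value) {
  return /^(\d{3}-\d{2}-\d{4}|\d{9})$/.test(value.trim());
}

// Returns { save, reason }. Rule 1: never store values from SSL (https) forms.
// Rule 2: never store values that look like card numbers or SSNs, even when
// the form was served over plain http.
function shouldSaveToAutocomplete(pageUrl, value) {
  if (new URL(pageUrl).protocol === "https:") {
    return { save: false, reason: "ssl-form" };
  }
  if (looksLikeCardNumber(value)) {
    return { save: false, reason: "card-number" };
  }
  if (looksLikeSsn(value)) {
    return { save: false, reason: "ssn" };
  }
  return { save: true, reason: "ok" };
}
```

The content check matters for the second rule only: a card number typed into a form on a plain http page is still kept out of the history file.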
  • Silly argument (Score:2, Interesting)

    by Daedala ( 819156 ) on Monday April 18, 2005 @02:35PM (#12272073)

    He makes the argument that people who think Firefox is better believe so because of the smaller installed user base. IEusers = stupid, FFusers = smart. Therefore, of course Firefox comes off better. If Firefox had as many stupid users as IE, it would be considered as bad as IE.

    I call bullshit. His own argument doesn't make sense, because then he argues that IE might have the same percentage of problems as Firefox. He's begging the question of whether the percentage of problem users is the same with each browser. What do you want to bet that someone is going to quote this article saying that "5% of Firefox users have problems! That's the same percentage of IE users that have problems!" Those are made-up numbers. He's using them as an example. He hasn't proven that they're equivalent.

    He also digresses, severely, into "Linux isn't really more secure." Well, actually, it is. To my mind, the worst vulnerability out there is one that allows an attacker to remotely execute arbitrary code without user intervention and without personal intervention by the attacker, either. Getting someone to type in a password is a cross-platform vulnerability. Spending a few hours individually targeting that Linux server with old updates happens (just ask me about my friend's goddam mail server). Reading email in an email client with IE-HTML-rendering -- a proven way to do this -- is pretty specific to IE.

    After all, it's Windows that has spawned the Sargasso Sea of worms, viruses, Trojans, etc. etc. etc. ad infinitum ad nauseam. There is a self-sustaining ecosystem of malicious code that infects and reinfects Windows. UNIX doesn't have that. Of course, UNIX is such a newcomer to the Internet that it hasn't had time to develop that ecosystem -- sorry, what did you say? I'm sure UNIX must be brand new, that's why there are so few automatic exploits, right?

    Third, he thinks the raw numbers for vulnerabilities mean anything. They mean nothing, especially when you compare the different philosophies of Microsoft vs. most Linux distributions. Microsoft = admit a problem only if we have to, and then only before it's patched, and if you don't give us 6 months to patch it you're an irresponsible extortionist creep. Linux = full disclosure of every nitpicky bug anyone can think up, like the one where someone with physical access to your box can open the case and copy the hard drive! Claiming that CERT is a wonderful impartial catalogue of vulnerabilities -- when they roll over for vendors, and without mentioning their recommendation to avoid IE -- is disingenuous at best.

    The real question for these security vulnerabilities is: do they matter? You can tell by identifying the following: Are they remote? How much user intervention is needed? What can happen if the vulnerability is exploited? DoS is sad but not, frankly, that big a deal. Arbitrary code execution is bad. Privilege escalation is bad. Sniffing passwords is bad. Does the attacker need to sit there and think about your computer or can he just turn loose an automatic exploit? It might even be that IE is better than FireFox on that at the moment -- I doubt it, but it's possible. However, Langa doesn't examine the real question. It's easier to count beans than to identify them, or know how to make use of them.

    His argument seems to be that since Firefox isn't perfectly secure, it's as insecure as Internet Explorer. This is a fallacy. I can't remember which one. The stupid one, I guess.

    Ok, now I feel better.

    Poster bias: I loathe and despise Microsoft. I think Symantec is a parasite. I like Open Software but "free as in beer" means nothing to me because I also loathe and despise beer. I think Firefox is fine on Windows but it is lousy on Macintosh. My personal favorite browser is Safari.

  • by Hard2Grok ( 876999 ) on Monday April 18, 2005 @02:41PM (#12272149)

    The problem lies in that not all users know anything beyond point and click. For these users, getting to a site that says "You will need the flash plug in to view this site correctly" is a deal breaker. Even more so when all they see is just some innocuous little image that doesn't explain to them why it isn't working. (Ala the little jigsaw piece)

    I wholeheartedly agree that Firefox needs to have two rollouts. One with and without extensions. The idea of having an application, with an appropriate disclaimer which says Mozilla is not responsible for anything the third party extensions do or don't do, that lets you choose which extension you want installed along with Firefox is amazing!

    I currently sit on a standards committee for the school district I work in and we shot down Firefox, even though many of the admins use it on their machines themselves, because of several problems we saw as user issues with the browser.

    Some of the other things we saw problems with were:

    No Active X support (many of our online applications use active X)

    Not as user friendly as other browsers (ease of use and clarity issues)

    Lack of a real centralized support center (The forums are a rich resource..if you have time to run searches or wait for someone to answer your post, which in a real world environment, is not conducive)

    Potential for abuse by students of all age ranges (The tabbed browsing is an exceptional idea! However, most teachers are too used to window browsing and wouldn't even notice the extra three or four tabs that are in the background hiding god knows what kind of sites from her view.)

    We really REALLY wanted Firefox, but these issues just couldn't be countered. Every time we tried to see if there were possible solutions, we were either met with hostility on the forums for daring to suggest that Firefox was lacking in any area or we got silence.

  • by Anonymous Coward on Monday April 18, 2005 @02:41PM (#12272158)
    A fully patched Internet Explorer was known to be unsafe for 98 percent of the time during 2004, while Firefox was "unsafe" only 15 percent of last year, according to ScanIT:

    http://bcheck.scanit.be/bcheck/page.php?name=STATS 2004&page=3/ [scanit.be]

  • Fred Langa... (Score:2, Interesting)

    by HerculesMO ( 693085 ) on Monday April 18, 2005 @02:43PM (#12272178)
    Fred Langa, a former Chief Editor of Byte and Windows Magazine, has been covering computers since the days when 640K was more RAM than anyone could possibly need.

    Wow, a chief editor for two Windows magazines. Go figure where the bias would lie.

    I guess if I wrote for Linux Weekly, and published an article why Windows sucked ass, everybody should take me with great consideration because I would inherently be unbiased.

    Bah.
  • by tofucubes ( 869110 ) on Monday April 18, 2005 @02:47PM (#12272244)
    I personally used Maxthon, because there were a lot of things that Firefox had in extensions that Maxthon had bundled in (so that it was just a matter of turning the feature on under the options)...

    To give Firefox some credit... it's a lot more clean.

    The fact that Maxthon is used over IE... makes it very compatible... it also has many extensions just like Firefox, but lots of the stuff has been integrated and runs very smooth.

    I also liked some minor features... like highlighting text and dropping to open all the highlighted links. I felt it was easier for me to operate the way things were set up.

    forum [maxthon.com] The community is pretty fast and requests often get a good quick reply. A lot of the stuff is run by Tara, who's extremely responsive.

    Here's a linky: Maxthon [maxthon.com], try it out if you want.

  • From TFA (Score:2, Interesting)

    by ABaumann ( 748617 ) on Monday April 18, 2005 @02:55PM (#12272344)
    "It should be no surprise that alternate browsers--or alternate operating systems, for that matter--contain flaws."

    This is right after the line that says, "Six vulnerabilities were reported in Opera and none in Safari." So it basically says, "The default OS X browser didn't have flaws, but anything that isn't M$ or IE has flaws." I just don't follow this train of thought.

    I also noticed that if you add an 'i' to fred, you get "fired". I hope his bosses notice the connection.
  • by the unbeliever ( 201915 ) <chris+slashdot&atlgeek,com> on Monday April 18, 2005 @02:57PM (#12272377) Homepage
    Plugins/Extensions/Themes are third party software, and Mozilla cannot be responsible for their code/stability.

    And if you'd even bothered to do a little checking, you would know you can always open the install.rdf file in notepad/texturizer and change the "MaxVersion" to 1.0+ and it will work.
  • by They_Call_Me_Spanky ( 83478 ) on Monday April 18, 2005 @02:59PM (#12272398)
    We consider IE's problem with "autodownloaders, backdoor spyware" and such, but Microsoft considers these 'bugs' as features.

    If you design an application to autodownload, autoconfigure and autorun... no matter how annoying it is to everyone, it's a feature, not a bug. So, by the facts, according to Microsoft, these aren't security holes. Right?
  • by Khuffie ( 818093 ) on Monday April 18, 2005 @03:09PM (#12272542) Homepage
    All he's saying is that just like IE and other programs, Firefox has security flaws and bugs. And that just switching to it because "it's more secure" without knowing how or why is a bit foolish. He says that Firefox isn't a magic cure; I could run a perfectly secure system using Maxthon (IE) with a combination of a firewall and anti-spyware. Firefox doesn't automatically make your system more secure, your browsing habits do. And he goes out of his way to state that Firefox is good: "Firefox is free, open source, cross-platform, and multilingual; and it also brings some much-needed competition to the browser market." Also, he brings up the security bulletins by the US-CERT office, and not just Symantec as the poster mentioned. Isn't that bias on the end of the poster?
  • by 4of12 ( 97621 ) on Monday April 18, 2005 @03:35PM (#12272869) Homepage Journal

    Would you prefer a 50Mb download

    I think I speak for most users when I say they'd prefer they didn't have to download anything.

    If a working version of Firefox came with their PC, just as Internet Explorer comes with their PC, then most people would be happy and would probably just use it in the default configuration.

    System builders could provide a reasonable version of Firefox with only enough features that could reasonably be supported; the less-used and more fragile features could be loaded onto the harddrive and left to the user if they wanted to change things themselves. Again, without requiring a download.

    Of course, all attempts to provide a reasonable improvement that buck the status quo are futile.

  • by NanoGator ( 522640 ) on Monday April 18, 2005 @04:23PM (#12273559) Homepage Journal
    "Gamestop doesn't do that, for whatever (presumably political) reasons."

    Hi. Opera is 4 megs and is quite complete.

  • by cicho ( 45472 ) on Monday April 18, 2005 @04:34PM (#12273737) Homepage
    "Plugins/Extensions/Themes are third party software, and Mozilla cannot be responsible for their code/stability"

    No, but Mozilla is responsible for the interfaces. If an extension doesn't work anymore or crashes the browser, it's because the browser's extension interface has changed. By now this should be happening rarely, not with every new release (almost).

  • by KalvinB ( 205500 ) on Monday April 18, 2005 @04:54PM (#12274032) Homepage
    If you want visitors to not block your ads you have to come up with a way to cripple the site if the ads are not displayed. Unfortunately ad blocks are client side and can't always be detected by the server.

    Ads indirectly cover costs (large sites get paid because they can claim X amount of people see the ads per month, not per click or per sale) and images are a very big bandwidth hog. So if a visitor doesn't want to look at ads then Yahoo saves some money by not showing images either. And as a possible bonus the web-site looks so terrible that the user stops blocking their ads just so the images load.

    I haven't needed to implement it on my site yet but checking whether or not Javascript is enabled on the client side is quite trivial.

    Server Side Javascript Check [icarusindie.com]

    Once the server knows if Javascript is disabled on the client side the possibilities are pretty endless. Most ads (like AdSense) rely on Javascript so knowing Javascript is enabled is important.

  • Comparing Security (Score:5, Interesting)

    by stretch0611 ( 603238 ) on Monday April 18, 2005 @04:55PM (#12274060) Journal
    Wow you can actually compare a product that has not even been out for a year, and IE6 which has been out for over 3 years...

    Actually IE6 has now been out for 4 years. And a person should hope that a 4 year old product that is used by millions of people every day should have the bugs worked out of it by now.

    Now as far as how to compare them check out this article. [theinquirer.net] It compares security on a very sound premise: If you keep up-to-date with updates how long are you vulnerable. The answer: IE: 51 weeks during 2004, Firefox: 8 Weeks during 2004.

    Let's rephrase that; using Firefox I was safe from known exploits 10 months last year. If I was an idiot and used IE, I was only safe from known exploits 1 lousy week during the whole year.

    Which are you going to choose? Get FireFox! [spreadfirefox.com]

  • by fean ( 212516 ) on Monday April 18, 2005 @05:08PM (#12274230) Homepage
    the difference in usage is the Gecko engine that is loaded by Firefox.

    The IE engine is loaded as a system resource, hence doesn't take time to swap in and out (the kernel can keep it from being paged out). This also keeps the memory from being reported in Task Manager.

    Right now, I have the same 3 pages open in FF and IE, and FF is reporting 76MB, and IE is reporting 44MB. I have quite a bit more of browsing history in this FF session, which could account for some of the difference. I also don't have ANY plugins installed for IE, as I never actually use it.

    I'm guessing that the special items in FF cause higher memory usage. Try turning off smooth scrolling (they may use a large off-screen buffer to render more page than needed)... and other non-essentials if you don't want all of the memory used.
  • by Plug ( 14127 ) on Monday April 18, 2005 @05:39PM (#12274607) Homepage
    Check out FrontMotion's Firefox MSI page [frontmotion.com] for an excellent 3rd party MSI for Firefox (currently at 1.0.2 but regularly updated).

    Otherwise, it's a stated goal for 1.1 to have an official MSI installer.
  • by cheekyboy ( 598084 ) on Monday April 18, 2005 @06:31PM (#12275199) Homepage Journal
    What is wrong with a bit of healthy criticism? Why is it open source people are so anal and testy when someone makes a valid suggestion: "oh piss off, why should we enhance add this to xyz, we are king dicks here"

    Wake up developers, if 50% of people have to install a WMV plugin, or SWF, then damn well either have it pre-packaged, or have a sleek auto install method that works (and doesn't just go to another website).

    Oh and fix the 250meg memory usages, how about a setting in Firefox that says - Do not use more than 90meg of RAM. So then it can free crap it doesn't really need, or how about a real real real real smart cache, like a list of websites to keep as higher priority to cache.
