Pros and Cons of Firefox Critically Evaluated? 674
A Dafa Disciple writes "Fred Langa of Information Week has written an article claiming to discuss the 'Pros and Cons of Firefox'. At first I was excited because I thought I was going to get to finally read an enlightening, in-depth article that critically examined the browser. I should have known better. Aside from the usual criticism of open source software, it contains a reference to a Symantec Internet Security Report which claims that more security vulnerabilities in the last six months of 2004 were found in Firefox than IE. I'll leave it to you to analyze Mr. Langa's opinion and scrutinize Symantec's study and reputation as a security software developer."
The biggest downside to Firefox (Score:4, Interesting)
Is all the plugins, extensions, chrome, files, and settings that have to be configured after you have the Firefox browser up and running [ostermiller.org]. It would be really nifty to be able to bundle all the things that I do when I install firefox into one mega "extension bundle" or some such that I could install with one click.
Re:The biggest downside to Firefox (Score:5, Interesting)
http://mozilla.doslash.org/infolister/
InfoLister is an extension for Mozilla Firefox, Mozilla Thunderbird and Nvu that collects various information about Firefox/Thunderbird and saves it to a file. Currently it prints the list of installed extensions, themes and plugins.
Re:The biggest downside to Firefox (Score:2, Interesting)
Re:GPO Control (Score:5, Interesting)
Have you tried this by chance?
I haven't personally, but I keep hearing good things about it.
Re:The biggest downside to Firefox (Score:5, Interesting)
there's no cure-all (Score:3, Interesting)
Con: You can't use autocomplete (Score:3, Interesting)
If you leave autocomplete on, Firefox will save your credit card numbers in plaintext on your hard disk.
This bug has been known about for years. They won't fix it.
This just in... (Score:2, Interesting)
Let me put forward a little statistic of my own, gathered from what I've seen over the last few years as a network admin.
Number of computers compromised as a result of IE usage: 8 this year. Number of computers compromised as a result of Firefox usage: 0 (ever)
Issues with numbers (Score:5, Interesting)
We see a large number of nitpick vulnerabilities for open source because everyone can look at the source code and try to break it every which way. OTOH, finding exploits in IE is done by testers and hackers.
Regarding dupes, visiting Secunia shows many vulnerabilities for Linux distros, but you see the same ones over and over again for each distribution.
So while I agree that no software is perfect, and Firefox does have problems that arise from time to time, as does any software, I'll still be using the fox for my net browsing.
As for those testimonies in the article from people who can't get Firefox or Thunderbird working properly, wow. I've switched people's grandparents with no computer literacy with no problem. All I can say is that their system must be jacked up.
The switch from ie is worth it, but... (Score:2, Interesting)
Mr. Langa is a conversational terrorist (Score:4, Interesting)
You missed the point of the poster. He wasn't unhappy about the article being critical, but being very BIASED and critical. You know, it'd be like saying that Democrats/Liberals should listen to Bill O'Reilly... as if he listens to the other side.
What I hate the worst is not those who are biased, but those who claim to be things like "Fair and Balanced" when it's clear they're not.
Take for example this nice strawman argument that Mr. Langa puts forth:
Which he then cuts down systematically, as if his misposed argument had any value:
I can tell when people use Conversational Terrorism [vandruff.com], and I know then that they're highly partial and unreasonable to argue with.
Oh yeah... (Score:5, Interesting)
Re:More exploits? (Score:3, Interesting)
No, security by obscurity provides a fairly good amount of security assuming you can keep your code secure. The benefit of open source is that you [hopefully] write better code and/or have better testing that eliminates the major security problems before it goes into production. There's been a bunch of escalation of privilege flaws discovered in Linux in the past few months that use obscure race conditions and the like. Those would have been extremely unlikely to have been found without the source code. Read the detailed changelogs of the kernel updates - there's tons of little security flaws fixed all the time.
It's a tossup - Open source finds and fixes the little tiny bugs but you have to stay on top of the patches.
Re:symantec (Score:4, Interesting)
now i've seen reason to doubt their products. the main one i've seen come up many times is a trojan. i don't know the name off-hand. and it's with even the latest versions and definitions. you can update it today and i will almost guarantee it won't find it.
also, my other issue with their home product is that by default, it's set to try to clean the infected file. today's viruses can't be cleaned because the file is the virus. so if it can't clean it, it takes no action. that's the most absurd setting i've ever seen. they should have it set to try to clean and then quarantine if unsuccessful. i dread looking at computers that have norton installed, you know they're infected the minute they come in.
Re:The biggest downside to Firefox (Score:4, Interesting)
I like the ideas posted by others, have a shopping cart or checkbox system, allowing you to sort of preinstall various plugins. Maybe create some standardized basic functionality plugins that one may choose to download, and have an option for popular, more advanced plugins as well. You'll still have a small initial download, and will still have the option to have a very small browser.
Re:Critical? Pfft... i've seen better. (Score:4, Interesting)
Even www.quicktaxweb.ca rejected my firefox on Linux install, but accepted firefox on Windows. Just change the user agent to appear like FF on Win and it was almost perfect.
What pisses me off most about FF is that there still appears to be a memory leak if you leave it running for a while. I frequently leave my PC on overnight, and when I get it in the morning it takes a long time for FF to maximize in XP. Both work and home PCs show the same symptoms. That doesn't occur on my Linux boxen though.
And no, I didn't RTFA
easy to detect cc numbers (Score:5, Interesting)
1. Don't do autocomplete (or make this a default off option) on ssl forms.
2. Credit card #'s are 16 digits with known prefixes. [beachnet.com] Detecting them isn't a difficult problem. Same with social security numbers.
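The two suggestions in the comment above can be sketched as a single filter that a form-history feature would consult before saving a value. This is an added example, not code from the post or from Firefox; the function names, the short prefix table, the Luhn checksum step and the 15-digit American Express case go beyond the comment's "16 digits with known prefixes" and are assumptions for illustration.

```javascript
// Partial issuer prefix table (assumption: a real list is longer).
const CARD_PREFIXES = [
  { name: "Visa",       re: /^4/,      lengths: [16] },
  { name: "Mastercard", re: /^5[1-5]/, lengths: [16] },
  { name: "Discover",   re: /^6011/,   lengths: [16] },
  { name: "Amex",       re: /^3[47]/,  lengths: [15] },
];

// Luhn checksum: double every second digit from the right, sum, mod 10.
// Cuts false positives such as 16-digit order or tracking numbers.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = digits.charCodeAt(digits.length - 1 - i) - 48;
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return digits.length > 0 && sum % 10 === 0;
}

// Returns the brand name if the value looks like a card number, else null.
function classifyCard(value) {
  // Accept digits with optional space or hyphen grouping, nothing else.
  if (!/^[\d -]+$/.test(value)) return null;
  const digits = value.replace(/[ -]/g, "");
  const brand = CARD_PREFIXES.find(
    (p) => p.re.test(digits) && p.lengths.includes(digits.length));
  return brand && luhnValid(digits) ? brand.name : null;
}

// US social security number in its usual written form, ddd-dd-dddd.
function looksLikeSsn(value) {
  return /^\d{3}-\d{2}-\d{4}$/.test(value.trim());
}

// Hypothetical policy hook: should this field value go into form history?
function shouldStore(value, formIsHttps) {
  if (formIsHttps) return { store: false, reason: "ssl-form" };   // suggestion 1
  const brand = classifyCard(value.trim());
  if (brand) return { store: false, reason: "card:" + brand };    // suggestion 2
  if (looksLikeSsn(value)) return { store: false, reason: "ssn" };
  return { store: true, reason: "ok" };
}
```

The card numbers used to exercise this should be the publicly documented test numbers (for example 4111111111111111), never real ones.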
Silly argument (Score:2, Interesting)
He makes the argument that people who think Firefox is better believe so because of the smaller installed user base. IEusers = stupid, FFusers = smart. Therefore, of course Firefox comes off better. If Firefox had as many stupid users as IE, it would be considered as bad as IE.
I call bullshit. His own argument doesn't make sense, because then he argues that IE might have the same percentage of problems as Firefox. He's begging the question of whether the percentage of problem users is the same with each browser. What do you want to bet that someone is going to quote this article saying that "5% of Firefox users have problems! That's the same percentage of IE users that have problems!" Those are made-up numbers. He's using them as an example. He hasn't proven that they're equivalent.
He also digresses, severely, into "Linux isn't really more secure." Well, actually, it is. To my mind, the worst vulnerability out there is one that allows an attacker to remotely execute arbitrary code without user intervention and without personal intervention by the attacker, either. Getting someone to type in a password is a cross-platform vulnerability. Spending a few hours individually targeting that Linux server with old updates happens (just ask me about my friend's goddam mail server). Reading email in an email client with IE-HTML-rendering -- a proven way to do this -- is pretty specific to IE.
After all, it's Windows that has spawned the Sargasso Sea of worms, viruses, Trojans, etc. etc. etc. ad infinitum ad nauseam. There is a self-sustaining ecosystem of malicious code that infects and reinfects Windows. UNIX doesn't have that. Of course, UNIX is such a newcomer to the Internet that it hasn't had time to develop that ecosystem -- sorry, what did you say? I'm sure UNIX must be brand new, that's why there are so few automatic exploits, right?
Third, he thinks the raw numbers for vulnerabilities mean anything. They mean nothing, especially when you compare the different philosophies of Microsoft vs. most Linux distributions. Microsoft = admit a problem only if we have to, and then only before it's patched, and if you don't give us 6 months to patch it you're an irresponsible extortionist creep. Linux = full disclosure of every nitpicky bug anyone can think up, like the one where someone with physical access to your box can open the case and copy the hard drive! Claiming that CERT is a wonderful impartial catalogue of vulnerabilities -- when they roll over for vendors, and without mentioning their recommendation to avoid IE -- is disingenuous at best.
The real question for these security vulnerabilities is: do they matter? You can tell by identifying the following: Are they remote? How much user intervention is needed? What can happen if the vulnerability is exploited? DoS is sad but not, frankly, that big a deal. Arbitrary code execution is bad. Privilege escalation is bad. Sniffing passwords is bad. Does the attacker need to sit there and think about your computer or can he just turn loose an automatic exploit? It might even be that IE is better than FireFox on that at the moment -- I doubt it, but it's possible. However, Langa doesn't examine the real question. It's easier to count beans than to identify them, or know how to make use of them.
His argument seems to be that since Firefox isn't perfectly secure, it's as insecure as Internet Explorer. This is a fallacy. I can't remember which one. The stupid one, I guess.
Ok, now I feel better.
Poster bias: I loathe and despise Microsoft. I think Symantec is a parasite. I like Open Software but "free as in beer" means nothing to me because I also loathe and despise beer. I think Firefox is fine on Windows but it is lousy on Macintosh. My personal favorite browser is Safari.
Re:The biggest downside to Firefox (Score:3, Interesting)
The problem lies in that not all users know anything beyond point and click. For these users, getting to a site that says "You will need the flash plug in to view this site correctly" is a deal breaker. Even more so when all they see is just some innocuous little image that doesn't explain to them why it isn't working. (Ala the little jigsaw piece)
I wholeheartedly agree that firefox needs to have two rollouts. One with and without extensions. The idea of having an application, with an appropriate disclaimer which says mozilla is not responsible for anything the third party extensions do or don't do, that lets you choose which extension you want installed along with firefox is amazing!
I currently sit on a standards committee for the school district I work in and we shot down firefox, even though many of the admins use it on their machines themselves, because of several problems we saw as user issues with the browser.
Some of the other things we saw problems with were:
No Active X support (many of our online applications use active X)
Not as user friendly as other browsers (ease of use and clarity issues)
Lack of a real centralized support center (The forums are a rich resource..if you have time to run searches or wait for someone to answer your post, which in a real world environment, is not conducive)
Potential for abuse by students of all age ranges (The tabbed browsing is an exceptional idea! however, most teachers are too used to window browsing and wouldn't even notice the extra three or four tabs that are in the background hiding god knows what kind of sites from her view.)
We really REALLY wanted firefox, but these issues just couldn't be countered. Every time we tried to see if there were possible solutions, we were either met with hostility on the forums for daring to suggest that firefox was lacking in any area or we got silence.
The vulnerability timeline... (Score:1, Interesting)
http://bcheck.scanit.be/bcheck/page.php?name=STAT
Fred Langa... (Score:2, Interesting)
Wow, a chief editor for two Windows magazines. Go figure where the bias would lie.
I guess if I wrote for Linux Weekly, and published an article why Windows sucked ass, everybody should take me with great consideration because I would inherently be unbiased.
Bah.
Re:The biggest downside to Firefox (Score:2, Interesting)
To give firefox some credit...it's a lot more clean
the fact that maxthon is used over IE...makes it very compatible...it also has many extensions just like firefox, but lots of the stuff has been integrated and runs very smooth
I also liked some minor features...like highlighting text and dropping to open all the highlighted links. I felt it was easier for me to operate the way things were setup
forum [maxthon.com] the community is pretty fast and requests often get a good quick reply a lot of the stuff is run by Tara, who's extremely responsive
here's a linky Maxthon [maxthon.com], try it out if you want
From TFA (Score:2, Interesting)
This is right after the line that says, "Six vulnerabilities were reported in Opera and none in Safari." So it basically says, "The default OS X browser didn't have flaws, but anything that isn't M$ or IE has flaws." I just don't follow this train of thought.
I also noticed that if you add an 'i' to fred, you get "fired". I hope his bosses notice the connection.
Re:The biggest downside to Firefox (Score:3, Interesting)
And if you'd even bothered to do a little checking, you would know you can always open the install.rdf file in notepad/texturizer and change the "MaxVersion" to 1.0+ and it will work.
Bug/Features - Accountability (Score:0, Interesting)
If you design an application to autodownload, autoconfigure and autorun... no matter how annoying it is to everyone, it's a feature, not a bug. So, by the facts, according to Microsoft, these aren't security holes. Right?
Re:Mr. Langa is a conversational terrorist (Score:3, Interesting)
Re:The biggest downside to Firefox (Score:3, Interesting)
Would you prefer a 50Mb download
I think I speak for most users when I say they'd prefer they didn't have to download anything.
If a working version of Firefox came with their PC, just as Internet Explorer comes with their PC, then most people would be happy and would probably just use it in the default configuration.
System builders could provide a reasonable version of Firefox with only enough features that could reasonably be supported; the less-used and more fragile features could be loaded onto the hard drive and left to the user if they wanted to change things themselves. Again, without requiring a download.
Of course, all attempts to provide a reasonable improvement that buck the status quo are futile.
Re:The biggest downside to Firefox (Score:3, Interesting)
Hi. Opera is 4 megs and is quite complete.
Re:The biggest downside to Firefox (Score:3, Interesting)
No, but Mozilla is responsible for the interfaces. If an extension doesn't work anymore or crashes the browser, it's because the browser's extension interface has changed. By now this should be happening rarely, not with every new release (almost).
That's a good idea actually (Score:3, Interesting)
Ads indirectly cover costs (large sites get paid because they can claim X amount of people see the ads per month, not per click or per sale) and images are a very big bandwidth hog. So if a visitor doesn't want to look at ads then Yahoo saves some money by not showing images either. And as a possible bonus the web-site looks so terrible that the user stops blocking their ads just so the images load.
I haven't needed to implement it on my site yet but checking whether or not Javascript is enabled on the client side is quite trivial.
Server Side Javascript Check [icarusindie.com]
Once the server knows if Javascript is disabled on the client side the possibilities are pretty endless. Most ads (like AdSense) rely on Javascript so knowing javascript is enabled is important.
Comparing Security (Score:5, Interesting)
Actually IE6 has now been out for 4 years. And a person should hope that a 4 year old product that is used by millions of people every day should have the bugs worked out of it by now.
Now as far as how to compare them check out this article. [theinquirer.net] It compares security on a very sound premise: If you keep up-to-date with updates how long are you vulnerable. The answer: IE: 51 weeks during 2004, Firefox: 8 Weeks during 2004.
Let's rephrase that; using firefox I was safe from known exploits 10 months last year. If I was an idiot and used IE, I was only safe from known exploits 1 lousy week during the whole year.
Which are you going to choose? Get FireFox! [spreadfirefox.com]
Re:Critical? Pfft... i've seen better. (Score:2, Interesting)
The IE engine is loaded as a system resource, hence doesn't take time to swap in and out (the kernel can keep it from being paged out). This also keeps the memory from being reported in Task Manager.
Right now, I have the same 3 pages open in FF and IE, and FF is reporting 76MB, and IE is reporting 44MB. I have quite a bit more of browsing history in this FF session, which could account for some of the difference. I also don't have ANY plugins installed for IE, as I never actually use it.
I'm guessing that the special items in FF cause higher memory usage. Try turning off smooth scrolling (they may use a large off-screen buffer to render more page than needed)... and other non-essentials if you don't want all of the memory used.
Re:The biggest downside to Firefox (Score:4, Interesting)
Otherwise, it's a stated goal for 1.1 to have an official MSI installer.
Re:The biggest downside to Firefox (Score:3, Interesting)
Wake up developers, if 50% of people have to install a WMV plugin, or SWF, then damn well either have it pre-packaged, or have a sleek auto install method that works (and doesn't just go to another website)
Oh and fix the 250meg memory usages, how about a setting in Firefox that says - Do not use more than 90meg of ram. So then it can free crap it doesn't really need, or how about a real real real real smart cache, like a list of websites to keep as higher priority to cache.