Reader Comments (rss)

(Flattened / Threaded)

1.  

   

   nonuser, Mar 1st, 2005 @ 11:51am

   
   

   half correct

   Windows XP (many users log in as administrators, all windowing code runs in kernel mode, scriptable media applications are considered non-removable parts of the OS) and IE (think ActiveX) really are architecturally less secure, but it's also true they are the main targets. I expect to see more successful attacks on both Linux and FireFox... and the open source community will start sounding more like MS when they say that responsible users need to download the patches as soon as they become available.

    

   [ reply to this | link to this | view in thread ]

2.  

   

   opo, Mar 1st, 2005 @ 11:57am

   
   

   spyware is not security

   you are confusing the issue of spyware and security. IE has many security problems that are completely unrelated to spyware. The alternate browser crowd is more secure because they do not have these same gaping holes.
   
   Spyware can be avoided by using an antispyware program, security holes in the browsers can only be handled by fixing the security holes.

    

   [ reply to this | link to this | view in thread ]

3.  

   

   Tim, Mar 1st, 2005 @ 12:04pm

   
   

   Jumping the gun

   I've seen this a few times, now: in earlier days, open-source was just plain `more secure'. Then it was `more secure because updates come out faster'. These were days before Firefox, nae even Mozilla, was a glint in a web-surfer's eye. Since then, open-source has had to deal with scalability: the packages we know and love are now *huge*, beyond many a solitary programmer's wit to debug, let alone tweak to integrate with anything else.
   
   So we'll have to see how the Firefox team copes with pushing out an increasing number of fixes, and whether the Internet population actually bothers applying them in a timely enough fashion.
   
   In fact, I'm going to go out on a limb and predict that a return to modularity is going to be required in the near future. The javascript engine *should* be farmed-out to shared libraries for the purpose. So should the UI. Let Firefox be a *minimal* refactored core with lots and lots of semi-optional libraries, preferably that can all be updated from the core itself. The plugin architecture is right, but it's too high-level for the bugs remaining to be discovered.

    

   [ reply to this | link to this | view in thread ]

4.  

   

   Mike (profile), Mar 1st, 2005 @ 12:06pm

   
   

   Re: spyware is not security

   Not really. While you're right that they're two different things, the reason spyware gets in is often because of security holes. So, the amount of spyware getting through is basically a proxy for the security of the browser itself.

    

   [ reply to this | link to this | view in thread ]

5.  

   

   Anonymous Coward, Mar 1st, 2005 @ 12:32pm

   
   

   Re: half correct

   The notable difference is that, so far, the turnaround time for security bug-fixes in large open-source projects is far less than the turnaround time for MS to release security fixes. I'm talking 24 hours vs 6 months as a kind of comparison.
   
   I think that open-source projects are only marginally more secure than closed-source projects by their open nature, and comparing actual security in general isn't possible on that scale; it's a project-by-project thing, because it depends on the number and calibre of people involved vs the project complexity.
   
   Open source projects should have better peer-reviewed fixes that come out in a more timely fashion, and that's the only difference. I think such a difference is a really important one, and that, while OSS stuff can't always be vastly more secure inherently, that the turnaround time makes a very big difference.
   
   

    

   [ reply to this | link to this | view in thread ]

6.  

   

   Ralph, Mar 2nd, 2005 @ 11:06am

   
   

   Re: half correct

   ActiveX Controls not being able to execute is the primary reason for Firefox being able to be more secure. Don't need 'em don't want 'em. Also ads can be eliminated with plugins increasing safety and useability.

    

   [ reply to this | link to this | view in thread ]

Add Your Comment