The..(ahem)… Browser Security Test… (cough)

Posted by Karel Donk on Thursday, December 29th, 2005

While reading an article posted by Mary Jo Foley on Microsoft-Watch, I noticed a link to Bruce Schneier’s blog to a post called “Internet Explorer Sucks”. I was, again, surprised to find out that people still don’t seem to get it.

On his blog, Schneier links to a webpage containing a study on browser security. If you go over to that website, you’ll notice the statistics about Internet Explorer on this page, and the statistics about Mozilla Browsers such as FireFox on this page.

According to the claims made in the study, Internet Explorer was known to be unsafe 98% of the time, and the Mozilla Browsers were known to be unsafe 15% of the time. Assuming their data is correct, this is, of course, true. However, I’m sure you’ve just noticed that I put part of a sentence in bold. Known to be unsafe.

You see, while the claim seems to be factually true, it sends out the wrong message. The wrong message which Schneier and Mary Jo Foley have immediately held onto, namely, that Internet Explorer sucks.

What I got out of the same data on those pages is this: Internet Explorer was not known to be unsafe 2% of the time, while the Mozilla Browsers were not known to be unsafe for 85% of the time.

Question: Would you rather KNOW most of the time that the browser you’re using has certain vulnerabilities and be extra cautious, or, would you choose to NOT know this and think the browser has virtually no vulnerabilities, while it actually does, and browse the Internet with a false sense of security?

Because that’s what it comes down to. If you look at the data on both those pages and compare them, what is immediately clear is that both browsers have had security vulnerabilities practically all year long. The only difference is that the vulnerabilities for the Mozilla Browsers were NOT publicly known. THIS IS VERY DANGEROUS. Why? Because it gave everyone using FireFox, for example, a false sense of security. People thought the browser had no vulnerabilities, while they clearly existed but were just not publicly known, and people were all switching from IE to FireFox. And while the public did not know about these vulnerabilities in the Mozilla Browsers, I’m sure the people who would want to exploit them, did. And they probably know about even more vulnerabilities which are, at the moment, not (yet) publicly known.

The point I’m trying to make is that people still don’t get that security issues on the Internet and with software in general, are a common problem that everyone and every product is dealing with, or is going to have to deal with. It’s not just Internet Explorer, people. As soon as FireFox gets popular, you’re going to see more exploits being published for it. Heck, the vulnerabilities ARE present, people just don’t feel like using them. Yet.
But hey, nobody pays any attention to that. Let’s just bash Internet Explorer and Microsoft for the lack of security.

I wrote about this earlier in the year. Just go over here and start reading at the “Security” heading. Also note the link to this article.

And call me crazy, but I’d rather use Internet Explorer and actually know that I have to be cautious for anything suspicious while I browse the Internet, instead of blindly relying on the incredible security people seem to think that FireFox has.


7 Responses to “The..(ahem)… Browser Security Test… (cough)”:

  1. tony Says:

    Quite frankly that's a complete load of old tosh. I was an IE apologist (they're the biggest, people always pick on them, etc.) but having had spyaxe install itself straight through my fully patched, ms anti spyware loaded, avg protected system, I must concur: IE SUCKS!!!!

  2. Karel Donk Says:

    Tony: “but having had spyaxe install itself straight through my fully patched, ms anti spyware loaded, avg protected system.”

    I’m not trying to explain away those issues. That is a terrible problem. However, bashing IE like it’s just Microsoft’s fault is the wrong thing to do. As I’ve said, FireFox could have the same problem as well. The vulnerabilities EXIST. Spyware writers just don’t use them yet, most likely because FireFox’s installed base is not very interesting yet.
    So it’s not a question of whether FireFox has better security than IE, because they both have vulnerabilities. People need to understand this.

  3. Jona Says:

    Okay, I agree, but I think the main problem is that most users don’t know how to behave when using the internet. Whether they use IE, FireFox or any other browser doesn’t matter, because they provoke vulnerabilities as long as they don’t know how to deal with a possible lack of security.

  4. Nick Says:

    So, using your logic, the best web-browser is full of backdoors, security holes and late-patched vulnerabilities. In fact, it doesn’t even have any security. And the best system is one that doesn’t have any anti-spyware or virus scanners, nor should you ever, in a million years, update your operating system.

    Why not? Well, because, as you so clearly explained, it is better to be cautious than to believe that your system can’t be attacked. In fact, you should be sure your system will be attacked, the more regularly the better. Oh, and any security holes you do find out, well, they should be published and known publicly for as long as possible before patching, just to make sure every last hacker gets a chance to test how cautious you can be.

    Yeah, right, that’s the moral of this story. Not that Microsoft are too slow when it comes to developing IE and should patch the KNOWN vulnerabilities quicker than they currently do, let alone providing additional protection against those we don’t yet know about.

  5. Karel Donk Says:

    Hi Nick,
    The best browser is whatever you prefer. As long as you know its strengths and weaknesses and don’t believe in things that are questionable (i.e. FireFox is more secure).
    I agree that MS should patch vulnerabilities faster. But so should Mozilla. Also, consider your definition of KNOWN vulnerabilities. While you may think that a lot of vulnerabilities in Mozilla browsers are not publicly known, people who’d want to take advantage of them most likely know about them.

  6. Jason Thibeault Says:

    Don’t forget that the underlying OS’ security architecture is responsible for a lot of the security. Firefox on Linux is not vulnerable to any Firefox-Windows or Firefox-Mac specific holes. Each OS may have their own flaws, but for the most part, the more generally secure the OS (architecture-wise, not vulnerability-wise — for instance, Linux vulnerabilities are fewer and farther between, and affect fewer machines per vulnerability, due mostly to the differentiation between user-level and administrator-level operations, the lack of necessity to have administrator privileges to run what one would normally consider user-space programs the way Windows sometimes does, and the lack of a monoculture in distributions and software used), the more secure every browser will be on it.

  7. Karel Donk » Archive » FireFox Security Getting Worse, Microsoft Improving Says:

    [...] Actually, FireFox security probably isn’t getting worse, but what may be happening is that people are now beginning to wake up to, and find, the security vulnerabilities in the software. When FireFox first became available, everyone seemed to believe the hype that it was the most secure browser available. As a result, many people started using it, thinking all of a sudden they were much safer while surfing the web. A false sense of security. [...]
