RB5-Black

as above ... just installed Mozilla Firefox and it seems a lot faster are there any security implications of this browser over Ie

Craig.

Iain Young

Both Ie and Firefox have got security holes.

Microsoft tell you about them and regularly fix them, Mozilla don't. They rely on you visiting their website to get the updates, (when they finish arguing amongst themselves about what they're going to fix and when).

Like you, I think firefox is great. However, don't be fooled into thinking it's more secure than ie, because it isn't. There are just less reports about expolits in mozilla / firefox because the browser is much less used than ie.

I use both

stevencotton

Actually Firefox *is* better than IE security wise (to date), and it's not an intergral part of the OS which is *much* safer to use. The flaw a couple of weeks ago only affected Windows versions of Firefox, what does that tell you?

IE is now no longer being improved upon until the next OS is out, others are. IE will hopefully die as the web evolves and IE doesn't.

Iain Young

That's only because it hasn't been hacked as much as ie (yet). Mainly because so few people are using it compared to the ie user base. Just because it's had less hacks, doesn't mean it's more secure. That's like saying that house over there is safer because it hasn't been burgled as much as that house over here. I suspect that as Firefox becomes more popular, just as many security flaws will be found...

Why? You can easily hack into the system without using a program that's an integral part of the os. In fact in some ways it's easier because you aren't so limited by the built in security contraints of the system, (you can hack round them).

It tells me that there was a bug in the windows version of firefox.

Actually that's not quite true. IE is in maitainence mode, so basically whilst no new features are being added, they are actively seeking out and repairing any reported security holes.

I think Firefox is the better browser, but to say it is more secure is just wrong and IMO generates an unheathly level of trust in an unproven product, (it's not even out of the beta stages yet). I'd rather just assume all browsers are insecure and act accordingly...

Iain

angrynorth

Agree with Steven. Stop using it, its appalling in almost every aspect not just security.

IE is the bane of my life as a web monkey as its just doesn't comply with any of the modern standards. Its a real pain to develop for so the less people use it the better!

Please get rid of it for my sake as well as yours

Iain Young

Actually, I find it just as easy to develop for IE as any other browser. IE, mozilla, opera all do stuff differently so you have to stick in browser detection stuff to handle stuff differently. Adding another browser switch / check doesn't take too much effort.

Don't get me wrong, I'm not defending IE, I just think that security is not a good reason for changing browsers, as firefox is unproven as far as that is concerned, it's in it's infancy as far as the development cycle goes, and because it has such a small user base, it has yet to receive the same level of hacker activity.

I can just see the scenario where everyone switches to the new product only for a huge hole to be discovered and the hackers have all of your bank account numbers. The grass is always greener....

I agree it would be nice if Firefox took over eventually though

Iain

angrynorth

Mozilla, Firefox, Opera and Safari all work with the latest CSS and XHTML standards. All the same code for these browsers.

It's IE that needs the hacks to work CSS properly and seeing as CSS is the present and near future of web design, then its IE that is being restrictive, not the smaller browsers.

For instance, the 2 major sites I work on daily are being held back in the design because we know the majority of our users use IE, and the new technologies that make for more consistent and reliable sites don't work with IE. These are very very big mulitnational sites with millions of users per week, being held back by one cruddy browser

stevencotton

It is unproven that software isn't 'hacked' because it isn't widely used. IE is a constant stream of critical alerts, more so than any other piece of MS software.

Houses are unique, software isn't. It doesn't make sense to correlate units of software in use against the number of bugs in it, it will be scrutinised by those that way inclined just as much as anything else. It's not the general public soak testing these products, it's that core set of people intent on finding ways to break things and they work independently of the masses. You only need one copy of the program to find problems. Any flaw found will be reported just as quickly as anything else - when it's found. Until then, it's a safer bet than IE. If there are flaws that nobody knows about, well that's moot since that goes for everything.

That implies there is decent security around the application. What if the application itself is the cause of the problem, such as the browser help feature in IE that allows one to completely bypass any SSL layer? It's not easier or more difficult than anything else but you're more likely to get more bang for your buck if your app is badly written and part of the internals.

No, it's true I said it was no longer being developed, not patched, but patching holes doesn't mean new or even improved support.

Is there a cut off for 'proven'? All you can do is look at the numbers and the frequency and make up your own mind. Unless you can travel into the future all you can do is make up your own mind right now, and looking at the stats IE is more trouble than it's worth.

There are recommendations from the people that bring you these security alerts warning it may be prudent to move from IE. It's not as if you'll even be missing that much, IE only loosely conforms to any standards!

Steve.

Iain Young

Ouch, I know where you're coming from there angry...

The software I'm currently writing (servlet based web application providing code analysis tools) has to work on all browsers, and involves large amounts of javascript, dhtml, css etc. Some of our customers (one or two of the biggest banks in the world, credit card companies, a couple of the major car companies etc), use IE in-house, others use Mozilla and one or two others use things like safari. I'm trying to do some pretty advanced / complicated dhtml manipulation, (basically trying to make the web page behave like an application rather than a website - without using java / flash etc) and it can be a real nightmare sometimes getting it to work.

Next job is to write my own dhtml x-browser drop down menu thingy to replace the dodgy freeware script I'm using at the moment. Hopefully shouldn't be too difficult onder2:

Opera is the biggest headache in my experience. To say it's not very good is an understatement. It might try and implement the standards, but it's sooooo full of bugs it's just not true..

Mozilla and firefox are based on the same engine (as is Netscape 7), so I'd expect them to implement the standards in a similar way

It's be nice if everyone used Firefox, but seeing as ie has something like a 90% user base out there, I don't think it's gonna happen soon

Iain

angrynorth

Unlucky! Sounds like my worst nightmare!

I agree about Opera, its pretty poor on the Mac to and it seems that installations vary from user to user on the PC, with some things working on one machine, but not another.

All in all though, I wouldn't have a problem with IE if it had modern CSS support. As for its security though, for the benefit of most users, a switch would be better in the long term. All IMO

Iain Young

I love these Friday afternoon debates


I was just making the point that just because the holes haven't been discovered, it doesn't mean that they are not there. You could argue that because IE has been around for so long, and fixed etc that it's a better choice than something which could have far greater problems waiting to be discovered (the probability of finding such a large hole in IE is less because it's had so much more testing).

I just have problems recommending that people switch to a beta piece of software before it has had any decent soak testing.

Semantics


Of course there isn't. However, which would you put more faith in? A product which has problems but which are fixed practically as soon as they are found, and has been actively and rigourously tested for many years, or a new product with no real soak testing which is still only in the beta phase of the development cycle?

True, but unfortunately there are many web sites out there which just don't work with Firefox. My online banking for example. I know that's not the fault of the browser, but until these sites either implement proper web coding standards, or Mozilla extend their feature set to include the MS extensions (some of them would be nice to have - especially some of the event handling / mouse pointer changing etc), we'll just have to keep using both....

Iain

angrynorth

Oh, the banking thing...

I used to bank with NatWest, they forced the use of Mac IE to view the online thingy. I emailed them and told them I wasn't interested in using Mac IE and I wanted to use Safari instead as it was more secure. They then emailed me back saying it wouldnt work in Safari no matter what.

I emailed them back some screengrabs of it working using Safari's debug menu to "clone" Mac IE so it could bypass the browser protection. All working perfectly, stylesheets in place and javascript menus fully built. I requested that they simply removed the browser checking as it worked fine.

They replied saying that Safari presented a security risk and they wouldn't take off the browser detection. They told me that Mac IE 5 (2 years old) was more secure than the latest, updated Safari and said that I had to use IE.

I now bank with Nationwide.
I got a letter from NatWest the other day asking why I wanted to close my accounts and a customer service satisfaction form

Iain Young

LOL

Natwest is my bank as well. Got much the same response from them when I was having trouble with Firefox and their website... muppets.....

stevencotton

Especially when one has the day off and are just waiting for pub time

Certainly, I could also argue the other way. It doesn't take very long to change your browser, it's just a click away. You can only test for what you know so testing is useless against new found flaws, and new bugs are just that

I am a programmer too

People pay for MS software, and they pay a lot more for support contracts and SLAs. That's why MS _have_ to fix things immediately. The flaws are usually quite specific though and with some vigilance you can avoid them. shell:// schemes are few and far between. Loading an innocent, high profile web page and being trojaned is all too easy.

Problem for me too. Again this was caused by Microsofts monopoly, almost forcing ignorance on the computer-using population. Could have easily been avoided too but these problems started with Mosaic and Netscape, long before IE came about. People just used Netscape-specific markup instead

Steve

Iain Young

Oi, don't rub it in. I've now got to sit through an hour or two meeting (conference call) with my fellow programmer chaps from the USA. Not really what you want on a Friday afternoon when it's sunny outside <sigh>.....

Never mind, nearly the weekend

SCOSaltire

doesnt matter which browser u use - they all are different.
the web is a mess.
not as bad as it was 6 years ago tho!
maybe in 5 years time the browsers will be running to 1 specification. i sure hope so.
we used to use pop-up menus and other javascript/css enhancements.
we dont now because we have to be more concerned with accessibility (even for those that cant spell )
so we design the web applications to work to those standards

JackClark

I've just finished an our with the West coast, made them get up early for a change