Firefox Lead Engineer On Origins, Security, And More

An anonymous reader writes "ZDNet has an interesting interview with Ben Goodger, the lead engineer for Firefox. When asked to comment on critics' claim that Firefox has a better security reputation than IE because it doesn't have enough market share to attract trouble, Goodger responded with a one-two punch. "Firefox is better designed in a number of ways -- we have no "mode" that allows untrusted content to be executed automatically, for example -- no "safe zone. Another reason -- market share does not predict security. Apache has more market share than has Microsoft IIS, which has more holes than Apache." On Longhorn, he believes it will be a tough sell for Microsoft because of backward compatibility issues."

firefox vs. Nortons

[zardoz342]

I just had a customer tell me he deleted Firefox because the latest version of Nortons told him it was a security risk, so he's back to IE, and blamed ME for compromising his system

Re:firefox vs. Nortons

[Ieshan]

Absolutely false concerns.

We run Norton Antivirus and Firefox side by side, with no trouble whatsoever.

While I'm not doubting that someone stupid might have done such a thing, Norton certainly wasn't the root of the problem.

Re:firefox vs. Nortons

[Gherald]

I just had a customer tell me he deleted Firefox because the latest version of Nortons told him it was a security risk, so he's back to IE, and blamed ME for compromising his system

It was probably "Norton Internet Security," aka firewall. Firefox was "trying to access the internet" so Norton prompted the user to authorize this. It's perfectly normal Windows firewall behavior (cf. SP2 firewall, ZoneAlarm, etc).

Nothing to be concerned about.. have you tried explaining this to your customer?

Re:firefox vs. Nortons

[EnronHaliburton2004]

>Nothing to be concerned about.. have you tried
>explaining this to your customer?

Something about "Pack the computer into the box and ship it back. You're obviously too stupid to use a computer."

Re:firefox vs. Nortons

[Gherald]

> Something about "Pack the computer into the box and ship it back. You're obviously too stupid to use a computer."

Well then, as a sysadmin it looks like I ought to start deactivating at least half of my users' accounts . . .

Re:firefox vs. Nortons

[dtfinch]

That's the spirit.

Re:firefox vs. Nortons

[tod_miller]

So it is fine for Spyware/Dialers to be taken of softwares 'threat' lists, but legitimate software?

I cannot believe not more fuss was kicked up to stop Sophos (or whoever) removing the dialer software of thier list.

It is thier software, they advertise it as preconfigured to thier judgement. If all cisco routers suddenly came preconfd to block mp3 packets, then we would all sooon find isp's telling cisco to remove this feature, or shop else where.

I am guessing people wont mind dialers being blocked and that it is a service.

Dumb client probably completely missread it, or saw a zonealarm request for access or something.

User, pfftsk.

Ugh

[billybob]

Those are the type of people that made me want to commit suicide when I did tech support. :(

Re:firefox vs. Nortons

[bob65]

I just had a customer tell me he deleted Firefox because the latest version of Nortons told him it was a security risk, so he's back to IE, and blamed ME for compromising his system

How did you respond? I hope you did something (preferrably violent) to him. It is one thing to be ignorant, but an entirely other thing to accuse someone (especially someone who was trying to help you) of wrong doing. There is absolutely no excuse for that, and no one should have to put up with taking the blame for somethin

Distribution

[brilinux]

I wonder whether this also has to do with Firefox's more varied use. I have used it on FreeBSD, OpenBSD, Many Linuces, as well as Linux. It seems that regardless of the browser used, any of those systems other than Windows would have a better security situation anyway. While it is still better on Windows, overall, I would say, that a large amount of its relatively low rate is the non-windowsness.

Nah

[billybob]

I understand what you're saying but I would wager that well over 50% of the firefox installations are on Windows machines. Remember - MS Windows has over a 90% share of the entire OS market. I know that a large portion of that market are extremely stupid people who wouldnt know a browser from their own ass, but there are a lot of smart people who do use windows you. I know, hard to believe :P

Re:final 1.0

[0x461FAB0BD7D2]

you could try the Mozilla Suite itself, replacing both IE and OE. And Mozilla Seamonkey is 1.7 (1.8 if you like alpha releases).

It's simple

[Stevyn]

The Mozilla Firefox team was able to look at all the wrongdoings of Microsoft and avoid them from the ground up. Firefox is a great app and I use it everyday. I cringe when I have to use IE at school.

Microsoft could always ditch IE and use firefox code to develop their "new and secure" browser, but they've been pissing OSS for too long to take that route.

The browser wars are starting back up again. IE hasn't changed in years because it hasn't had to. Now everyone is screaming to use firefox over IE. This hurts Microsoft because they need to keep the image that they're the best of everything.

I hope firefox kills them in the browser wars. They have a better product. It was designed with usability and security in mind.

Re:Correction

[stormcoder]

Boy I wish I had mod points. Clueless people going on about things they don't know anything about.

ActiveX is native code, essentially, specially modified DLL's that run unsandboxed with the same permissions as the parent process. This opens up all kinds of fun things you can do to someones system. On top of this interesting feature there are IE zones, which give different default execution permissions. For instance, the Internet zone causes a prompt to be shown when an unsafe ActiveX control is trying to execute. Unfortunately it is relatively easy to trick IE into thinking an ActiveX control is coming from a trusted zone, which doesn't prompt before executing an unsafe ActiveX control. And another problem is that many ActiveX controls are marked safe, but are in actuallity, unsafe.

So how is the above similar to XPI? You always get a prompt from XPI files. Even if an XPI is signed you get a prompt. What's similar?

Re:Correction

[phobonetik]

While, yes, always prompting is essential, as soon as FireFox gains market share into the general base of 'standard pc literacy', people are way too careless to click 'ok' to anything, and hence install/wipe/ruin their computing experience. Having a prompt is a definate edge, but I hope from your implication above that XPI doesn't let runaway extensions on Mozilla to wreak as much damage.

Re:Correction

[hattmoward]

Maybe Firefox should ship with XPInstall disabled, and pop a warning explaining that it is disabled (if it is disabled) whenever an XPI is clicked. The current behavior with it disabled is to do nothing. I have only seen one site attempt to install an XPI "for me" like so many ActiveX controls that get offered to you in IE, and that will likely ramp up if Firefox becomes more common.

XPI has pretty much the same power as a runaway ActiveX control, theoretically limited to the OS permissions of the proces

Re:Correction

[stormcoder]

But what makes the entire ActiveX fiasco truly horrendous is that a malicious ActiveX wont give you a prompt. If there is a prompt at least there is a good chance to avoid it. It is very difficult to build a fool proof mechanism because fools are so ingenious. There will be users who bypass safety mechanisms no matter what you do.

Re:Correction

[stormcoder]

This is actually a very nice illustration of the difference between XPI and ActiveX. Notice that you have to explicitly click on a link to download an XPI. This is not the case with ActiveX. Typically, ActiveX controls are embedded into the page and are automatically downloaded. Since the control is automatically downloaded, all you have to do is trick the browser into thinking that the control is coming from a trusted site. This has been done and will continue to be done because of the concept of a trusted

Re:Correction

[NutscrapeSucks]

First modbombing and then bullshit. Sieg Heil Mozilla!

ActiveX is native code, essentially, specially modified DLL's that run unsandboxed with the same permissions as the parent process. This opens up all kinds of fun things you can do to someones system.

Same with Mozilla XPI. Or do you really ignorant enough to think that there is any "sandbox"?

Unfortunately it is relatively easy to trick IE into thinking an ActiveX control is coming from a trusted zone

And what if you could "trick" Mozilla in a siml

Re:Correction

[stormcoder]

Ah, low end Slashdotter; Uses insults instead of their brain.

XPI's are not "Auto-installing", they prompt you. You have to download them explicitly. ActiveX controls are embedded in the page and download automatically. Mozilla has no concept of zones so you can't trick it into thinking the code comes from a privileged zone. There is a difference between a possible bug in Mozilla vs. an intentional feature built into IE. You speculate that one day there may be a bug that allows XPI's to be installed without

Re:Correction

[NutscrapeSucks]

Uses insults instead of their brain

Right, you are a condesending ignoramous with his facts wrong. And you started it :)

ActiveX controls are embedded in the page and download automatically.

This is just factually incorrect. (Unless you mess with the settings, but this is also true of FireFox.)

Re:Correction

[stormcoder]

Since you are so all knowing. Tell us exactly how ActiveX works and then tell us exactly how XPI works and then contrast them for us.

If I have my facts wrong tell us which facts? I have IE set to default and I view a page with an ActiveX control embedded in it, what happens? Tell us how you embed an XPI in a page? Where am I wrong? Saying your wrong and I'm right doesn't make it so. Lets see some specifics.

Re:Correction

[efishta]

In my default settings for both Windows 2000 and XP, even before the recent SP3 and SP4 for 2000 and SP1 and SP2 for XP, Internet Explorer has always prompted me if I would like to install the ActiveX control. Always - and it has always been on default settings as well.

Check your settings, because there's something wrong there, or you accidentally hit the spacebar or Enter or hit Yes without reading the dialog box that pop ups.

That's the fact the parent was talking about.

Re:Correction

[stormcoder]

There is a difference between installing and downloading. If you check your cache the control will be there. And just because you happened to be prompted in some cases doesn't mean you're prompted in all cases. For instance, if the control is downloaded from a site listed in your trusted zone then you won't get a prompt for the installation. The problem comes with the fact that it is relatively easy to trick IE into thinking the control came from a trusted site. This is how a lot of spyware gets installed.

Re:Correction

[NutscrapeSucks]

As I said, ActiveX and XPI are very similar, as XPI is a clone of ActiveX functionality. The difference mainly lies in the policy mechanisms, and even there they are very similar.

You make a point elsewhere that a user has to "click a link" to install XPI, so I suspect that's what you mean by "embedding". Well, a few months ago (before the whitelist appeared), there were pages that attempted to install malicious XPIs that were "embedded" (when the page loaded). I didn't View Source and see how they worked,

Re:Correction

[stormcoder]

Embed as in the embed tag or the object tag. That is how ActiveX objects are typically loaded in Webpages. The equivalent can be done in Javascript as well. Even if the control is not installed, the code is still downloaded.

What makes all the difference is the point that you keep glossing over. The security zones. Microsoft has built in a feature that would be considered a bug in the other browsers. The function to be able to bypass all security restrictions. This would even be a problem if ActiveX ran in

Re:Correction

[NutscrapeSucks]

XPI also has no sandbox at all and can bind to all local components, "safe for scripting" or not. Once again you commit falsehoods by pointing out a problem in IE and implying that it does not exist with XPI. Good day.

Re:Correction

[stormcoder]

XPI is sandboxed by the API. If the API doesn't allow it, it can't do it. ActiveX has full access to the Win32 API. There's a big difference here. I also never related "Safe for scripting" and XPI. "Safe for Scripting" is another ActiveX idiom and has nothing to do with XPI. You keep calling me a lier, among other things, but when I ask you for a specific instance all I get is "YOUR WRONG, expletive". Your simply a waste of electrons.

Summary of conversation so far:

Nutscrape: YOUR WRONG, YOUR WRONG, YOUR W

Re:Correction

[NutscrapeSucks]

XPI downloads can call Win32. YOUR (sic) WRONG. Expletive!

Solution: stop being wrong all the time. (And I agree, attempting to talk to you is lame.)

Re:It's simple

[prostoalex]

The Mozilla Firefox team was able to look at all the wrongdoings of Microsoft

Let's set the record straight - Microsoft won the browser wars over the Netscape, because it delivered a better product with IE 4 and IE 5. Netscape Communicator 4 was bulky, glitchy, slow to load and slow to respond with ugly widgets. Netscape 6 was the same nightmare with different skin and off-the-scratch source code. IE at that point was faster, easier to use, and had native Windows widgets with faster response times.

IE 6 is function-less, incapable of being customized (internal popup blocker did not come till SP 2) and is a security nightmare. Firefox just delivers a better product at the time.

Microsoft was not always a loser in this game.

Re:It's simple

[dimator]

Let's set the record straight - Microsoft won the browser wars over the Netscape, because it delivered a better product with IE 4 and IE 5.

Let's set the record a little straighter - are you sure bundling the browser had nothing to do with its popularity?

Right, but Parent is still right

[brunes69]

Bundling did play a factor yes. And bundling is what has kept them in the lead for so long.

But the parent is totally right in saying that Netscape 4 - 4.5 sucked donkey balls. It was slow, bloated, and incredibly hard to develop HTML for because of its goofy layers system. Even if MS had never bundled anything, I am quite convinced that Internet Explorer 4 (and later 5) would have gotten the majority market.

After that it becomes more grey. If IE had never been bundled, IE6 vs. Netscape 6-7-Mozilla is much more difficult to call.

Re:Right, but Parent is still right

[richie2000]

Even if MS had never bundled anything, I am quite convinced that Internet Explorer 4 (and later 5) would have gotten the majority market.

MSIE was free back then. Netscape Navigator wasn't, it cost (IIRC) around $25 or so. It wasn't just the bundling, it was the 800 lbs gorilla doing the funky billion dollar dance all over the puny competitor. Just another business day in Redmond.

Re:Right, but Parent is still right

[delus10n0]

Who cares? What benefits the end-user? Microsoft:

1) Made a better product (IE)
2) Gives it away for free.

What the crap is wrong with that?

Are you going to get upset with Apple for giving away iTunes, iPhoto and iMovie? What about Safari?

Either you make a better product, or admit defeat. It's fairly simple logic. The whole bad stink about IE being bundled into windows is stupid.

Re:Right, but Parent is still right

[richie2000]

What the crap is wrong with that?

What's wrong with that is that they used their ill-gotten gains (over-priced Windows, as seen in court) and market monopoly to push their own version of a supposedly open technology. That created lock-in and made is easy for them to push ActiveX and IIS to sell Windows servers, making it more difficult for the "better product" to compete on even remotely equal terms. To add insult to injury, they ignored IE for years after they won the first browser battle - simply becaus

Re:Right, but Parent is still right

[delus10n0]

That created lock-in and made is easy for them to push ActiveX and IIS to sell Windows servers

Says who? The numbers don't reflect that, FYI, as Apache holds the web server "market share". You also aren't required to use IIS in order to deploy ActiveX objects on your website.

To add insult to injury, they ignored IE for years after they won the first browser battle - simply because they had achieved their market dominance.

Who cares? You can use any browser you want. No one's forcing you to use IE's. Lik

Re:Right, but Parent is still right

[delus10n0]

One would argue that Firefox's popularity/"market share" is on the rise, despite Microsoft's "dominance".

Re:It's simple

[Quill_28]

>Let's set the record a little straighter - are you sure bundling the browser had nothing to do with its popularity?

No way. I hated netscape with a passion.
It was slow bulky and other bad things.

IE was much better IMHO.

I now use firefox. Why? Because it is better than IE IMHO.

It don't see wordpad the defacto word processor just because it was bundled with windows for the last decade.

And again

[Safety Cap]

Let's set the record straight - Microsoft won the browser wars over the Netscape, because it delivered a better product with IE 4 and IE 5.

Ahh, let's set the record even more straight (with a nod to dimator [slashdot.org]):

Netscape made a fatal development decision. THEY CEASED DEVELOPMENT FOR THREE YEARS. Let me say that again: some PHB acquiesced to the developers' request (or decided on his own---who knows?) to allow them to start over. Oh a medium to large project, you never, ever, ever start over [joelonsoftware.com] when market shar

Re:It's simple

[delus10n0]

incapable of being customized (internal popup blocker did not come till SP 2)

Huh? You can install BHO's, such as Google's or MSN's toolbar, or an app I use called PopUpCop to deal with that stuff. So yeah, IE can be customized.

Re:It's simple

[gilesjuk]

I agree with all those points.

The problem I have with IE is the lack of updates and the fact that it's mostly now a Windows product.

Companies can manage security a lot easier with one browser across the whole organisation. They're more likely to think about deploying Firefox if the org uses different operating systems.

Re:It's simple

[Anonymous Coward]

Microsoft never WANTED to develop a browser. They were FORCED to by MS execs who thought Netscape had enough potential to cause money loss. Once they made a feature-rich browser (although insecure, no one argues that it doesn't do enough), they put Netscape into the red. Now they drag their heels everytime someone finds a security issue in Explorer. It served its purpose and they aren't interested in continuing its development.

Re:It's simple

[kinrowan]

I must disagree. I do say IE doesn't do enough.

Firefox is far more feature-rich than IE, once you take into account third-party extensions, which is the second reason most of the people that I know who use FF give for using it over IE (after security). That additional functionality can't be dismissed.

Firefox market share is up to 18% on technology

[prostoalex]

Both W3Schools.com and CNET News.com report that Firefox users make up 18% of their audience [itfacts.biz]. Techie-oriented sites, I know, so doesn't speak much for mainstream, but Google was a techie-oriented engine at some point as well.

Re:Firefox market share is up to 18% on technology

[MrHanky]

That's a pretty big share. I found another one for a newspaper, and took the liberty of copying the stats in my journal [slashdot.org]. Of course, this one is skewed differently from w3schools.com, but it should be about as mainstream as it gets.

For the lazy: Mozilla Firefox has about 1.5%, Linux has about 0.60%. And no, as with all other web statistics, it's not scientific.

The most important thing he said...

[EvilJohn]

...and why Firefox will succeed:

"I use the tools that let me get stuff done quickly -- no brand affiliation or idolatry."

another good message

[BigBir3d]

To access this site, the minimum recommended browsers include Microsoft Internet Explorer version 5 or higher, Mozilla Firefox, or Netscape version 7 or higher.

this is the message on my companies employee website! :-)

security?

[Anonymous Coward]

hey how about that -feature that allows you to show ones saved passwords if they dont have a master password set? (oh btw the master passwd being asked for every 3 seconds is frustrating) yeah i know there were other ways to do this, but theres no good reason to a user interface in firefox for it. this -feature- affects firefox1.0PR it is listed under bug 259996

I love

[Shulai]

The crappy ZDNet.au site and its CSS that render text invisible.