Saturday, April 15, 2006

Firefox Claims of Better Security Increasingly Questionable

Firefox fans put new spin on browser security

This article steps up to the reality that browser security is not a function of open source code being inherently more secure code. Perceived security, measured by frequency of successful attacks, is a function of ubiquity and design. As any application or platform gains more market presence, it becomes more interesting to attack. Hackers are highly skilled individuals who have the desire to make names for themselves. Consequently, they will attack targets with greater visibility. When was the last time you read about someone writing a virus or Trojan for the Amiga platform?

Fundamentally, what this debate typically boils down to is emotion, zealotry and ideology. Much of the emotion, zealotry and ideology is simply anti-Microsoft, much like a lot of the support for Kerry was simply anti-Bush sentiment. You can only react against something with an anti-ideology for so long. Eventually, the antithesis has to stand for something. And when the antithesis is the "Windows is less secure than open source" assertion, it doesn't stand up to scrutiny, as Firefox's security problems illustrate.

The blind ideology is expressed well in this quote, which was obviously not vetted by the guy's PR people.

"The thing I like about the non-MSIE products is that I find they're more easily user-configurable to prevent things like pop-ups and pop-unders, which can be security risks," said Mike Finnie of Computer Forensics. "It seems that the Mozilla group is fairly immediately responsive to incidents of security lapses or bad code, and it seems to be making a genuine effort to fix them and get them released. But on a scale of one to 10, how many more points would they get than Microsoft? I don't know."

In other words, the guy thinks Firefox is better than IE but has no idea how much better it is. He can't put a number on it because he has no evidence for it. He just feels it.

IE has security issues. I'm not saying it doesn't. What I am challenging is the assumption that open source is inherently more secure simply because it wasn't developed by Microsoft. Linux, Solaris, Firefox and Mac OS X are all alternatives to Microsoft products. And all of them have locations on their websites where users and admins can download security updates.

Mozilla Security Updates Page
Macintosh OS X Security Updates Downloads
Sun Microsystems Updates
RedHat Linux Security Updates
Novell SUSE Linux Security Announcements

If open source is inherently more secure than proprietary systems, why do these pages exist? And don't give me the argument that Microsoft has more problems than some other favored platform, because that's not a standard of measurement. That's just a copout.