There Is No Safe Web Browser

linuxgeek

src

Face it: There is no 'safe' Web browser

Netscape’s turn from wonderful to woeful last week set a new Internet speed record for embarrassment.

Hours after the once-proud Web browser’s Version 8 upgrade hit the streets, it limped back into the garage for an overhaul. Turns out the new browser had old parts from a rival browser, Firefox, and those parts were faulty. The flaws allowed dishonest types to sneak into computers through online connections and snatch user passwords and other personal information.

We’ve all heard reports of browser security trouble before; they’re as frequent as rain clouds over St. Louis in summer. But somewhere close to the problem’s description usually are the words “Microsoft” and “Internet Explorer.”

That’s what made the Netscape-Firefox mess-up so significant: This time, Microsoft’s once and future rivals for the online market were the ones encountering trouble, not its own quirky Web tool. After all, Netscape and Firefox had pinned their reputations on being more secure than Internet Explorer, the dominant browser since 1998.

Netscape recovered quickly from its stumble; a revised Version 8 appeared within 24 hours. Firefox, too, had fixed its flaws in short order. But the message to Internet users now must be abundantly clear: There is no such thing as a totally safe and secure Web browser.

The Netscape-Firefox bond

The continuing search for a better browser is why Netscape’s developers “borrowed” from Firefox. In fact, the two have close ties. You see, deep down, Netscape and Firefox are virtually identical. Key developers of the first later built the second using the same basic blueprint.

At their core is something called “Gecko,” what tech types refer to as a “layout engine.” Imagine Web page programming code as paint and the browser window as a canvas. Gecko, then, basically is the brush; it “paints” Web content onto the browser window.

Variations on Gecko, a very stable and versatile tool, also perform artistry inside other browsers such as Mozilla. The Mozilla browser and Firefox both come from The Mozilla Foundation, a nonprofit software development group founded by some of the same people who developed the first version of Netscape back in the mid-1990s.

Firefox grew out of the former Netscape developers’ build-a-better-mousetrap mind set. It first appeared as “Phoenix” in 2002, then “Firebird” a few months later. But copyright issues dogged those names, so the browser became Firefox in early 2004. The first full-blown, we’ve-got-the-worst-of-the-bugs-worked-out Firefox, Version 1.0, arrived in November.

Or so the developers thought.

Reality bites

Internet browsing as we know it began with Netscape in 1994. Before that, surfing the infant Web required something just short of a degree in computing (although Netscape’s predecessor, Mosaic, did simplify things). Netscape, however, was remarkable for being intuitive; even computing neophytes figured out how to get online with it.

This irked Microsoft Corp., which by then had made a name for itself with productivity software. But it was slow to catch a ride onto the information superhighway. So in 1995, the company licensed browser technology developed by Spyglass Inc. of Champaign, Ill. From that came Internet Explorer.

Microsoft quickly made up ground on Netscape in part by integrating Internet Explorer with the company’s Windows 98 operating system. Internet Explorer grew to constitute over 95 percent of all browser use about a year ago.

Firefox cut into that number, fast. The Mozilla Foundation didn’t just promote Firefox as an alternative to Internet Explorer; the foundation touted Firefox as much more resistant to electronic germs and hacks than Microsoft’s browser, and the browser market — frequently stung by flaws in Internet Explorer — responded.

Firefox managed to deflect the worst of the Web bugs — for a while.

It was only a matter of time

Firefox’s first major flaws turned up earlier this month. Its Version 1.0.3 exhibited at least two errors that, when manipulated together, enabled hackers access to the user’s computer. The flaws prompted a Version 1.0.4, which was issued three days later.

Netscape 8.0’s developers, it turned out, had used components of Firefox 1.0.3 in their framework.

That Firefox sported cracks in its shining veneer seemed inevitable, browser experts warned. The browser garnered 50 million downloads by late April, and is approaching 60 million — about 10 percent of the browser market. Experts believe that kind of popularity will attract hackers trying to find ways to exploit as-yet-unseen weaknesses.

Until now, hackers have concentrated on Internet Explorer because so much of the market depended on it.

Hacking happens

So if it sounds as if we’re all at the mercy of hackers just looking for some new challenge, that’s partially true. As law enforcement officers will tell you, crime finds you if it wants you bad enough, no matter what preventative measures you take. But the vast majority of criminals have an Achilles’ heel: They prefer convenience to challenge. For now, it’s more convenient for them to pick on Internet Explorer.

We rely on alarms and fences to minimize threats to our physical selves, yet most of us still don’t extend the same protection to our computers. It’s believed that today, even with thousands of computer viruses floating around — threats can enter a new computer within four minutes of first getting online — fully 70 percent of computer users still don’t employ antivirus measures or firewalls, or don’t maintain the ones they have.

Clearly, hackers wouldn’t be so successful if they didn’t have so many potential targets.

Of course, it’s up to software makers to hold up their end, too. But they’re no less susceptible to market forces, deadlines and bureaucracy than anyone else. Mistakes happen. Hacking happens. To assume you won’t fall prey to either fairly begs for trouble.

Of the thousands of computer viruses now available, most are variations on an earlier theme, a “Version 1.0” of their own. Antivirus and firewall programs are effective largely because they recognize this. Too bad most computer users don’t.

If they did, Netscape’s and Firefox’s problems wouldn’t have been such big news.
 
Those looking to make easy money from vulnerable users will always be one step ahead of the security people. It is inevitable that some flaws will be found in every browser/operating system and program that uses the internet for communication.
 
Is part of the reason I like using Opera. Does the job well yet is only 1% to 2% of the market share so hackers aren't very interested in hacking through it.
 
linuxgeek said:
Is part of the reason I like using Opera.

I started using Firefox about a month ago. It wasn't security concerns that prompted me to switch, I just wanted better performance and heard Firefox was faster than IE. So far, I'm glad I made the change. Just curious though, what's the story of Opera? I've heard of it, but I don't know anyone that's using it.
 
I just dropped in to say hi to linux.


I would read the first post but it would probably force me to call my tech and demand he reassure me that my laptop is as safe as it can be. I get nervous easily.
 
Thanks. Now I'll be worried my computer isn't safe at night.

*pets laptop* It's okay baby. No one wants all that nasty porn, anyway.
 
Nathon_88 said:
Thanks. Now I'll be worried my computer isn't safe at night.

*pets laptop* It's okay baby. No one wants all that nasty porn, anyway.



You pet your laptop too?! I knew I wasn't the only one...
 
Celtic Princess said:
You pet your laptop too?! I knew I wasn't the only one...

How else will it know I love it?

Conversely, why NOT think your computer might respond better to positive thought patterns than to negative ones?
 
Celtic Princess said:
I just dropped in to say hi to linux.


I would read the first post but it would probably force me to call my tech and demand he reassure me that my laptop is as safe as it can be. I get nervous easily.

Howdy. Life better?
 
Sanitysux said:
I started using Firefox about a month ago. It wasn't security concerns that prompted me to switch, I just wanted better performance and heard Firefox was faster than IE. So far, I'm glad I made the change. Just curious though, what's the story of Opera? I've heard of it, but I don't know anyone that's using it.

Opera isn't an open source browser. Does have 2 versions. The freely distributed one has an ad bar at the top that pulls up ads by Google searching places it thinks are related to where you are browsing.

I originally went Opera because I didn't want to open myself up to attack by using IE and Netscape had been taken over by the Illuminati. I also like that it has an ability to identify itself as IE, Mozilla, or Opera. Useful for sites who may be designed to give different content depending on the browser you use to view it.
 
Nathon_88 said:
How else will it know I love it?

Conversely, why NOT think your computer might respond better to positive thought patterns than to negative ones?


Exactly. See, it knows when I'm mad at it and things just get worse from there. So, I try to be nice.
 
Celtic Princess said:
Depends on how you look at it. :)

Thanks for asking.

How's tricks for you and your better half?

Is how life is most of the time. I try to go with the glass 1/2 full approach.

Not too bad on this part of the world. Guess the most special (as in short bus) thing at the moment is we've been notified the apartment property we are staying at is in the process of being sold and converted to being treated as condos. While it's a nice place to rent, I don't want to own it. The cool thing is the location we have found to consider moving to is 4 stories /w elevator and is willing to work with us for putting antennas on the roof. *big smile*

Could likely get the 2m/70cm antenna up since it would barely be visible from the ground so we'd be able to do all the local talking we need. The building design also gives the possibility of getting a wire antenna up which can be used for HF/shortwave so I can do my talking around the US & world from air-conditioned comfort. The management person LadyC talked to the other day was very interested in us being able to set up a weather station that the NWS could access to pull direct data for the area of Orange County. A very cool thing since there is nothing currently in place.
 
I used to use Netscape exclusively then it turned into a bloated unusable monster. So for the last couple years I've used IE. Then the whole Spyware fiasco hit and now I use Firefox.

Google is going to buy Firefox and they are going for Microsoft's throat (the desktop). Who will win, I don't know.
 
linuxgeek said:
haven't played with either of those. they sound like ones I've heard primarily used with OSX.


well get on it, man!!! :catroar:
 
I think that I'll stick with Firefox for now. I'm very happy with its performance.
 
Morwen said:
I used to use Netscape exclusively then it turned into a bloated unusable monster. So for the last couple years I've used IE. Then the whole Spyware fiasco hit and now I use Firefox.

Google is going to buy Firefox and they are going for Microsoft's throat (the desktop). Who will win, I don't know.

Unfortunately, I suspect if it comes to a battle of companies who are out to make money, Micro$oft will likely win. They are a Goliath with resources larger than most people can imagine.

Micro$oft's standard practice has been to do every tactic, ethical and otherwise, to kill off or absorb any competition (hence why many in IT refer to them as the Borg). The way it should work is someone going against them forces them to create a better product. Instead they just destroy the competition so people don't have choices and Micro$oft can continue to put out the same level buggy software and operating systems they have for years.

The nice thing about Open Source projects is there are very few ways Micro$oft can kill them off. When it comes to Linux, the best they have been able to do is bad mouth it or blow out of proportion any flaws it has. Of course I find this a funny tactic when Micro$oft products have the same flaws they are pointing out in others. Kinda like a dramaqueen bitching about someone else being a dramaqueen.
 
linuxgeek said:
The nice thing about Open Source projects is there are very few ways Micro$oft can kill them off.

Speaking of open source. What's Linux like these days? I tried Mandrake 7.2 a few years back and wasn't very impressed with it.
I couldn't get it to dual-boot with Windows like it was supposed to, so I just dumped it.
I haven't really kept up with the latest developments since then. Has it been improved much?
 
There is no such thing as perfect security - for web browsers or anything else.

The best anyone can ever hope to do is to put security in place that takes more time, effort, or resources than what it's protecting is worth. That, of course, assumes that the people doing the breaking in are after some sort of material gain.

If they're just looking for a thrill, then they're going to get in. Bet on it.
 
linuxgeek said:
Unfortunately, I suspect if it comes to a battle of companies who are out to make money, Micro$oft will likely win. They are a Goliath with resources larger than most people can imagine.

Micro$oft's standard practice has been to do every tactic, ethical and otherwise, to kill off or absorb any competition (hence why many in IT refer to them as the Borg). The way it should work is someone going against them forces them to create a better product. Instead they just destroy the competition so people don't have choices and Micro$oft can continue to put out the same level buggy software and operating systems they have for years.

The nice thing about Open Source projects is there are very few ways Micro$oft can kill them off. When it comes to Linux, the best they have been able to do is bad mouth it or blow out of proportion any flaws it has. Of course I find this a funny tactic when Micro$oft products have the same flaws they are pointing out in others. Kinda like a dramaqueen bitching about someone else being a dramaqueen.

Typing it as "Micro$soft" is kinda slashdotty-queer. You know how to read Slashdot right? You look at the links, and ignore the comments.

Google is the biggest threat Microsoft has faced in a long time. It's what Larry Ellison used to blab about, distributed computing. It's what Yahoo should have done a long time ago.

The software on the client side is somewhat irrelevant to the future. It will not be Linux though because Linux is about as user-friendly as tax law.
 
Morwen said:
Typing it as "Micro$soft" is kinda slashdotty-queer. You know how to read Slashdot right? You look at the links, and ignore the comments.

Google is the biggest threat Microsoft has faced in a long time. It's what Larry Ellison used to blab about, distributed computing. It's what Yahoo should have done a long time ago.

The software on the client side is somewhat irrelevant to the future. It will not be Linux though because Linux is about as user-friendly as tax law.

Yeah well, been a registered /. reader/commenter for a while. And I see M$ as a money machine not a software company.

I agree Google is a decent threat. They use over 10,000 Linux boxes to pull off what they do. Their only overhead is hardware and personnel. There are no off the shelf software costs.

The Linux desktop in many cases is...well... I think the best way I've heard it described is: Microsoft Windows expects you to know nothing. Linux expects you to be a genius.

The Linux desktops are getting better. SuSe Linux had a very nice desktop going even before Novell bought them. The advancements over what they had is likely just the natural evolution it would have gone through with a bit of acceleration due to corporate funding. One of the things which puts SuSe close to on par with M$ Windows is the fact that it installs with a lot of software. User just needs to figure out what is there not go searching the net and then try to install.

What will give Linux a shot at taking marketshare from M$ Windows is that it does have major corporate sponsors now. Novell, unfortunately, had many years of bad marketing & resource management decisions, and while putting out a server product superior to M$, they lowered their marketshare by spending so many years only advertising to CxOs. So they aren't the powerhouse they used to be. IBM, however, still has a decent marketshare. They are also saving a lot in R&D by building off Linux to pound out effective OSs for their newer mainframes and supercomputers.

What I see equalizing things is if we get people in government willing to slap down Micro$oft for its borg business practices. To me they aren't capitalism. Part of capitalism is competition. Forcing everyone in the market to produce a better product and be able to sell it for less while still making a profit. Micro$oft's borg practices are pure monopoly. And too many people get hurt by them for it to be a game.
 
I know of no one hacking Lynx. Yet. ;)

I've been running some tests on the Netscape 8.0 release (not the Beta version) and find it quite responsive. Speed wise it's as quick as IE or Firefox. Beats the hell out of their bloated 7.2 product.

I just looked at my browser stats for the yucks of it. It's amazing how many folks are running unpatched browsers out there. (77.9% are using IE 6.0 plain vanilla. IE 6.0.2xxx and 6.1 barely appear in the stats tables.)

Ishmael
 