Germany Warns Against Using Firefox
jayme0227 writes "Due to the recent exploit in Firefox, Germany has warned against its use. This comes a couple months after Germany advised against using IE. Perhaps we should start taking odds as to which browser will be next." Note: the warning (from the Federal Office for Information Security) is provisional, and should be rendered moot by the release later this month of 3.6.2.
Free software in action (Score:5, Insightful)
This just in (Score:3, Insightful)
Software is inevitably going to have bugs in it and try as we might, it's something we'll always have to deal with. There are always mitigation strategies, such as running Firefox in a virtualized environment a la Sandboxie [sandboxie.com] or a full virtual machine, but we'll never be privy to using only bug-free software day to day. I'm glad to see the German government taking an active approach to notifying people in regard to vulnerabilities in an attempt to mitigate them, but as TFA states, what's the point in suggesting users quit using Firefox when the alternatives are potentially just as vulnerable?
Re:To add some information to the void.. (Score:3, Insightful)
Seth, scroll up one post in the blog. 3.6.2 was released tonight.
Bah (Score:4, Insightful)
Responsible reporting (Score:3, Insightful)
The German government seems to be being quite responsible here. There is an issue with Firefox, and most users probably don't know about it because they don't regularly read tech news sites.
The government is simply trying to keep people informed about this rather important topic, and has done so in a reasonable and proportional way. Not every warning put out is a damning condemnation of flawed security that mandates switching to Lynx you know.
Re:3.6.2 released (Score:4, Insightful)
And if you want to be really safe - use Lynx instead. No images, no Flash, no Javascript, No ability to view pr0n.
Re:Bah (Score:4, Insightful)
So, what would you rather have?
That they warn you about vulnerabilities in IE6, but ignore vulnerabilities in open source browsers?
I think they've done the right thing - there was a security hole (in the 'current' 3.6), and they warned about it. Their warning DID include that it affected the 'current' 3.6 version and that it should be fixed in 3.6.2.
That's fair comment, and it's their job to report it and not lull people into a false sense of security that the (then current 3.6) version of firefox was safe.
If they had NOT warned, it might have damaged their reputation for NOT covering it, and it might also have helped MS lobbying efforts if they could have been shown to be biased by reporting on IE issues, but not Firefox ones...
Re:3.6.2 released (Score:5, Insightful)
> No ability to view pr0n.
I doubt that.
Re:Free software in action (Score:4, Insightful)
I want software that was correctly written and had no exploits to begin with.
And I want Anonymous Cowards to start making /. posts that are insightful, useful, and realistic.
And WHERE'S MY PONY?!
Re:Free software in action (Score:5, Insightful)
Re:3.6.2 released (Score:3, Insightful)
> And if you want to be really safe - use Lynx instead. No images, no Flash, no Javascript, No ability to view pr0n.
Use Noscript.
Re:Free software in action (Score:5, Insightful)
Because "don't set this place on fire" is not a fire escape plan. Bugs and vulnerabilities will happen either way, and you still need a plan for dealing with them.
Re:Free software in action (Score:4, Insightful)
They just ship OpenBSD with most services disabled by default, and then claim it is safe by default.
That's similar to Microsoft's shipping IE on their server O/S with most stuff disabled by default, and then claiming that IE is not vulnerable on their server O/Ses by default.
Yes they are safe by default just like a car with its wheels, engine and battery "disabled" by default is safe from most carjackers.
Re:Free software in action (Score:4, Insightful)
Creating 100% secure software is like trying to prove an absolute statement (as in "All X have Y") - to prove it right, every single one of the subjects of your statement has to conform to it, while proving it wrong only takes one that does not.
Or in more specific terms: no matter how good the team developing a piece of software is and how long they have to do it, all it takes is one of them making a single mistake and the result is not 100% secure.
It's reasonable to expect that all first order mistakes (i.e. the blindingly obvious) are caught; it is however not reasonable to expect that higher-order mistakes (for example: "unexpected interactions with a different version of a certain library installed in the same system in the 64 bit version of the OS") are caught, especially those relating to external factors (which can change after the release is done).
Also there are economic limits to the level of security in a piece of software: more specifically, time is money, getting only the top best professionals to do it is a lot of money and (surprise, surprise) people are not willing to pay the higher price that such a product would require to break even.
Re:Bah humbug! mod parent TROLL (Score:3, Insightful)
The difference is that Firefox has vulnerabilities like any normal application... Internet Explorer on the other hand has been the forefront infection vector for botnets of hundreds of thousands of machines for the past decade.
Re:Free software in action (Score:4, Insightful)
None of those Mozilla-loving eyes found this bug, yet a researcher unaffiliated with Mozilla but certainly looking for exploits, found it. Now what about all the researchers looking for exploits in order to driveby firefox users.. that will just keep the damn thing a secret?
Yeah.. they got the fix out fast. Bravo. Look at the real significance of these events, tho..
Re:Free software in action (Score:3, Insightful)
No matter how clever you think you are, no matter how hard you work to prevent vulnerabilities, they will be in the release code in something as complex as a web browser (or an Operating System).
"I want software that is written correctly and has no exploits" is an unrealistic expectation. It's like saying "I want my power tools to be built in such a way that they cannot possibly harm me"
Most (certainly not all) software is built with very careful reviews, trying to figure out ways that black hats might exploit the software and code against it. But it's an arms race - the black hats are constantly working on ways to get by the software.
So, yeah, while I agree with GP that "I want software that is written correctly", this is the real world, where there are bad people who will think of things you didn't and break your software. So this cannot possibly be an "either/or" decision.
I want people who write software as correctly as feasibly possible, understanding that humans make mistakes and that other people are out there who are just as clever as the software authors and who do nothing but try to break it. I accept, in return, that I have to take a role in securing my system if I want control over my system.
More importantly, I want people who are open and honest about those flaws when they happen, acknowledge the flaws quickly, and fix them very rapidly. I can't defend myself against a flaw I do not know exists, and I want that flaw to go away very quickly once it is discovered. I have seen precious few teams who crank out fixes faster than Team Firefox.
So far, in the browser world, I have yet to find a team that releases consistently higher-quality (not perfect, but high-quality) code, is more open about their vulnerabilities, and responds to defects more quickly than the Firefox team. That's not to say that all other browsers out there are bad, or that Firefox is 100% secure, but the Firefox team appears to be doing about the best job one could realistically expect. And yet, it's still all free.