Anyone see a game changer here?
Steven Bellovin
smb at cs.columbia.edu
Sat Jan 23 04:08:55 UTC 2010
On Jan 22, 2010, at 10:37 PM, William Pitcock wrote:
> On Fri, 2010-01-22 at 22:16 -0500, Steven Bellovin wrote:
>> On Jan 22, 2010, at 12:26 AM, Bruce Williams wrote:
>>
>>> The problem with IE is the same problem as Windows, the basic design
>>> is fundementally insecure and "timely updates" can't fix that.
>>
>> You do realize, of course, that IE is recording less than half the
>> security flaw rate of Firefox? (See
>> http://prosecure.netgear.com/community/security-blog/2009/11/web-browser-vulnerability-report---firefox-leads-the-pack-at-44.php)
>
> Consider for a moment that both Firefox and Safari are built on
> open-source code where the code can be audited. As a result, it is
> clear why Firefox and Safari are more "insecure" than IE, it is simply
> because the code is there to be audited.
>
> Frankly, they are all about the same security-wise.
>
I think that that's wishful thinking. IE has fewer security problems because Microsoft has put a tremendous amount of effort -- and often fought its own developers -- in a disciplined software development environment with careful, structured security reviews by people who have the power to say "no, you can't ship this". They've also put a lot of effort into building and using security tools. (For earlier comments by me on this subject, see http://www.cs.columbia.edu/~smb/blog/2009-04/2009-04-29.html)
I'm not a fan of Windows. I think it's ugly and bloated, and I don't like it as a user environment. I'm typing this on a Mac (which I like for its JFW properties, not its security; I do not think it is more secure than Vista or Windows 7); I'm also a heavy user -- and a developer -- of NetBSD. If the world suddenly switched its OS of choice away from Windows, I wouldn't weep. But I also would and do hope that the other platforms, be they open or closed source, would learn from what Bill Gates has done well.
--Steve Bellovin, http://www.cs.columbia.edu/~smb
More information about the NANOG
mailing list