December 7, 2007 11:35 AM PST

When more bugs can mean tighter security

Related Stories

Critics rap Microsoft safety study of IE, Firefox

December 4, 2007

At software giant, pain gives rise to progress

December 3, 2007
Related Blogs

Firefox churns to version 2.0.0.11


November 30, 2007

Public test next week for Vista SP1


December 5, 2007

Facebook's Zuckerberg: 'We simply did a bad job' handling Beacon


December 5, 2007
The Mozilla Foundation is perhaps best known for its Firefox Web browser, an open-source offering that was first developed to go head-to-head with Microsoft's Internet Explorer.

Tristan Nitot, the president of Mozilla Europe, has much to say on the differences between Microsoft's and Mozilla's approaches to browser development. CNET News.com sister site ZDNet UK caught up with Nitot at the Online Information conference in London this week to talk about the security of Firefox and Internet Explorer, online privacy, and the future of open source.

Tristan Nitot
Credit: Mozilla
Tristan Nitot

Q: A recent study by Jeff Jones, a Microsoft security strategy director, found Internet Explorer to be more secure than Firefox. Are you surprised?
Nitot: I'm surprised that bug counting, which is a terrible metric, was used by Microsoft. It isn't easy to assess security, but bug counting definitely isn't the way to do it. I'd rather talk about time to fix the duration of the window where users are at risk, which in our opinion is a much better metric.

In a nutshell, Microsoft claimed that because Mozilla had fixed more vulnerabilities since 2004 than Microsoft, IE was more secure than Firefox. What do you think of that argument?
Nitot: To quote Mike Shaver, (Mozilla's director of ecosystem development), just because dentists fix more teeth in America doesn't mean we have worse teeth than Africa. Just compare the number of high-security advisories over time between Internet Explorer, Firefox and Opera.

What is your opinion of the claim that the more vulnerabilities fixed, the less secure the browser?
Nitot: It's false logic. If you have issues and don't fix them you will look good on the outside but in reality you still have the issues. There's a really good movie, Les Repos--in English, The Rotten Ones--about two cops, one old, one young, and the younger is in the process of being corrupted by the older. They find a bad guy, catch him, and the young one wants to take the bad guy to the police station. But the old one says: "You can't do that--if we take him to the station the crime statistics will increase, and we will look bad. Release the guy and take his money. That punishes him."

This is comparable--if you do the right thing you look bad, but people are safer. What really counts is that our users are secure, and that people count on us to do the right thing. People within the Mozilla community have a better-than-average understanding of this--we work together and have to trust each other. If people hide, it's no good for the community or overall motivation. But we're not building fixes for our teams, we're building them for our users.

Let me give you a recent example. Ten days ago we released Firefox 2.0.0.10. When we released it a couple of hours later we found we'd introduced a regression, and that some Web site extensions were broken. We quickly decided to do another release, 2.0.0.11, which we released on Thursday night, three-and-a-half days later, which is a good turnaround. We don't like asking our users to update twice in a week, but we don't like regressions.

So it doesn't work to compare the number of vulnerabilities between the browsers?
Nitot: It's not good because it's comparing apples to oranges. Bug counting at Mozilla is very different to bug counting at Microsoft. We are open. We cannot hide or silently fix bugs--it would be betraying our community. We have to be transparent.

If people hide, it's no good for the community or overall motivation. But we're not building fixes for our teams, we're building them for our users.
--Tristan Nitot, president, Mozilla Europe

We like this, but it costs us in terms of PR. In Microsoft's world, people find bugs internally and will not publish or talk about security bugs. These bugs won't be counted by third parties, and can be silently fixed and pushed out in an update or service pack. And Microsoft service packs take a long time to come out--a year at least, maybe two. In the meantime, users are at risk.

I prefer Mozilla's approach--be transparent, and have our users secure, even if in terms of numbers that doesn't put us in a favorable light.

Microsoft's Jones criticized the length of time Firefox releases are supported, saying Mozilla drops its support before operating systems such as Ubuntu (which has committed to providing security support for Firefox 1.5 until 2009). What is your response?
Nitot: We are committed to providing a new major release every six months, but we are open-source. You can port fixes from Firefox 2.2 and 3 to 1.5, if you like, or ask Ubuntu to do it for you. Microsoft still supports IE 5.01, which is an obsolete browser. IE6 is already obsolete, so--IE5--come on!

The Web is in its infancy, but we have already wasted a long time in terms of innovation because browsers aren't evolving. Five years to have IE6 is way too long. Why would we want to stick to very old browsers that prevent Web sites from innovating?

Do you use Windows yourself?
Nitot: I used to use Windows, but now I use a Mac.

Why did you change?
Nitot: It was because of the end-user license agreement (EULA) in XP Service Pack 2. When SP2 came out, I read the EULA, because it's a contract. If you click "I accept," you've effectively signed a contract that binds you to Microsoft. When you sign something you've got to read it (beforehand). But what I saw was so creepy I couldn't click on the "I accept" button.

CONTINUED: Challenges for open source…
Page 1 | 2

See more CNET content tagged:
Mozilla Corp., bug, motivation, secure, vulnerability

12 comments

Join the conversation!
Add your comment
As usual, both sides of the fence, when it suits them.
Didn't they used to claim "look at all the bugs in IE. Switch to us for higher security/less bugs"

Now that MS has fixed a lot of the bugs and addressed security, somewhat, and happen to have fewer breaches lately, now they're saying that having bugs is BETTER for security??

Whatever.
Posted by Anon-Y-mous (124 comments )
Reply Link Flag
Err, no they didn't.
It was more like "look at how easily IE makes your computer into somebody else's *****. We want to make something that helps prevent that from happening".

Also, they never said that having bug is better for security. RTFM. What they did say was that having all of your bugs publicly viewable is better for security - at least that way everyone knows about it and is forewarned.

Internet Explorer has bugs in it now that no one outside of Microsoft and the undernet/hacker communities know about. It's like being on a cruise ship that's leaking water badly, but only some of the crew and all the rats down in the bilge know about it. In the analogy as in web browsers, you never really find out about it until it's way too late to save yourself from the results.

/P
Posted by Penguinisto (5042 comments )
Link Flag
Yep, Mozilla is full of hypocrisy
First they pointed to IE bugs to show that Firefox is better.
When pointed that Firefox does not have bugs because no security researcher has ever looked at it (because nobody uses it), and that when Firefox gains user share security researcher will find tons of bugs, Firefox guys said it will never happened.
Now it is *starting* to occur (I'm sure we'll see more once Firefox gets more popular), and they tell us that bug counts do not matter.
Posted by Mike E. (25 comments )
Link Flag
Cracks in the wall
Who cares which browser had the most "cracks in the wall"? It's
the severity of the problems that counts, not the quantity.

IMO, Mozilla might have had the most cracks, but IE on many
occasions has left all the doors open. When was the last time
you read a security bulletin that advised you to use IE instead of
Firefox? I can't recall any.

But when was the last time you read one advising you to not use
IE? For me, it was last week. In fact, it seems that most
advisories concerning websites have a "don't use IE" or "set IE
security to high".
Posted by rcrusoe (1305 comments )
Reply Link Flag
RE: Cracks in the wall
You are wasting your time. You can't argue with a closed mind.
But I have to say I can't recall ever having seen a Firefox browser
hijack and I have seen lots of IE browser hijacks. :-)
Posted by protagonistic (1868 comments )
Link Flag
Uhmm, yeh....
ok, where are you getting your advisories? Mozilla.com? Haven't seen one yet( a serious security firm) that tells me to not use one web browser or the other.
Posted by suyts (824 comments )
Link Flag
Use whatever you want
at the end of the day you get to pay for your own mistakes. That
includes poor choices in software. I know which vendor has cost us
billions of dollars in losses due to sloppy programming practices.
Posted by fastdodge (32 comments )
Reply Link Flag
Title is Awkward
Just like the initial story.

Posting the illogical crap which Microsoft spews out is low-down enough.

But trying to rectify yourself after the intial blurb... and with the title like you've posted it... (* LOL *)

Sounds like if Microsoft created more bugs... which they continually do... that their Operating System will become MORE secure! (* ROFLOL *)

Thus the title of this article is just as inaccurate as Microsoft's initial Slander against Firefox which you first posted!

Either IE is MORE secure or Microsoft's logic is not logical at all.

CNet News seems to be reporting it BOTH WAYS!... that just doesn't go over very well with me.

Either it is or it isn't... wishy-washy stepping on this side of the fence one time and the other side of the fence the next time isn't a good reputation maker!

Bottom Line: Either you're for or you're against Microsoft... trying to play the middle against each other will get your hands and feet burnt real quick like!

The facts are:
#1: Microsoft has lax security
#2: Microsoft's ill attempts to claim that they're increasing their security have been proven wrong time and again in the past.
#3: Microsoft continues to attempt to make a good name for itself for those willing to listen.
#4: If Cnet keeps supporting Microshaft's stance... I might just have to go out and look for a better source for my news!

Report the facts is what I'm interested in hearing. I don't care what Microsoft says or thinks unless what they say is factual, but I've yet to find that to be the case and I've been watching them closely since 1984!

Walt
Posted by wbenton (522 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.