Saturday, September 24, 2005


Mozilla Firefox and the Open Source Myth

The open-source movement is to computer security what "intelligent design" is to the science of evolution:

1) Its claims must be taken on faith.
2) If you disagree, you must be crazy.
3) There's no listening to reason.

A fine example of this quasi-religious fanaticism centers on the Mozilla Firefox web browser, an open-source alternative to Microsoft's Internet Explorer (IE). There has been growing alarm over the past year, particularly from the open-source community, that IE users should switch to Firefox "as a security measure" (see, for example, here and here). The gist of these claims has rested on the notion that Firefox is inherently safer than IE because fewer people use it (thus making it less of a target for hackers), and that it lacks, by design, certain "dangerous" features like ActiveX.

While these sound like plausible arguments, are they testable, or even relevant?

The first claim -- one should switch to Firefox since it's inherently safer because it's less popular -- is self-defeating at best. As Firefox gains popularity (it now amounts to roughly 10% of browser usage by most estimates), it increasingly becomes a target for hackers. In addition, as it becomes more popular, users demand more features, thus creating more opportunities for vulnerabilities.

This makes the second claim -- that Firefox is inherently safer because it lacks some features -- somewhat suspect. Because Firefox "as-is" lacks many features that users want in a browser, various providers of add-on "plugins" have come to the rescue. However, those plugins have created their own security flaws in Firefox. (reference)

Back in March 2005, Mitchell Baker, president of the Mozilla Foundation, dismissed these questions on faith. "There is this idea that market share alone will make you have more vulnerabilities. It is not relational at all." (reference)

In other words, trust us -- the Kool-Aid's great!

Unfortunately, the open-source mantra doesn't appear to stand up to scrutiny. Symantec, the computer security company, recently released a study on browser security (reference). While Symantec has a clear motive to raise concerns about any browser's security, the report raises serious questions about Firefox's security.

The report notes that 25 vendor-confirmed vulnerabilities (18 high severity) were disclosed for the Mozilla browsers during the first half of 2005, "the most of any browser studied.... During the same period, 13 vendor-confirmed vulnerabilities were disclosed for IE, eight of which were high severity."

The Mozilla Foundation countered the report by saying that the security flaws in Firefox have been less severe than those in IE. "Which would you prefer, to have a broken finger, or your head ripped off?" quipped Mozilla Europe president Tristan Nitot. He also assured the public that Mozilla can react faster than Microsoft because its code is in the users' hands: it is open source, while IE's code is non-public. (reference)

Of course, one could just as easily argue that Firefox's vulnerabilities to date have been less severe because its smaller user base is spread across a wider number of platforms; that open source code makes it that much easier for a hacker to find a vulnerability; and that a for-profit corporation has a very strong incentive to make sure a high-profile product like IE gets fixed.

The fact that Mozilla's own servers distributed versions of Mozilla Suite 1.7.6 and Thunderbird 1.0.2 that had been infected with the Linux.RST.b virus doesn't help Mozilla's case. After all, these corrupt versions had been contributed as part of the open-source process. (reference)

So who's right? Just like with "intelligent design," there's no way to scientifically test the open-source claims, except to wait and see. You can't run an experiment where Firefox jumps to 40% of the browser traffic and simulated hackers try to exploit its vulnerabilities.

The mantra of "open source good, closed source bad" reminds us that in George Orwell's Animal Farm, the animals become what they disdain. So, too, can open source as it develops and grows. Linux is now as much a corporate product of IBM as Lotus Notes. Mozilla Foundation, true to corporate form, brushes off criticism of its products while it insists users rely on them with a faith bordering on fanaticism: software by "intelligent design." -- GAHJr
