MozillaZine

France Telecom Switches to Communicator

Thursday October 14th, 1999

Jean-Luc Esser writes, "France Telecom - First French Telecom Company - switches to Netscape Communicator in all offices for their mail needs. Until then they were using IE! Way to go!!"

Great news! I'm not surprised they did this, and I would expect more companies (especially European companies) to make a similar move. IE5 is incredibly insecure; I can't imagine *any* company concerned with security wanting to standardize on it.

No URL for this news yet - let us know if you come across an article concerning the switch, and we'll post it here.

#1 Hrm...

by leafdigital

Thursday October 14th, 1999 11:03 AM

Was the recent Netscape "oh look, you can write html on your webserver that runs any native binary code you like on the computer of anyone who views the page" bug fixed in 4.7, btw? :) [I assume it was, they mentioned security fixes, that's a rhetorical question...]

I don't think either browser has a great claim to be secure (though IE is obviously a lot worse to judge by the massive number of IE holes found every month or two - or is that because it's made by Microsoft and is also more popular, and therefore is more likely to be attacked?). Hopefully Mozilla will be an improvement. In the meantime, I think the best security available is "security through obscurity" - i.e. they should've gone for Opera, who's going to bother creating exploits for that? :)

--sam

#2 Hrm...

by FrodoB

Thursday October 14th, 1999 12:35 PM

>or is that because it's made by Microsoft and is also more popular, and therefore is more likely to be attacked?

Probably a little of yes and a lot of no. Certainly, Linux crackers (as opposed to legitimate hackers, who are generally good-natured) may be more likely to attack IE, as it's from the evil giant of Redmond. But on the whole, I would say that's not the main reason, because most of the security holes are found by researchers at Princeton and related universities by people who are trained to know lots of ways to break most security impasses; it's their job to find holes like this. The holes found in this nature (by academic research) hardly are meant to cause harm to the software involved; indeed, the studies are to make the software more secure. But lately, many more bugs have been found in IE 5.0 than in Netscape (the one advantage of an old codebase is that security inevitably gets better over time); it's logical to think that the older product, with an adequate amount of fixing, would be more stable.

I don't expect Mozilla to change this trend, as security holes tend to be exceedingly obscure (even if you know where the hole is, it often doesn't make sense as to why it occurs). The only way to really have tight security is to have a team of crypto experts hammer on the product consistently in all possible fashions for months (essentially what the research labs do, unless the security hole is painfully obvious), or to do what's currently being done and patch the holes as they are found. However, Mozilla architecture might be good enough to squelch some holes; no one really knows yet.

Disclaimer: I'm not a security guru, and I make no guarantees as to the validity of what I just said. If it's wrong, I'll gladly take correction from someone more knowledgeable in the field than a college freshman.

#3 Code quality

by leafdigital

Friday October 15th, 1999 2:44 AM

What you said makes sense. However, I think Mozilla might have an advantage (despite its newness) if the code is of better quality, as newer code may well be. (I haven't looked at Mozilla source though.)

For example, a large proportion of these security holes are caused by simple buffer overrun errors in various parts of the code, and good-quality code should always check buffer size or allocate dynamically.

Of course, there is also the issue of open-source which (though I don't think open source is a panacea by any means, and many products achieve better quality while still being closed-source) does certainly have security advantages because of greater code scrutiny. Holes are likely to be both discovered and fixed more quickly.

By the way, I disagree with your "hacker/cracker" distinction.

I think it's a misguided distinction anyway (as far as I'm concerned, a cracker is somebody who breaks copy protection in computer software, usually games - I used to do this so I should know ;) - but that's a sidetrack...

What I'm trying to say is that the people who find most of these security holes (excepting university researchers) are not doing so for malicious intent. They are hackers, not "crackers" in any sense of the word; they generally publish exploits (so that browser manufacturers etc. can fix problems) rather than keeping them secret and using them for nefarious purposes...

--sam

#4 Ok, fine, yes....

by FrodoB

Friday October 15th, 1999 7:57 AM

There is that third group of volunteers who deem it their civic duty to help fix security holes. So we have these three groups:

1) Those who exploit bugs, which tends to lead to a solution because someone complains and reports it.

2) Those who discover and publish bugs, which leads to a solution but can allow the nefarious to exploit the bug until it's fixed.

3) People paid (usually by universities and research institutions) to find security holes in browsers.

That work? :)

(Oh, and if crackers are the people who crack copyrights, and hackers are people who generally take code and try to improve it, change it, or whatnot, what is the word that denotes people who take code and make it worse? Jerks? :) )

#5 Ok, fine, yes....

by Anon

Friday October 15th, 1999 11:56 AM

I've heard these three groups of "hackers" described as White Hat (the ones that break security so that it can be improved in the future), Black Hat (the ones who break security so that they can do evil things with our files), and Munchkins (the ones who break security because it's fun).

I think there were more classifications in whatever source I got these from, but I can't remember where that was. I'm fairly sure that it wasn't just an elaborate joke on Red Hat Linux...

#6 Corporate homogeneity

by Anon

Sunday October 17th, 1999 3:56 AM

To me there is something bad about a homogeneous environment. If someone finds an exploit for program X and the company runs program X only, then there is a greater risk -- and black hat crackers who know this can do a lot more damage (to wit: see how the Melissa virus hit MS-only companies). Even if NS is a thousand times more secure, the point still applies. (Also, users might be happier if they could choose their favourite mail program.)

Of course, you might argue that switching from IE already makes the environment less homogeneous, since NS is not "integrated" with the other programs the way IE is (disclaimer: I have never used IE, and almost never use Windows, so I don't know what I'm talking about :-)

On our numerous Windows machines, the students can choose freely between NS and IE. Personally I use both NS and lynx for web browsing, but MH for mail. (I was even luckier: I could choose which OS to run!! Hehe.)

--jgj (J.Jensen@rhbnc.ac.uk)

#7 France Telecom Switches to Communicator

by Anon

Sunday October 24th, 1999 8:12 AM

Netscape is, I think, the more secure and - generally - better product. On the other hand, NS 4.7 is behind Microsoft in a few things: one of the most important is that Messenger can only host 1 POP3 account while Outlook can host a lot of them. As most of the existing problems will be fixed in Mozilla/Netscape 5, it's important to get a final release as soon as possible - else a lot of users will switch the other way round: from Netscape to MS - and we all don't want that to happen....