
This story was printed from silicon.com, located at http://www.silicon.com/

Story URL: http://www.silicon.com/research/specialreports/opensource/0,3800004943,39129700,00.htm


Mozilla: Firefox 'as safe as a condom'
Browser-maker deflects security concerns by talking about sex...

By Paul Festa

Published: Wednesday 20 April 2005

As security bugs swarm around the Firefox browser, volunteer marketers want to shore up the open-source project's security message with a safe sex theme.

Eyeing the wave of bad press after Monday's reports of the Mozilla Foundation's patches for significant new security holes that could let attackers install malicious code or steal personal data, Mozilla's marketing volunteers are staying on-message with the security theme.

One campaign under consideration will associate the open-source browser with safe sex, showing a condom wrapped with the Firefox logo sticking out of the rear pocket of someone's jeans. "Always use protection," the ad copy reads. "Get Firefox.com. Firefox is the free web browser that offers greater privacy and prevents pop-ups, spyware and viruses."

The new patches have led Firefox partisans to finally acknowledge that the core sales pitch for their browser may be vulnerable.

"The versions of Firefox up to version 1.0.3 have had terrible security risks," wrote one participant for the volunteer Firefox promotion, Spread Firefox. "I think these security risks have undermined the promise of Firefox as a more secure browser."

While Firefox offers popular features like tabbed browsing that Microsoft's Internet Explorer browser doesn't have (although third-party IE-based browsers do offer them), it has managed to take IE down a few notches in market share – primarily based on perceptions that Firefox is safer than IE.

As Firefox approaches the 50 million download mark, some participants have begun contemplating celebrations of that milestone. But others have begun to fret that security concerns are weakening what many see as the browser's primary raison d'etre.

Those concerns have sprung a major leak in the Mozilla Foundation's message that Firefox is more secure, as foundation President Mitchell Baker asserted at PC Forum last month.

"The cynical may note that two Firefox security updates have been issued since Mitchell made her comments," Mozillazine wrote in a posting on Monday.

The Mozillazine discussion is one of many that have sprung up on Slashdot and other forums after recent columns in InformationWeek and the IT Observer questioned Mozilla's security superiority.

Mozilla insisted, as it has in the past, that it enjoys fundamental security advantages over IE.

"Firefox is safer for a couple of reasons," said Chris Hofmann, director of engineering for the foundation. "With these security releases, the security development community that works on the Mozilla code is actually finding these things before exploits can be developed or discovered by hackers. None of these things that we've produced patches for in the last couple of releases have been things that have been discovered in the wild."

Another reason, Hofmann said, is that Firefox doesn't use ActiveX technology, which he blamed for the preponderance of Microsoft's browser security woes.

"This is the major architectural advantage that we have," he said. "With the ActiveX and the security zone model, Microsoft has taken browsers in a different direction, which provides a mechanism for the most serious exploits in IE."

Mozilla has made its own stabs at ActiveX support. One project, which Hofmann deemed "experimental", is an extension that would provide support for specific ActiveX controls like the Windows Media Player. Controls would have to be on a 'white list' of vetted applications.

An ActiveX alternative, known as 'Plug-ins Future', is a joint effort between Mozilla, Opera Software, Apple Computer and plug-in makers including Adobe Systems and Sun Microsystems.

Security expert Mike Finnie, of Computer Forensics, called the security contest between Microsoft and Mozilla "a toss-up", though he lauded Mozilla's responsiveness and Firefox's pop-up controls.

"The thing I like about the non-IE products is that I find they're more easily user-configurable to prevent things like pop-ups and pop-unders, which can be security risks," said Finnie. "It seems that the Mozilla group is fairly immediately responsive to incidents of security lapses or bad code, and it seems to be making a genuine effort to fix them and get them released. But on a scale of one to 10, how many more points would they get than Microsoft? I don't know."

Paul Festa writes for CNET News.com.

