warpmedia wrote:
All browsers need to add a security zone model so one can browse in dumb mode until a feature is needed, & then make damn sure it works as advertised (M$ has come a long way with the XP SP2 version). Sun Java certainly has problems.

Agreed. It is unfortunate though that MS has a "local zone" which some software and help files rely on greatly. I wish they would separate it out since it allows for the nasty "read this local URL" attack. That was one of the first attacks that allowed you to bypass the basic security zone controls!


age. If avg joe can't figure out how to get more, then tough shit, they had to learn to drive a car too.

I would prefer if the average joe knew how to securely browse, etc. However, my point was a matter of flexibility. Warpmedia and I both enjoyed flexible controls for those in the "know". We are unhappy that NO such flexibility existed in the alleged "more secure" browsers when we both knew better than to trust anyone.


I do not trust Microsoft IE either. There is a reason why I run as a normal user. For example, the local zone bypass attack would have hit me if I blindly trusted that layer of security.

Actually, the point is that IE has granular up front security toggles. FF, Opera, and Mozilla do NOT. They also did not include them by design, whereas IE had it in 5.5. Hopefully they will include them in the future but it is disappointing that the "other browser" vendors had the hubris to believe they could be "better" than Microsoft with regards to security.

So if Mozzy learns & adds proper per site lockdowns, it's a step in the right direction. As of now they're doing an M$ head-in-the-sand about the real problem. Hence the bad venom coming out of my mouth about them.

Agreed. Once Mozilla and Firefox put up granular controls for javascript+java and per session, then in my eyes they are a much closer match against IE. The only drawback being ActiveX, but that is pretty minor.


Lastly it seems there's a lot of FF apologists around who would bash M$ in a second for such problems but are just as quick to go easy on their new buddy mozilla.

The developers are not much better either. The attacks the Firefox developers did to us on their bugzilla lists (a few others who saw the lack of per session support) was astounding. It was such a negative attitude that it disgusted me. The worst part was, we found out that the reason was "it was too hard to fix given the way Mozilla and Firefox was designed". Then they played it off as "too bad, no one needs such features". By the way, one of the primary reasons Firefox is not used in kiosks... lack of session support.


I wonder what their take is on granular security controls. I figured why bother taking nasty counter-criticism, so I did not bother posting a feature request for that one. I could already anticipate the "we do not support Active X so we are 100% secure" kind of responses.



--

- Carroll Kong
