Internet Explorer vs. FireFox Part 2
As with the last post, as I began to answer the questions posted as comments, I found myself quickly drawing near 3 pages (with questions). The original post can be found here, and the last post can be found here. That said, I will now begin to answer those.
How does "extensive customization (similar to web.config) on the users end" allow for security? If anything, wouldn't fewer restrictions mean less security? From what I read, you didn't answer my question about how .NET will make for a more secure experience, a statement you ended your previous article with. From what I read, you mention the future use of .NET components in Vista. You do mention Authenticode as a security feature for ActiveX controls, but that has been around for a while, been subject to (successful?) exploitations, and has nothing to do with .NET (or does it?). So then, how does .NET really make for a more secure experience?
I apologize for not completely answering your questions; I thought that I had. The extensive customizations are not necessarily fewer restrictions (though they could be made to be such). When I say extensive configuration, I mean fine-grained control over the application. I talk about the web.config file because it illustrates how there can be many predefined areas with certain valid values while the file is still extensible to contain custom sections and values. If you are not familiar with the web.config file then I will try to illustrate how this works.
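As an added illustration (not part of the original post), here is a minimal ASP.NET web.config showing both halves of that description: predefined elements that accept only a fixed set of values, and a custom section declared by the application. The section name componentSettings and its keys are hypothetical.

```xml
<?xml version="1.0"?>
<!-- Constructed web.config for illustration; all values are assumptions. -->
<configuration>
  <!-- Extensibility: a custom section must be declared before it is used. -->
  <configSections>
    <!-- "componentSettings" is a hypothetical section name. -->
    <section name="componentSettings"
             type="System.Configuration.NameValueSectionHandler" />
  </configSections>

  <system.web>
    <!-- Predefined element: mode accepts only Windows, Forms, Passport or None. -->
    <authentication mode="Forms" />

    <!-- Predefined element: rules are evaluated top to bottom, first match wins. -->
    <authorization>
      <deny users="?" />   <!-- "?" means anonymous users -->
      <allow users="*" />  <!-- "*" means everyone else -->
    </authorization>

    <!-- Code access security level: Full, High, Medium, Low or Minimal. -->
    <trust level="Medium" />

    <!-- Predefined element: mode accepts only On, Off or RemoteOnly. -->
    <customErrors mode="RemoteOnly" />
  </system.web>

  <!-- Custom section: hypothetical per-component preferences. -->
  <componentSettings>
    <add key="sendUsageData" value="false" />
    <add key="storeLocalData" value="true" />
  </componentSettings>
</configuration>
```

An unrecognized value in a predefined attribute (for example an unknown trust level) is rejected as a configuration error when the application loads, while the custom section is only interpreted by the code that reads it.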
The security benefits and configurations in and of themselves are large topics. From Vista’s view, it mainly locks down the computer’s settings (file system, registry, etc.) and stabilizes the components. I expect to see a performance gain as well, but that may also be due to the hardware that will be running Vista. For brevity I will not go into detail about how Vista improves security in Windows, as this is a rather large topic and it is not complete as of this post.
From Internet Explorer’s perspective there will be certain areas that are globally available (I do not know what these are as of yet, as IE7 is still in Beta 1 and is very far from a full release; as you can see here, it is mainly in a compatibility testing mode). These settings are similar to the ActiveX restrictions currently in Internet Explorer.
The last area will be the component’s customizability. This is where the component would allow the user to optionally change things (if needed). This could include many things, such as whether they want to send usage data, store local data, etc. These would be as needed by the component depending on what it would need to do. Remember the flow of rights though: even if you enabled a way to send information over automatically, if that kind of activity had been disabled, say in Vista’s preferences (most likely Indigo’s preferences), an exception would be thrown and hopefully handled gracefully by the component.
Much of this is still up in the air, as the new versions of Vista and Internet Explorer are still up in the air. The best way to predict how this will affect things is to compare Service Pack 2 to most of Microsoft’s other updates: Significant. I wish I were able to give more specific details as to each of these settings that will be available, but I am a poor college student and can’t afford an MSDN subscription; right now I am limited to what I read and what others say.
I am not aware as of yet if Authenticode has been subject to exploitations. Authenticode is still based on two of the industry’s highest-security hashes (MD5 and SHA1). This is not to say that these are perfect, but from what I have heard it would not be worth taking the time and resources to break a signature.
It is also good to remember that components may not be just browser only objects, such as an Optical Character Recognition (OCR) program integrating with a browser to automatically read text found on images.
In your last article, you stated that FireFox is "subject to all of the security vulnerabilities as internet explorer". In this article you respond to that statement by noting that Service Pack 2 takes steps to lock down unauthorized ActiveX controls. Alright, but that still means Internet Explorer can use ActiveX (which we already agree can be used for malicious means), and FireFox does not. Therefore, FireFox is not subject to the security vulnerability of ActiveX that Internet Explorer is, right? Therefore, FireFox is not "subject to all of the security vulnerabilities of internet explorer", right?
You are correct, FireFox is not vulnerable to malicious ActiveX controls. At the same time you are not able to benefit from good ActiveX controls. When people complain about their computer acting funny I always send them to Trend Micro’s online scanner because it’s free and it always has the latest definitions. This service is provided by an ActiveX control. I personally have never had a problem with malicious ActiveX controls due to the fact that I actually look at what is trying to be downloaded first (“PLEASE CLICK YES…” isn’t a way to get me to click yes either, also check out this image with the yellow bar as well as this one).
FireFox makes up for this with extensions to their browser. This means three things: Extensions can be great, extensions can be malicious, and non-malicious extensions can be exploited.
I won’t take time to explain the first one. The second one is fairly easy to understand as it’s just like the recent epidemic that is hitting Internet Explorer. With the ability to add new plug-ins to FireFox, you cannot guarantee the security as they have. Without the ability to have extensions, FireFox and Internet Explorer would be very stagnant and would leave the internet the same.
The third one can basically happen due to a TODO line in the program that wasn’t finished, incorrect programming habits, lack of sleep, etc. (remember this is a non-malicious one). There have been incidents where extensions for FireFox have been compromised, allowing control of the computer.
FireFox in my opinion is as vulnerable as Internet Explorer. It may not be subject to all of the same things, which was a poor way to word things on my part, but it is/will/could be just as vulnerable to attack as Internet Explorer as it gains more popularity (if it continues to gain popularity).
In response to my last question about your school's CS department, I was wondering if you are taught to use Microsoft-based tools for your programming assignments. I see you do use Visual Studio and Vi. When (or if) you were taught C++, were you taught it using Visual Studio? Were you taught C# in any of your classes? Will you be taught any of the .NET languages in your courses? Thanks for taking the time to respond to my questions. I hope next time your answers could be more specific.
I have not taken a C++ class yet. The time that we used Visual Studio was just for the Intellisense while doing a Javascript project. We did not really use it to program at all. I will be learning C++ this semester and will see what program they use. I believe that they use Borland, but I am not sure.
I also don’t know if they teach C#. I have been developing ASP.NET applications in both VB.NET and C#.NET (VB.NET at first because I knew VB from ASP, C# after I learned C). I now do all of my development in C# for work and have learned C# from basically what I know about C and what I have read in articles by people.
As to whether or not they will be teaching any .NET languages, I do not know either. I would believe so, and I would believe that would be very probable as they have the Visual Studio IDE, though this may be only because Visual Studio is included in the Microsoft Developers Network Academic Alliance (MSDNAA).


1 Comments:
I love how you provide a link to Housecall as an example of good things for IE only. I click on it, and what do you know, it works perfectly on FF.
By Anonymous, at 12/14/2005 06:51:00 PM