Security – Open Source vs. Closed: It’s a matter of eyes

For years there has been the whole argument over which is more secure, Open or Closed Source? Microsoft has taken, and still takes, a beating over this. The truth, though, is a different thing.

We have all heard of Heartbleed by now. The 2 year old security gap in OpenSSL has been all over the news. During all of this, a hole in the much loved Chrome browser that allows websites to turn on your microphone and record what you are saying was announced. That is another bug that had been around for a while (August 2013). Meanwhile, the hated entity known as Microsoft has been pretty much unaffected by these issues. Maybe it is time to drop our preconceived and ancient thinking about security in the Open vs. Closed Source world.

The argument has been, from what I have heard and can tell, that Open Source is more secure because you have more eyes looking at it. The code is open and out there, so people can find the issues faster, and with the collaborative nature of Open Source, they will be patched faster. The truth of the matter, as has been shown over the past week, is that this is not the case, and security holes can get past this set of checks and balances just as they can in any Closed Source system. The surprising thing is how long it took to find Heartbleed. One would think, with all those eyes looking at the code, that it would have been found much sooner. Of course this has led to theories that the bug is an NSA backdoor. True or not, the code was still out there for everyone to see.

Chrome is a slightly different issue. Here is a bug that was found over 6 months ago and still hasn’t been patched. It was brought to Google’s attention and they sat on it. Could this be another NSA (or insert your favorite government agency here) backdoor? A way to spy on you without warrants? We will never know for sure, but it does show one major hole: our thinking about Open Source and security is not completely correct. It is not the be-all and end-all.

What has been lost in this is that Microsoft and its Closed Source implementations of SSL have been free and clear of the Heartbleed problem. Microsoft at one time was awful with security. In this day and age, though, it has gotten a lot better. It is responsive to holes, and its out-of-band patches and workarounds for Zero Days arrive quite quickly. In fact, the biggest security holes in Microsoft systems are usually Java and/or Flash. Flash is still Closed Source, but Java was at one point more open. Java is also embedded very deeply in the web. Try using NoScript at its tightest levels and see how much of websites gets blocked, and how many websites complain about Java not being turned on. Yet through all of this, Microsoft is the one that still takes the blame, especially in the public’s eye. That is because we, the ones in the know, have done little to reeducate the public, and ourselves.

Do not get me wrong. I have nothing but love for the Open Source community. Collaborative efforts are awesome, and the community puts out some fantastic software and alternatives to Closed Source (and overpriced) programs. It just has to be realized that it is no more secure than Closed Source. In the end it is all about the eyes on the code and the people looking for the holes. Remember: security is a process, not a destination.

So Long Firefox, it’s been nice knowing you.

A few days ago I wrote about a problem with Add-Ons and Firefox 5, along with the end of support for Firefox 4. Now Firefox is really trying to commit suicide.

Firefox was a great browser. Yes, I say was, because it won’t last that much longer. Not with the path they have chosen, at least. Focusing on the consumer market isn’t a bad thing. You will get people who will use Firefox at home when their corporations don’t allow its use internally. Actively saying, “We don’t care about corporations,” though, is akin to committing suicide.

Mozilla might not care about the corporate environment, but they do need to be aware of it. With hosted apps and work websites becoming more and more prevalent in the world, you need to be aware of it to survive on the consumer end. Heck, most of the web sites that people visit are run by corporations. Now, with the accelerated pace of releases and no support for the prior release, web designers will need to check more and more versions of Firefox against their websites to make sure that they aren’t broken by the changes. The amount of manpower and time will drive up the cost of web development. Sites will shut down, or the other logical solution will happen.

Sites won’t try to be compatible with Firefox anymore. They just won’t care. Chrome is passing Firefox in usage, and Internet Explorer still has the majority of the market share. Google just needs to support prior versions for the corporate environment, just as Microsoft has already started to jump at companies, reminding them that they won’t run into a lack of security patches. Heck, IE8 and 9 are pretty good from a security standpoint as it is.

Firefox thinks that doesn’t matter, that consumers will continue to use Firefox. No, they won’t if it doesn’t render web sites properly. The lack of foresight on Mozilla’s part is pretty amazing. The first thing taught in retail and marketing is that 1 complaint, 1 problem with a client, can hurt you in a huge way, as they spread the word to avoid such an item.

Six weeks between releases is ambitious, and it hurts consumers whose plug-ins and add-ons might not work with the latest version. Can new versions of the plug-ins be ready in less time than it takes for the next version to come out? This is the other side of the death spiral Mozilla is putting itself into. Consumers love the plug-ins. If they don’t work, what good is Firefox to them anyway?

There is still time for Mozilla to save itself. They have to support a 3 month old browser they put out. They have to show the world that they care about more than their own egos. They have to stop being the poster child for what can go wrong with open source, and get back to showing what is right with it.

Firefox 4 – Did they get it right?

Firefox 4 is out. For a browser that re-sparked the browser wars, Firefox had been falling behind lately. Can 4 bring Firefox back?

I have a tendency not to download betas of web browsers. I’m not much of a bug hunter, haven’t been able to establish myself in those communities, don’t have a ton of time for actual hard core testing, and I’m not a developer. I just like having things work, especially where web browsing is concerned. So when I heard that Firefox 4’s final release was going to be exactly the same as the last Release Candidate, I decided to jump the gun and start using it. I figured it couldn’t be any worse than using 3.6.

I’ve been using Firefox as my main browser since version 2, and overall have liked it. There have always been some issues with it, such as the memory hole it has, but they were things I could mostly live with. As Firefox 3 kept getting updated, though, it was all getting worse and worse. Opening my iGoogle home page, which is set up with a bunch of news widgets, would take 5 minutes. Not only that, but the whole browser would be slow and unresponsive until it fully opened.

So I finished downloading and installing Firefox 4, expecting the same sluggishness. To my surprise, my iGoogle page opened in under a minute, and I was all set to go to other websites in other tabs, even while the iGoogle page was still loading. This was starting to look promising.

I continued on my browsing way, going to sites I frequent such as Tech Republic, ZDNet, Krebs on Security, and many more. All rendered faster than in Firefox 3.6. I did run into the occasional site which just wouldn’t open in Firefox 4 (Buffalo Wild Wings being one), but considering that there have been a lot of changes in Firefox 4, this doesn’t surprise me.

Everything isn’t all roses, though. Java rendering (I enjoy playing Text Twist) and some Flash rendering is slow and painful. Java is the worst of them all, slowing to a crawl with a Java game on Yahoo’s website. Once loaded, it works OK, but there are still a bunch of issues. Also, Firefox still uses a lot of memory, and doesn’t have the best memory management in the world. I have also heard reports of people who have had issues with it upon install, although the percentage seems to be small.

Is Firefox 4 an improvement? Definitely. Is it a game changer? No. Can it fend off Google Chrome? Maybe. Personally, I’m not going to Chrome unless I have to (Google has enough info on me from Android, Gmail, etc.; they don’t get any more if I can help it), and I don’t care for IE, Safari, or Opera. In the end, it’s really about what you are comfortable with and what works. On that, Firefox 4 is a solid, fast browser.