Firefox 8 RC out, Release on Monday

Discussion in 'other software & services' started by Hungry Man, Nov 5, 2011.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Once electrolysis gets finished running at low integrity won't be too hard. Sandboxing further than the windows model allows natively would be longer but protected mode should be easy.

    Frankly, if Chrome continues to stagnate and Firefox continues to make the gigantic changes that it's been making recently I'll switch and simply rely on Sandboxie/EMET.

    Then again, I really do love having a sandboxed Flash. And if Chrome very freaking gets 64bit I'll be happy to enjoy ASLR that actually does something.
     
  2. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Hehe, well with Sandboxie, Flash kinda is sandboxed :D Lol, I'm not trying to convert you, just saying there are ways around things :) How is Chrome coming with 64 bit anyway? Is it still kind of a "We'll get around to it" deal? You know, I find this all interesting. You, a person who has long touted the security of Chrome, and, though understandably, dogged Firefox, can see that for all the controversy lately, Firefox is making changes for the good.

    I then look at many a Firefox release thread and see hate for just about every change they've made, even from so-called Firefox evangelists. It makes me shake my head a bit, lol.

    Edit: Chrome is stagnating because they set out to do what they wanted. I don't think it was ever about competing with IE, I think it was Firefox. Also, as we said, they've gotten comfortable with their success and position, and perhaps feel they have nothing else to prove. Dangerous line of thinking, just ask the continually falling Internet Explorer.
     
  3. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    Anyone who is interested can look at this.

    It's at least the third time that I've posted this link :(

    But it's always more satisfying to complain and conclude. Whatever!
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    http://code.google.com/p/chromium/issues/detail?id=8606

    I suspect the biggest issue is the sandbox. They likely don't want to switch to 64bit just to have a nice fat hole show up in the new sandbox. You know that when they do the hats are going to pull out their fuzzers and see how they can get 64bit Chrome to crash in new ways and how they can exploit it.

    Firefox has a long way to go but they've paved their way and I like where they're headed. They have their own "focus" issues like on the UI but hopefully they stop being silly about that and instead just work on things that matter; security, performance, stability.

    I like Chrome's security and browser security is what I'd consider my specific "interest." I learned javascript because of it and a lot of what I know about security is because of what browsers have implemented/ looking at exploits in them.

    That said, I'll happily hop on back to Firefox should they provide the better browser. I don't know that they will though. Chrome's larger market share (or soon to be larger) means more developer support. You're goin got see more chromium devs as well as extension devs.

    Trying to predict where Chromium's going doesn't really work though. I'll wait it out and see how things go.

    Honestly, if they just get 64bit soon I'll be happy for a while... crossing my fingers for 64bit Chromium 18.
     
  5. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Lol, you know, I have seen that link several times...maybe it likes to go into hiding ;) :D
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Never seen it. I wish Chromium had that. Maybe they do and I don't know about it.
     
  7. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I think Firefox is still slightly in that "Gotta be like Chrome" phase with the whole UI issue. It's obvious with the recent attention to memory issues and such that they're starting to come out of that. To be fair to them, everyone did it, including IE. I completely get not wanting the sandbox to go awry..that would be a disaster for them. I think Mozilla has kind of been "refreshed" maybe? They seem to know they were falling behind and not attending to long standing issues. It won't change overnight, but they seem like they "get it" now..I hope.
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Chrome basically forced every browser to refresh. They're growing fast as hell.

    In the last few months Firefox has increased performance about as much as they had in the last 3 years lol in 2 months they had a full 20% increase in performance across the board, a UI revamp, and a restructuring of how they release their product.

    Suddenly there's a legitimate competition between browsers and the user is definitely benefiting.

    Firefox taking their memory leaks seriously (for once) is great. I remember FF3 was supposed to "fix" them and they also explained at one point that they were in fact a feature. It's nice that they're finally picking up the slack and improving the browser.

    Same goes for IE.

    If Chrome suddenly disappeared and IE and Firefox were the only two contenders I bet we wouldn't see IE dropping nearly as much. It's gone from the worst security hole on the OS to arguably (9 pages arguably haha) the most secure browser.
     
  9. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
  10. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Two questions to the FF insiders
    a) When (which release) will low rights process isolation will be implemented in Firefox
    b) When will low integrity sandboxing of plug-ins be implemented also (e.g. flash and pdf)


    :D :D :D
     
    Last edited: Nov 6, 2011
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    1) They haven't even stated that they're going to. They've started the electrolysis project (a loooong time ago) and it's in the works. That'll split processes up for tabs etc.

    2) They haven't commented on that that I'm aware of.
     
  12. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Thanks,

    What I recall is that IE8 managed protected mode early 2008, Chrome managed process (sandbox) isolation end of 2008. Chrome now has its own PDF plug-in and Flash plug-in (run Native clients and run PPAPI flash in renderer). So Chrome making substantial progress on 2.

    But guys from FF will problably catch up sometime in future :cool: Seems to be way over planned release calendar, phase II (out of process for tabs only = catch up with IE8 ) was scheduled in 1 April 2010. It seems to be a planned security improvement (at least when these sources are reliable) https://wiki.mozilla.org/Security/ProcessIsolation and https://wiki.mozilla.org/Electrolysis
     
    Last edited: Nov 6, 2011
  13. Newby

    Newby Registered Member

    Joined:
    Jan 12, 2007
    Posts:
    153
    For give me for asking, but why are so many on Wilders stating that Firefox is the safest browser. Is it when taking cross-platform (linux/Mac) or older OS-ses (XP Windows 2000) into account? On Vista and Windows7 processes running low integrity can't touch the rest of the processes running medium rights, am I right? So IE and Chrome on Vista/Windows7 must have a security advantage using these options?

    Can somebody explain (e.g. Tlu, Vasa1 seem to know a lot about Firefox)?

    Thanks
     
  14. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    Tlu >>> yes
    vasa1 >>> no :( (I just read and try to understand whatever I can. I don't have any formal education in SW/HW.)
     
  15. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    It is all in how to read statistics, just an example (Symantec security report), http://www.symantec.com/business/threatreport/build.jsp

    For a real breach the following has to be considered

    1. Number of vulnabilities of the browser
    So when looking on aspect 1, Chrome and Safari look real bad.

    2. Total attack surface (including plug-ins)
    When looking at the total attack surface IE and Firefox look real bad (aspect 2). Take into account that older IE versions are allways included in these statistics, IE6 for instance is very vulnarable to Active X. Microsofts backward compatibility policy is good for companies delaying updates/upgrades, but bad for browser security and reputation. All the extentions/plug-in athors were complaining on the limitations Chrome and Opera impose on these extensions. In graph two you can see why this is a smart move (security wise). So heads up for Opera and Chrome.

    3. Average days these vulnabilities were unpatched
    When looking at average number of days an exploit is unpatched, again IE looks real bad, followed by Firefox. Despite the huge amount of bugs Safari and Chrome seem to close this window of opportunity for malware authors real fast. Chrome, and Safari look real good.

    4. Actual intrusion emerged in the wild based on these open exploits
    Somebody has to write and release malware to misuse in the real world. When exploits are open less than a day, it is very hard to write an intrusion on a published vulnability. So malware writers rely on users not updating their PC/configuration. When Chrome was launched people complained about Chrome installing in 'user space' and not in C:\Programs Files. Not needing admin rights to update also distributes the available patches to the actual users faster. Hence closing the gap between time of discovery -> publication -> patch/cure available -> update applied.


    So pick your stats and define your winner :argh:
     

    Attached Files:

    • 2.png
      2.png
      File size:
      202.3 KB
      Views:
      32
    Last edited: Nov 6, 2011
  16. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
  17. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    1. MajorGeeks has a habit of screwing things up.

    2. Yes.

    3. If it's some old a** extension that the developer of said extension even has forgotten about, yes. And you can be sure someone will croak about it soon enough :D

    4. Very little change between 7 and 8, but I always advise keeping updated.
     
  18. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    Where would we be without majorgeeks? It's amazing that they always have the final before Mozilla finishes QA :D
     
  19. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Majorgeeks does screw up occasionally, but most of the time they get right. If as you say they're actually out in front of Mozilla how do they do it? :D
     
  20. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Thanks for getting the ball rolling on a slow news Sunday LOL
     
  21. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    The release process is described in detail somewhere. I'll dig out the link later (which I recall having posted somewhere @ Wilders before). As long as Mozilla doesn't push out the release (along with guest's much desired changelog ;) ), I wouldn't bother.

    Mozilla routinely puts builds which aren't signed or which haven't passed QA on their ftp sites.

    The safe time to get it is when it's officially released at their http site or is pushed to us.
     
  22. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    And if your day is really slow, you'll have time to look at this and see that November 8th isn't a Monday. Of course, there's all this setting of clocks going on so Monday maybe Tuesday o_Oo_Oo_O
     
  23. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Somebody was going to, might as well be me :D
     
  24. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Yes, perhaps Hungry Man was disoriented :cool:
     
  25. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Lol, I got surprised by it too. I thought "Already again?...why do we do this anyway? Does anyone realize time doesn't actually change just because we fiddle with the clock?"...and that went on for another few minutes in my head until I was distracted by other things :D
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.