Is Firefox Headed Towards A Massive Decline?

Discussion in 'other software & services' started by Ocky, May 19, 2010.

Thread Status:
Not open for further replies.
  1. tlu

    tlu Guest

    Pedro, have you tried 3.6.5 in the meantime? And if you have, what's your impression?
     
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Pedro, thanks for pointing it out, you are right (see blue). I used too simple words, to prevent lost in translation; see the scenario explanation of Wikipedia, which is what I meant will fall for (in red).

    Regards Kees
     
  3. wat0114

    wat0114 Guest

    Seems easily preventable if Alice doesn't absentmindedly click on the email link.
     
  4. Narxis

    Narxis Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    477
    +1 :thumb:

    I tried Chrome and Opera in the past few weeks.

    Opera:

    pro: fast, had a few good functions built in (but you can get these in Firefox with the extensions)

    con: I miss all the extensions from Firefox. I saw they had userJS files for implementing AdBlock and that sort of stuff, but it's not the same; Firefox extensions are better and easier to install.

    Chrome:

    pro: fast, lots of good extensions

    con: need more extensions and a little more work on the existing ones.

    If Mozilla runs out of money or something bad happens with Firefox then I will switch to Chrome.
     
  5. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    But what if Alice just visits some website with an XSS exploit?
    https://www.wilderssecurity.com/showpost.php?p=1001182&postcount=13
    (the whole thread is really good if anyone is interested, thanks to Elio, and Rich)

    I don't pretend I understand all this, but it's clearly not as clear-cut as one would think at first.
     
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    The discussion of XSS is always clouded by examples of what could happen when injected code (from any executable code source like Flash, JavaScript etc.) gets its hands on information provided by the user.

    User input/trigger ==> web site server processing ==> screen + often data stored locally.


    What is disclosed by an XSS vulnerability?
    Bad software design included user data in the 'screen' [A] (page displayed in the user's browser). Normally one needs to remember data which is stored on the user's PC, like session cookies with your user name and session state (like your username is saved in a cookie at Wilders).

    A. Bad software design
    Currently most professional web sites have development standards and reviews to prevent this type of data leakage.

    B. Normal intermediate session data
    This is inevitable; due to the way the internet works, programmers have to save data between one page and another (to remember who you are, for instance). At Wilders your username is stored in a session cookie. There is nothing bad about that. The only potential problem is when XSS injected code can read this 'intermediate session data'. When you clear your browsing history and refresh your webpage, you will see your username has disappeared at Wilders.

    Direct results of an attack
    Possibly the worst thing that can happen is that an intruder knows my user (nick) name, password and email address. This is with amateurishly designed software. With well designed software only the nickname and a (randomly determined) session state identifier is disclosed.

    XSS horror scenarios
    The horror stories always start to compile on the direct attack results of amateurishly designed websites, with inter-member communication facilities (you have to get additional data of the victim user). Most web browsers provide defense mechanisms against XSS attacks; also software like Trusteer and PrevXSafeOnline protects intermediate session data. User common sense should trigger a warning when Wilders Admins or the registration page 'suddenly' want to know my banking account and credit card details. The first (admin is obviously), the second (changed registration page) would imply the attacker not only was able to store a persistent XSS (script), but also was able to add/change webpages on Wilders to get this additional info. This means that the site (Wilders) was seriously hacked. It is easier to redirect to a phishing site than to hack a site (after XSS intrusion).


    Regards Kees
     
    Last edited: May 24, 2010
  7. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Discussion here perhaps. The real experts on the subject do not participate often, and judging by some of the posts here and there, if it was me, I probably wouldn't either :doubt:
    Hell, I don't really feel like participating!
    Yeah, if it weren't for them bugs.. we would be safe. We all know how that goes.
     
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Well, technically they are not bugs. When a programmer piles up content for a web page to be displayed, they may select fields from a database (e.g. select 'friends' from facebook_data_base where connection is 'nick_name').

    They should sanitise the content (e.g. stripping the nick_name field, since it is only used for relating a person to other persons), before releasing it for page display. So it is not really a code bug. But there is a grey line between a flaw and a bug.

    Regards Kees
     
    Last edited: May 26, 2010
  9. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Well, that is the whole idea of internet forums: the who says so is irrelevant, because we do not disclose our real identity. I can post my opinion besides Ilya and Vlk, while I am only an amateur.

    Regards
     
  10. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,224
    This is true for anything, computing or real life:

    -------------------

    Attackers intending to exploit cross-site scripting vulnerabilities must approach each class of vulnerability differently. For each class, a specific attack vector is described here. The names below are technical terms, taken from the cast of characters commonly used in computer security.
    Non-persistent:

    1. Alice often visits a particular website, which is hosted by Bob. Bob's website allows Alice to log in with a username/password pair and store sensitive data, such as billing information.
    2. Mallory observes that Bob's website contains a reflected XSS vulnerability.
    3. Mallory crafts a URL to exploit the vulnerability, and sends Alice an email, enticing her to click on a link for the URL under false pretenses. This URL will point to Bob's website, but will contain Mallory's malicious code, which the website will reflect.
    4. Alice visits the URL provided by Mallory while logged into Bob's website.
    5. The malicious script embedded in the URL executes in Alice's browser, as if it came directly from Bob's server (this is the actual XSS vulnerability). The script can be used to send Alice's session cookie to Mallory. Mallory can then use the session cookie to steal sensitive information available to Alice (authentication credentials, billing info, etc.) without Alice's knowledge.

    Persistent attack:

    1. Mallory posts a message with malicious payload to a social network.
    2. When Bob reads the message, Mallory's XSS steals Bob's cookie.
    3. Mallory can now hijack Bob's session and impersonate Bob.[16]

    -----------------

    If you trust someone and they "betray" you - game over. You will bring down your defenses and do whatever is necessary to get the content.

    The only solution is to: mistrust everyone and have no friends.

    Besides, it comes down to that one execution. If you don't execute, it does not happen and then anything else is irrelevant.

    Mrk
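
Added example, not part of the thread or any poster's code: the server-side half of the reflected scenario quoted above, next to the two controls touched on in the earlier posts (encoding data before it reaches the page, and keeping the session cookie out of script's reach). The function names, the `q` parameter, the `sid` cookie and bob.example are all assumptions made for illustration.

```javascript
// Characters that change meaning in HTML text and in quoted attribute values.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Flawed page builder: the request value is pasted into the response as markup,
// so whatever the URL carried is parsed by the browser as part of Bob's page.
function renderSearchVulnerable(url) {
  const q = new URL(url).searchParams.get('q') ?? '';
  return `<p>Results for: ${q}</p>`;
}

// Corrected page builder: same page, but the value is encoded for the HTML
// text context, so the browser displays it instead of interpreting it.
function renderSearchEscaped(url) {
  const q = new URL(url).searchParams.get('q') ?? '';
  return `<p>Results for: ${escapeHtml(q)}</p>`;
}

// Session cookie as a response header. HttpOnly keeps it out of document.cookie,
// so script running in the page cannot read it; Secure restricts it to HTTPS;
// SameSite=Lax stops it being sent on most cross-site subrequests.
function sessionCookieHeader(sessionId) {
  if (!/^[A-Za-z0-9_-]{16,}$/.test(sessionId)) {
    throw new Error('unexpected session id format');
  }
  return `Set-Cookie: sid=${sessionId}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Crude check used only to compare the two renderers on the sample input.
function containsScriptElement(html) {
  return /<script\b/i.test(html);
}

// Constructed sample request with a harmless marker payload.
const SAMPLE_URL =
  'https://bob.example/search?q=' + encodeURIComponent('<script>alert(1)</script>');

function compareRenderers(url) {
  return {
    vulnerable: containsScriptElement(renderSearchVulnerable(url)),
    escaped: containsScriptElement(renderSearchEscaped(url)),
  };
}

console.log(compareRenderers(SAMPLE_URL), sessionCookieHeader('c0nstructed_sample_id_0001'));
```

HttpOnly only protects the cookie value; script injected into the page can still act inside the logged-in session, so output encoding remains the primary fix.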
     
  11. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
  12. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    It's possible, but I really don't think they proved anything..
    I mean, going by 'ReadWriteWeb's statistics', Firefox is the leader(!)
    And from these statistics we are to derive that the Chrome's numbers in NetMarketShare are being taken from Firefox - where IE is leader, losing ground, and both Chrome and Firefox gaining ground? lol
     
  13. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    The point here is Firefox's tumbling share, contrasted against Chrome's growth.

    You show that you're capable of understanding that line of reasoning when you point out that IE is losing ground compared to Firefox/Chrome. The same concept applies in this instance.
     
  14. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    No no, I pointed out for numbers. I don't claim no one's numbers are falling or rising.
    It takes a lot of mental gymnastics to arrive at any conclusion from the article.
     
  15. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    The numbers are falling and rising, whether you claimed as such or otherwise.

    Granted, that wasn't a rigorously-controlled scientific study, and is unlikely to be exact. But it's not that hard to start from a few general assumptions and work towards the most plausible conclusion. There's room to nitpick if you want to, but it doesn't really take a lot of imagination to see, at least according to the posted stats, Firefox's market share falling while Chrome makes gains.
     
  16. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    I know a lot of people online & in real life who have changed Firefox for Chrome. It isn't hard to see why either.
     
  17. Soujirou

    Soujirou Registered Member

    Joined:
    Mar 25, 2008
    Posts:
    63
    In regards to XSS, is it better to use Chrome or Firefox without NoScript? I've used NoScript for several years, but I do not see my wife or my parents ever ever using it.
     
  18. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Which stats, the one Firefox is gaining ground or the ones it's losing?...
     
  19. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    I was under the impression that we were talking about ReadWriteWeb's stats. Assuming we're in the same conversation, it should be obvious which ones we're looking at here.
     
  20. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Corrosive as always. What a pleasure.
    We're probably not in the same conversation indeed, as I read the original article.
    You see, even their take on it is that their stats are not indicative of overall market share, but of 'early adopters', and of those, only the ones that read their website(s).
    Deriving from this that this trend applies to the overall market is an assumption, not fact.
     
  21. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    Have I said otherwise? You seem to be arguing against an imaginary claim here. Perhaps if you would take your reading skills you used on the original article, and apply them to my posts to see what I really said...

    All I've claimed was that it was the most likely conclusion to draw, especially when you take into regard browser usage reports from other sites like Ars Technica and OMG! Ubuntu!. It's probably inaccurate to say that IE isn't being affected by Chrome, but Firefox seems to be the biggest loser at Chrome's expense (and no, just in case you get confused again, I'm not trying to make a factual claim here).
     
  22. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Later ;)
     
  23. Ibrad

    Ibrad Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1,972
    It's open source, if something goes wrong with Mozilla/Firefox just fork the project and make it into what you want it to be.
     