Discussion in 'other software & services' started by ronjor, Mar 15, 2012.
Thanks for the heads up Ron.
I wonder how this would work if you are always running firefox in a LUA on XP?
Firefox skirts Windows security feature to make silent updates happen by Gregg Keizer.
This is it for me on FF.
They have built their rep on no script and being more secure as a browser. Google has gone over to the tracking dark side.
I'm removing FF from my PCs and I have Google IPs blocked in completely.
On the market I'd sell their shares short.
I'm not sure if this is a good thing or a bad thing for Fx. It's a bit drastic to uninstall Fx though. I always found that when Fx goes a bit dodgy, there's always SeaMonkey.
just use a portable version.
It's things like this that make me really glad I'm still using 3.6. Mozilla promote regular updates as a means of staying secure but wadda ya do when they've become the parasite? Trusting Mozilla is all fine and dandy until someone comes along pretending to be Mozilla.
I'm a big advocate of users having control over their own updates. Sure, there are a lot of users who either don't know how or don't want to learn how to manage their own systems, and these are the people Mozilla are trying to attract. It does make life easier, but it's a recipe for disaster just waiting to happen.
AFAIK, you can turn off silent updates.
It's easy to disable, see attachment.
That's good you at least have an option. It would have been better if they'd disabled it by default and given people the option to enable it, and given a warning that enabling has the potential to be less secure. But I think the audience they're shooting for are looking for convenience so the way they've done it will probably work better for them.
I disagree that it should be better by default.
-As you say, a lot of their audience doesn't have layered security. That's their target with automatic updates, not users like us.
I disagree that enabling it has potential to be less secure.
-How can automatic updates be less secure? Patching exploits and vulnerabilities is far better than an old version of a browser. It's the same logic with Windows Updates: the recommendation for general users is to install them automatically. Again, the general users aren't using layered security, no Sandboxie, no HIPS, etc.
Autoupdates, when implemented poorly, can add an attack vector. Not a very useful one though.
If you implement a proper autoupdate system it's irrelevant.
As quoted above, Mozilla developed it over years, so I think (just my opinion) it will be secure.
But there are conditionals in there.. that the newer version really is "more secure" than the older version in some way and the newer version doesn't bring with it any new and/or changed behaviors that "reduce security" in some way. If there were strict guidelines designed to assure that silent updating would be done only to fix bugs/vulnerabilities and feature additions/changes would never be rolled out in silent updates, I would think this less of a concern. Is that what they are planning to do?
But isn't a patch for an already discovered exploit much better than an unknown exploit that, as you say, "could" be presented in the newer version? Again, this feature is for the majority who are too lazy to update their software. (I know a lot, but they all migrated to Chrome which also has automatic updates, good for them.)
i have never seen
can i disable now? i have firefox 11.0
and 12 is out
You can disable it when you are installing Firefox 12.
can i do it even during the automatic update?
much needed feature in my eyes. right now it's a complete pain to update firefox on locked down windows 7 systems, the update service should solve that
You want to do it exactly when an update is in progress?
That would depend on the relative severity and how much damage was done via each when all was said and done. That's not really what I was talking about though. As made clearer by my next sentence, it is silently delivered NON-patch-related changes that concern me the most. Certain things like adding unique identifiers, adding a metrics ping which is on by default, and the consideration of supporting Google's full URL safe browsing API are just three features I recently read are on the table, and those certainly aren't purely good things. Who knows how many other controversial features are on the table and what Mozilla might want to silently push out down the road and in enabled-by-default form (with or without patches to known vulnerabilities).
How much should we care about those who are too lazy or otherwise challenged to keep their software up to date? Should we encourage or fail to discourage a deviation from good software design principles (alert the user to important changes, get their explicit consent when it comes to controversial things, etc) and sound computer administration (check things before acceptance) to accommodate them? That I think is a deeper question than it initially seems and it requires thinking through multiple long complex future scenarios. Perhaps there is something to be said for "technological natural selection"? Perhaps this is a slippery slope and Mozilla's step will help embolden industry (which absolutely wants to control what we use and what we can/cannot do with it) to move towards a silent update model and take us another step closer to a dystopian future?
Can't argue with that, it's just a matter of trust in Mozilla.
Well I really don't care about them, but devs do.
Again, it's just a matter of trust. IMO, the only reason for this automatic update is security issues. Just that. If Mozilla really wants control, they will not give an option to disable it during install. If the user just clicks their way through installation, for me, they really that automatic update. (Clicking their way through the installation is a sign of laziness.)
i mean how should i update firefox to v12?
should i download from mozilla or via firefox to avoid the service?
I'm on Pale Moon x64 now, so I don't have that problem. But if I were still using Firefox, I'd do a clean install while preserving my profile. That's just me though.