How will Mozilla’s security tools affect Opera and the public?
Published July 30th, 2007 5:12 PM EDT By Daniel Goldman
There are some interesting developments in the realm of browser security. On Wednesday, Mozilla will release tools that can be used to find security exploits in browsers.
As internetnews.com already points out, while the intention is to make Firefox technology more secure, the tools could potentially also put millions at risk.
The article quoted an Opera spokesman (I haven’t confirmed this yet) who said Mozilla sent these tools to Opera developers in advance, and that they are now being used to test Opera’s security.
There are some quotes from Christen Krogh, President of Engineering at Opera, who voiced some concerns about these new tools.
“Any tool given to the public to find ways of exploiting a piece of software is at risk of being misused,” Krogh said. “When an organization publishes such tools, it must consider whether that tool can be a disservice to millions of innocent bystanders.”
Opera uses fuzzers and other tools, homegrown and otherwise, to secure its browser technology.
“As far as its effect on Opera users specifically, our users know that we work tirelessly to keep our browsers — on PCs, mobile phones, game consoles — secure and our users as safe as we can,” Krogh said.
Disclaimer: I don’t yet know much about these tools Mozilla is releasing. We’ll have to wait until Wednesday.
Whatever happened to hiring hackers? You would think that expert hackers would go farther than a suite of software utilities…
These tools will make it easier for hackers, and basically require webmasters to invest significantly longer in coding their webpages for security. I think these tools should be left in the hands of browser manufacturers, and then contact sites on an individual basis.
We provided these tools to the other browser vendors with plenty of lead time for them to find and fix problems in their own browsers.
Other vendors, including Opera, should think about sharing tools they’ve developed. This way we can all make all of our browsers the most secure they can be. Open sourcing the tools will help them evolve as threats evolve and will help all vendors make more secure products.
GT500, many browser vendors do hire or contract hackers. There’s a large and growing security research community and tapping into that resource is critical to improving browser security. It seems to me that open source software development is more compatible with the security research community but that’s just my take on it.
IceArdor, hackers develop their own tools. This doesn’t make it any easier for them. It makes it easier for the browser vendors to maintain and improve the technologies they’re using to improve browser security. By your argument, making Firefox code available makes it easier for the hackers. Also, I don’t see what this has to do with webmasters. These are tools designed to find security holes in the browser, not in web pages.
- A
Of course open source is more compatible with hackers. It gives them easy access to the code, so that they can quickly figure out how to break it without the need to reverse engineer it. Now you just have to hope and pray that the hackers that are finding the nasty security flaws are the type that will report them instead of exploiting them.
The problem with freely available, and especially open source, hacking utilities is that you are putting the tools to do serious damage right in front of everyone, and you’re making them open so that everyone who wants to can figure out how they work. Even a set of tools that is only designed to evaluate a web browser’s security can be used by lesser hackers to expand their knowledge, and can be built upon to do more dastardly things.
Now the obvious counter-reply is that sites like SourceForge have plenty of open-source hacking tools, and that Mozilla’s tools are not going to include anything that couldn’t already be found with a little extra searching. My counter-reply would be that Mozilla is far more high-profile than SourceForge, and that anything released by Mozilla has the potential to do far more damage than an obscure SourceForge project.
This would be good news, if browsers fixed security vulnerabilities as soon as they were discovered. Unfortunately, they’re not. Just look at IE’s history.
I believe this tool will improve Opera, because Opera’s team characteristically fixes security flaws very quickly (currently 0 unpatched security flaws), but will harm the masses in general.
GT, that’s just silly. The bad guys have plenty of tools. Putting more tools in the hands of the good guys, and developing more good guys is the way to win the war, not pretending that the bad guys are helpless until we give them something.
Our open code is more heavily audited and more quickly patched than any other browser on the planet. This makes it a safer browser. Hackers don’t need to see the code to find exploits — that’s probably the least effective way to do it, but if the good ones can see the code, they can help figure out why their hack worked and that can help us fix it and any related issues a lot faster.
Jadd, as I said to GT, the bad guys already have these kinds of tools. The masses are already in bad shape if they’re counting on bad guys not having these kinds of tools. So, they really should move to browsers that have development teams that take security seriously.
- A
“Now you just have to hope and pray that the hackers that are finding the nasty security flaws are the type that will report them instead of exploiting them.”
Or you can write more secure code to start with and have a process for quick turnaround when a flaw is made public so that the risk to users is minimized. And you could have lots of friendlies evaluating your code with source analysis and tools with you and finding and fixing those flaws before the bad guys do.
You could do this or you could hide behind closed code and not build tools and processes for quick turnaround on fixes and pray that the hackers don’t use their own methods, whether reverse engineering, fuzzing, or just experimenting, to exploit your code.
- A
@Asa: Of course people should move to more secure browsers. But it’s really no big news that IE is insecure, is it? Why should people who don’t know anything about the internet and who expect that there is only one program to access it (and there are a lot of them) move now? What about companies who need IE for their intranet?
Yes, you’re right, the bad guys do have such tools already. But don’t forget the “script kiddies” who can now easily access a tool they wanted to “try out” for a long time.
Besides, if people should move to a more secure browser, why aren’t you advertising Opera?
No, I don’t really want this question answered.
GT:
False illusion won’t replace the reality, but may strike you hard.
There is no worse method to “secure” your code than hiding it. There is no major security protocol in the world that is based on the methodology not being public.
Whenever you hide code or hide the protocol to “secure” yourself and your clients, you create an illusion of security. You base your trust and belief on the impossible-to-fulfill hope that the methodology or code will never leak out, will never be broken, no one will ever reverse engineer it… Look at the history of security flaws. Windows made this mistake. They lost the war exactly because so often they believed that their users were secure because hackers didn’t know where the holes were…
Showing the code to the public, showing the tools to the public, allowing everyone to try to hack into it is the ONLY reliable method to really improve security. If everyone has access to your code AND is not able to break in, then you can claim you’re secure in the same way a scientific theory is accepted only once enough people try to falsify it and fail to do so.
I have the impression that you don’t believe it’s mathematically possible to create an algorithm that is both publicly available and secure. That assumption is wrong. Check OpenBSD. Of course, the more complex the code is, the harder it is.
Look at Linux security. It’s all 100% publicly available. More: in many cases you can download the file with the system passwords and still it’s very hard to break it. The fact that you can download it doesn’t make it easier.
Same with Firefox. If we hid the code and crossed our fingers in the hope that no one would find the holes SO the users are secured, we would be fools. It’s a bit like leaving the windows in your house unlocked and claiming that you’re secure because the bad guys don’t know which windows are not locked…
As Asa mentioned, bad guys have way better tools than we do. We spend our lives creating web browsers. They spend theirs cracking. We have a great browser. They have great tools to find vulnerabilities. Until they start open sourcing them, we can live in an illusion or join forces and try to be faster than they are in finding and fixing our security holes. This applies to Opera in the same way as Mozilla, Linux, Microsoft, Apple and others.
“You mistook the sky for the stars gave back on the field of the lake at night” (A. Sapkowski)
Security by obscurity does not work and is not good. So it’s embracing to have such tools, and it’s great that the Mozilla people share them in advance.
Every hole found will be one hole less, which is way better than a hole only evil crackers find.
Obscurity is a cornerstone of security in many ways. Or would you share your bank password with the world, open source style?
Open source isn’t about sharing the key, it’s about sharing the designs to the lock.
Asa, gandalf, I think Opera’s security track record is proof enough that you are both wrong. Open source is not more secure.
Now don’t get me wrong, I love open source, and I do believe that it helps with security. Microsoft needs to take a serious look at the benefits of open source for their own browser. But at the same time I don’t believe that we can say an application is more secure just because it is open source. If that were true, then Opera would be the one with 6 Secunia advisories listed as unpatched instead of Firefox.
As far as Firefox being more quickly patched, please explain this advisory which has been around since 2004, and never patched. Granted it’s not a critical security flaw, but it’s a great example of the false sense of security that is promoted around Firefox…
“Our open code is more heavily audited and more quickly patched than any other browser on the planet.”
Opera, not being open source, has zero unrepaired vulnerabilities.
Firefox, being open source, has six unrepaired vulnerabilities.
Then, Mr. Dotzler, which browser vendor fixes its vulnerabilities more quickly? Firefox?
I doubt it very much.
I don’t get it.
scenario 1)
You give the tool to the guys at Opera, they’ll probably say “hey cool thanks!” and use it to improve their browser. The tool will help find X security holes, and Opera buys the Mozilla guys a crate of beer.
scenario 2)
You give the tool to everyone, the guys at Opera say “hey cool a tool!” and will use it to improve their browser. The tool will help find X security holes, and Opera buys the Mozilla guys a crate of beer.
The evil hacker dudes say “hey a tool that is … oh bummer. not as good as our self-made one. But hey, it’s different, so why not use it, too!”. The tool will help THEM find the SAME X security holes that Opera can find with the same tool. So it’s a bit of a race and probably will result in some Opera employees having to work longer shifts on the weekend to be faster than the evil guys who want to spend quality time with their girlfriends.
So really what you can achieve by making the tool open source is to improve the tool. This means that everyone who writes software will need to audit their code with that very tool, because if they do not, there will be a headline a day after release saying “Joe’s software hacked within minutes by publicly available tool”.
I’m really not a fan of security by obscurity. But I am unsure that making (what I will bluntly call) “high quality hacker tools” publicly available is a good way of creating incentives for software makers to improve their code.
If the security tools are browser or rendering engine specific, is there any point to these tools at all?
In a way, I think this release could benefit both Opera and Firefox, just in different ways.
Opera does not release its browser code and could use the tool to find bugs on their own. They would have a slight benefit from not having their code released completely, so it might make it harder for someone with malicious intent to understand how to make the bug work for them.
Firefox has its benefit in the greater number of “good people” looking at the code. Even if the code is readily available to a baddie, the bugs could be fixed very quickly by the large number of Firefox developers. They just need to get their heads together to come up with a viable solution.
All in all, it will really boil down to how quickly the bugs are fixed. Both Opera and Firefox have good track records in this area, so the release of the security tools could help them both.
I think the real problem for Opera might be that they currently don’t have such a slick auto-updating functionality in place like Firefox has: I’d guess that there are more Opera installations that are not up-to-date than Firefox installations. (Relative, not absolute numbers of course.)
Apart from that, I haven’t yet made up my mind whether what Mozilla is doing is good or bad: I guess we’ll first have to see what exactly the tool does, and then wait and see whether it can be used in an evil way. Still, currently I tend to lean to the “it’s a good thing” side.
Hello,
I just want to say these arguments are stupid. Opera is more secure, no Firefox is more secure, no Opera, no Firefox BLAHHH. Sounds like children to me. How about both browsers do what they think is correct in attempting to make a browser secure.
Just because it’s closed source does not mean it’s secure, and the same goes for open source. Just because one has more bugs listed on Secunia than the other doesn’t mean the other browser is secure or more secure.
You guys have got to stop looking at numbers and acting like that’s proof of how secure something is. Just because the Mac has 4 viruses, that doesn’t mean I go around saying the Mac is more secure than Windows. The same goes for browsers: just because Firefox has more bugs listed on Secunia than Opera has listed does not mean Firefox is less secure.
Opera, just because you have ZERO bugs listed on Secunia could possibly mean: one, no one cares enough about your browser to find flaws; two, no one has found flaws yet; three, the flaws are discovered but no one cares enough to report them; four, it’s possible that it may be secure, although HIGHLY UNLIKELY considering all software is made by humans, and what do humans do? MAKE MISTAKES.
I can already hear someone bringing up the Secunia and market share argument LIKE ALWAYS.
Either way, both browsers have done a wonderful job at making internet browsers much better than ever before.
GT:
“Asa, gandalf, I think Opera’s security track record is proof enough that you are both wrong. Open source is not more secure.”
Notepad is even more secure. I also know a small tool that has been abandoned for years and never had a Secunia advisory. So it’s proof that abandoning a product makes it way more secure than Opera is (Opera has had advisories).
That’s the logic you push.
We don’t claim that open source is more secure (although we both believe that). Also, please distinguish “being secure” and “having published security advisories”. That’s totally different. The latter is what you measure using Secunia. The former is what is really important, but it’s rather impossible to measure. The former (besides the normal measuring of the number of bugs and “days at risk”) includes a very secure browser that once, once per 20 years, has a huge security hole that puts all its users at amazing risk. It’s like a meteorite. You can’t say “we’re secure” based on the fact that it hasn’t hit us YET.
“If that was true, then Opera would be the one with 6 Secunia advisories listed as unpatched instead of Firefox.”
This statement assumes that availability of sources is strongly related to the number of security advisories on Secunia. I’d say this statement is wrong.
There may be tens of things that impact the number of security advisories on Secunia. For example the popularity of the product, its richness (Firefox is based on Gecko, which is a full-featured RAD platform like Qt, Java…). There may be multiple reasons, and the fact that Firefox has 6 advisories and Opera 0 (and the small abandoned app from my previous example has never had any) doesn’t falsify that open sourcing an app raises its security (can you measure how many fewer security advisories per year Opera would have if it switched to open source? no, you can’t…)
“Granted it’s not a critical security flaw, but it’s a great example of the false sense of security that is promoted around Firefox…”
No, actually it’s a rather bad example, but I know you need something…
It’s a bad example because:
1) It has nothing to do with the security of our users. Show me one proven example of a successful attack using this method.
2) Overall, show me one proven example of a user whose machine was hacked via Firefox…
Isn’t it all about this? Secure users. Users who can use their product and no one has ever broken into their computer via our software. That’s what we provide. Do you call it “lack of security”?
See, I understand that, as in every community, you need hook points for your ego and to explain your devotion. I understand that security, performance and “perfect choice of feature set” are the 3 most important claims about Opera. And to feel better you need to lower those values in competitors’ products. But please, don’t go too far…
Claiming that open sourcing a set of security tools, so that we can create a community of browser vendors who’ll improve them and provide a complete and complex set of tools for testing browser security without waiting for hackers to do this, and the fact that we believe that browser vendors can and should work on this together instead of keeping their own tools hidden in their labs, is wrong… is… hmm… a step too far.
It looks like Asa was at least right about the amount of time given up front before the release:
http://my.opera.com/desktopteam/blog/2007/08/03/fun-with-the-fuzzer
Standing applause to both Opera and Mozilla here.
- ØØ -
“I think the real problem for Opera might be that they currently don’t have such a slick auto-updating functionality in place like Firefox has: I’d guess that there are more Opera installations that are not up-to-date than Firefox installations. (Relative, not absolute numbers of course.)”
I think that’s probably correct and I think that makes Opera users considerably less secure than Firefox users. The percentage of Firefox users on older, unsupported versions of Firefox is likely far less than the percentage of Opera users on older, unsupported versions of Opera. This is because Opera lacks an automatic update feature that’s fast and friendly.
It’s also because lacking that automatic update feature, Opera still fails to use its considerable reach in the press to stress with each new release that they’ve fixed a large number of critical security vulnerabilities and old versions are now terribly, horribly insecure and unsafe to use at all.
Before Firefox had an auto-update feature, we used what little press we got around each release to shout from the rooftops that users really, really needed to upgrade to this new version because the one they were on was no longer safe. Opera buries their security notices and minimizes the security implications of upgrades by both failing to speak loudly about the ones they do list and failing to list all of the security bugs fixed.
As a user, if you saw a new update from Opera with one small security fix, you might not think it’s worth updating. But what if Opera actually fixed 30 critical security bugs in that release. Since they don’t say anything about any bugs that they found, just the ones found by 3rd parties, you really don’t know how insecure your current version is. If you think it’s just one small fix, you might not care, but if you saw it was over 30, you can bet you’d be more likely to upgrade. At Mozilla, we were open about how many security bugs were fixed because that was one of our only ways, back then, to convince people of the importance of using the new version.
Another way that Opera fails to keep their users safe is that they only support one version of their browser, the current one. If you fail to update from 8 to 9, for example, you are necessarily using an unsafe browser. At Mozilla, we support our current version and our previous version with security updates for at least six months after the new version is released. This gives some users of the earlier major version time to stay on the old version before it becomes dangerous. It doubles our work on security since we have to keep two very different (code wise) versions of Firefox secure at the same time, and it doubles our work on build and release because we have to ship updates for two versions, but we think it’s important for those people who cannot upgrade to new versions as fast.
Opera could improve this. We do it with about 100 employees and Opera has about four times as many employees as us. It’s a matter of priorities, I guess, and Opera’s priorities do not place keeping Opera Desktop users safe at the top of that list.
- A