I think that’s probably correct and I think that makes Opera users considerably less secure than Firefox users. The percentage of Firefox users on older, unsupported versions of Firefox is likely far less than the percentage of Opera users on older, unsupported versions of Opera. This is because Opera lacks an automatic update feature that’s fast and friendly.

It’s also because lacking that automatic update feature, Opera still fails to use its considerable reach in the press to stress with each new release that they’ve fixed a large number of critical security vulnerabilities and old versions are now terribly, horribly insecure and unsafe to use at all.

Before Firefox had an auto-update feature, we used what little press we got around each release to shout from the rooftops that users really, really needed to upgrade to this new version because the one they were on was no longer safe. Opera buries their security notices and minimizes the security implications of upgrades by both failing to speak loudly about the ones they do list and failing to list all of the security bugs fixed.

As a user, if you saw a new update from Opera with one small security fix, you might not think it’s worth updating. But what if Opera actually fixed 30 critical security bugs in that release. Since they don’t say anything about any bugs that they found, just the ones found by 3rd parties, you really don’t know how insecure your current version is. If you think it’s just one small fix, you might not care, but if you saw it was over 30, you can bet you’d be more likely to upgrade. At Mozilla, we were open about how many security bugs were fixed because that was one of our only ways, back then, to convince people of the importance of using the new version.

Another way that Opera fails to keep their users safe is that they only support one version of their browser, the current one. If you fail to update from 8 to 9, for example, you are necessarily using an unsafe browser. At Mozilla, we support our current version and our previous version with security updates for at least six months after the new version is released. This gives some users of the earlier major version time to stay on the old version before it becomes dangerous. It doubles our work on security since we have to keep two very different (code wise) versions of Firefox secure at the same time, and it doubles our work on build and release because we have to ship and ship updates for two versions, but we think it’s important for those people who cannot upgrade to new versions as fast.

Opera could improve this. We do it with about 100 employees and Opera has about four times as many employees as us. It’s a matter if priorities, I guess, and Opera’s priorities do not place keeping Opera Desktop users safe at the top of that list.

- A

http://my.opera.com/desktopteam/blog/2007/08/03/fun-with-the-fuzzer

Standing applause to both Opera and Mozilla here

- ØØ -

Notepad is even more secure. I also know a small tool that is abandoned for years that never had a secunia advisory. So it’s a prove that abandoning a product makes it way more secure than Opera is (Opera has had advisories).

That’s the logic you push.

We don’t claim that Open Source is more secure (altough we both believe that). Also, please distinguish “being secure” and “having published security advisories”. That’s totally different. Later one is what you measure using Secunia. Former one is what is really important, but it’s rather impossible to measure that. Former one (beside of the normal measuring amount of bugs and “days in risk”) includes very secure browser that once, once per 20 years has a huge security hole that puts in amazing risk all it’s users. It’s like a meteorite. You can’t say “we’re secure” basing on the fact that it didn’t hit us YET.

“If that was true, then Opera would be the one with 6 Secunia advisories listed as unpatched instead of Firefox.”

This statement assumes that availability of sources is strongly related to the amount of security advices on Secunia. I’d say this statement is wrong.
There may be tens things that impacts the amount of sec advices on Secunia. For example the popularity of the product, it’s richness (Firefox is based on Gecko which is full featured RAD platform like QT, Java…). There may be multiply reasons, and the fact that Firefox has 6 advisories and Opera 0 (and the small abandoned app from my previous example has never had any) doesn’t falsificate that open sourcing app raises it’s security (can you measure how much less security advices per year Opera would have if will switch to open source? no, you can’t…)

“Granted it’s not a critical security flaw, but it’s a great example of the false sense of security that is promoted around Firefox…”

No, actually it’s rather bad example, but I know you need something…
It’s a bad example because:

1) It has nothing to do with security of our users. Show me one proved example of successful attack using this method?
2) Overall, show me one proved example of user who’s machine was hacked via Firefox…

Isn’t it all about this? Secure users. Users who can use their product and no one has ever broke into their computer via our software. That’s what we provide. Do you call it “lack of security”?

See, I understand that as every community you need hookpoints for your ego and to explain your devotion. I understand that security, performance and “perfectl choice of feature set” are 3 most important claims about Opera. And to feel better you need to lowerize those values in competitor’s products. But please, don’t go to far…

Claiming that opensourcing a set of security tools so that we can create a community of browser vendors who’ll improve them and provide a complete and complex set of tools for testing browser security without waiting for hackers to do this, and the fact that we believe that browser vendors can and should work on this together instead of keeping their own tools hidden in their labs, is wrong… is… hmm… step to far.

I just want to say these arguments are stupid. Opera is more secure, no firefox is more secure, no opera, no firefox BLAHHH Sounds likes children to me, How about both browsers do what it thinks is correct in attempting to make a browser secure.

Just because its closed source does not mean its secure and the same goes for open source. Just because one has more bugs listed on secunia then the other doesn’t mean therefore the browser is secure or more secure then the other.

You guys got to stop looking at numbers and acting like thats proof to how secure something is. Just because the mac has 4 viruses, that doesn’t mean I go around saying Mac is more secure then Windows. The same goes for browsers, just because firefox has more bugs listed on secunia then opera has listed, does not mean firefox is less secure.

Opera just because you have ZERO bugs listed on secunia could possibly mean, one, no one cares enough about your browser to find flaws, two, noone has found flaws yet, three, the flaws are discovered just no one cares enough to report them, four, its possible that it maybe secure, although HIGHLY UNLIKELY considering all software is made by humans, and what do humans do MAKE MISTAKES.

I can already here someone bringing up the secunia and marketshare argument LIKE ALWAYS.

Either way, both browsers have done a wonderful job at making internet browser much more better then ever before.

Apart from that, I haven’t yet made up my mind if what Mozilla is doing is good or bad: I guess we’ll first have to see what the tool does exactly do, and then wait if it can be used in an evil way. Still, currently I tend to lean to the “it’s a good thing” side.

Opera does not release its browser code and could use the tool to find bugs on their own. They would have a slight benefit from not having their code released completely, so it might make it harder for someone with malicious intent to understand how to make the bug work for them.

Firefox has its benefit in the greater number of “good people” looking at the code. Even if the code is readily available to a baddie, the bugs could be fixed very quickly by the large number of Firefox developers. They just need to get their heads together to come up with a viable solution.

All in all, it will really boil down to how quickly the bugs are fixed. Both Opera and Firefox have good track records in this area, so the release of the security tools could help them both.

scenario 1)
You give the tool to the guys at Opera, they’ll probably say “hey cool thanks!” and use it to improve their browser. The tool will help finding X security holes, and Opera buys the Mozilla guys a crate of beer.

scenario 2)
You give the tool to everyone, the guys at Opera say “hey cool a tool!” and will use it to improve their browser. The tool will help finding X security holes, and Opera buys the Mozilla guys a crate of beer.
The evil hacker dudes say “hey a tool that is … oh bummer. not as good as our self-made one. But hey, it’s different, so why not use it, too!”. The tool will help THEM find the SAME X security holes that Opera can find with the same tool. So it’s a bit of a race and probably will result in some Opera employees having to work longer shifts on the weekend to be faster than the evil guys who want to spend quality time with their girlfriends.

So really what you can achieve by making the tool open source is to improve the tool. This means that everyone who writes software will need to audit their code with that very tool, because if he does not there will be a headline a day after release saying “Joe’s software hacked within minutes by publicly available tool”.

I’m really not a fan of security by obscurity. But am unsure that making (what I will bluntly call) “high quality hacker tools” publicly available is a good way of creating incentives for software makers to improve their code.

Opera not being open source have zero vulnerabilities without repairing.
Firefox being open source have six vulnerabilites without repairing

Then Mr. Dotzler what is the browser vendor that fix more quickly its vulnerabilities? Firefox?
I doubt it much.

Now don’t get me wrong, I love open source, and I do believe that it helps with security. Microsoft needs to take a serious look at the bennefits of open source for their own browser. But at the same time I don’t believe that we can say an application is more secure just because it is open source. If that was true, then Opera would be the one with 6 Secunia advisories listed as unpatched instead of Firefox.

As far as Firefox being more quickly patched, please explain this advisory which has been around since 2004, and never patched. Granted it’s not a critical security flaw, but it’s a great example of the false sense of security that is promoted around Firefox…

Every hole found will be one hole less, which is way better than a hole only evil crackers find.

There is no worst method to “secure” your code than hiding it. There is no major security protocol in the world that would base on the fact that the methodology is not public.
Whenever you hide a code or hide the protocol to “secure” yourself and your clients, you create an illusion of security. You base your trust and belief on the impossible to fulfill hope that the methodology or code will never leak out, will never be broken, noone will ever reverse engineer it… Look at the history of security flaws. Windows did this mistake. They lost the war exactly because so often they believed that their users are secure because hackers don’t know where the holes are…

Showing the code to the public, showing the tools to the public, allowing everyone to try to hack into is the ONLY reliable method to really improve security. If everyone has access to your code AND will not be able to break into, then you can claim you’re secure in the same way as science theory is accepted only once enough people try to falsificate it and fail to do so.

I have an impression that you don’t believe that it’s mathematically possible to create an algorithm that will be both, publicly available and secure. That assumption is wrong. Check OpenBSD. Of course, the more complex the code is the harder it is.

Look at Linux security. It’s all 100% publicly available. More. In many cases you can download file with system passwords and still it’s very hard to break it. The fact that you can download it, doesn’t make it easier.

Same with Firefox. If we would hide the code and cross our fingers in hope that no one will find the holes SO the users are secured, we will be fools. It’s a bit like leaving the windows in your house unlocked and claiming that you’re secure, because bad guys don’t know which windows are not locked…

As Asa mentioned. Bad guys have way better tools than we do. We spend our life on creating web browsers. They spend it on cracking. We have great browser. They have great tools to find vulnerabilities. Until they start open sourcing it, we can live in an illusion or join our forces and try to be faster than they are in finding and fixing our security holes. This applies to Opera in the same way as Mozilla, Linux, Microsoft, Apple and others.

“You mistook the sky for the stars gave back on the field of the lake at night” (A. Sapkowski)

Yes, you’re right, the bad guys do have such tools already. But don’t forget the “script kiddies” who can now easily access a tool they wanted to “try out” for a long time.

Besides, when people shall move to a more secure browser, why aren’t you advertising Opera? No, I don’t really want this question answered.