Firefox won't be tested at Pwn2Own this year... "it's too easy"

mikeymikec

Lifer
May 19, 2011
18,061
10,246
136
http://it.slashdot.org/story/16/02/...-attack-firefox-because-its-too-easy#comments

I wonder if the sources of the sponsorship might be skewing the attention to particular pieces of software. Admittedly I'm also wondering whether I should seriously consider changing to Google Chrome eek.

- edit - I've just discovered that I can replicate my cookie management configuration in GC, being "keep cookies until the end of session, with this list of sites as the exception to the rule". I think that's one thing that held me back before... that and I hate GC's UI...
 

Elixer

Lifer
May 7, 2002
10,376
762
126
Your trust in Google is obvious. You've given in to the dark side.

Isn't Google's motto, "Do no evil--unless we can make a buck off of it"?

As for what was posted...meh, while I'd rather have them all participate, I don't see anyone switching to another browser because they aren't in that.
 

mikeymikec

Lifer
May 19, 2011
18,061
10,246
136
I wonder when they expect to release the multiprocess ver. of FF?

I think Mozilla have cared about form over function for quite some time. It'll happen at some point, perhaps when Firefox's competitors have embraced the next major advance in browser security.

Your trust in Google is obvious. You've given in to the dark side.

IMO if GC was engaging in snooping beyond the obvious (default search engine is Google, ergo they can monitor your google searches, because... they're Google!), it would have been found out by now. Also, I have Windows installed. I run a fair few other pieces of proprietary software as well.

Perhaps when Firefox has been reduced to a market share that rivals Netscape's, then a serious effort to fork the project into something that resembled its original goals will happen.
 

jpiniero

Lifer
Oct 1, 2010
14,847
5,457
136
IMO if GC was engaging in snooping beyond the obvious (default search engine is Google, ergo they can monitor your google searches, because... they're Google!), it would have been found out by now.

There's the auto updater to think about. That's why Google started the auto updater scheme (and why you can't turn it off), the info that is sent when checking in to see if you need to update is valuable to them.
 

Elixer

Lifer
May 7, 2002
10,376
762
126
There's the auto updater to think about. That's why Google started the auto updater scheme (and why you can't turn it off), the info that is sent when checking in to see if you need to update is valuable to them.
You can turn it off, just disable the update service.
 

mikeymikec

Lifer
May 19, 2011
18,061
10,246
136
There's the auto updater to think about. That's why Google started the auto updater scheme (and why you can't turn it off), the info that is sent when checking in to see if you need to update is valuable to them.

Do you have any evidence about what info is sent?
 

Ketchup

Elite Member
Sep 1, 2002
14,546
238
106
I don't know if "too easy" is fair, as hacks were found to compromise both Chrome and Firefox last year. But I do think limiting to the browsers and apps that get considerably more use than the others (IE, Chrome, Safari, for example) does make some sense.

And from a security standpoint, making the Google update not obviously easy to turn off is a good thing. Microsoft does it with IE and Edge and I don't hear complaints about that.
 

mikeymikec

Lifer
May 19, 2011
18,061
10,246
136
I half-agree with the logic of the organisers (assuming that their entire logic is as they've stated), on one hand it's worth drawing attention to Mozilla's lack of attention to improving security beyond fire-fighting, on the other hand I think continued attention needs to be drawn to it rather than a one-time job of not including it at Pwn2Own.

I've been thinking about Mozilla's priorities lately, and I wonder whether they need to come up with an entirely new strategy, maybe something along the lines of "we'll add two features this year with regard to 'extras beyond the core purpose of the product', the rest of the year will be spent tuning and improving security/performance". I think they've lost a large portion of their original grassroots techie supporters because they've spent so much time adding crap and playing with the UI.

Firefox made a name for itself initially as the fastest browser out there as well as considerably more secure than IE. These days it's a johnny-come-lately. If Mozilla wants it to become popular again, it has to take the pole position of a role with some meaning (e.g. "fastest", "most secure", or "has this essential feature that everyone wants to copy")
 

TheRyuu

Diamond Member
Dec 3, 2005
5,479
14
81
There's the auto updater to think about. That's why Google started the auto updater scheme (and why you can't turn it off), the info that is sent when checking in to see if you need to update is valuable to them.

You can absolutely turn it off, but you still have to have some way to update Chrome, so the point is kind of moot since it still uses the same updater service. If you simply don't want it to update automatically, set the services to "manual" start and disable the GoogleUpdate task. Doing it this way still lets you update Chrome by going to chrome://about or whatever the help->about Google Chrome page is.

Getting back to the actual topic, honestly I'm surprised it took this long. Security has never been a major priority for Mozilla/Firefox folks. It's not like they still don't do security bounties. This likely doesn't have any major ramifications other than the slightly bad PR.

Speculating about the future I think that as multiprocess Firefox finally gets off the ground it should at least enable them to do more things from a security standpoint that simply were not possible with the monolithic browser process. So as they work towards multiprocess Firefox the security aspects of it should sort of come naturally provided they've at least accounted for them when designing it (I don't see why they wouldn't).

Slightly off topic, but if you do choose to use Firefox (or Chrome or any browser that uBlock[1] works in) as your browser, and you don't like the complication of NoScript, I highly recommend running uBlock in medium mode[2]. You lose some granularity that NoScript (or uMatrix) provide, but it's much easier to use and the barrier to entry is very low. It's the single easiest way to better your security and privacy situation (IMO).

[1] https://github.com/gorhill/uBlock
[2] https://github.com/gorhill/uBlock/wiki/Blocking-mode:-medium-mode
 