
therube (Member, join:2004-11-11, Randallstown, MD), 2 edits, to siljaline

Re: Firefox 20.0 Released

I've read through the thread but don't get the point.

Because of the security fixes that are included?
Because of the telemetry data, which is not enabled by default?

Because users might use their browser to browse Facebook or might use Google Search?
And yet they'll worry about TD (...TigerDirect...?).

Do these reverters even know TD?
Do they even know how long TD in some sort or another has been there?

Send performance data to Mozilla to help improve Firefox

Firefox 7: Telemetry

Adding a new Telemetry probe

about:telemetry

What is Firefox Health Report?

(Did you know that FF has no native way to upload to an FTP server?)

siljaline (Premium Member, join:2002-10-12, Montreal, QC), "I'm lovin' that double wide"

Appreciate your information. As noted on the Moz board I'm still a relative noob.

Will read your information to see if I can gather some clarity in the matter.

therube (Member, join:2004-11-11, Randallstown, MD)

Re: Firefox 20.0 Released

Don't take anything I say personally.
When I post, I rarely post anything directed to a specific person, even if it may appear that way from my posts.
(Often I know not even who I may be replying to.)

About all I know about "telemetry" is what I dug up yesterday.
And from that, it appears that "telemetry" (or by whatever name it has gone by in the past) has been there for a long time now. The information that it may send, if it were to send, seems innocuous.

To me, it is better, smarter, to be protected by the security fixes in a current release than to worry about what potentially might be sent by some "telemetry".

Mozilla is not looking to mine your data.
In the future, who is to know.
And if it were to be, you can be sure they'd get plenty of flak on it.

goalieskates (Premium Member, join:2004-09-12, land of big)

I'm going to play devil's advocate here, so bear with me. It's not personal to you, but something I've been watching for a while now.
said by therube:

> To me, it is better, smarter, to be protected by the security fixes in a current release than to worry about what potentially might be sent by some "telemetry".

Do you have any idea at all when the security issues that required these security fixes crept into the program?

No really, I'm serious. Let's say, for example, that Mozilla incorporates a wonderful new feature in 16.0, and discovers along about version 18.0 that it's opened a security hole. So they fix it in version 20.0 (took a while to find).

A person staying current would have certainly loaded the buggy version and would need the security fix. But a person who is running - say - version 14.0 wouldn't need it. They won't have the nifty new feature, but they also won't have the security bug. So they're not under any urgent need to upgrade to version 20.0.

What got me thinking about that was the longevity of IE 6. (Save your boos.) Most of us want more functionality than it offers, but still. People ran it for years. People ran it safely for years. Some people still run it, and their computers haven't been taken over by whatever baddie was out there. Microsoft got it to a point of stability where there were only occasional security updates when serious bugs went back that many versions. It's plain and it's out of date, but it's also not susceptible to the same things a later version is.

My point being, that this knee-jerk "security" argument being spouted by all the browser makers and treated like gospel doesn't necessarily apply to everyone. Someone lagging behind a version or two may be perfectly safe, and all the hoopla becomes more security theater to prod us all along.

Now, I'm not trying to talk you or anyone out of updating - far from it. But I consider the "telemetry" business to be a little more serious than you do. I don't allow auto-updates for anything but my AV, and I've never allowed my computer to helpfully send data home to Mozilla.

But I'm also not impressed by arguments that every update Mozilla comes out with is really a big security fix for a problem that will wipe out my computer if I don't load it the minute it asks. Sometimes I look at the nifty new features and they look like security risks as much as the stuff by the bad guys. And till I figure out everything that I'm going to have to do to kill them, I don't update. It also doesn't hurt to see what issues come up for the early adopters.

It's not an either/or question vis-à-vis telemetry / security. I guess that's my bottom line.

therube (Member, join:2004-11-11, Randallstown, MD), 1 recommendation

> any idea at all when the security issues that required these security fixes crept into the program

Could have been any time.

Could have been ages ago, but then they don't even bother to look at anything that is not supported. (They would look back at the ESRs.) Could very well be that a yet older version of a program is vulnerable to the same exploit, but generally, no one cares. One could look into it themselves, but would you even know?

And when something actually gets fixed could be yet another matter entirely. They may know a problem exists (I'm sure they know of plenty right now), but it might not be the (proper) time to implement the fix. Or the problem is not commonly known, is not being exploited, & has not been disclosed. Something like that could lie for ages before being fixed. And then there are the fixes that depend on others, other things. Like SSL or whatever fixes. A particular "fixed" version of SSL could be implemented, that would be the easy part, but if nothing else around, servers or whatever, speaks to that version of SSL, well, it all might as well be Greek.

And at what point, & how, do you determine that your "14" is "secure"? At what point, & how, do you determine that there are no bugs in "14"?

> IE6 ... Microsoft got it to a point of stability

MS got to a point where they had a browser & did NOTHING to advance it. Hence from IE6 through IE9 there was not even a built-in spell-check. Yes they may eventually have patched security fixes, but no real program advances. They took the market from Netscape, they had the numbers & IE languished. It was not until others improved on it that they finally reacted. Now you might say that Enterprise wanted such a beast, & that is likely partially true, but still.

Mozilla, "seamonkey", & up through FF released when, once a year, perhaps. So if a bug was found & fixed, it would be a long time before "users" got to see the change. If a security issue arose, ditto. Now they've gone "rapid release", so every time you turn around there's a new version. But these new versions do have all the security related fixes in - in a much quicker time frame than otherwise was the case. And, more so in the FF case, they have also implemented feature changes - presumably for the better, though many would argue - & also general code changes.

Could bugs, security or otherwise have crept in? Certainly. But who is to know.

> IE6 ... it's also not susceptible to the same things a later version is

It's probably more susceptible to most things, I would think. JavaScript is where it is at in a browser, & what is in IE6 is likely far less hardened than what they have now, even given IE6's "age". And yes, there certainly could be exploits against particular versions or later versions that did not affect older ...

> "telemetry" ... serious

That Mozilla knows how long it took my browser to start up? Or particular program functions (like a certain update to the bookmarks file) took an abnormally long amount of time. Information that if they are made aware can help them improve, help them fix bugs.

Windows crash reports, the same way. You submit a crash report. MS aggregates the data. Enough of the same report comes in, they say, "hey, we have a problem". Eventually, the next time you submit that crash report, assuming you do, you're forwarded to a KB article that tells you how to fix the situation. (A Windows crash report, or a Mozilla crash report, could potentially return far more "private" details [like the porn sites you've been visiting] than "telemetry".)

> knee-jerk "security" argument being spouted by [anything/anyone] and treated like gospel

No, I don't buy into that either.
But who is to know. Do you? Do I? I know I don't. I have to rely on the "experts" to do what I feel is going to be in my interest. And if that says it is in my interest to update for security reasons, then I typically will do that.

> Someone lagging behind a version or two may be perfectly safe

True. Likewise someone lagging behind 10 versions may also be perfectly safe. While at the same time someone using the latest nightly version gets stung. What happens to a particular person using a particular version of a software is not really meaningful.

> I consider the "telemetry" business to be a little more serious than you do

I have no problem with that. Each must deal with a circumstance in a way they feel comfortable.

> I don't allow auto updates for anything but my AV

And I don't use an AV.

> and I've never allowed my computer to helpfully send data home to Mozilla

Luckily that is your prerogative. Not all software allows you to make that determination.

> I'm also not impressed by arguments that every update Mozilla comes out with
> is really a big security fix for a problem that will wipe out my computer if I don't
> load it the minute it asks

And I wouldn't particularly be concerned if I lagged for a period of time either. But who is to know? I don't. I pay the experts to advise me & I make my determination from there.

> nifty new features

That is an entirely different situation. You don't like the look (UI) or the way you interact (UX) with a newer version of a program; that is something that people complain about all the time. You don't like the features, so you'd prefer to remain with an older version. No problem with that, so long as you're able to do it securely.

> nifty new features ... look like security risks

Of course any change has the potential to introduce new security risks. But then so does the decision to remain stagnant, by malware exploiting old existing or newly discovered holes in older software (that would forever more remain unpatched).

But again who is to say, or know? Older versions aren't going to be looked back at. No one cares any more that FF 19 has an existing vulnerability - because it has been patched in FF 20.

> It also doesn't hurt to see what issues come up for the early adopters

Plenty feel that way. That they'll wait before updating. Even in this thread (above) is noted a bug that crept into FF 20, that really buggers the browser for some. Does not affect me. Likely does not affect you. So it makes no difference to us. But to the ones it does affect, that are affected by it, it greatly affects them. Now you could say, "if they weren't early adopters"... But then what if it were a security related bug, that affected the same group of people. Didn't affect me. Didn't affect you. So it makes no difference to us. But it surely did affect "them". And since they decided NOT to be "early adopters", they waited ... until their bank accounts were drained. So who is to know. You do what you feel is prudent for your situation.
therube (Member), 1 recommendation

quote:
WaltS: health report gathers addon information
while telemetry gathers speed measurements
»docs.services.mozilla.co ··· hreport/
Cork: that's not quite correct
in a nut-shell, FHR is going to replace telemetry eventually
Cork: Thanks for that link
it reports on Firefox speed, add-ons, options, etc
and gives users a visible face for that data
as well as ways to improve Firefox (self-diagnostics)
tyler|Win7: and don't forget invade their privacy..
* Cork really hates FHR
Cork: in release it will only be turned on if you turn it on
tyler|Win7: oh, when did that change?
when it landed it was on unless you uncheck it
Cork: never, it's always been planned to be opt-in only
tyler|Win7: I thought that might be the case since telemetry was disabled by default in Nightly.
tyler|Win7: an opt in where unless you uncheck it when it shows a banner isn't opt in
pre-release just had it turned on by default so we could get testing
my Nightly anyway
it's opt out
Cork: on pre-release. Release will be opt-in
that was VERY good news
Cork: and there is no personally identifiable information in FHR, and we are just looking at aggregated numbers, trends, etc.
extremely even
so I can't look at the data and tell what is your machine and what isn't
I don't see anything in the raw data that invades my privacy.
unless you have an add-on, or User Agent that says "This is corks machine"
;)
tyler|Win7: yes, i know, but the fact of sending collected information without asking drives me nuts (i'm fine with it on nightly though)
Cork: you can always turn it off
so this fact makes me really happy
tyler|Win7: that was never the problem
tyler|Win7: i get a knee-jerk reflex when i hear about solutions that are enabled by default and the user has to turn it off
Cork: do some research before jumping to conclusions, see what data is actually being collected, and read the wiki and bugs
and that was one of the things i trusted mozilla for; and this did the opposite, and that made me quite upset to be honest
tyler|Win7: i did
New Firefox - Private Browsing bug 859326 filed by tiziana.sel@gmail.com.
and all the specs i could find was enabled unless the user disables it
Cork: rest assured, we have a large team dedicated to just privacy that spent 3+ months reviewing FHR, making sure we respected people's privacy before it even got implemented into nightly (every Firefox change that has anything to do with personal data has to go through a privacy review)
tyler|Win7: the problem lies in what ppl view as private data
tyler|Win7: i view private data as anything collected on the computer without my permission
Cork: any data in Firefox is considered private data and requires a really in-depth privacy review
even something like what cpu i'm using
and if you have a problem with providing your computer's information (I'm not sure why you would, but if you do) just turn it off
They might not want anyone to know they are using any torrent extensions for example.
tyler|Win7: i don't either; as long as the user is asked BEFORE its submitted
so an option to turn it off would be a violation
tyler|Win7: my strict view comes from the fact that code can bug, and memory or data not meant to be part of the data set can be sent
so sending things without asking, it's a big no-no
and that's where my firm belief that a program HAS to ask before starting sending (not collecting) data comes from
Cork: that code could bug and enable sending without you knowing it.
WaltS: extremely unlikely if the sending is triggered by a user action
Cork: all code does need several reviews before it makes it into the product, and for a large project like FHR we have it in another branch for development before landing in nightly
but sure everything is possible
Cork: having a bug that sends data that shouldn't be sent isn't likely, that would be a pretty major bug that code review and data review would check
catch*
We can only hope
tyler|Win7: and both you and i know that the environment firefox runs in in the wild has a lot of weird situations that is hard to test (and isn't tested) before release
tyler|Win7: not really, it would only need something like a memory corruption
Cork: it would require code to pull that data, send that data, and have a server configured to accept that data