Talking trash about Internet Explorer is a waste of time


With all this talk about Firefox, Opera, Netscape and many other open source alternatives to Internet Explorer, I am surprised that nobody has stepped up to provide Active Directory Group Policy support.

Until these browser alternatives step up with full support of Active Directory and Group Policy, they will not take a significant market share away from Microsoft. They will buzz around but not make a significant dent in IE market share.

Let's be clear: I am not saying Firefox, Opera, etc. are bad browsers. I use Firefox just as much as I use IE, but for these browsers to become viable alternatives in big business, they need to have the same abilities as IE, or why bother?

Once we see this support, it will be interesting to see what happens and which corporate customer would take the leap first. What are your thoughts?

78 comments
blarman

The basis of your argument is that Firefox cannot take the lead in market share from Internet Explorer because it doesn't integrate with Active Directory? Ummm... Just a question, but what critical functionality that comes with Active Directory and affects Internet Explorer leads you to this conclusion? I don't see it listed in the article.

Deadly Ernest

complaints about FF. However, I've only ever seen those problems when using FF on MS Windows OSs. On Unix or Linux FF outperforms anything MSIE ever did on Windows. Clearly the differences are due to the way MS write the OS to give their own applications an advantage, and it's these same facilities that create the security issues.

Deadly Ernest

unless it takes full advantage of the MS server management system. A system that really only works well when the whole enterprise system is MS software of the same generation, and has to be replaced shortly after MS put out new versions. Something is wrong if a web browser needs to be integral with the server management system, be it the domain server or the file server. The whole concept behind the web browsers etc is that they be platform and system independent and able to view web pages off anything. ------------ BTW When FF or anyone else actually change their browser to be capable of making the most use of the MS server software, you can bet that MS will put out a critical update for the software to invalidate that usage and have a matching update in MSIE. Also, I've seen organisations using FF as their browser whilst using MS server software without any issues. The browser shouldn't be critical to the operation of the server systems.

Cheesel

I think one of the problems is that websites have so many plugins that are dependent on IE. I use Firefox and there are so many times when I have problems running plugins--I get the green puzzle piece telling me to get the plugin, but then there isn't one available, so I end up bowing to the Evil Empire. :-(

ben.rattigan

I agree integration into Windows is needed for these browsers. It's not just browsers, many CRM and business apps require MS Office and Windows client platforms to run and vendors usually only support these apps on Windows. Linux and Open Source environment needs to attract the client end of the market more and the home user is key. Get home users using open source and they'll happily use it in the workplace.

Tony Hopkinson

and since there isn't a way of guaranteeing an AD interface to any browser, I'll talk trash about Microsoft. Course there are plenty of other reasons to trash IE.

apotheon

1. Opera is not open source. 2. Netscape is not open source. 3. Active Directory is not the reason IE still dominates the browser market -- it's because IE comes pre-installed with Windows, and Windows dominates the desktop computer OS market.

apotheon

My guess as to the real reason is, simply, that Steve learned it was possible to configure IE via AD/GPO and, heady with new knowledge, jumped to conclusions.

Steven S. Warren

In corporate environments, IE has to be locked down per the company's specific standards. This may be not allowing the user to set cookies, removing things from the toolbar, checking and unchecking specific settings. Group Policy\AD allow you to configure IE to meet your needs quickly and then roll it out to hundreds of client workstations. We need that support from other browsers for them to be viable alternatives.

Tony Hopkinson

as a security problem. I view any mandatory requirement for extensions as a security problem. I treat them just the same as the amusing instruction. If our site is not working, disabling your firewall might fix it. Keeps me safe and warm, there are plenty of alternatives out there, so I don't need their badly written potentially malicious crap.

apotheon

With FreeBSD, I have access to a whole host of content plugins and media codecs that are, in many cases, easier to install than on Windows with IE. There are, however, still a few that elude me for one reason or another.

Cheesel

Are you kidding? Home users using open source? You and I maybe, and other techie types but after 12 years of dealing with end users, you gotta be kidding me. For most of them, even Control Panel is still an undiscovered country.

sidgib

I use Firefox as default browser. However, some pages do not load on Firefox and I need to copy address and open IE7 to view them. I am now forced to revert back to IE7 as default browser. What's the deal?...Sid Gibson

jimmie.kepler

My complaining will not change a thing. The majority of my customers do not like it any more than some third party apps like it.

Steven S. Warren

but until viable alternatives appear that have the ability to be locked down via AD and Group Policy, IE will rule.

Matt H

I agree generally with the article. I use Firefox and Opera because I think they are far superior products, but for the group Intranet and Sharepoint sites I have to use IE because of the AD tie-in.

Deadly Ernest

The more you lock down a system and turn things off, the more people complain about not being able to do things, and the more work you make for yourself when you have to push out patches etc. In every corporate environment I've worked in or for (and that includes some large government organisations like Defence etc) they've not cared how you set your browser up or which one you use, they handled control of system security at the gateway with a good anti-virus system, web proxy (including black lists and white lists) and web use monitoring software. The gateway only let through web pages that did NOT include any malicious or suspicious code, or anything else that was not permitted (eg porn). They recognise that some people are computer literate enough to get around most things you can do on a desktop, and with so many laptops being utilised by people at home, they have to allow them the ability to adjust to use their home system or what's available at hotels in transit. edited typo in title

blarman

Please continue your explanation and give me more details. You might start with the number of desktop users who are constrained by AD policies (how many use AD) and the number of those who use AD who use IE policies. Then of those who use IE policies, what are the business reasons for doing so, and do any alternatives exist (technology, cost, etc.) In order to evaluate your claims, there must be some support to remove it from the realms of speculation and opinion into the realm of substantiated evaluation. This is the only way to avoid the flame wars and evaluate the matter based on the business purposes that the technology fulfills.

apotheon

I laughed out loud when I spoke on the telephone to a representative of my bank about the fact that I couldn't access my account online with Firefox, and he said that the website requires IE "for security purposes". Luckily, they wised the hell up, and now I can access online banking with other browsers.

apotheon

You have a point. Darnit. They just use what's preinstalled, and make impulse buys at Wal-Mart.

apotheon

Check out [url=https://addons.mozilla.org/firefox/1419/]IE Tab[/url], a Firefox extension that allows you to view webpages in Firefox tabs rendered by the IE rendering engine. This should solve some of your viewing issues. Note: This only works on Windows systems, of course.

Steven S. Warren

Honestly, it doesn't really matter if your users do not like it, it is the corporate standard for most companies mainly because of its ability to be controlled via AD and Group Policy. It is time for other browsers to figure a way to be locked down via group policy or AD.

mithraigor

What are AD and Group Policy? I've never heard of them... Are they something like SELINUX?

apotheon

Did you notice what I said about why IE is more popular? Did you? Hello? Wake-up call. There are ways to centrally lock down some alternative browsers. AD isn't the answer to everything. In fact, for many people, it isn't the answer to anything -- because many people use networking technologies other than Microsoft's.

Tony Hopkinson

Caligula, the Borgias, Charles 1st, Oliver Cromwell. Not always a good thing, some rulers.

keithc

As a consultant working in a large number of different organizations, including some with stringent security policies, I can honestly say I have never seen any use GP or AD to lock down the browser. Not saying it doesn't happen, just I haven't seen it. I have also noticed a large number of these organizations, including some with blah blah, making Firefox the first choice browser.

Tony Hopkinson

Hopefully he shouted at the halfwit who misled him like that and made him look like a complete wally in front of a client. "Requires IE for security purposes" Can't figure out whether we should laugh or cry. Does it work with IE7?

Tachyon

One time I called a customer, I just needed the person on the other end to read me what was on the screen of the server. I spent half an hour just trying to walk her through turning on the monitor. We never got that far, not even using terms like 'tv looking thing' and 'blinky light'. How many people do you know that don't even know basic terminology? They don't know and differentiate terms like 'monitor' 'hard drive' 'floppy drive' 'computer' 'system unit' etc. That said, it's almost easier to start these people on Linux. They don't have a lot of garbage and Win-think in their heads. A nice clean slate. I've never had anyone like this whom I've started on a Linux box have any troubles learning and using it. And the fact that, due to a proper user and security model, they can't screw it up nearly as easily makes my life easier.

blarman

I have personally helped so many people with their home PC setups (including one this weekend) that I can independently verify that many people use what they are sold and nothing else out of sheer ignorance. The vast majority of people I have worked with know nothing about software alternatives and freely admit it. To them, Firefox is an old Clint Eastwood movie and Linux is a character from the comic strip "Peanuts". "Open Source" draws a blank stare. After they call me, I clean up the messes from spyware and adware, clean out the Run keys and startup, and install a few free tools (including Firefox) and educate them about how to more fully use their computers. To a one they have always appreciated simple explanations and knowing that there is more out there. Home users choosing IE because it is better? Not from my experience.

thinker999

or worse yet, buy what clueless, WOW-head sales droids at CC,BB or CU *tell* them to buy, which is whatever the store manager is pushing, or whatever gets them the most spiff points..

apotheon

The fact that you pretty much always fail to provide an accurate analysis of anything doesn't mean I berate everyone. I just call you on your crap.

Steven S. Warren

Chad, You berate everyone on techrepublic with your longwinded diatribes. Your opinion is worthless to me because I honestly feel you lack the experience but just like to spew your sporty big words. I am simply over you and over it. Go buzz around somewhere else. bzzzzz bbzzzzz---

apotheon

How does stating an opinion without any backing evidence any indication that I'm wrong? Have you ever even been within six miles of a college class in formal logic? If so: Why are you so bad at it?

Steven S. Warren

Millions of people do not use Microsoft products because of impulse buys. In my opinion Windows is a better product for the masses. Open source is not ready for the masses and when it finally is, I believe you will find some other movement to champion.

Tachyon

I delete all IE icons and menu entries*, install IEtab, and do everything that I can possibly need to do on my Windows systems from Firefox, including windows update. I don't miss IE, and I don't need IE. *No I don't uninstall IE, I just remove access to it being run standalone. The IE core is necessary for too many apps to run to go deleting it. Though this combination of lazy windows programmers and insidious design by Microsoft annoys me.

Tachyon

"And lastly, "Roll your own solution" doesn't jive with most IT people. They don't have the time or will to be rolling their own solution. They want it out of the box and simplified. But this is the key cultural differences between Windows people and Linux/UNIX people." You've almost gone and admitted the real truth. The actual difference between these two types. The first type, your type, pays money and gets so called 'expert certifications' like MCSE etc. where they learn to use PRODUCTS enough to pass tests. They treat IT as just another job, do as little work as possible to get paid, and blame problems on others, or technology. The second type is mostly self taught. They love to solve puzzles, and hate to be beaten by a problem. They learn by doing and they learn and COMPREHEND concepts. They actually learn how technology works and they can adapt to new situations readily. And they aren't afraid of a little actual work which is what you are really saying with your little quote "...doesn't jive...They want it out of the box and simplified.." This is equivalent to "I am lazy, unskilled labour pretending to be an 'expert' in my field" and I'm quite sick of these types giving REAL IT workers a bad name and worse, lowering salaries by de-valuing our positions in the eyes of corporate management to the point that anyone able to read and speak English in a third world phone centre can have our jobs. If we "UNIX/Linux types" can learn Windows administration, you lazy ass Windows types can either damn well learn UNIX/Linux and accept that it's a fact of the IT world or go serve burgers somewhere where you belong. I have zero Squid certifications, and no courses in college on it. I just damn well RTFM and taught myself and use it where it met customer's needs. Why?! Because I'm a professional and that's my job!! Not selling them whatever crap makes me the most money and dumping them off on the product's tech support line.

apotheon

Somehow, I'm not at all surprised that you are incapable of understanding self-deprecating irony. Now, please stop toadying to the guy defending your favorite OS and let the grown-ups talk.

Steven S. Warren

I find it hard to believe that you can tell people they have a holier-than-thou attitude when you call yourself Apotheon. How hypocritical is that?

apotheon

"[i]Let's just talk about the two advisories but not actually expand on the fact that the latest Firefox advisory is a cluster of 9 critical exploits.[/i]" Let's talk about the fact that I addressed that: "[b]Granted, the advisory that is listed as 'patched' is made up of those nine vulnerabilities you so like to bring up[/b]" Are you blind or evil? I'm not sure which. edit: fixed quotes

apotheon

One of the links worked. I double-checked both of them when you started complaining about broken links, and one of them (the one using LispURL) was broken. If the other didn't load before but does now, it's because you had a browser time-out for some reason. I think it's more likely that you clicked on one of them, and it didn't work, then after I fixed that one you just assumed the other was broken as well -- that, or you knew one worked and the other didn't, and the fact that I edited the message to fix one makes it impossible now for me to prove that the other worked as originally created so you can just lie with impunity. I'm not sure whether you're malicious or ignorant, but the statement that both were broken is patently false. Good job, again, on just assuming bad faith all the damned time. Clearly, you're not very well acquainted with the notion of trying to get along with your fellow man.

apotheon

"[i]And that's precisely the issue I'm calling out as the lie. IE7 has had ZERO critical flaws on Vista, Firefox 2 has had 9 critical flaws reported by the independent Secunia within 2 months of being released.[/i]" Your assertion that my comments about protected mode are incorrect because of the number of flaws you've noticed for various browsers is like asserting that a claim the sky is blue is incorrect because half a million miles from the Earth's surface there's no atmosphere. It's un-friggin'-related. Whether or not protected mode exists, and whether or not it helps mitigate the effect of browser vulnerabilities, has nothing to do with whether or not vulnerabilities exist. I don't know who you think you're fooling. Actually, I don't think you're under the impression you're fooling anyone. I think you actually know so little about software architecture and software security that you actually don't realize these are orthogonal issues. "[i]I'd also like to see you say some of the things you say if you weren't hiding behind your screen name and posting under your actual paid contributor name.[/i]" Hi. My name is Chad Perrin. I live in Northern Colorado. I served in the United States Army in the '90s, own a bicycle worth roughly $3500 when it was new, and am registered to vote as a Libertarian. I stand behind what I say, including when I tell you where you can stick your [b]very personal attacks on my character[/b]. I've never hidden the fact that my legal name is Chad Perrin. It says so in the profile for the name apotheon. Get over yourself and your holier-than-thou attitude -- or, at least, expect to be regarded as a grade-A hypocrite if you're going to do so while calling people liars without any regard for what the term means and how thoroughly antagonistic and insulting it is to do so. You call me a bully, and yet I was perfectly civil with you up to the point where you called me a liar. 
It's mind-boggling that you still seem to think you're the "good guy" in this discussion.

georgeou

Ah, the old advisory deception tactic. Let's just talk about the two advisories but not actually expand on the fact that the latest Firefox advisory is a cluster of 9 critical exploits. Here is the same advisory expanded: http://secunia.com/advisories/23282/ It's funny how Mozilla claims to fix bugs as they come out rather than some kind of scheduled monthly update but they clearly waited a month or more to bundle fixes for 9 critical flaws. As for the IE7 issues, there is only one critical exploit and it does not apply to Vista. All the remaining issues were not remote exploits that can fire off arbitrary code execution. The media made a big fuss about them because they found something to complain about during the launch of IE7, but that was the first time non-critical exploits got so much press coverage. Yes it's very clever to say it's 2 "advisories" against 4 advisories. Problem is that it's actually 10 exploits versus 4 and most of those 10 Firefox exploits open you to arbitrary code execution. So this is clearly another case of "figures don't lie but liars can figure".

georgeou

"My point was that it doesn't need Protected Mode to achieve roughly the same effects provided by Protected Mode on IE." And that's precisely the issue I'm calling out as the lie. IE7 has had ZERO critical flaws on Vista, Firefox 2 has had 9 critical flaws reported by the independent Secunia within 2 months of being released. You're honestly going to tell me that Firefox 2 without Protected Mode is just as safe as IE7 with Protected Mode. Given the current sets of available exploits available to each browser, one could easily argue that Firefox 2 WITH Protected Mode is still more dangerous than IE7 with Protected Mode because you have 9 critical exploits on FF2 versus 0 on IE7. It's also pathetic that you cry foul and then resort to "screw you" and other foul references to anatomy. But I guess one would expect that from Apotheon the forum bully. I'd also like to see you say some of the things you say if you weren't hiding behind your screen name and posting under your actual paid contributor name. It's rather cowardly to say these things under Apotheon.

georgeou

As petty as you've turned this thread into, I'm going to clarify it for you. You posted two embedded hyper links both of which led nowhere. Now both of them are fixed. Two broken links constitute plural.

apotheon

You keep going on about how Firefox 2 is Swiss cheese and IE7 is "flawless". Let's compare Secunia advisory statistics by looking at the "all time Secunia advisories" pages for each. [url=http://secunia.com/product/12434/?task=advisories]Firefox 2[/url] I see two vulnerability advisories, one for cross-site scripting that has been patched and one for password phishing that has not. The most severe (actually, the [b]only[/b]) unpatched vulnerability is rated [b]less critical[/b]. [url=http://secunia.com/product/12366/?task=advisories]Internet Explorer 7[/url] I see four vulnerability advisories. One of them, for remote system access with the highest possible criticality, is patched. Of the three (count 'em, three) unpatched vulnerabilities, two are spoofing vulnerabilities and one is essentially a phishing vulnerability. One each of the spoofing and sensitive information exposure vulnerabilities are "less critical", same as for Mozilla Firefox's one and only unpatched vulnerability, and the other spoofing vulnerability is rated [b]moderately critical[/b]. Thanks to the fact that Vista is still not generally available for purchase, there are no notes in the Secunia advisories about current effectiveness of any of the exploits related to these vulnerabilities for IE7 on Vista. Similarly, the Firefox 2.0 advisories from Secunia offer no information on whether any of Fx's vulnerabilities apply to Vista users. Granted, the advisory that is listed as "patched" is made up of those nine vulnerabilities you so like to bring up, George, but then again the only advisory listed as patched for IE7 is made up of five discrete vulnerability warnings for that browser, and its criticality is higher than any vulnerability ever reported by Secunia for Firefox. 
It's also worth noting that Firefox vulnerabilities get reported publicly pretty much the instant they're discovered, and still patch times are almost always less than the shortest patch time ever recorded for a Microsoft patch (IE or otherwise): ten days. . . . and I simply cannot stress this enough: [b]one of the major reasons for the low vulnerability count on IE7 for Vista is the simple fact that Vista isn't generally available[/b]. Are we clear yet?

apotheon

You're still doing it. You're still misrepresenting the facts. There was exactly [b]one broken link[/b]. It is not true that I "responded with broken links". I responded with a list of examples that answered your question, which you ignored in favor of claiming that more links were broken than were actually broken, and now you're [b]still[/b] misrepresenting the situation -- you choose to make it sound like I posted several links, all of which were broken, with zero information, intentionally -- when the truth is I provided information, with two links, one of which was broken by accident. Argue the facts, not your fantasy-world illusions that you're Right and we who disagree are Wrong by definition.

apotheon

"[i]I've never attacked you personally[/i]" . . . except calling me a liar. If you think that isn't a personal attack, your head is inserted into your fourth point of contact rather firmly. "[i]fairly benign language[/i]" My left foot, that's benign. You called me a [b]liar[/b]. Screw you. "[i]You made a patently false claim that Firefox can't endanger the host operating system[/i]" No, I didn't. I simply pointed out the independently verifiable fact that it doesn't endanger the host operating system [b]the same way IE does[/b]. It only does so, in terms of general architectural issues, the same way [b]any third-party application[/b] does, regardless of whether it's tied into core OS functionality or not. IE theoretically suffers all the same architectural vulnerability transference issues as Firefox, plus several others because of its integration with MS Windows. If you deny that, [b]you're[/b] the one claiming the Earth is flat. "[i]it doesn't need Protected Mode[/i]" My point was that it doesn't need Protected Mode to achieve roughly the same effects provided by Protected Mode on IE. Adding a protected operation mode, obviously differently than for IE since the security challenges are different by design on Firefox, could achieve additional security for the system as a whole, but it doesn't need it just to keep up with IE's architectural security characteristics. Perhaps if you actually bothered to think about what I was saying rather than repeating "protected mode" and "nine exploits" over and over again as some kind of MS marketing mantra, you'd realize that your characterizations of what I've said are complete poppycock.

apotheon

"[i]For example, I often use Squid ACL's on transparent proxies to provide all kinds of security and access restrictions. In fact many more than are likely possible with Group Policies.[/i]" You make a very good point, without actually explicitly explaining it: Often such security "features" as AD/GPO are a kludge invented to solve the problem of having a network architecture that doesn't provide proper centralized access management. Something along the lines of Squid proxies can be used to centrally manage access capabilities on a single machine, [i]without having to push configuration to every desktop on the network[/i]. If/when there's a problem with pushing configurations to client systems, your security model breaks down, when trying to enforce everything via AD/GPO -- and doing so assumes that the people using the client machines aren't smart enough to work around the per-client security configurations. In other words, AD/GPO for access management relies (once again) on security through obscurity: you're trusting your users to be stupid and ignorant enough that they won't find ways to circumvent the restrictions you're trying to impose. In most cases, centralized management via firewall and proxy settings is the better option -- both in terms of ease of administration and in terms of actual security, since it only relies on lack of access to the proxy and/or firewall rather than ignorance for its security.

georgeou

I was referring specifically to critical IE7 flaws under Vista. So far it has not had a single critical flaw under Vista. At this point in time, IE7 is the only browser that supports Vista Protected Mode. It also has zero critical flaws. Mozilla Firefox 2 has been riddled with holes within a month of its release. http://secunia.com/advisories/23282/ So not only is Firefox 2 filled with critical flaws that can compromise your PC, it fails to implement a jailing mechanism built in to Vista. "Frankly I fail to understand why IE would have any defenders or fans. It's deserving of neither. But then the same could be said of Microsoft in general." Try and defend using an alternative browser under Vista. For that matter, IE7 has been far safer than Firefox 2 even on Windows XP with 1 critical flaw versus 9 critical flaws on Firefox.

Tachyon

Apparently your version of product testing involves looking at the pretty UI changes and saying "oohh....uuuuwwww...ahhhh". The rest of us are dealing with broken websites, failed applications, and other problems caused by IE7 being everything but flawless. On top of that, you've made an irrelevant comparison, that being IE7 on Vista vs. FF2 on Vista. Also again assuming requirements for all browsers that may only apply to IE. Also, I'm quite sick of people saying that because Microsoft has less patches for product X versus product Y that it must be a better, more secure product. This is a complete fallacy and a total lack of logic. First, Microsoft rarely patches bugs unless bludgeoned into it by the press and the IT security industry. And when they finally do, they tend to bundle them into one patch so the patch count is lower. Secondly, most other products, especially open source ones, patch a lot more and for a lot more reasons. Any comparison that fails to take into account patch purpose and level of severity is meaningless. As for security, check out a properly compiled comparison of security levels and bugs at: http://www.webdevout.net/ie_is_dangerous.php Another fallacy you propagate is that IE7 is 'way outdoing' Firefox. This is again baseless. Firefox continues to see growth, and it continues to cut into IE's browser share. This is all despite the fact that IE7 has been released, and that much of IE7's numbers are bogus given the fact that Microsoft has pushed it on unsuspecting users through Automatic updates. Check out this link for reference to that: http://www.informationweek.com/news/showArticle.jhtml?articleID=196901142 Frankly I fail to understand why IE would have any defenders or fans. It's deserving of neither. But then the same could be said of Microsoft in general. It's like praising your hemorrhoid cream instead of griping about the fact that you have no choice but(t) to be using it.

Tachyon

he's trying to point out that some of us use browsers that don't need locking down in the first place. You are saying, "I drive a Ford Pinto, and I use Ford's new rear differential crash explosion protector so I don't have to worry about explosions from rear end collisions. And until every other car comes with differential gas tank puncture protectors, no one will drive them." He's trying to say "I don't drive a Pinto, so I don't NEED the puncture protector because my car doesn't have a design flaw that causes it to explode when rear-ended" Plus you haven't even defined what 'locking down' is supposed to mean so no one can answer your claims. Because you misunderstand the technology (apparently) it's hard for anyone to discuss it with you. Personally, I can't think of any security 'feature' of IE that I can't duplicate with other means. For example, I often use Squid ACL's on transparent proxies to provide all kinds of security and access restrictions. In fact many more than are likely possible with Group Policies. Finally, given the absolutely irreparably flawed design of Internet Explorer (and its use as the core of Outlook) is responsible for 98% of all malware infections, I don't really care what you can do with group policies. It's not worth the risk, ESPECIALLY in a corporate environment where valuable assets are at risk. Finally, why would anyone choose to use IE? It's such an inferior browsing experience to nearly all alternatives that I can't imagine any sane consumer or IT manager would choose it on purpose.

georgeou

I politely asked you a serious question and you respond with broken links. Then you fix them and admit they were broken but call me a liar for saying they were broken. It sounds like there's no point in continuing with this thread if you're going to behave like a 5 year old.

georgeou

Posted twice by accident.

georgeou

If you come on a discussion board and claim that the earth is flat, there would be nothing wrong or unprofessional about me calling you a liar. I call it like I see it and I've never attacked you personally or used any vile language against you even though you haven't always extended the same courtesy. But it's funny how you'd rather cry foul about some fairly benign language instead of addressing the issue with your bogus claims. You made a patently false claim that Firefox can't endanger the host operating system and that it doesn't need Protected Mode yet I can come up with 9 critical exploits on Firefox 2 that can get your system owned. This isn't even the first time you've made this absurd claim either. So either you don't understand what the concept of a remote exploit is or you're trying to deceive us.

apotheon

"[i]First of all most of the links you provided are dead links.[/i]" What definition of "most" are you using? One friggin' link was broken. As long as there's more than one link, a single broken link is not "most", which requires that greater than half the links are broken. Perhaps, if you were more interested in actually discussing the truth of the matter than in trying to demonize anyone that disagrees with you, you would have just informed me one of the links was broken and I'd have fixed it. By the way, it's fixed. Git. "[i]Maybe for people more familiar with *NIX environments that's true, for most people in IT more familiar with Windows scripting it may not be so true.[/i]" It's true for people equally familiar with both unixlike network environments and Windowslike network environments. It's not true for people only familiar with Active Directory, of course -- that goes without saying. By the same token, saying that writing a "hello world" script in Perl is easier than composing O Fortuna Imperatrix Mundi is only true if you're not asking Carl Orff in 1937 to write the script in question. "[i]And lastly, 'Roll your own solution' doesn't jive with most IT people. They don't have the time or will to be rolling their own solution.[/i]" It sounds like most of the "IT people" you know are glorified MS Office operators, especially when rolling your own solution with the directions at the other end of the provided link is a matter of a few minutes to put together.

apotheon

It's unbelievable that TechRepublic allows its full-time employees to go around calling members of its customer base liars just because they disagree with him. "[i]It's also funny how you ignore the fact that IE7 has had no remote exploits on Vista.[/i]" I'm not surprised there aren't any (yet), considering that Vista [i]isn't even available to home users[/i]. "[i]Oh and before you accuse me[/i]" Learn to read. That wasn't an accusation -- it was a statement that I have no reason to defend the veracity of your claims. I [i]don't know[/i] whether you're right, and your repeated assertions that you [i]are[/i] right won't change that. Stop attacking the disagreeing party (me), and start providing some comprehensive opposing arguments -- unless you actually enjoy looking like you're a half-baked flamewar-seeking troll.

georgeou

First of all most of the links you provided are dead links. "This can actually be accomplished more easily with certain other NOSes and network authentication systems than with AD." Maybe for people more familiar with *NIX environments that's true, for most people in IT more familiar with Windows scripting it may not be so true. And lastly, "Roll your own solution" doesn't jive with most IT people. They don't have the time or will to be rolling their own solution. They want it out of the box and simplified. But this is the key cultural difference between Windows people and Linux/UNIX people. It's not a question of which is right, it's a question of personal preference.

georgeou

"The obsession with "protected mode" security is an interesting one, especially considering that the primary purpose of it is to prevent a browser intimately connected to most of the OS from spreading its infections throughout the system. Since Fx doesn't suffer that problem in the first place, "protected mode" operation on Vista is probably a distant thirtieth place or so in importance for security. In fact, by virtue of the fact that Firefox is a stand-alone application without any deep hooks in the OS at all (not only is it not used by the rest of the system as a general-purpose rendering engine the way IE is used, but it doesn't even talk directly to core functionality via contagion vectors like ActiveX), it already essentially achieves the aims of IE7's "protected mode" operation on Vista. Unlike IE7's "protected mode", however, it's an architectural separation rather than merely a sort of interdiction layer to filter out bad stuff, so there will not be any inherent flaws in the protection provided by Fx's isolation from the system the way I'm pretty sure there will be for IE7's "protected mode"." I don't know how you say it with a straight face that Firefox doesn't need protected mode. Here are 9 BIG Firefox-gets-you-owned reasons why it's needed. It's also funny how you ignore the fact that IE7 has had no remote exploits on Vista. Your rants are becoming so filled with blatant lies that you're looking like an FSF caricature. http://secunia.com/advisories/23282/ "This, of course, is assuming George Ou is right about Fx "barely" working on Vista. For all I know, he could be somewhere out in left field, and maybe Fx works perfectly already." Oh and before you accuse me of being out in left field about Firefox not working fully on Vista, go read what Mozilla has to say about Vista compatibility. Otherwise you're just putting your foot in your mouth again.

apotheon

I'm not surprised IE7 works better on Vista than Firefox, at this time, considering that Vista hasn't even hit the retail consumer market yet. We've still got a week and a half before that happens. I'm sure Fx operational issues on IE7 will be ironed out shortly after the Vista general release happens, and in fact wouldn't be surprised if it happened before the general release now that a "stable" business release has already occurred. In any case, it's probably not the Mozilla Foundation's highest priority to have Firefox running perfectly on Vista before the general release, since anyone already using Vista in business is in the MS early adopter crowd, and wedded to IE by definition. This, of course, is assuming George Ou is right about Fx "barely" working on Vista. For all I know, he could be somewhere out in left field, and maybe Fx works perfectly already. The obsession with "protected mode" security is an interesting one, especially considering that the primary purpose of it is to prevent a browser intimately connected to most of the OS from spreading its infections throughout the system. Since Fx doesn't suffer that problem in the first place, "protected mode" operation on Vista is probably a distant thirtieth place or so in importance for security. In fact, by virtue of the fact that Firefox is a stand-alone application without any deep hooks in the OS at all (not only is it not used by the rest of the system as a general-purpose rendering engine the way IE is used, but it doesn't even talk directly to core functionality via contagion vectors like ActiveX), it already essentially achieves the aims of IE7's "protected mode" operation on Vista. Unlike IE7's "protected mode", however, it's an architectural separation rather than merely a sort of interdiction layer to filter out bad stuff, so there will not be any inherent flaws in the protection provided by Fx's isolation from the system the way I'm pretty sure there will be for IE7's "protected mode". 
Then, of course, there's the simple fact of Microsoft's track record on security. I fully expect that IE7 will show itself to be nearly as much a threat as it always has in the past, during the next year. Vulnerability patch times will be necessarily slower than for a popular open source project like Firefox, "undocumented features" will rear their ugly heads, and the usual practice of hiding problems by bullying security experts into keeping them secret rather than fixing the vulnerabilities and practicing transparency will continue unabated. Frankly, anyone (in general) using Vista for purposes other than testing compatibility for software and services before a first service pack (or thereabouts) isn't paying attention. If security is important, early adoption of MS software should be the last thing on your mind as an end user.

apotheon

First, the Mozilla website itself includes [url=http://wiki.mozilla.org/Firefox:2.0_Institutional_Deployment]instructions for limited AD/GPO administration[/url] of Firefox. Second, you can with relative ease [url=http://lispurl.com/cadadddadar]roll your own solution[/url] and push it out through the network. This can actually be accomplished [b]more easily[/b] with certain other NOSes and network authentication systems than with AD. . . . and finally, WetDog allows you to use Group Policy Objects in Active Directory with Firefox. That's just the free stuff. I don't happen to have the names off the top of my head, but I've seen at least two paid solutions for centralized network management of Firefox and Thunderbird security as well, in the past.

sleepin'dawg

That will probably be some time after they publish Service Pack 3 or 4. Does anyone in their right mind doubt that these will be in our future? It's been years since MS has published anything without a host of problems and glitches, most usually caused by them making provisions for add-ons or things that prove to be impractical or vapourware in the real day-to-day world of normal usage. As for IE7 it is better than IE6 but not by very much and while it has a little more security, it's all the security integrity of a screen door on a submarine; about as effective as a fart in a hurricane. I only use IE7 through [b]Avant Browser[/b]. The fact that I still find that to be necessary is a sad comment on MS's ideas of what a swift and secure browser should/could be. I still like FF but find it slower than the second coming of Christ and it does hang occasionally for some inexplicable reason(s). [b]Dawg[/b] ]:)

Tony Hopkinson

I would try both and from the sound of it IE7 would win at the moment. I've no vested interest in FF just browsing as securely as I can without losing too much functionality. As for FF not having it done yet, well I can't call them on that it would be pot and kettle. Some of MS's help for developers who design competing applications to run under Windows isn't all that helpful. Net or back to old APIs it walls off low level optimisations from you and forces you down a path MS designed for themselves. One they are intimately aware of and that they can change much more easily. Lock in, dependency, enthralled, marginalised and then dead. Depends on how up to date with MS's architecture your code base is, it will range from a lot of work, to in our case total rewrite. We are switching to .NET. As much as I jumped about warning people we were going to get ass raped, we started looking at Vista compatibility two weeks ago, wasn't my decision, I can assure you.

georgeou

Microsoft invited the Mozilla team to Redmond for a week to help them work on FF for Vista. I chatted with the FF team and they admitted they talked about Protected Mode a lot and that Microsoft was good to them and that they had a lot of work to do. When I asked them about Protected Mode for FF four times, they kept dodging the issue and wouldn't tell me if they're working on it even though they admitted they had spent a lot of time with Microsoft talking about it. My problem with FF2 under Vista is not the quirks, it's the fact that they have failed to implement Protected Mode which they really NEED with those 9 critical vulnerabilities discovered within a month of FF2's release. Not only are there a lot of bugs in FF2 compared to zero flaws in IE7 for Vista, the fact that FF2 is not in protected mode means you get completely owned on an FF2 flaw. Even if there were a flaw in IE7 for Vista, it still wouldn't own your system or have access to your precious user files. This means FF2 is a mile behind IE7 on Vista when it comes to security. At this point FF2 is a joke on Vista and anyone who puts FF2 on Vista thinking they're getting a better deal is just fooling themselves.

Tony Hopkinson

I've missed the real you. There's lots of applications that don't work under Vista as well as they do XP. VS2005 for instance. Watched it drop dead several times at TechEd. Still I agree the fact that MS's biggest competitor in the browser market not working under the new OS is very 'unfortunate'. Am I suggesting that was deliberate, no surely not. After all there's no evidence of MS squeezing the competition out of the market with changes to their OS. Total coincidence. Unlucky No, really.

georgeou

IE7 (not on Vista) so far has exposed users to 1 critical vulnerability (VML exploit) that was patched silently by Microsoft. FF2 was supposed to have been audited and cleaned up but within 2 months we see a mega patch with 9 critical flaws. http://secunia.com/advisories/23282/ FF2 barely works on Vista and does not support Protected Mode security like IE7 for Vista. Therefore if you put FF2 on Vista, you've opened yourself up to 9 critical flaws without the benefit of protected mode. Had you stayed with the FLAWLESS IE7 on Vista which runs in a Protected Mode jail to begin, you would have been far better off.

georgeou

Most IT administrators are familiar with Active Directory and Group Policy but are open to better suggestions. I'm sure they will want to hear about these alternatives, but can you provide us some details on capability and pricing?

Tony Hopkinson

Simply because it's a different code base and not integrated into the OS, it's less vulnerable to particular types of attacks. You can still get hit through it though, if you haven't got it, get the NoScript extension. Use default disallow and be very careful who you say can run scripts. Some people have problems with it but TeaTimer (an extra that comes with Spybot S&D) is a useful measure. (it alerts on changes to critical registry values). One of the absolute best things you can do for browser security is if you are trawling through some of the ah dingier areas of the internet, is do it as an unprivileged user.

apotheon

"[i]Isn't Firefox far more secure than IE?[/i]" Generally, yes. At any given moment, it's not so clear-cut, because of the ever-changing landscape of browser security -- but if you're going to bet on one or the other, Firefox is in general an almost certain win. While the core technology of Firefox 2.0 isn't in and of itself markedly more secure than that of IE 7, it gets faster security patching thanks to its open source development model, it doesn't magnify any vulnerabilities by integration with the rest of the operating system, and because it's open source you can be pretty damned sure that there aren't intentional remote access "back doors" built into it (or other examples of hanky-panky going on under the hood).

apotheon

"[i]the bottom line is STILL that without support for AD and Group policy, no browser will ever overtake IE.[/i]" No. That's the OPPOSITE of some of what I said. The OPPOSITE. Get it? Opposite? DISagree. Are we clear yet?

Steven S. Warren

Both Firefox and IE have their vulnerabilities. I really can't say as I do not have any hard facts at hand and do not want to give my opinion. I have both Firefox and IE on my computers and use them both.

Cheesel

The reason that there are more IE users is because it comes with Windows. I remember when hardly anyone used it and most people used Netscape.... Isn't Firefox far more secure than IE?

Steven S. Warren

So at the end of that longwinded diatribe where you use words like poppycock and spewed, the bottom line is STILL that without support for AD and Group policy, no browser will ever overtake IE. I am curious. Have you ever even locked down IE via Group Policy? Do you have any experience in this arena?

apotheon

On what planet? Nobody seriously disputes that there are more IE users than Firefox users (for instance). The problem is that your post's point was nonsense: the point was clearly not that there are more IE users than Firefox users, but that the reason there are more IE users is that it's particularly compatible with AD security "features", and if Firefox (or whatever) is to match IE's popularity it must also support AD security "features" -- and, thus, people should stop "complaining" about IE until other browsers also support the same AD security "features" as IE. As I pointed out, not only is that poppycock, but you don't seem to know much about any of the incidental "facts" you spewed, like the notion that Opera and Netscape are open source software. So, no . . . there's no more agreement than there would be between us if you said the sky was pink and yellow paisley and I said it was more of a solid blue. Sure, we'd both subscribe to the notion that there's a sky, and even that it has color, but that's not the point of saying it's paisley.

Steven S. Warren

You mean there are other operating systems other than Microsoft. I need to research this further. But at the end of the day, your post agrees with my blog. IE rules the roost. Thanks.

Steven S. Warren

Don't get me wrong, I would love to see an open source browser or Firefox, Opera, etc. have the ability to be locked down via AD or group policy.
