Mozilla faces the curse of popularity

Summary: Regardless of whether your process is proprietary or open source, you still need a process to collect bug reports, test patches, and expedite them to users. That process is always a bottleneck.

One of the longest-running arguments here, not just on Open Source but in ZDNet forums generally, involves why Microsoft stuff is so buggy while open source stuff isn't, or doesn't appear to be.

Is Microsoft's problem that it's bad software, or is it just popular?

That's not an either-or question. The answer lies somewhere on a continuum. But the reverse of that question is also important. Is open source software really better than proprietary, or is that just a function of its low market share?

Mozilla's Firefox browser is a great test case. How it responds to its present security problems, and how fast new problems come on, will help us answer these key questions.

Users are already reporting exploits. Statements from Mike Schroepfer, director of engineering at the Mozilla Foundation, that 'We're releasing as soon as we possibly can' sound almost Microsoft-like. But what else could he say?

Regardless of whether your process is proprietary or open source, you still need a process to collect bug reports, test patches, and expedite them to users. That process is always a bottleneck. We don't know whether it's more of a bottleneck (because you can't order around armies of programmers) or less of one (because vast armies of programmers are available).

The good news is we're about to find out.

  • Old sayings....

    I've always heard that "the truth shall set you free."

    I think in this case the truth shall prove how much of a moron most open source advocates are.

    • morons

      The only morons are the people who jump on every little announcement of vulnerabilities in open source software as somehow proving that it is insecure. I hate to tell you but all software has vulnerabilities, open and closed source, and no one with any credibility has ever claimed otherwise. Trying to make it sound like the open source community claims it is vulnerability free is a straw man; in fact the open source community is usually quite open and up front about bugs and security problems.
  • Several questions

    What OSs are the bugs showing up on? How fast, as compared to MS, are they being addressed? I don't believe anyone has ever said MS has a monopoly on bugs. Firefox may just be the software to demonstrate the superiority or the inferiority of open source in addressing them. With close to 90 million downloads no one can say FF is not popular. So with bugs and all it looks like open source is on the superior end.
    • 90 million downloads, but how many unique?

      "With close to 90 million downloads no one can say FF is not popular."

      Firefox is definitely popular. But anyone trying to stick a number on it needs to think again. As I pointed out in my other post to this article, when you update Firefox, you download an entire new version. This makes statistics of number of downloads completely useless. Just think, how many of those 90 million were "1.0 -> 1.0.1 -> 1.0.2 -> 1.0.3 -> 1.0.4 -> 1.0.5 -> 1.0.6" ?
      • Real numbers

        Rather than look at downloads, let's look instead at real world usage (although this is never completely accurate due to identity spoofing agents):

        Firefox, offered through the Mozilla Corp., rose a fifth of a point in market share in August to 8.27 percent from 8.07 percent in July, NetApplications said. Microsoft's IE, on the other hand, continued its slide in the market, dropping to 86.31 percent from 87.2 percent.

        IE lost market share as Firefox, Apple Computer Inc.'s Safari, and America Online Inc.'s Netscape gained. Safari rose to 2.2 percent from 2.13 percent in July, while Netscape posted the biggest gain to 2.02 percent from 1.5 percent.
        tic swayback
      • Multiple installs to one download

        That is correct, but I would like to add the fact that you also need to take into account the downloads that are not registered.

        I have installed and updated Firefox on many, many machines from single downloads.

        Every time I install Linux on a desktop the Firefox installed by default isn't counted in the download stats. Every time I update it the download doesn't count.

        If the install to download ratio is 1000:1 or greater should the download stats raise or lower?
    • Just curious, why does it matter?

      What does the comparison between the various versions of MS and other operating systems matter as far as bugs and fixes are concerned? The fact is operating systems have bugs, period, and whether you use MS or Linux or Mac you need to secure both your network and the system against intrusion, attack and misuse. The need doesn't change with the OS. Right now Linux and Mac are getting off lightly because there aren't a few hundred million people probing them for vulnerabilities. Sooner or later, they'll get nailed too. As it happens I'm a big fan of Linux and not one of MS in any of its versions. The security issues are in their essence the same regardless of the OS.
  • Apache answered that question long ago
    This tired old question of whether security is a function of popularity keeps coming up over and over again.

    Here's the answer:

    1) Apache is by far the most popular web server on the planet (65+% of all web sites, or something like that) and has been for quite a few years.

    2) Apache is open source.

    3) Apache is quantitatively and demonstrably more secure than Microsoft's IIS web server, and has had far fewer patches in its lifetime than IIS.

    Can this issue finally be put to rest now?
    • And Apache (LAMP) is hacked more than anything else.

      Go to the CERT site and read it yourself.
      • links?

        Care to show proof of this claim? Besides, what does Apache being more secure than IIS have anything to do with Linux/Apache/MySQL/PHP, Perl, Python, etc. being more secure than IIS? Nice "spin" - do try again though..... Fact is Bit, Apache IS more secure than IIS AND it's 3x as "popular." QED!
        • I think you need a "logic link"

          Hmmm, LAMP is 3X more popular than IIS, web sites are hacked and defaced every day. Ummm, do you follow the logic yet?

          If the web runs on Apache and the sites get hacked all the time, guess what's being hacked...

          As for your links request, I already pointed you to CERT. Do you need help finding it?
          • There is the question

            "If the web runs on Apache and the sites get hacked all the time, guess what's being hacked..."

            What exactly is being hacked?

            You can deface sites without actually hacking Apache and IIS. You also don't have to hack the OS. Heck, it could be some obscure program that allows the user privileges.
            Patrick Jones
    • Bzzt, try again

      How many home users run Apache or IIS? How many people log onto their web servers to surf or read mail or run Before your argument becomes the least bit convincing, you have to convince us that security statistics of headless servers have any relevance at all to home computer security. The two classes of computers are vulnerable to completely different attack vectors.

      But, if you really want to insist that popularity has nothing to do with it, please explain why Apache is hacked FAR more often than IIS and has been this way for over a year.

      [i]Can this issue finally be put to rest now?[/i]

      I would hope so since it has been proven time and time again that the popularity of a piece of software has a lot to do with the number of successful attacks against that piece of software. Or is that not what you meant? ;)
      • proof?

        Please show us where Apache has 3.5x the number of vulnerabilities as IIS. Good luck!
        • Done

          First off, who ever said that the relationship between popularity and successful attacks had to be linear? It does not have to, nor has anyone other than people like you insisted that it must be linear.

          But I digress, you wanted proof.

          Notice several things:
          1. On pages 9 and 10 are graphs that show that the number of attacks against Linux web servers increases year after year, hmmm, in similar proportions to its popularity! Linux web servers are now (and for more than a year) hacked more often than Windows web servers.

          2. And there it is, on page 11, Apache successfully attacked more often than IIS for more than a year now.

          3. Page 13 shows how the system was attacked. By FAR the biggest way in was through, surprise, a misconfigured server. This shows that the user is by far the weakest link. Now, if the user is the biggest weakness on a headless server, can you imagine how much of an impact the user has on home OS security? Add to that the fact that social engineering based attacks on web servers are nearly non-existent, yet they are VERY successful against home users; can you now understand why pulling out the tired Apache vs IIS defense when talking about home users is silly at best?

          To recap, I've shown that the Apache vs IIS defense is irrelevant to the Firefox vs IE debate but I went one step further to show that even if it was relevant, it still supports the popularity argument. End of story!

            Many people have debunked that whole website because their testing is nowhere near scientific. There are so many problems with their methods. You can probably find many of the arguments in some of George Ou's talkbacks.

            I am not saying that their conclusions may not be true, but their method is very suspect.
            Patrick Jones
          • Fair enough

            I know that many people, when unable to fight the facts, resort to fighting the source. Zone-H might not be perfect but I believe it more than Microsoft funded studies and more than Red Hat/Novell funded studies. I even prefer it to a plain list of vulnerabilities since only successful attacks really count at the end of the day. It is difficult to say "there were 3 vulnerabilities in this system and 7 vulnerabilities in the other so system A is better" when the severity of an issue is ignored. Severe issues will likely cause more attacks so counting attacks instead of issues yields better statistics.

            At the end of the day, zone-h is the only non-partisan group to put out ANY statistics of this nature. Those that debunk it have no statistics of their own and their argument usually reverts to "m1Cr0$oFt sux so II$ must be less secure".
          • As non-partisan as it may be.

            It still does not give enough of a picture to support the argument in question, however.
          • I was one of those debunking it

            It is their testing method that is suspect. They rely solely on the "hacker" reporting their exploit and its parameters. The only thing they "verify" is that a website has been defaced. Then there is the fact that one server hosts many websites and they count each website separately.

            As I said, I am not arguing that their conclusions may not be correct. You are correct in that I have no statistics of my own to prove one way or the other. However, having done many scientific studies, I just cannot accept anything they report as factual.
            Patrick Jones
          • self-reporting statistics simply aren't reliable

            "Those that debunk it have no statistics of their own and their argument usually reverts to "m1Cr0$oFt sux so II$ must be less secure"."

            Actually I think the argument against it is that it's reliant on self-reporting, which is considered an invalid way of gathering statistics. While there may not be much other available data to compare it to, that does not make it any more valid. So I don't think zoneh is enough to support an argument of 'l1nux sux so apach3 must b3 l3ss