When more bugs can mean tighter security

Tristan Nitot, the president of Mozilla Europe, has much to say on the differences between Microsoft's and Mozilla's approaches to browser development. ZDNet.co.uk caught up with Nitot at the Online Information conference in London this week to talk about the security of Firefox and Internet Explorer (IE), online privacy and the future of open source.

Q: A recent study by Jeff Jones, a Microsoft security strategy director, found Internet Explorer to be more secure than Firefox. Are you surprised?

A: I'm surprised that bug counting, which is a terrible metric, was used by Microsoft. It isn't easy to assess security, but bug counting definitely isn't the way to do it. I'd rather talk about time to fix, the duration of the window where users are at risk, which in our opinion is a much better metric.

Q: In a nutshell, Microsoft claimed that because Mozilla had fixed more vulnerabilities since 2004 than Microsoft, IE was more secure than Firefox. What do you think of that argument?

A: To quote Mike Shaver, [Mozilla's director of ecosystem development], just because dentists fix more teeth in America doesn't mean we have worse teeth than Africa. Just compare the number of high-security advisories over time between Internet Explorer, Firefox and Opera.

Q: What is your opinion of the claim that the more vulnerabilities fixed, the less secure the browser?

A: It's false logic. If you have issues and don't fix them you will look good on the outside but in reality you still have the issues. There's a really good movie, Les Ripoux (in English, "The Rotten Ones"), about two cops, one old, one young, and the younger is in the process of being corrupted by the older. They find a bad guy, catch him, and the young one wants to take the bad guy to the police station. But the old one says: "You can't do that. If we take him to the station the crime statistics will increase, and we will look bad. Release the guy and take his money. That punishes him."

This is comparable: if you do the right thing you look bad, but people are safer. What really counts is that our users are secure, and that people count on us to do the right thing. People within the Mozilla community have a better-than-average understanding of this: we work together and have to trust each other. If people hide, it's no good for the community or overall motivation. But we're not building fixes for our teams, we're building them for our users.
