
posted by CoolHand on Wednesday December 16 2015, @08:41PM
from the the-more-things-change-the-more-they-stay-the-same dept.

While both Betteridge's Law and common sense say, "No," Zack Whittaker at ZDNet takes a closer look:

An analysis of the last five-months' worth of monthly software updates shows that Edge had 25 vulnerabilities shared with versions of Internet Explorer, which had a total of 100 vulnerabilities.

Earlier this month on its scheduled Patch Tuesday update offering, Microsoft released MS15-124, a cumulative update for Internet Explorer, and MS15-125, a near-identical patch for Edge. Of the 15 flaws patched in Internet Explorer, 11 of those were also patched in Edge.

According to a Microsoft blog post earlier this year, the software giant's newest browser, an exclusive for Windows 10, is said to have been designed to "defend users from increasingly sophisticated and prevalent attacks."

In doing that, Edge scrapped older, insecure, or flawed plugins or frameworks, like ActiveX or Browser Helper Objects. That already helped to cut a number of possible drive-by attacks traditionally used by attackers. EdgeHTML, which powers Edge's rendering engine, is a fork of Trident, which still powers Internet Explorer.

[...] Older versions of Internet Explorer will be retired by mid-January, giving millions of users about a month to upgrade to Internet Explorer 11, or to Edge on Windows 10.


  • (Score: 0) by Anonymous Coward on Wednesday December 16 2015, @11:07PM

    by Anonymous Coward on Wednesday December 16 2015, @11:07PM (#277373)

    Are you saying sandboxes are fundamentally flawed and untrustworthy,

    Where the fuck did you get that from? I'm saying the browser concept as it exists right now is flawed.

    or that there is something special about both flash and the web platform that makes the latter as bad as the former?

    "[...] complexity is the bane of all software, simplicity is the most important quality" --Uriel [cat-v.org].

    What about the differences: Flash was almost exclusively implemented as a single proprietary plugin. The web (which I mean here as a shorthand for html+css+js) has several independent, open source implementations that compete with each other for users,

    Now this is comedy. Do you do stand-up? Welcome to reality, my friend. [wikipedia.org]

    How many is 'several'? There are essentially two browser rendering engines: Webkit and Gecko. All the others have negligible market share. Why are there only two rendering engines? Simple: it's because creating a web browser has become a task in the same order of complexity as creating an entire operating system.

    In fact, the complexity of creating a web browser is bigger than that of creating an operating system, because the Web is a moving target. Once you've got all the current stuff implemented the big guys have come up with something newer and shinier that all the hipster web devs will start to rely upon.

    Unless you're backed by a large tech company (The Goog and Mozzarella, respectively) it's not feasible.

    and there are regular, formal competitions to find and exploit security holes.

    The fact that that is even possible should alarm you.

    Secondly, all those elaborate things you listed that browsers are expected to support now, on top of the original html spec, have become (or in some cases are becoming) official standards because that's what people want them to do. It's extremely convenient if I can download and run a video, an animation, an image, some text, a database interface, etc, within seconds through a single interface that tracks the source, identity, logins etc.

    Again: this is what an operating system is for. "But I want to do it online, that's completely different!" Bullshit.

    Your browser shouldn't render video or animation. That's what video players are for. If you want to play video "but this time, it's online!", then embed a video player into your web browser. Separation of concerns [wikipedia.org] is not a new thing.

  • (Score: 2) by prospectacle on Thursday December 17 2015, @12:07AM

    by prospectacle (3422) on Thursday December 17 2015, @12:07AM (#277407) Journal

    Ok let me put it another way, if you are saying that the browser concept is flawed, not simply that there have been some implementation problems or bugs (which of course there are in every piece of software), but that the concept itself is flawed, then what specifically is this flaw? Also, why is it a flaw, just saying "x shouldn't be used for y" doesn't, by itself, explain anything.

    A few other points in response to your last post:

    The fact that finding security holes is possible does not alarm me because it's true of every category of software. I'd have to walk around being alarmed all the time. I'm concerned, as I am with my operating system, word processor, email client, but only sometimes alarmed. It's impressive that there are regular, well published competitions and bounty programs to try to minimise these security issues.

    Secondly of course it's different online. Networking of any kind adds its own challenges, features, risks, etc. There are lots of ways of dealing with them and the web-browser is one of them. What makes you say that certain file types (e.g. video) "shouldn't" be accessed using this system?

    Thirdly that map you linked to shows that there is a clear leader in popularity. No one's forcing people to use chrome. The market shares have changed dramatically many times over the last few decades. There is more than one implementation of webkit, and of javascript engines there is v8, javascriptcore, spidermonkey and chakra all of which are open source.

    Chrome is currently winning and it is also probably the hardest to compromise. Even then it has still been compromised multiple times but so has every other major piece of networking software, so perfection is not a realistic expectation. What matters is relative risk vs relative reward. Why do you think people use web-browsers so much?

    --
    If a plan isn't flexible it isn't realistic
    • (Score: 2) by Runaway1956 on Thursday December 17 2015, @01:42AM

      by Runaway1956 (2926) Subscriber Badge on Thursday December 17 2015, @01:42AM (#277434) Journal

      Cross site scripting is the first, and probably the worst part of the whole concept. Just stop it. Visit your favorite news site (MSM) or Facebook, or whatever. Start counting how many sites you implicitly trust, by loading the pages. Do you REALLY trust all those sites, most of which you have no idea who owns or operates them? Before you say that you trust them, think back to all the exploits third party sites have been subjected to.

      The browser should be communicating with one server at a time. That server should be hosting all the resources necessary to render the page.
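
The count described in the comment above can be made concrete. This is an added example, not part of any comment in the thread: it tallies the third-party origins a page makes the browser fetch from. The sample page, its placeholder hostnames and the function name `thirdPartyOrigins` are assumptions constructed for illustration.

```javascript
// Constructed sample page; every hostname is a placeholder.
const SAMPLE_HTML = `
<html><head>
  <link rel="stylesheet" href="/css/site.css">
  <script src="https://cdn.example.net/lib.js"></script>
  <script src="//ads.example.org/tag.js"></script>
</head><body>
  <img src="https://news.example.com/img/logo.png">
  <img src="https://tracker.example.org:8443/pixel.gif">
  <iframe src="https://ads.example.org/frame.html"></iframe>
  <a href="https://elsewhere.example/story">a link is not fetched on load</a>
</body></html>`;

// Tags whose URL attribute the browser fetches while rendering.
// Simplification: every <link href> is treated as a load.
const LOADING_TAGS = new Map([
  ["script", "src"], ["img", "src"], ["iframe", "src"], ["link", "href"],
  ["video", "src"], ["audio", "src"], ["source", "src"], ["embed", "src"],
]);

// Returns Map(origin -> number of resources) for origins other than the page's own.
function thirdPartyOrigins(html, pageUrl) {
  const page = new URL(pageUrl);
  const counts = new Map();
  for (const [, tag, attrs] of html.matchAll(/<([a-z]+)\b([^>]*)>/gi)) {
    const attr = LOADING_TAGS.get(tag.toLowerCase());
    if (!attr) continue;
    // Require whitespace before the name so data-src= is not mistaken for src=.
    const m = new RegExp(`(?:^|\\s)${attr}\\s*=\\s*["']([^"']+)["']`, "i").exec(attrs);
    if (!m) continue;
    let url;
    try { url = new URL(m[1], page); } catch { continue; } // unparsable URL
    if (!/^https?:$/.test(url.protocol)) continue;          // skip data:, about:, ...
    if (url.origin === page.origin) continue;               // first party
    counts.set(url.origin, (counts.get(url.origin) || 0) + 1);
  }
  return counts;
}

for (const [origin, n] of thirdPartyOrigins(SAMPLE_HTML, "https://news.example.com/")) {
  console.log(`${origin}: ${n} resource(s)`);
}
```

A page served with the response header `Content-Security-Policy: default-src 'self'` would have every load counted here refused by the browser.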

      • (Score: 2) by prospectacle on Thursday December 17 2015, @02:04AM

        by prospectacle (3422) on Thursday December 17 2015, @02:04AM (#277444) Journal

        I don't *really* trust most of the sites I visit, which is the point of a sandbox.

        There are also browser settings or plugins to block ads, block scripts that aren't on a whitelist, block plugins or require click-to-load, block cookies, clear cookies on exit, etc.

        I would guess the browser is far and away the most used application so it's going to have the widest impact when a security problem is found but that doesn't mean there's no reasonable level of security.

        --
        If a plan isn't flexible it isn't realistic
        • (Score: 2) by Runaway1956 on Thursday December 17 2015, @02:16AM

          by Runaway1956 (2926) Subscriber Badge on Thursday December 17 2015, @02:16AM (#277449) Journal

          And, I think it a legitimate complaint that I have to use a boatload of addons to make the browser useful. All of my addons are fighting tracking, advertising, and cross site scripting, all of which overlap.

          Advertising, I could probably live with, if it were sensibly done, and didn't hog bandwidth. Tracking, I can't live with at all. The cross site scripting is just plain stupid.

          The level of security that I acquire after installing my addons should be the level that less tech savvy people see out of the box. Browser makers should offer security by default, not as an afterthought with addons.

          And, that last statement isn't even accurate - the browser makers don't offer these addons, but third party developers offer the addons. Security is an afterthought.

          • (Score: 2) by prospectacle on Thursday December 17 2015, @05:46AM

            by prospectacle (3422) on Thursday December 17 2015, @05:46AM (#277550) Journal

            You're right it's a very legitimate complaint. I agree these should be out of the box features turned on by default, instead of plugins or obscure settings. No doubt commercial pressures play an undue part in these decisions. I don't think that in any way affects whether the web browser in general is a flawed concept. Here's the difference:

            Popup blockers and other window-control limiters (e.g. moving windows around, resizing them) used to be unheard of, then they were done with either add-ons or settings that weren't defaults. Then they became built-in options or commonly known where they had already been built in, and then they became the default. I'm sure you remember how annoying it was for windows to pop up (or under), especially when it opened a new window as you tried to close the first one. People had abused a useful feature and so tighter control was added.

            In technical terms this is quite a small change to the browser. In terms of user experience, however, it's massive. The same is true of having whitelist or blacklist of domains, disabling autoplay, cookies, images, sound, or javascript; with an option to whitelist for certain sites.

            These are all minor changes to the default settings. They don't change the basic model and purpose of a web-browser.

            Almost all of the web has been an afterthought, both the good and bad parts. Its current state is far from perfect but it has a lot of advantages and continues to evolve.

            Also it's not like those plugins are an obscure hack to get around the fundamental flaws in the evil browser model, they are an officially supported way to configure or enhance the browser the way you want. Some plugins become built-in after a while.

            --
            If a plan isn't flexible it isn't realistic
      • (Score: 2) by TheRaven on Thursday December 17 2015, @10:05AM

        by TheRaven (270) on Thursday December 17 2015, @10:05AM (#277619) Journal

        Cross site scripting is the first, and probably the worst part of the whole concept. Just stop it. Visit your favorite news site (MSM) or Facebook, or whatever. Start counting how many sites you implicitly trust, by loading the pages.

        When I visit a news site, I implicitly trust zero sites. The tab that I'm using is sandboxed and nothing inside it contains any data that I care about. The big problem is something like gmail, where you're trusting the ads and any embedded content rendered in emails in the same compartment as all of your private communication.

        --
        sudo mod me up
    • (Score: 0) by Anonymous Coward on Thursday December 17 2015, @09:22AM

      by Anonymous Coward on Thursday December 17 2015, @09:22AM (#277605)

      I somewhat agree with the GP that browsers have become too big and do stuff that really belongs in an OS. Here's one example of this that affects me personally:

      When I try to play a video or stream on the web, then if I am lucky, it sends me to a page with a html5 video player, with controls implemented in javascript. (or if I'm unlucky, then they are still using flash)
      This means that each website's video player looks and functions differently. There is no guarantee that I will be able to adjust the volume simply by pressing the up or down keys, as I'm used to. Similarly there is no guarantee that I will be able to switch to full-screen with the press of a key. This means in that case I am forced to take my hands away from the keyboard and use the mouse. Even if those keys do work, there is no way for me to remap them to the keys I prefer, without diving into javascript hacking.

      I cannot use my own system installed video player, and I cannot simply install a different video player when the current one no longer satisfies my needs. I can not use any features that my native video player supports but the web player does not. This means I cannot easily do things like fast-forward, or play the video in slow-motion, or add subtitles sourced from elsewhere.

      I have always wanted to make a piece of software to aggregate all the media I am interested in online or on my local storage through a unified interface, make it easily navigable with a gamepad or remote control or a single finger on the keyboard. Developing something like this is almost impossible because everyone wants you to go through their bloody website or mobile app, and you'll have to scrape them, likely breaking terms of service if you want the raw data. For Youtube I have bookmarked a page with stuff I'm subscribed to, but the video titles and thumbnails are too small when I'm far away from the screen. Same situation for Crunchyroll. Twitch also has their own interface problems. Netflix is probably similar, but I haven't used it yet. None of this would be a problem if I could just get some kind of feed for videos (much like rss exists for news articles) allowing me to load the video into my own player.

      I'm aware that this focus on presentation over function is there for branding, marketing/ads, monetization and other non-technical reasons, but I don't have to like it. It's so limiting.

      And this rant is from an able bodied person. Imagine how frustrating issues like these must be for people with disabilities.

      • (Score: 2) by prospectacle on Thursday December 17 2015, @10:12AM

        by prospectacle (3422) on Thursday December 17 2015, @10:12AM (#277621) Journal

        I agree it would be better to have more control, to have the option to easily download videos and watch them locally. I think it's important to ask though: if these various streaming services didn't have the control to present and limit the content in the way they wanted, would they be providing it at all, or as cheaply? Secondly, if someone wants to provide a video for download, does the web make that harder or easier?

        If we were choosing between a world where all the videos were in web players and you couldn't download them, and all the same videos were downloadable (or at least streamable through your video player of choice) and you could play them however you wanted, then I would choose the latter. However we can't really separate the control given to the "content-provider" (I know it's an ugly phrase, I apologise) with the number and variety of things provided.

        I take the attitude that (like ads on tv) I get to watch a lot more stuff for free by putting up with the provider's system, and anyway at least online there are ad-blockers and quite a few videos can in fact be saved offline if you want.

        The media-library thing is certainly harder for online content but a lot of sites allow direct linking or embedding so it is not completely hopeless.

        --
        If a plan isn't flexible it isn't realistic
        • (Score: 0) by Anonymous Coward on Thursday December 17 2015, @03:52PM

          by Anonymous Coward on Thursday December 17 2015, @03:52PM (#277722)

          I have always been confused by that.

          With streaming video, you still download the video. The only difference is that your computer automatically deletes it for you.