3

Why open-source is better in plain words?

Yesterday I had a talk at a DIY bicycle workshop. There is a PC (running XP) that main application is checking emails (nothing really serious).

I found it exceptionally hard to explain why open-source security standards are better, that security-thru-obscurity is not the right approach, that you cannot rely on an algorithm being secret...

Any other ideas coming across - how to explain in plain words why open-source is more secure?

(or maybe not, maybe bicycle fixers were right - I should use IE)

Mars Robertson
  • I wouldn't necessarily say that IE is security through obscurity. Security through obscurity is the case where details of the protection mechanisms are kept secret as a specific security policy. In this case, the source code is proprietary, but the methods of security are based mainly on well known standards. – logicalscope Dec 25 '11 at 19:46
  • To be honest, IE has a poor security track record because Microsoft is still very naive. People report very serious vulnerabilities to M$, and they refuse to patch them. – rook Dec 25 '11 at 21:47
  • @Rook explain, please. – Steve Dec 26 '11 at 00:42
  • @SteveS it took over two years for Microsoft to patch the "drag and drop" remote code execution vulnerability because... well, they disregarded it. The US CERT run by the DHS rates this bug in the top 500 most dangerous vulnerabilities **of all time**. Personally I have reported ways of bypassing IE's XSS filter, and even after staring at an alert box on Microsoft.com they refuse to patch the issue even though the fix is trivial. It's not stupidity, it's naivety. If you care about security you should never use anything by Microsoft, period. – rook Dec 26 '11 at 02:49
  • Open source software is not better. It can be better. Chrome is more secure than Internet Explorer because of its ability to change very quickly. IE9 is a perfectly secure browser. Rook..Naivety isn't the word you are looking for. – Ramhound Dec 27 '11 at 15:24
  • Michael - I think we'll need to change the title here, as your premise (that open source is better) is misleading. It might also be worth merging with http://security.stackexchange.com/questions/97/is-google-chrome-more-secured-browser or http://security.stackexchange.com/questions/4441/open-source-vs-closed-source-systems – Rory Alsop Dec 29 '11 at 12:24
  • or in fact http://security.stackexchange.com/questions/5433/security-vulnerabilities-in-firefox-vs-chrome or http://security.stackexchange.com/questions/5467/what-is-the-validity-of-the-article-which-claimed-that-ie-is-more-secure-than-ch or http://security.stackexchange.com/questions/5671/how-do-chrome-firefox-and-ie-compare-in-terms-of-browser-security – Rory Alsop Dec 29 '11 at 12:25
  • Agreed; The title should be changed, and the question should be merged. – makerofthings7 Dec 29 '11 at 14:49
  • You can refer to [Linus' Law](http://en.wikipedia.org/wiki/Linus'_Law): _"Given enough eyeballs, all bugs are shallow."_ – ceving Jan 02 '12 at 19:55
  • @Rook XSS has nothing to do with browser vulnerability. XSS is a vulnerability introduced by the author of the website. The fact that Microsoft.com might have XSS attack vectors available is entirely coincidental and has nothing to do with the Internet Explorer development team. – Dan Jun 09 '14 at 19:10
  • @Dan both Chrome and IE have reflective XSS filters that must be bypassed in order for a reflective XSS vulnerability to be of any use to an attacker. – rook Jun 09 '14 at 20:57
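The question asks for a plain-words way to explain why a secret algorithm is not a basis for security. The following toy is an added example, not code from the question or any of the answers: it contrasts a tag scheme whose only secret is a constant baked into the program (security through obscurity) with a keyed HMAC whose design is fully public (Kerckhoffs's principle). Every name, the message, and the embedded constant are made up for the illustration; the point it shows is that the obscurity scheme is fully broken by anyone who reads the program, and that there is nothing to rotate afterwards, whereas with the keyed scheme the code can be public, a leaked key can be replaced, and old tags simply stop verifying.

```python
"""Added illustration of Kerckhoffs's principle (not part of the original
post). All names, the message and the embedded constant are constructed."""
import hashlib
import hmac
import secrets

# --- Scheme 1: "security" through obscurity ---------------------------------
# The only secret is a constant that lives inside the program itself.
# Whoever obtains the program (a leaked build, strings(1), a disassembler)
# obtains the secret along with it.
_HIDDEN_SALT = b"do-not-tell-anyone"  # constructed; shipped inside the code


def obscurity_tag(message: bytes) -> str:
    """Unkeyed tag: hash of a hard-coded salt concatenated with the message."""
    return hashlib.sha256(_HIDDEN_SALT + message).hexdigest()


def tag_from_recovered_code(message: bytes) -> str:
    """What anyone holding a copy of the program can compute.

    Reading the constant out of this module stands in for pulling it out of
    a shipped binary: the 'secret' is simply part of the artifact.
    """
    recovered_salt = _HIDDEN_SALT
    return hashlib.sha256(recovered_salt + message).hexdigest()


# --- Scheme 2: public algorithm, secret key ---------------------------------
# The design (HMAC-SHA256) is public and may be reviewed by anyone; only the
# key is secret, and the key is separate from the code.

def new_key() -> bytes:
    """A fresh 256-bit key from the OS CSPRNG; never stored in source."""
    return secrets.token_bytes(32)


def keyed_tag(key: bytes, message: bytes) -> str:
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify(key: bytes, message: bytes, tag: str) -> bool:
    # Constant-time comparison so verification itself leaks nothing.
    return hmac.compare_digest(keyed_tag(key, message), tag)


def demo() -> dict:
    """Run both schemes through the same scenario and report what holds."""
    msg = b"approve transfer 100"  # constructed sample message

    # Scheme 1: once the program is read, every tag can be reproduced, and
    # the only remedy is rewriting the algorithm and redeploying everywhere.
    obscurity_broken = tag_from_recovered_code(msg) == obscurity_tag(msg)

    # Scheme 2: the code is public, yet a tag made under key k1 is useless
    # to someone who holds only the code and some other key.
    k1 = new_key()
    t1 = keyed_tag(k1, msg)
    wrong_key_rejected = not verify(new_key(), msg, t1)

    # Recovery: if k1 leaks, rotate to k2. Old tags stop verifying while
    # the algorithm and the deployed code stay exactly the same.
    k2 = new_key()
    old_tag_rejected_after_rotation = not verify(k2, msg, t1)
    new_tag_accepted = verify(k2, msg, keyed_tag(k2, msg))

    return {
        "obscurity_broken": obscurity_broken,
        "wrong_key_rejected": wrong_key_rejected,
        "old_tag_rejected_after_rotation": old_tag_rejected_after_rotation,
        "new_tag_accepted": new_tag_accepted,
    }


if __name__ == "__main__":
    for name, held in demo().items():
        print(f"{name}: {held}")
```

The plain-words version of what the code shows: a design you can afford to publish is one whose security survives publication, and a secret you can afford to keep is one small enough to replace when it leaks. Open source lets people check the first property; it says nothing by itself about how well a project keeps the second.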

7 Answers

10

Open source software is not necessarily better or more secure.

Where open source has an advantage is the potential for independent security minded individuals to examine the source code and hopefully the conceptual model for a given software project. This advantage is contingent on:

  • review by qualified individuals
  • feedback from the reviewer to the project about potential weaknesses or vulnerabilities in the source code, algorithms, and procedures
  • the project fixing the reported weaknesses and vulnerabilities
  • the project becoming better educated as to what makes software more secure

Given enough iterations of the above, any software, not just open source, becomes more secure than the average. Many closed source companies perform software security reviews. Some even bring in third parties to ensure independent and objective reports. A project providing open source allows a wide audience to review any part of the software, bringing transparency to the review process and the software implementation. The difference with most closed source programs is that the process and implementation are inaccessible to the users. A user cannot determine whether a piece of closed source software has been security reviewed. And in most cases a user cannot determine whether a piece of open source software has been security reviewed. The only difference is that, given a capable enough user, that user can check on the status of the open source process, but they cannot check on the status of the closed source process.

this.josh
5

The reason they should use chrome vs IE does not boil down to open source vs proprietary. Chrome is a modern browser. IE6&7 aren't, IE8 is almost a modern browser, and IE9 is not going to be released on Win XP, but Chrome will periodically update itself to the latest stable version. By not using a modern browser that's kept up to date, your browsing experience will be slower, you will have more security vulnerabilities and more browsing issues. IE 8 is the first IE browser to pass ACID2 (compliance with web standards), but still fails miserably on ACID3 tests (20/100) while Chrome/Safari/Firefox/Opera/etc all pass.

Furthermore, Chrome has a lot of security features that weren't present in older versions of IE.

The question of "is open source more or less secure than proprietary" is not going to be answered by argument. There are good arguments both ways -- having full access to source code allows both white and black hats to probe for vulnerabilities more easily, so vulnerabilities will be found more easily -- good when it's the white hats and bad when it's the black hats. People are still pretty good at reverse engineering/finding holes in closed source apps; but it's much easier when the source is available.

dr jimbob
  • ... and this answer got proven correct several years later when Microsoft had to kill off IE and start a whole new browser project: Edge. – NH. Mar 02 '18 at 15:46
4

I like @this.josh's answer where he says Open Source is not automatically better or more secure. It's the development process and the QA that matters most, the rest is a matter of personal preference.

Here are a few thoughts that come to mind when I consider using IE, which was created with a proprietary development process.

Considering the amount of transparency that MSFT has put forth, I would consider Microsoft to be a modern role model in how secure software is developed (not to exclude other reputable vendors).

Sure, individuals may dispute the risk/threat of a particular vulnerability (as @Rook does in the comments above). When such a security issue is found in the FOSS world, a "fork" (or patch) is created by a contributor. This individual may be a skilled developer or a novice. The problem is that these one-off patches are often created outside of an SDLC process and therefore increase risk from a process/compliance perspective. Is this a risk worth taking? That's often a business/personal decision depending on who owns and manages the computer.

Since you mentioned they are using XP (an OS that is 10+ years old), it's likely that they haven't maintained the PC. Regardless of the OS, patches and updates are needed to maintain a secure system. This applies to open source and closed source software, and both IE and Chrome have addressed this particular issue.

Bottom line / TL;DR

Open Source or closed source development doesn't change much about the security of a piece of software. Each approach has positive and negative aspects, and in most cases personal bias on which approach is "correct".

As long as computer software is written by humans, there will be security flaws.

makerofthings7
  • Nice point about the skill and experience of the patch contributor impacting the quality of the patch. – this.josh Dec 31 '11 at 23:28
  • Totally agree - back in the old days Microsoft was a shining example of how not to do security, but they are a leading light now. For their codebase size they are astonishingly good at fixing issues. – Rory Alsop Jan 02 '12 at 20:54
2

Measuring the security of a specific piece of software is not an easy task. There are tools which do this; however, they mostly depend on access to the source code. In the case of a browser the situation is a bit simpler since it is easier to test against fuzzing tools - however this will be part of standard testing for mainstream software, so the results may be inconclusive.

The arguments regarding open versus closed source have raged for years - and a strong argument put forward by the closed source incumbents is that since their products are much more widely used, they will therefore attract much more attention from people trying to compromise the product. However, this is an argument which no longer applies to MSIE vs Chrome vs Firefox. And MSIE's historical record on security shows it has had many more reported and serious vulnerabilities than Chrome and Firefox.

But while it's difficult to measure the security of a piece of software, it's simpler to measure many other aspects of the quality of a piece of software - especially where it has been written to a well defined standard. Again MSIE (historically) compares poorly on both performance and standard conformance when compared with Chrome and Firefox.

A further consideration is the effort required to ensure that vulnerabilities in the software are fixed. That doesn't just mean the vendor providing a fix, that means getting it installed across the user base. Chrome is particularly good at upgrading itself transparently.

As others have mentioned, MSIE is deeply tied into the underlying operating system, which makes patching a complex process.

And of course there is the underlying economic model. While MSIE, Firefox and Chrome are all free (as in free beer) the underlying financial models are very different. It just does not make sense for Microsoft to maintain products for a long term - especially so when it's as tightly integrated with a whole operating system. And Windows XP is getting to the end of its support lifecycle. Upgrading an operating system is a lot more painful than upgrading a browser - and the software architecture of Chrome and Firefox make it much easier to have the most recent (and therefore the most secure) product available for use.

Dr. E. D. V. Nunez' letter discusses the wider economic and social importance of free, open-source software far more eloquently than I can.

Then there's the question of all the other components which go into making a browser. One which has been discussed quite a lot recently is root CAs bundled with a browser. IMHO, all the major vendors serve their customers poorly in this area. However, in Microsoft's case there is far greater likelihood of a conflict between its interests and those of the user than for Chrome and Firefox.

A further consideration is the bundling of services with the product. In the case of a browser, particularly one used for webmail, good phishing detection should be a prime concern. IME, Google's service (implemented in both Firefox and Chrome) is much more comprehensive and more quickly updated than that of MSIE.

At the end of the day, while experience has taught me to be very careful about ipse dixit, if your opinion is being sought, then there are limits to which you should go in justifying that. Just as conversely, I wouldn't tell a heart surgeon what the best kind of stent is, I assume that she has some knowledge of the subject which is part of her value to society and would be difficult for her to impart to me without a great deal of time spent on this by both of us.

Where we don't have enough information to fully evaluate opposing arguments, then a reasonable solution is to look at the people arguing the cases and consider how they would benefit or lose out by presenting a misleading case. We're back at economics again: it costs a lot of money to write a browser, Google and Mozilla get no direct benefit from doing so. Microsoft does.

symcbean
2

If it is open source then it is probably free (as in "free beer"). If it is free, you are much more likely to get your money's worth out of it.

A piece of software, especially one as complex and network-oriented as a Web browser, will be secure only insofar as it is maintained: there must be people somewhere, patiently looking for bugs and correcting them and promptly publishing patches and establishing and enforcing development policies which discriminate against the appearance of new bugs or at least make tracking bugs easier. For that matter, the track record of Chrome/Google appears to be slightly better than that of IE/Microsoft (especially on the "prompt publishing" part). I would personally favour Chrome over IE for that reason, not because of the source openness.

When the software is open source, you can potentially take part in the bug tracking effort yourself. But unless you actually do it, openness of the source makes little difference to security. The open/closed dichotomy is quite orthogonal to actual security. This is not as obvious as it seems: there is (was) a widespread school of thought which asserts that being open source reduces security, on the basis that showing the source code makes it easier for potential attackers to find exploitable holes. The current state of software products, especially Web browsers and operating systems, has shown this idea to be false.

Tom Leek
1

I've never framed it as an open-source is better than proprietary question.

Internet Explorer hooks into the operating system and therefore increases the surface area that can be attacked when exploitable vulnerabilities are found. Some of these can be lower level hooks into the operating system allowing compromise at a base level that will affect all user accounts.

That being said, Microsoft has done a lot of work since Version 6 (Exploit Master?) that has paid off mightily towards bringing it to parity with the security offered by the alternates.

Firefox and Chrome operate in user space and therefore their exploit vulnerabilities should only affect the user account. Though that in recent years has proved to be sufficient to do exactly what the malware writer intends to do. Lots of desirable goodies exist in user space so it's not as necessary to take over the OS.

So the supposed payoff is which do you wish to disinfect? The whole OS which is usually a "nuke from orbit" proposition, or the contaminated user profile/account which can after backup of data be deleted in the worst case scenario, leaving the OS intact.

IRL under corporate operations, you truly trust neither IE nor the alternates; back up user data and reimage the compromised machine, as you can never be certain that the disinfection worked or that there wasn't a multilevel compromise possible where userspace got compromised, allowing for a local exploit that allowed compromising the OS. This is how most malware works now. It comes loaded for bear, cracks the outside hull and then looks for broken welds in the inner hull to get to the soft, juicy center.

We started using Firefox because we were locked into Windows 95 by our ERP software and the biweekly exploits in IE6 were too much to keep up with. Firefox requires an administrative login for upgrade, so now it's a tossup between Internet Explorer, which will be patched once a month by MS, or Chrome, which just updates itself in the background as problems are found and fixed. Security updates, their timely release (software maker's responsibility) and their timely installation (your responsibility) are what's important at being secure. While it can be said that Microsoft lags, Firefox and Chrome have dropped the ball multiple times as well. They're all run by humans that underestimate vulnerabilities. Open Source can be quicker to patch if they put their mind to it. I've used lesser known packages that make Microsoft seem really fast at doing this.

As a real need for focus if you're interested in raising security consciousness it's more important to educate people that most of the malware has shifted to Adobe products, Java and other third party plugins.

Fiasco Labs
  • "Internet Explorer hooks into the operating system" - I think this is a strong point against! – Mars Robertson Dec 27 '11 at 09:01
  • @MichalStefanow - There are tons of examples of security exploits within Firefox and Chrome that allow complete and total control over the system. Fiasco forgets to point out the fact Microsoft is going to auto-update IE in the future. – Ramhound Dec 27 '11 at 15:19
  • @Ramhound - Auto-update as in the Automatic Microsoft Update cycle or an auto-update like Chrome currently does? – Fiasco Labs Dec 27 '11 at 21:21
  • @FiascoLabs AFAIK, like Chrome does – MatthewSot Dec 31 '11 at 01:46
-1

For closed source:
Q: is this safe?
A: I don't know.
Q: how can I find out?
A: You can't. You have to trust Microsoft (or whomever).

For open source:
Q: is this safe?
A: I don't know.
Q: how can I find out?
A: ask an expert's opinion, Google for a list, ...

ddyer
  • correct me if I'm wrong, but you're still going to have to trust the expert you're asking if it's open source. unless you're willing to go thru the source code (and know what you're doing), just 'asking an expert' IMO isn't really enough. BTW, Microsoft actually does provide source for Windows (and I believe IE) to governments and schools, so you could ask a professor or something their opinion. just my 2 cents ;) – MatthewSot Dec 31 '11 at 01:49