When more bugs can mean tighter security

Mozilla Europe president explains why having fewer disclosed vulnerabilities doesn't mean Internet Explorer is safer than the open-source Web browser.

The Mozilla Foundation is perhaps best known for its Firefox Web browser, an open-source offering that was first developed to go head-to-head with Microsoft's Internet Explorer.

Tristan Nitot, the president of Mozilla Europe, has much to say on the differences between Microsoft's and Mozilla's approaches to browser development. CNET News.com sister site ZDNet UK caught up with Nitot at the Online Information conference in London this week to talk about the security of Firefox and Internet Explorer, online privacy, and the future of open source.

Tristan Nitot
Credit: Mozilla
Tristan Nitot

Q: A recent study by Jeff Jones, a Microsoft security strategy director, found Internet Explorer to be more secure than Firefox. Are you surprised?
Nitot: I'm surprised that bug counting, which is a terrible metric, was used by Microsoft. It isn't easy to assess security, but bug counting definitely isn't the way to do it. I'd rather talk about time to fix the duration of the window where users are at risk, which in our opinion is a much better metric.

In a nutshell, Microsoft claimed that because Mozilla had fixed more vulnerabilities since 2004 than Microsoft, IE was more secure than Firefox. What do you think of that argument?
Nitot: To quote Mike Shaver, (Mozilla's director of ecosystem development), just because dentists fix more teeth in America doesn't mean we have worse teeth than Africa. Just compare the number of high-security advisories over time between Internet Explorer, Firefox and Opera.

What is your opinion of the claim that the more vulnerabilities fixed, the less secure the browser?
Nitot: It's false logic. If you have issues and don't fix them you will look good on the outside but in reality you still have the issues. There's a really good movie, Les Repos--in English, The Rotten Ones--about two cops, one old, one young, and the younger is in the process of being corrupted by the older. They find a bad guy, catch him, and the young one wants to take the bad guy to the police station. But the old one says: "You can't do that--if we take him to the station the crime statistics will increase, and we will look bad. Release the guy and take his money. That punishes him."

This is comparable--if you do the right thing you look bad, but people are safer. What really counts is that our users are secure, and that people count on us to do the right thing. People within the Mozilla community have a better-than-average understanding of this--we work together and have to trust each other. If people hide, it's no good for the community or overall motivation. But we're not building fixes for our teams, we're building them for our users.

Let me give you a recent example. Ten days ago we released Firefox When we released it a couple of hours later we found we'd introduced a regression, and that some Web site extensions were broken. We quickly decided to do another release,, which we released on Thursday night, three-and-a-half days later, which is a good turnaround. We don't like asking our users to update twice in a week, but we don't like regressions.

So it doesn't work to compare the number of vulnerabilities between the browsers?
Nitot: It's not good because it's comparing apples to oranges. Bug counting at Mozilla is very different to bug counting at Microsoft. We are open. We cannot hide or silently fix bugs--it would be betraying our community. We have to be transparent.

If people hide, it's no good for the community or overall motivation. But we're not building fixes for our teams, we're building them for our users.
--Tristan Nitot, president, Mozilla Europe

We like this, but it costs us in terms of PR. In Microsoft's world, people find bugs internally and will not publish or talk about security bugs. These bugs won't be counted by third parties, and can be silently fixed and pushed out in an update or service pack. And Microsoft service packs take a long time to come out--a year at least, maybe two. In the meantime, users are at risk.

I prefer Mozilla's approach--be transparent, and have our users secure, even if in terms of numbers that doesn't put us in a favorable light.

Microsoft's Jones criticized the length of time Firefox releases are supported, saying Mozilla drops its support before operating systems such as Ubuntu (which has committed to providing security support for Firefox 1.5 until 2009). What is your response?
Nitot: We are committed to providing a new major release every six months, but we are open-source. You can port fixes from Firefox 2.2 and 3 to 1.5, if you like, or ask Ubuntu to do it for you. Microsoft still supports IE 5.01, which is an obsolete browser. IE6 is already obsolete, so--IE5--come on!

The Web is in its infancy, but we have already wasted a long time in terms of innovation because browsers aren't evolving. Five years to have IE6 is way too long. Why would we want to stick to very old browsers that prevent Web sites from innovating?

Do you use Windows yourself?
Nitot: I used to use Windows, but now I use a Mac.

Why did you change?
Nitot: It was because of the end-user license agreement (EULA) in XP Service Pack 2. When SP2 came out, I read the EULA, because it's a contract. If you click "I accept," you've effectively signed a contract that binds you to Microsoft. When you sign something you've got to read it (beforehand). But what I saw was so creepy I couldn't click on the "I accept" button.

The EULA says that some files on your hard disk will be encrypted, and you won't have the key, and have to ask Microsoft...if you want to read the files. This is digital rights management. This is my computer, my copy of Windows, this is my data. I don't want any company, and not just Microsoft, to dictate what I do with my files.

Since then, I've not used Windows on a regular basis. A computer is a fantastic tool for connecting to the Internet. My whole life is in there--songs, movies, pictures, text, my blog posts. It links my friends through instant messaging and social networks. For many of us it would be impossible to work without a computer.

I don't think Web 2.0 applications are particularly dangerous in terms of security. In terms of privacy they are, as seen on Facebook recently.
--Tristan Nitot, president, Mozilla Europe

This is a tool I want to keep control of. I had the choice of either not updating Windows with SP2, which wouldn't have been secure, or not accepting the contract. So I moved to Linux, and when that machine died I switched to a Mac.

What is the current state of play with open-source development?
Nitot: Open source is amazingly successful. I have a cracked iPhone running BSD, and a Nokia N80 tablet running Gecko 1.9. At home all my routers run Linux.

When I was younger I was fully addicted to computing, and I pictured myself in the future surrounded by Unix machines. I'm a bit geeky. But actually this has happened. Now we're surrounded by Unix and Linux machines, all connected to the Internet. We have open source everywhere.

What are the main future challenges for the open-source community?
Nitot: The open-source community needs to figure out the user experience part and the marketing part. With product quality and reliable operating systems, open source has won hands down. However, today, most open source is built by engineers for engineers, which makes the products not very user-friendly. This is something we've figured out in Firefox. Now this needs to be figured out in other projects.

So which distributions are user-friendly, and which aren't?
Nitot: Ubuntu is interesting--users can use Ubuntu. The tricky part is Windows power users, who get lost on Linux. The inner workings of Linux are not easy to understand if you're coming from XP.

Why is marketing a problem for open source?
Nitot: Open-source communities have way less marketing budget than proprietary software vendors, especially Microsoft, which reportedly spent $500 million launching Vista.

Mozilla released the first beta for Firefox 3 a month ago, and the second beta on Tuesday. You can work on Web applications offline with Firefox 3. Will this work for all Web applications?
Nitot: The Firefox 3 beta has an API (application programming interface) that tells the Web app that it's offline, so it can store things locally, and sync back later. This implies the Web app knows how to leverage the API, so (if it doesn't) it has to be updated.

How much is this a security feature? Do Web 2.0 applications open up new attack vectors?
Nitot: A browser is a window onto the Internet, which is why we take security so seriously. (But) I don't think Web 2.0 applications are particularly dangerous in terms of security. In terms of privacy they are, as seen on Facebook recently.

Are you talking about Beacon (Facebook's ad-tracking feature, which it withdrew), and if so, was it a bad idea? Nitot: Beacon was probably a bad idea, if the users think so. People see and adopt so-called "free services," but they do have a cost--a huge cost--to develop and run such systems. People are paying for them by giving up their privacy.

In many cases their privacy is more valuable than the service they get in return, because there's no price tag on privacy. It's hard to balance what you give with what you get. It's hard to understand whether you're getting a good deal. Right now I don't think users are getting a good deal.

There is a price per user to running a social-networking site, and social-networking site executives know that price--probably a couple of pounds per year. What you give in exchange is your age, your location, people you know, Web sites you visit, things you buy--this all gives a precise profile of you. It enables very variable targeted advertising, probably worth much more than a couple of pounds per year. With Beacon, I would have been the first to sign a petition (to stop it).

Tom Espiner of ZDNet UK reported from London.

Autoplay: ON Autoplay: OFF