SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
In the dim past I added Slackware Linux to my Firefox user agent by adding a string named general.useragent.slackware (and a couple of others) via about:config.
I do not follow Firefox updates closely, but recently updated all my boxen to Firefox 11. But I just noticed that my little blue Slackware icon was missing from recent posts and found that Firefox no longer appended my extra user agent strings...
Well, 11 was the "latest" when I upgraded - then I began to get "Your browser needs updating!" messages within about a week. That couldn't have been more than a couple of months ago, maybe three, I think.
Frankly, I don't worry about it too much and only "upgrade" when I have some good reason to do so.
BTW - I also use Opera on occassion - I think I am using 10.x now - thanks for your part with that! Maybe I'll update that while it is on my mind as well - what is the latest?
I would think that fixed security holes are one of the best reasons to upgrade.
While I am security conscious, it seems to me that any given upgrade is about as likely to introduce some new security hole as it is to fix an existing one. Otherwise, by now there would be very few security holes left!
I think the biggest factor in browser security is how and where the browser is used, not the browser version number.
While I am security conscious, it seems to me that any given upgrade is about as likely to introduce some new security hole as it is to fix an existing one.
So you mean that it is better to have known but unfixed security holes that to have unknown security holes?
Quote:
I think the biggest factor in browser security is how and where the browser is used, not the browser version number.
That is true, but it doesn't make the other factors disappear.
So you mean that it is better to have known but unfixed security holes that to have unknown security holes?
HAHA! Well, when I read that sentence out loud, I almost have to say yes!
But upgrading for security fixes implies that security-wise, each successive release is "better", and that is simply not true. So I stick with what is working, familiar and configured for my use.
I am paranoid about many things, but browser security on a Slackware box is not one of them.
WOW! I am sorry that my browser update habits seem to be so upsetting to some of you!
I know the internet is a nasty place, and through this thread I probably seem more naive about security than is the actual case. But what is so illogical about the reasons I have given?
Do you trust Mozilla or anyone else absolutely 100% to improve security with each releaase? No? Yes?
If not, then is there not some logic in being cautious about updates? No? Yes?
Things change and things break with each update - the use of my user agent string for example!
I count 4 releases since my last update no more than 3 months ago. For each of those releases, consider:
1. What immediate vectors-of-harm would each of those updates have saved me from?
2. What new immediate vectors-of-harm would each of those updates have exposed me to?
I say again, how and where I use a browser is the MAJOR security factor, incremental browser version is a relatively minor security factor by comparison (with some acknowledged exceptions).
Like Captain Dallas told Ripley, "I don't trust anybody". So I look after the major items myself, and monitor the minor ones as my own judgement dictates.
I do not jump under the covers when DHS screams "Terrorist!", and I don't auto-update software every time someone says "New and improved!".
It's easy to take a relaxed view of security while nothing happens. When something does happen, then it's too late. The browser is probably the one piece of software that should be kept as current as possible -- it is constantly being exposed to foreign content, containing client-side scripts and document formats that can act as a vehicle for attack. If there is a vulnerability in your browser, simply visiting a website could be enough to cause malicious activity. While such severe vulnerabilities are rare, the longer they go unpatched, the more time is available to really exploit the vulnerability to cause real damage. Every time a vulnerability is patched up, a new route of entry must be identified and re-exploited. It has been said many, many times that security is a process, not a product. It is much easier to produce an exploit based on a known vulnerability than to find an unknown one and exploit it (which requires at least twice the work, and usually more). Malware producers usually rely on poor system administrators that fail to update software -- the easy targets -- rather than trying to find 0-day vulnerabilities. I have personally seen a server (not mine) that was compromised due to unpatched software using a known vulnerability that had been fixed in newer versions. If it had been kept up to date, the server would not have been compromised.
I remember a severe bug in Uzbl (a goofy minimalist webkit browser) that allowed foreign code to be run just by visiting a specially crafted web page. Although most vulnerabilities are not *that* easy to exploit, I cannot believe that anyone could produce the sort of logic in this thread without an element of sarcasm. No one is saying that you are 100% secure when keeping software up to date, but at least the known vulnerabilities should be sealed up. Security is a cat-and-mouse game, and if the mouse just decides to relax and take a break...it won't survive for very long.
[edit] There is a difference between using new, untested software just for the sake of using new, untested software, and using new software because it fixes security vulnerabilities. Many projects offer two lines of support -- new versions with new features and the latest security patches, and old versions that remain functionally immobile but are patched for security vulnerabilities. I don't think Firefox, or any other major web browsers, offer comprehensive security updates for older versions. If they did then maintaining the old version but keeping up with patches would be a viable alternative to keeping 100% current -- but since that is not really an option then it is advised that you keep up with current versions of Firefox even if there is a change in functionality.
Thanks for your comments T3slider, I did not intend this thread to be anything other than a test of my user agent - and certainly hope I have not seemed argumentative! I have just been a little surprised at the direction this took. I do appreciate the time you have taken to respond.
And I have used this time to re-consider my outlook on browser update urgency, but have arrived back where I started.
I am sure this does not apply to everyone, but for my use, habits, exposure, etc... I will probably continue to update every six months or so, or when a notable vulnerability comes to my attention. But for what it is worth, I'll update Firefox and Opera within the next few days - just because :-)
Of course, what will probably happen is that I will be severely compromised in the near future due to a lagging browser version, and it will be the worst exploit possible! If that happens, I'll be honest enough to post it here for my public flogging...
BTW - I also use Opera on occassion - I think I am using 10.x now - thanks for your part with that! Maybe I'll update that while it is on my mind as well - what is the latest?
Opera 12.0 was a beta release in my opinion. Very, very poor. Too many problems to list. Very disappointed but it doesn't happen too often, although rumours about a Facebook takeover of Opera fill me with dread.
Don't bother with version 12.0 - wait until an update comes out.
Hmmm... this also kind of makes my point about lagging behind in updates, glad I did not automatically update to 12!
Something I have forgotten to say in earlier posts when it crossed my mind - one other reason, the main reason I do not try to stay current with browser releases is that I NEVER auto-update anything, and I ALWAYS try to validate everything front-to-back when I do update. In this context, I have judged that the consequences of too frequent updates are generally worse for me than the risk of less frequent updates.
I have enjoyed almost uninterrupted stability in my systems for so long that I am always reluctant to rock that boat!
Facebook huh? Yea, that would probably end my Opera use. I have the following lines in all my hosts files:
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
