Security by obscurity

Wired News has an article about the rising popularity of Firefox, brought on by IE’s recent security problems (which were patched today – visit Windows Update). But, to some extent, I have to take issue with this statement:

But some security experts believe that Mozilla’s biggest security benefit is that the browser is not in wide use yet.
“It is not so much a question that one browser is inherently safer than another, but the fact that so many people use Explorer,” said Carole Theriault, security consultant at Sophos, a security software vendor.

This argument holds some water, but there’s one big example where this perhaps isn’t the case. The Guardian yesterday published what share of the market the various web server platforms had, with Apache taking 71% of the market. Microsoft’s IIS was in second place, yet, as far as I know, there have been more exploits targeted at IIS than Apache despite it only having a fraction of the share that Apache enjoys. Now it’s fair to say Apache has had its fair share of vulnerabilities and there have been some worms that have exploited these, but not nearly as many as IIS. John Gruber has often used the same argument when talking about the Mac platform – while there have been flaws and a few proof-of-concept viruses, the platform still has a 3-4% share of the OS market and yet has had no major malware problems yet. And this is despite OS X having some of the most arrogant, stuck-up users that I’ve ever seen 😉.

While the ‘security by obscurity’ argument does hold some weight, I don’t think it is the only reason why hackers do not target Mozilla et al. If anything, they’re more likely targets as their open source nature makes it easier to find exploits, yet there’s still no known malware that exploits flaws in Mozilla products’ code to do harm.

One Comment

  1. No, no, no… Take a look at They have a stats page that shows web server popularity vs. attacks. Be warned, the stats page has problems loading; however, if it does load, it’s quite revealing. It did load while I was writing this, but it took about 3 minutes. It shows that Apache has many more attacks than IIS.
    I’ve dealt with John Gruber before. He claimed that Macs are more secure because they use a Linux engine. There was a lot of other garbage in his “article”. He claimed that the argument that MS has 95% of the market in computers was irrelevant.
    What really irritates me about this argument is when Apple had a larger market share. They had pretty much as many viruses as Intel-based systems. This was back in the mid 80’s. I can remember spending hours a week removing viruses off of floppies on Macs because the place I was working didn’t want to put an anti-virus program on the system. Sheesh.
    It’s very possible that as Firefox gets more and more popular, vulnerabilities will be found and exploited.