Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Opera Screeches at Mozilla Over Security Disclosure

ScuttleMonkey posted more than 6 years ago | from the did-too-did-too dept.

Mozilla 208

The Register is reporting that Mozilla's handling of a recent security exploit that affected both browsers has drawn an unhappy response from the Opera team. "Claudio Santambrogio, an Opera desktop developer, said the Mozilla team notified it of a security issue only a day before publishing an advisory. This gave the Norwegian software developers insufficient time to make an evaluation. [...] Santambrogio goes on to attack Mozilla's handling of the issue, arguing that it places Opera users at unnecessary risk."

cancel ×

208 comments

Sorry! There are no comments related to the filter you selected.

All Things Considered... (5, Insightful)

neonmonk (467567) | more than 6 years ago | (#22468448)

At least Mozilla told them of the issue. I personally don't think it's their ultimate responsibility. Definitely obligated to do something... but imagine the kind of action Opera would have if Microsoft found the security flaw.

Re:All Things Considered... (5, Insightful)

allcar (1111567) | more than 6 years ago | (#22468502)

I agree that they probably fulfilled their minimum obligation, but it would be great to see a much higher degree of co-operation between the vendors of minority browsers. By all means attack MS in this way, but play nice amongst the good guys.

Re:All Things Considered... (5, Insightful)

moderatorrater (1095745) | more than 6 years ago | (#22468698)

I don't see it as an attack. It sounds like Opera didn't respond to Mozilla's notification at all. In addition, it's not Mozilla's obligation to make sure that Opera's secure, and it is their obligation to be open with the community to the extent that they can be while still being secure. Sometimes waiting to disclose can bite you in the end like it did with php a few months back. Add to that the bullshit excuse that you can't evaluate a security risk in one day and I think that Opera's just lashing out because they're embarrassed that they have a security flaw.

Re:All Things Considered... (4, Insightful)

Anonymous Coward | more than 6 years ago | (#22469086)

> it's not Mozilla's obligation to make sure that Opera's secure

True, but surely Mozilla has a moral obligation to ensure that other browsers (and ultimately, users) have as much time as possible to prepare for when the exploit becomes public domain?

Re:All Things Considered... (4, Insightful)

bigdavesmith (928732) | more than 6 years ago | (#22469332)

Agreed, and I think it's a very poor way to handle the situation, from Opera's side. If I were Mozilla, and got this kind of junk after reporting the bug to them, next time around I wouldn't even bother. Someone at Opera owes someone at Mozilla an apology.

Re:All Things Considered... (1)

Dan541 (1032000) | more than 6 years ago | (#22469652)

I don't see it as an attack. It sounds like Opera didn't respond to Mozilla's notification at all. In addition, it's not Mozilla's obligation to make sure that Opera's secure, and it is their obligation to be open with the community to the extent that they can be while still being secure. Sometimes waiting to disclose can bite you in the end like it did with php a few months back. Add to that the bullshit excuse that you can't evaluate a security risk in one day and I think that Opera's just lashing out because they're embarrassed that they have a security flaw.
I say well done Mozilla

They are looking out for the end users of both system even when they are only obligated to look after their own.

Opera needs to stop winging and be thankful they had the flaw pointed out to them.

~Dan

Re:All Things Considered... (5, Insightful)

pthisis (27352) | more than 6 years ago | (#22468792)

I agree that they probably fulfilled their minimum obligation, but it would be great to see a much higher degree of co-operation between the vendors of minority browsers. By all means attack MS in this way, but play nice amongst the good guys.

Full public disclosure of security bugs is generally considered the best way to get rapid fixes, and was the entire reason that places like BugTraq were founded. Following standard protocol is not an "attack". Vendors like to assume that you're just maliciously publishing things that would be no problem for their users until you did so. That's untrue.

Many bugs are well-known by black hats before they are found by the good guys. The safest thing for users is to assume that all severe bugs are well-known by the bad guys; when you disclose publically, you give the users a chance to protect themselves even if the software is not yet fixed. I'm not sure of the details of this exploit, but they may be able to protect themselves by limiting their surfing to well-known trusted sites, using an alternate browser, or turning off javascript or whatever. In other cases, some sort of external wrapper or proxy, tighter firewall rules, limiting access to DMZs, or other external steps can help prevent big security problems even without a full vendor fix available yet. It may even be worth it to some users just to forgo using an application for a few days until it's fixed.

Keeping silent until the vendor fixes things might just hurt the user's security situation, and certainly doesn't give the user the option of evaluating the risk and determining whether it's worth ignoring it or not--it forces them to make their usage decision without good information.

Re:All Things Considered... (1)

kesuki (321456) | more than 6 years ago | (#22469326)

The single best thing you can do for web exploits is to get a list based firewall, such as Peerguardian, iplist.sourceforge.net , or moblock the latter 2 are linux based, peer guardian 1 was released for mac os, and peer guardian 2 is for windows still, so no matter what os you use, there is a peer guardian application, if you just want the 'web exploit' sites blocked they have a separate list for that, i realize they were started as a 'blacklist' against people making p2p applications not work (seeding bad data, etc) but they are also really good for making web browsing safer. obviously some web exploits can be carried out without needing a special web server, as some exploits can be posted as bad links on social networking sites etc.

Re:All Things Considered... (1)

mdwh2 (535323) | more than 6 years ago | (#22468856)

Agreed. My thought was that the Opera guys could get their own back at Mozilla next time it's a bug that they discover first.

But then I thought, is that what we really want?

Re:All Things Considered... (3, Insightful)

WhatAmIDoingHere (742870) | more than 6 years ago | (#22469110)

Yes, because it means that people look HARDER for the bugs in both browsers and release information about them to the public faster, meaning they'll be patched MUCH faster than a bug report sent through some behind the scenes emails.

Re:All Things Considered... (2, Insightful)

mdwh2 (535323) | more than 6 years ago | (#22469182)

Fair enough. I think there are arguments to make on both sides - but whichever one's point of view is, both sides are reasonable positions I think. I just don't understand why one side of the argument here seems to get such contempt, just because Opera's involved.

Re:All Things Considered... (3, Insightful)

saltydog56 (1135213) | more than 6 years ago | (#22468980)

Attack? How did any of the Mozilla devs attack Opera - from what I can see no public mention was ever made about Opera having the same issue.

Further, why would you encourage others to "attack MS in this way?" - that is stupid and unprofessional. I am a committed Linux user, in my free time I build and test each kernel snapshot as it is released. Why, because I love to get into the guts of the system.

Am I a Windows lover? Not really, but I do bring up an XP image from time to time as a guest on my Linux system. I have an older IBook running OSX which is the central core of my music system.

I even have a system up and running IBM's MVS 3.8 for those days when I really miss the old days of mainframes punch cards.

Each of these systems has its good points and its bad points, I stick with Linux because I CAN get into the guts of the system. I keep my thumb on the pulse of all these Operating Systems because I love being close to the hardware.

That said I have NEVER seen any vendor come out and invite an attack on a rival OS by detailing a security hole in public. Balmer may be a fool with his rants on Microsoft's perceived superiority but even he doesn't come out and discuss the details of anyones security issues.

So why would you encourage it?

Re:All Things Considered... (1)

RonnyJ (651856) | more than 6 years ago | (#22468902)

The best thing to do here would be to compare how both Opera and Mozilla notify each other about exploits they find in other browsers.

Re:All Things Considered... (0)

Anonymous Coward | more than 6 years ago | (#22468908)

Uh, if you actually took a look at the thread in question [opera.com] , you'd see that Microsoft has notified them in the past. Of course, since the issue is relevant to Firefox and Seamonkey too, it isn't as bad as many people in that thread make it out to be/interpret it. Cause Mozilla is of course allowed to fix problems with their software as soon as they want and as they see fit.

Re:All Things Considered... (0, Flamebait)

webmaster404 (1148909) | more than 6 years ago | (#22469646)

Exactly, Opera isn't Open Source so it isn't like Mozilla can just go in and patch the code. I honestly don't think how Opera can manage to stay in the browsers war without an open source browser or rendering engine. Although, their deals with Nintendo probably made them some cash.

First... (5, Funny)

hsdpa (1049926) | more than 6 years ago | (#22468452)

to fix the exploit wins!

Oh bitch, bitch, bitch! (3, Interesting)

Enuratique (993250) | more than 6 years ago | (#22468464)

Listen, would you rather they give you no advanced warning? Like chivalry, professional courtesy is all but dead these days. What are they supposed to do? Wait until you get your ass in gear to address the issue? Perhaps letting the weakness be known might actually give you the incentive to make it a top priority bug fix - which is good for everyone.

Re:Oh bitch, bitch, bitch! (2, Funny)

smitty_one_each (243267) | more than 6 years ago | (#22468544)

s/bitch/advertise/

Re:Oh bitch, bitch, bitch! (0, Troll)

police inkblotter (1228830) | more than 6 years ago | (#22468948)

Why do you think Opera bitched about it? Do people still have to pay for that crap?

Re:Oh bitch, bitch, bitch! (1)

MobileTatsu-NJG (946591) | more than 6 years ago | (#22469054)

"Do people still have to pay for that crap?"

Wrong on both counts, for several years actually.

Sheesh... (3, Interesting)

TripMaster Monkey (862126) | more than 6 years ago | (#22468470)

From TFA:

Claudio Santambrogio, an Opera desktop developer, said the Mozilla team notified it of a security issue only a day before publishing an advisory. This gave the Norwegian software developers insufficient time to make an evaluation. "They did not wait for us to come back with an ETA for a fix: they kept their bug reports containing the details of the exploits closed to the public for a few days, and now opened most of them to everybody," Santambrogio writes.

I'm finding it a bit difficult to feel bad for Opera. Exactly how long does it take to "evaluate" a security issue, especially when someone else goes to the trouble of finding it in the first place, and then notifies you of the issue?

Opera had ample opportunity to roll out a fix...but they dragged their feet (as is their habit). This time, their habit got them burned. Perhaps next time they'll take a notification of a security issue more seriously.

Re:Sheesh... (5, Informative)

xactoguy (555443) | more than 6 years ago | (#22468580)

From the Opera developers' description [opera.com] it appears that the Mozilla foundation could have handled things more professionally - Opera was only notified the day before a public advisory was published, and since that time the Mozilla foundation have opened most of the bug reports containing exploitation details to the general public. Judging from the emoticons on Opera's blog, the latter action by the Mozilla foundation is the primary issue here, not that they published the advisory.

Re:Sheesh... (4, Insightful)

drinkypoo (153816) | more than 6 years ago | (#22468620)

Opera was only notified the day before a public advisory was published, and since that time the Mozilla foundation have opened most of the bug reports containing exploitation details to the general public. Judging from the emoticons on Opera's blog, the latter action by the Mozilla foundation is the primary issue here, not that they published the advisory.

I think we all know already that disclosing the exploit is what brings the motivation to fix the hole.

The fact that they hid the bug reports at all should be enough to make the Opera kids grateful. After all, the Mozilla foundation operates in a pretty open and transparent fashion. The most honest (and destructive) way to go would be to never hide the bug reports.

But just to cover that old ground once again; when code changes, diffs happen automatically, and people know just precisely what changed. You can be sure that some of those people are malicious hackers looking for new ways to screw us all; there's good money in it. So by hiding the details of the exploit, you make sure that only the more skillful and malicious hackers have the exploit. Does that sound like a good idea to you?

Re:Sheesh... (5, Insightful)

NMagic (982573) | more than 6 years ago | (#22468750)

You know, looking at Mozilla's release, they didn't seem to mention anything to anybody about Opera having a problem too. Looks more like Opera screwed themselves.

Re:Sheesh... (1)

xenocide2 (231786) | more than 6 years ago | (#22468756)

Mozilla takes security seriously, so, like many other systems, allows people to mark things as security vuln's, so that intelligent disclosure techniques can be applied. They will publish things in due time, and maybe not on a schedule that Opera deems acceptable. But never hiding bugs is silly. For example, if you provide an strace of ssh crashing, you'd want to mark that private at least.

Re:Sheesh... (5, Insightful)

pthisis (27352) | more than 6 years ago | (#22468872)

But never hiding bugs is silly. For example, if you provide an strace of ssh crashing, you'd want to mark that private at least.

Maybe, maybe not. You never know what the black hats already know; as a _user_ of ssh, if you disclose then I can take steps to limit damage--e.g. if I'm allowing full ssh access from outside my network (so that employees can work on the go), I may decide that the small benefit of doing so doesn't merit the risk. I'd rather turn off external ssh access for a few days until there's a fix.

When you hide the bug, you're hiding the ability for the users to take steps to protect themselves. You're forcing me to run with exposed systems for several days, and hoping that nobody "bad" knows about the bug. And you're making that judgement for your users rather than giving them the ability to make that call themselves; that's almost impossible given that the judgement might hinge heavily on whether I'm a large financial institute or a personal blog site that backs up daily. Just guessing that most users are happy with your security through obscurity is bound to be wrong in some cases, and those cases are likely to be some of the more financially significant ones.

(That's on top of the pressure to issue a real fix that full disclosure brings. Before things like BugTraq, it was common for people to sit on severe security bugs for literally _years_.)

Re:Sheesh... (2, Insightful)

Jugalator (259273) | more than 6 years ago | (#22469474)

When you hide the bug, you're hiding the ability for the users to take steps to protect themselves.
Yes, it's definitely a case of finding an equilibrium when being curteous in giving software developers around the world affected by the same vulnerability a reasonable time to adapt.

Re:Sheesh... (2, Insightful)

Jeff DeMaagd (2015) | more than 6 years ago | (#22468798)

But allowing only one day is excessive. Can you track down and fix security problems in your software within one day of notification?

I think we all know already that disclosing the exploit is what brings the motivation to fix the hole.

You haven't given a specific example of Opera needlessly hiding an exploit.

Re:Sheesh... (5, Interesting)

drinkypoo (153816) | more than 6 years ago | (#22468950)

But allowing only one day is excessive. Can you track down and fix security problems in your software within one day of notification?

Now, wait a second. If I am developing software package "A", and you develop competing package "B", and I find a hole in A and fix it, then just for laughs test to see if your product has the same hole and then I am kind enough to let you know that it does, then I announce that there is a hole in A, how am I responsible for the security of B at all? I've done you a favor by performing the test and giving you a heads up in the first place! I don't owe you anything.

I think we all know already that disclosing the exploit is what brings the motivation to fix the hole.
You haven't given a specific example of Opera needlessly hiding an exploit.

I'm not sure what you think that has to do with anything. The Mozilla foundation didn't even announce to the public that there was a hole in Opera. The announcement is that there is a hole in Firefox. Why not try reading the advisory [mozilla.org] ? There is NOTHING in there about Opera's susceptibility. You can't even view the bug report [mozilla.org] without a Mozilla bugzilla account with the proper access - I just logged into my account, and that doesn't include me, so it's not like even the report is generally available. Also, as per the advisory:

These bugs are variations on earlier problems reported by Charles McAuley and Michal Zalewski which were fixed in Firefox 2.0.0.4, as well as an issue reported by hong which was fixed in Firefox 2.0.0.8.

So it seems as though the Opera team has had some warning about problems similar to these in the past - along with the rest of the world.

Could I find and fix a bug in one of my pieces of software in a day? Probably, because all of them are very simple. If I had a development team and a security response team (they do have one of those, don't they?) then I bet "I" could find and fix known security problems in larger software products in a day, too.

Actually, a number of security holes in the Linux kernel have been found, announced, and fixed on the same day, now that I think of it.

Re:Sheesh... (1)

Jugalator (259273) | more than 6 years ago | (#22469500)

I've done you a favor by performing the test and giving you a heads up in the first place! I don't owe you anything.
Opera was never claiming Mozilla was bound by law and did anything wrong per se; they just wished to have seen it handled a bit differently because apparently it usually is in this business, even for being Mozilla.

Re:Sheesh... (1)

zIRtrON (48344) | more than 6 years ago | (#22468966)

Probably not, but always a possibility.
Evaluation though - that is immediate action when it comes to security.
Wanna be sued?

Re:Sheesh... (0)

zIRtrON (48344) | more than 6 years ago | (#22468910)

With the two siblings posts here and the parent post, it looks like OSS Projects are well positioned to form some sort of guild/co-operative/etc/business-procudure

Transpose this into another context:
    a) Border patrol catches a vessel - they notify other defense teams and work in a procedural manner
    b) A musician can hear something out of tune, go and let the other muso know

Harmony. Utopia.

Mozilla did the right thing. One day is enough for security announcements - I haven't RTFA - If Mozilla said, "we've got all these millions from Google - can we have a meeting in 3 hours time to discuss how to allocate it amongst minority browsers" - they'd be down there in a hurry....

Just fix the damn thing.

Re:Sheesh... (0)

Anonymous Coward | more than 6 years ago | (#22468998)


> a) Border patrol catches a vessel - they notify other defense teams and work in a procedural manner ... but first notifies all the smugglers to take a different route ...

Re:Sheesh... (1)

Jugalator (259273) | more than 6 years ago | (#22469452)

So by hiding the details of the exploit, you make sure that only the more skillful and malicious hackers have the exploit. Does that sound like a good idea to you?
No, of course the details should be revealed in time. This is just a discussion of how long said time should be out of courtesy.

Re:Sheesh... (4, Insightful)

moderatorrater (1095745) | more than 6 years ago | (#22468816)

Unless for some reason they use the same engines, what's the problem with this practice? Opera's security isn't Firefox's responsibility. The fact that they notified opera at all went above and beyond what they needed to do, and asking firefox to be less open with their community is asking them to risk their image for the sake of opera and its users. Unless I'm missing something here, Firefox was being polite and Opera's throwing a world class hissy fit.

Could a coder please weigh in? (1)

BeeBeard (999187) | more than 6 years ago | (#22468810)

What I'm hoping is that a helpful Slashdot reader who actually patches security holes in widely-used software on the clock can opine as to the practicality of having a one day turnaround. Otherwise, the rest of us are just guessing about what is and isn't reasonable.

So, is having one day to evaluate and fix a security hole reasonable? And also, is having the source code open and available to others advantageous at all in meeting so short of a deadline?

Re:Could a coder please weigh in? (4, Insightful)

Allador (537449) | more than 6 years ago | (#22469012)

The problem usually isnt coding time. It's organizational response and resource allocation issues.

For example, Opera is on a very differen timezone from the US, so initial publication may happen overnight from the POV of the Opera staff.

So then a day starts. When people start their day, they have a pile of things to respond to. The incoming messsages have to be triaged. Someone has to make a decision that this is important enough to escalate or take action on.

Then you have to find people with the capability to test whether its a real problem. This may take a couple hours. People go on vacation, get sick, etc.

Then you have to take the time to do the research, test whether this is a real problem, what versions it affects, etc. This takes a couple hours.

Then yuou have to stop a coder from working on something else, bring them up to speed on the problem (if its not the same person doing the testing), and get them started on the fix.

Then even with a fix you have to do regression tests. Not sure about Opera, but many mature apps have full test suites that can take a couple hours.

Then you have to write release notes, update the web page, do a new deploy package, and update your update servers to notify Opera that there is a new update.

As you can see, very little of the time here is coding.

Many large orgs have taken steps to create a 'short path of decision making' to streamline this process, always have one coder on call who can do this work, etc. But even then if anything is out of whack or the wrong person is sick or on vacation or on another urgent item, a whole day could pass without response.

Re:Sheesh... (1)

Translation Error (1176675) | more than 6 years ago | (#22469282)

It probably doesn't take more than a few hours to "evaluate" a security issue. If you want to throw out a half-assed patch that may very well break other things or make the problem works, that is.

I see lots of people coming down on Opera, saying they're just whining and that it's ridiculous for them expect Mozilla to hold off on fixing their browser until they could fix their own... but maybe they're just peeved that instead of telling them about the exploits they were working on earlier, Mozilla waited until the day before they publicly released the details.

I must be missing something here... (4, Insightful)

moderatorrater (1095745) | more than 6 years ago | (#22468492)

As far as I can tell, Firefox had a flaw, they fixed it and notified Opera that they had the same flaw the day before Firefox's fix was announced. Sounds to me like the only thing that Firefox did wrong was notice that it affected Opera at all, because if they hadn't Opera would have been left with egg on their face and nothing to bitch about.

Re:I must be missing something here... (5, Funny)

Jester998 (156179) | more than 6 years ago | (#22468546)

Clearly, the Mozilla team should be performing full regression testing on every bug they fix against every browser known to man. What if the bug affects NCSA Mosaic?

Hmm, there's something wrong with my sarcasmeter, it seems to be off the scale...

Re:I must be missing something here... (3, Funny)

i.of.the.storm (907783) | more than 6 years ago | (#22468692)

(Sorry, I couldn't resist) His sarcasmeter- it's OVER 9000!!!!!!!!!

Re:I must be missing something here... (3, Insightful)

Otter (3800) | more than 6 years ago | (#22468702)

Clearly, the Mozilla team should be performing full regression testing on every bug they fix against every browser known to man.

I think the point is that they *did* know that this particular vulnerability affected Opera and took their time about telling them.

It still doesn't seem like a huge deal, but on the other hand if you read what the Opera guy actually wrote, it also doesn't seem like a huge deal. "Screeches" seems a bit excessive.

Re:I must be missing something here... (1)

BeeBeard (999187) | more than 6 years ago | (#22468898)

It still doesn't seem like a huge deal, but on the other hand if you read what the Opera guy actually wrote, it also doesn't seem like a huge deal. "Screeches" seems a bit excessive.
Agreed, but if minor quibbles between software groups weren't overplayed and sensationalized, then what exactly would we be reading on Slashdot? Plus, you must be new here, because what business do you have reading the article anyway? You're supposed to just read the inaccurate summary and then "wing it."

Anyways, here, the use of the word "screeches" is not descriptive of the communication that took place, it just means that somebody needs to have their Roget's confiscated. I'm inclined not to think that Santambrogio's ":(" sad faces on his blog aren't exactly the same as "screeching" at somebody.

Re:I must be missing something here... (1)

Paradise Pete (33184) | more than 6 years ago | (#22469064)

Anyways, here, the use of the word "screeches" is not descriptive of the communication that took place, it just means that somebody needs to have their Roget's confiscated.

I assumed he was trying to play on unpleasant noises coming from the "opera."

Re:I must be missing something here... (0, Insightful)

Anonymous Coward | more than 6 years ago | (#22468578)

No, what Mozilla did wrong was immediately announce it in some sort of lameass attempt to smear Opera as being as insecure as Firefox has proven to be.

Proper security response has always been to NOT release data until the vendor has had a chance to response. Mozilla DIDN'T DO THAT, and released the information anyway.

The should have given Opera time to fix the flaw BEFORE announcing it to the world.

If Microsoft did the same thing to Firefox, people would be calling for blood. The same standards should apply to open source projects!

Re:I must be missing something here... (5, Insightful)

sholden (12227) | more than 6 years ago | (#22468642)

So mozilla should have left their users open to the big for longer, by delaying the fix so that Opera can catch up?

Or are you saying they should have released the fix and not mention what it was fixing - making it less likely people would apply the fix (plus it's open source not saying what it's fixing doesn't really keep it secret)?

Note that mozilla never mentioned Opera in the advisory anyway.

So what you're really saying is that Mozilla should pass all it's security fixes past Opera and IE and Safari and Konqueror and etc and not release them until all of those competitors have said "OK we've fixed it too".

Re:I must be missing something here... (5, Insightful)

saltydog56 (1135213) | more than 6 years ago | (#22468812)

You know, maybe I am blind, or perhaps just a little slow today, but I looked at the actual advisory (did you?) and I see no mention of the fact that the same bug impacted the Opera browser.

What I seem to get from the article is that a problem was found with Firefox, a fix was developed, and sometime prior to wrapping things up and deploying the fix, someone at Mozilla cared enough about the Internet environment we all share to do a quick regression test of Opera and when a problem was discovered, they PRIVATELY notified the Opera team.

What more could you ask for in the way of good citizenship?

Re:I must be missing something here... (1)

adona1 (1078711) | more than 6 years ago | (#22468814)

Um...if they'd given Opera time to fix the flaw, then what would be the point of announcing it?

"Attention, Opera once had a security hole but doesn't any more. News at 11"

Re:I must be missing something here... (0, Offtopic)

rapidweather (567364) | more than 6 years ago | (#22468834)

I think it's been a while since Opera updated their browser. I'm running Opera version 9.25 now in my Knoppix remaster. [geocities.com]
I like Opera when running on older computers, it does seem faster. Not so much on my remaster, but if I run Ubuntu 7.10 on this same box, a HP Pavilion 8250, Firefox seems very slow, and Opera is a welcome relief. I actually had to install Opera in Ubuntu for that reason, really. It's the 2.6 kernel, I have a 2.4 kernel in my remaster, and that runs much better on older boxes. Here is a screenshot [rapidweather.com] of Ubuntu on that box, and here is a screenshot [rapidweather.com] of my remaster running on that box.
(I put these in here just to make this post more interesting)
But, neither screenshot shows the current topic, Opera vs Firefox, performance on older boxes... (sorry).

I do wish Opera would take this update opportunity to fix their toolbar so it looks similar to IE and Firefox, in that the blank space, where Opera used to have their advertisement bar, is removed, and filled with browser controls like the others have. To me, the greatest thing is Firefox having the toolbar editor, so the user can set it up like they want.

Re:I must be missing something here... (1, Informative)

Allador (537449) | more than 6 years ago | (#22469068)

I do wish Opera would take this update opportunity to fix their toolbar so it looks similar to IE and Firefox, in that the blank space, where Opera used to have their advertisement bar, is removed, and filled with browser controls like the others have. To me, the greatest thing is Firefox having the toolbar editor, so the user can set it up like they want.
Do you realize that Opera's entire GUI is completely user-configurable, without any plugins?

You just right click on the toolbar, click Customize, then drag and drop to your heart's content. Couldnt be easier.

I'm not sure what blank space you're talking about. My Opera (on windows) have no blank space. And even if it did, you just re-organize the toolbars to eliminate it.

Heck, you can even put the tabs (or any toolbar or menu bar) on the side of the screen or the bottom (where I prefer) if you want.

In my opinion, Opera has a much cleaner toolbar than either Firefox (very amateur, blocky) or IE (schizophrenic, why are half the buttons on one side, half on the other?).

Firefox's GUI in particular always looks very amateurish. Like it was done by 'this guy' that someone knew who 'is good with graphics'. Whereas the other browsers actually hired professionals.

overreaction (2, Insightful)

kongit (758125) | more than 6 years ago | (#22468500)

While I do not know all of the details behind this I suspect that Mozilla did not have to notify Opera of any bug, in other words they did it as a heads up but were not obligated, I could be wrong though. The article is rather short and does not explain anything. For all I know Mozilla gave Opera the info as soon as they knew it, I highly doubt this, but just from the article it is hard to tell. While Mozilla could have waited, I would bet that people with malevolent intent are not overly concerned with the small Opera user base. I think that the over all the risk to the end user of the Opera browser is not much, and that the developer needs a chill pill. I know that Mozilla is not perfect, but I think that they had a good reason for releasing details about the problem. I do not know the reason, but knowing that there is a problem and that there is an update might make people more inclined to update to the safer version. So Opera fix the problem on your browser too, guess what you can look at Firefox's source code to see how the Mozilla developer's fixed theirs, and the developer with an pineapple stuck up somewhere needs to take a laxative or something.

Re:overreaction (4, Interesting)

Fweeky (41046) | more than 6 years ago | (#22468674)

I don't see how expressing dipleasure at something on a blog is an overreaction. "Screeching" is stretching it pretty fucking far, since it's basically saying what happened. Where in the blog entry is there screeching, perhaps the bold on "responsible", or maybe the ":("? Wouldn't it be better to link to the blog entry directly and not some dumb opinionated elreg article? Really, did you even read the original source before deciding "the developer needs a chill pill"?

At the end of the day, Mozilla would have acted better by keeping the exploits closed for a few more days, as they would hope anyone else would do for them. By not doing so, they upset people, and others expressing that upset is perfectly understandable. There's no mass outcry at Opera, no press release or open letter saying the Mozilla team are dicks, there's a few words saying what happened and a couple of emoticons on a developer blog entry.

Re:overreaction (0)

Anonymous Coward | more than 6 years ago | (#22468766)

Fuck that. As a Firefox user I want them to release the fix as soon as they can. Opera was notified of the problem and if they can't keep up that's just too bad. Someone in the Opera blog wrote that there was "active exploits for Firefox" and that it was "safe to say that the malware authors already knew about this security vulnerability". I don't know if that's true but either way I see nothing wrong in what Mozilla did.

Re:overreaction (1)

mdwh2 (535323) | more than 6 years ago | (#22468882)

Indeed, if anything it's the response to this blog post which is the overreaction.

(And I agree with your comments about the register, I used to read it, but it really does seem to be the tabloid of the geek world - if they're not picking on some blog post, they're trying to run a scare story based on a bogus Wikipedia edit they found in the history three years ago...)

Re:overreaction (1)

AySz88 (1151141) | more than 6 years ago | (#22469200)

...except that the blog entry, especially the whole "we believe in responsible disclosure" snark, implies that Mozilla publicly disclosed the *Opera* problem. According to the other /. comments, Mozilla didn't say anything publicly about Opera - it sounds like the Opera people saw something in the release that wasn't actually there. I don't know about you, but that sounds pretty silly to me.

Agreed, though, on linking to the original blog instead. I don't like the register's unnecessary coloring.

See this? (3, Funny)

imipak (254310) | more than 6 years ago | (#22468520)

>>>>> . It's the world's smallest violin...

Re:See this? (1)

calebt3 (1098475) | more than 6 years ago | (#22468662)

-->...... And here is a whole symphony.

the alternative being...? (4, Insightful)

rsw (70577) | more than 6 years ago | (#22468550)

Let's imagine that the Mozilla developers had modified the release notes for 2.0.0.12 so that it wasn't obvious what they'd fixed. Would that have been any better? Of course not. I can grab the code, diff against 2.0.0.11, take note of the changes, and presumably figure out why they were made. Now I can craft a working exploit against 2.0.0.11. After testing it on Firefox, what's the first thing I might try? How about... see if other browsers have the same problem?

So keeping in the fix but not mentioning it in the release notes is out. What, then... not patch the flaw? Yeah. Right.

Opera might be a nifty browser, but apparently its authors are whiny bitches.

-=rsw

Re:the alternative being...? (1)

Otter (3800) | more than 6 years ago | (#22468804)

the alternative being...?

The alternative being to inform Opera as soon as they realized it was affected, not at the last minute before public disclosure. (Presuming they didn't first test in in Opera right before public disclosure, which might have been the case.)

Re:the alternative being...? (1)

morgan_greywolf (835522) | more than 6 years ago | (#22469358)

Right. Because the Mozilla developers are sitting around, working secret. They keep their code all locked up tight and no one can see it. They don't keep a source repository [mozilla.org] online, updated hourly. They don't publicly discuss the code on any mailing lists or news groups [mozilla.org] , have a public irc channel [irc] where they discuss development, nothing! The Opera developers and everyone else are kept totally in the dark, right up until release! Why, you'd think Mozilla wasn't an open source project, but was instead developed by Microsoft!

26% decrease in comments per hour since /. change (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#22468560)

According to Microsoft Research Tools... up from the over 500% decrease after the initial implementation, but still worrisome. The ratio of -1:5-rated comments hasn't budged.

Did Slashdot shoot itself in the foot with this forced format change?

Re:26% decrease in comments per hour since /. chan (1)

Hucko (998827) | more than 6 years ago | (#22468660)

what change is that? I haven't noticed anything.

Apologies! (3, Funny)

Jester998 (156179) | more than 6 years ago | (#22468574)

As a Firefox user, I'd like to apologize to Opera users (both of you) for leaving you exposed.

Next time we'll just let you figure it out on your own.

Re:Apologies! (1)

Harin_Teb (1005123) | more than 6 years ago | (#22468744)

As one of the many disguised Opera Users (currently identifying as IE 7), I accept your apology.

Seriously though I think the complaint here is alleging (whehter justly or unjustly) that the Firefox team knew of the bug in BOTH Opera and Firefox, spent a lot of time, then the day before releasing their fix (and telling the world about the exploit) told Opera "Oh, by the way, we've been working on this fix for a while, and it seems you have the same problem. Good luck fixing it by tomorrow when we tell everyone about it."

Re:Apologies! (0)

Anonymous Coward | more than 6 years ago | (#22469026)

I use Opera too. Can you explain why you want websites/people to think you're using IE when you're using Opera? How does that help?

Re:Apologies! (1)

Harin_Teb (1005123) | more than 6 years ago | (#22469124)

Because I frequently visit websites (such as www.cvs.com) that expressly disallow Opera users to access the website for no apparent reason. Leaving on "ID as IE" saves me hassle... plus I'm not a super hardcore must evangelize [X] browser person, Opera is the best I've found, so it is what I use. I could care less waht other people use.

OT: User agent (1)

InvisiBill (706958) | more than 6 years ago | (#22469386)

Because I frequently visit websites (such as www.cvs.com) that expressly disallow Opera users to access the website for no apparent reason. Leaving on "ID as IE" saves me hassle... plus I'm not a super hardcore must evangelize [X] browser person, Opera is the best I've found, so it is what I use. I could care less waht other people use.

I'm not sure if Opera lets you customize the UA string to whatever you like, but I find it best to add whatever string the page is looking for into my Firefox UA. For example, Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1.12; .NET CLR 2.0.50727; not MSIE 6.0) Gecko/20080201 Firefox/2.0.0.12. The idea is that it gets you in without much trouble, while still letting the site know that you prefer a different browser and they should fix their site (or browser detection). Wouldn't it be great if every poorly coded site out there realized they were blocking browsers that worked just fine and fixed their code to allow them? Maybe the CVS site is done by a parent company which also does the sites for their other companies - pointing out the mistake on one site might lead to several sites getting fixed. The end result is simply more sites that "just work" which results in less time spent making 15 different versions of a website so that it works in all browsers, and more time spent making the website functional.

Re:Apologies! (1)

bhtooefr (649901) | more than 6 years ago | (#22469678)

I'll note that at least since Opera 9.2, and maybe earlier, preferences such as that can easily be set per site. Another useful per-site one is disabling plugins (I'm sorry, sometimes I don't want Flash on your site,) or enabling pop-ups.

Some sites I have it set to mask as Firefox, some are ID as IE (with Opera in the string,) some are ID as Firefox, and I default to IDing as Opera.

Re:Apologies! (1)

bky1701 (979071) | more than 6 years ago | (#22469134)

If they didn't tell that at all, Opera would have nothing to whine about.

Maybe that's what should happen next time.

Re:Apologies! (1)

LingNoi (1066278) | more than 6 years ago | (#22469370)

They published the Firefox flaw and didn't mention Opera at all. That's hardly "announcing to the world that Opera has this problem".

What did you expect them to do? Not fix Firefox for a few days?

Big deal (0)

Anonymous Coward | more than 6 years ago | (#22468594)

There's like 3 guys in the office closet that use opera. Who cares anymore? IE rules the online world with an iron fist.

Streisand effect? (4, Interesting)

Epsillon (608775) | more than 6 years ago | (#22468598)

Seems if they'd kept their whiny mouths shut, nobody would have realised from the vulnerability disclosure [mozilla.org] that the issue affects Opera. Now EVERYONE knows, from the kiddie scripting 'sploits to the IT manager planning the software deployment for the next few months, who is now seeing why closed-source Opera isn't really such a great choice after all. Even the CVE entry [mitre.org] doesn't disclose Opera's vulnerability to this bug. Still, it makes good comedy if nothing else...

Re:Streisand effect? (2, Insightful)

Hatta (162192) | more than 6 years ago | (#22468634)

Exactly. Not only does this story bring to light the fact that there's a bug in Opera, but it illustrates how Opera prefers to handle security bugs: by covering them up.

insightful?? (1)

Racemaniac (1099281) | more than 6 years ago | (#22468832)

no offence, maybe opera overreacted, but where does it say opera covers up things? opera apparently expected to get a bit more time to fix the bug before mozilla disclosed it to the world... although it appears they didn't really say opera was also affected, so it's an overreaction but saying that they cover up things -_-. i think it's fairly normal not to spread around that there's a vulnurability until it's either fixed, or is obviously in the wild...

Re:insightful?? (4, Interesting)

Epsillon (608775) | more than 6 years ago | (#22468984)

They've had twelve days to fix it. Have they? If you RTFA, you'll see not only have they not, they've expended a greater amount of energy trying to whip up support for their malcontent with Mozilla. So, in reply, yes it does seem that they would rather cover this up than fix the issue in a timely manner. Their actions scream it, even if TFA doesn't.

Re:insightful?? (1)

Racemaniac (1099281) | more than 6 years ago | (#22469218)

where does it say they had twelve days to fix it? i just read tfa, and see that a.they didn't expend much effort complaining about it, there's a link to a post on an opera blog where they complain about it, that's about it it seems... b.apparantly they just expected from mozilla for them to have a chance to reply on it, or to agree with mozilla on how to disclose it if they would disclose the bug before opera had a chance to fix it. i don't see anything outrageous or cover up going on here. it may be lame that they complain, that's about it... okay, i use opera, so i'm biased, but it seems the bias against opera is far worse here -_-

Re:insightful?? (3, Informative)

Rudolf (43885) | more than 6 years ago | (#22469662)

where does it say they had twelve days to fix it?

From TFA:

Mozilla fixed the flaw, along with other more serious bugs, with the release of Firefox 2.0.0.12 on 7 February. Opera, which is yet to plug the moderate risk flaw, objected to the Mozilla team publishing an advisory on the issue.
Claudio Santambrogio, an Opera desktop developer, said the Mozilla team notified it of a security issue only a day before publishing an advisory.


Opera was notified the day before the February 7 release - that would be February 6. Today is February 18. Is that not 12 days?

Re:insightful?? (2, Informative)

Epsillon (608775) | more than 6 years ago | (#22469710)

where does it say they had twelve days to fix it?
God's teeth, man! Have you really read the article? The vulnerability was reported to Opera a day before Fx 2.0.0.12 was released with full disclosure of Fx and Seamonkey bugs (no mention whatsoever of Opera) on the 7th. It is now the 18th. 18th - 6th = 12. Instead of keeping schtum and coding a fix, they chose to shoot themselves in the foot by disclosing that Opera had this vulnerability and it was the big, bad Mozilla Foundation's fault that it was disclosed because they fixed the browser that has 27% market share [platinax.co.uk] and growing [1] in Europe and told people what they had fixed. Nowhere did Mozilla, or anyone else, mention that Opera was vulnerable. I didn't even know, despite being subscribed to a number of vulnerability reporting lists, until they opened their mouths and took a swipe at Mozilla. I know now, of course. Why do you think that is?

The whole point of this entire debacle is that Opera themselves disclosed this and, by complaining about full disclosure, showed their true colours when it comes to vulnerabilities in their flagship browser. Mozilla reported the vulnerability in a professional manner to a competitor to whom they owe nothing but felt ethically it was the right thing to do, then fixed their own product. Opera's actions in this matter show me quite clearly what they would have preferred to do but perhaps I'm just a raving zealot or a tin-foil hatter seeing conspiracies where none exist. There again, perhaps not. Feeling lucky? I hope you are, since you're betting, with apparently very little information, that Opera fixes the bugs in its software instead of simply sitting on reports from security experts trying to do the right thing. Security experts and competitors who may just think twice before submitting findings to Opera in the future.

[1] 94% of statistics are pulled from someone's behind. Suffice to say a significant portion of the web browsing public use Fx. My analog shows it to be much, much higher but my web server hosts predominantly open source software, so that's to be expected.

Re:Streisand effect? (0)

mdwh2 (535323) | more than 6 years ago | (#22468996)

closed-source Opera

Not to disagree with your main point, but why is it important to stress that it's closed source, apart from making a cheap dig at it?

I don't understand why this appears to come up everytime with Opera, and only Opera. I never hear Firefox fans talking down the closed-source MacOS, for example.

This closed-sourced software company brought me an IE alternative long before it became trendy, not to mention useful things like Opera Mini for my phone. Firefox is cool too, but I don't see why there has to be some competition between them, when the real enemy is IE.

Re:Streisand effect? (1, Insightful)

Anonymous Coward | more than 6 years ago | (#22469316)

Central to the argument. Open source Firefox has to disclose the fix in order to fix it, closed-source Opera doesn't and the users could be unaware that anything even happened. Side note: Why is the real enemy IE? The enemy of my enemy is not always my friend.

Re:Streisand effect? (1)

Epsillon (608775) | more than 6 years ago | (#22469334)

OK, I hold my hands up to the cheap dig and I apologise for it. However, in mitigation, I personally feel more comfortable with open source simply because, while I may not understand all of it nor will I ever have the time to read the entire source of, for example, Konqueror, I am sure that people far more skilled than I who would never have seen the code had it been proprietary HAVE seen it collectively. That makes me more confident in that code and the resulting binary.

As this shows, it's not perfect, but large projects rarely are. It does get fixed quickly, though, which is another advantage of open source: You don't have to beg the one guy who understands that bit of the parser (who happens to be on vacation, has slipped on the ski slope and won't be back until the bones knit) to fix it when you have the source. You can file a patch with the bug report.

WebKit [webkit.org] , upon which Safari is built, isn't closed source. It grew from the KDE project's KHTML and parts of both keep going both ways. MacOS X, yes, you have another valid point, but we're not talking about OSen here, we're talking about web browsers.

It wasn't a deliberate cheap shot. I have thought about the issues long and hard but I shouldn't assume what works for me is universally acceptable so, again, I apologise.

Fanboys (1, Interesting)

Anonymous Coward | more than 6 years ago | (#22468612)

Anyone else read the comments on the Opera blog? Pretty embarassing stuff.
http://my.opera.com/desktopteam/blog/2008/02/14/9-26-coming-soon [opera.com]

"Well those Mozilla guys think that openness is the answer to everything. :-/"

"Mozilla never knows when to keep their mouths shut...
Of course, considering that there are active exploits for Firefox, it's safe to say that the malware authors already knew about this security vulnerability."

"I'm not surprised about the Mozilla Corporation. Maybe they pretend they never have security issues with their code? There are still security issues with Firefox and with *any* software developed by humans, so they should be more humble and responsible. They're not harming Opera Software ASA, they're putting the Opera users in jeopardy, this is not a good way to have them to use Firefox. This is evil, irresponsible and antiethical at the very least. Shame on Mozilla!"

"Nevermind, guys, let the Mozilla devs have more secure browser for at least few days (-;E"

Re:Fanboys (3, Insightful)

mdwh2 (535323) | more than 6 years ago | (#22469302)

Yeah, it's not like Firefox has any fanboys...

So I took a look at the last story [slashdot.org] about Firefox bugs. And guess what - you have people criticising the person for making the bug public in a way not helpful to the developers [slashdot.org] . And do I hear "crybaby"? No, instead it gets modded up to +4.

Opera users (2, Funny)

Tumbleweed (3706) | more than 6 years ago | (#22468618)

it places Opera users at unnecessary risk

Yeah, both of them.

Re:Opera users (2, Insightful)

bmartin (1181965) | more than 6 years ago | (#22469634)

I don't see why this is so funny. Opera's not that bad, and it does offer some things that aren't available by default in Firefox. Sure, it doesn't have the 400 extensions that FF does, but you don't have to screw around with it much. Opera has some really nifty features enabled OOTB that most people would overlook otherwise. It's also fast and it does a really good job with adhering to web standards.

Yours is really a flamebait comment, and if there were a considerable number of Opera users with moderation points out there, I'm sure they'd overlook objectivity and mod you down.

Re:Opera users (1)

Tumbleweed (3706) | more than 6 years ago | (#22469712)

It's just a joke. There aren't many Opera users compared to Firefox users. If you can't tell the difference between a joke and flamebait, that's unfortunate. Are you from Norway?

Opera has a lot of nifty features, but to my mind, it's crippled by an interface that makes it take forever to figure out how to configure the thing to do what you want. I'd _love_ for the Opera folks to take the Firefox code and rewrite it to their standards. FF would be SOOO much faster. I just don't want the Opera interface.

Oprah screeches at Godzilla over Security! (5, Funny)

jameskojiro (705701) | more than 6 years ago | (#22468646)

Best episode of Oprah ever!

Only on the internet (1)

7-Vodka (195504) | more than 6 years ago | (#22468686)

Only on the series of tubes of the Interwebs does someone Piss and Whine when another person does them a favour.

I hereby declare Opera a whiny bizznatch. [carcino.gen.nz]

Opera users? (1, Flamebait)

BeeBeard (999187) | more than 6 years ago | (#22468724)

Santambrogio goes on to attack Mozilla's handling of the issue, arguing that it places Opera users at unnecessary risk.

In other words, it puts nobody at risk. ;)

Was there an obigation? (2)

deadmongrel (621467) | more than 6 years ago | (#22468730)

Why is Mozilla obligated to wait and release an advisory because Opera couldn't get off their asses fast enough to respond to something. Also, opera users were already at risk and not just because of the advisory.

Offtopic: Did that opera guy ever swim from US to Norway? speak about obligations.

Whats the big deal, just go fix it (2, Interesting)

KevMar (471257) | more than 6 years ago | (#22468772)

Whats the big deal. Just go fix it.

I know you don't have any people committed to different projects.
I know you have your code at a stable point so its easy to slip in a change
I know this only takes one guy 5 min to go change a few lines of code
I know its ready to ship the moment its changed
I know you coded it right and didn't break anything else

Remember this is open source. so you should be able to fix all security issues quickly. I bet someone else had already done it for you. Just ask someone for it.

Whats the point of being open source if you don't do what the community expects of you.

END RANT

OK, i bet the underlying issue is they expected to have a Little time. Emails went out to a few people that would look at and identify how big of an issue it was. Once they reported back, only the resources needed would be pulled off other projects to fix this.

The next day they see the advisory without warning and now they scramble to figure it out. Probably pulled a lot of people off other stuff that they didn't need to in order to rush out a minimally tested release.

...it places Opera users at unnecessary risk? (3, Funny)

iamacat (583406) | more than 6 years ago | (#22468802)

I would say it places Opera users at unnecessary risk of becoming Firefox users :-)

What do you say if someone gives you free popcorn? (1, Funny)

Anonymous Coward | more than 6 years ago | (#22468824)

Scream murder that he forgot to add the butter.

Fix for Opera users released. (1, Troll)

siesindallerscheisse (1238976) | more than 6 years ago | (#22468846)

Here. [mozilla.com]

Well, I can understand (1)

Secret Rabbit (914973) | more than 6 years ago | (#22468930)

Everything that I've read on the topic of disclosure says wait at least a week. Hell, even some mail to the security focus lists have histories in them that go back a couple months! So, I can understand that Opera is rather pissed at the Mozilla people for not giving them ample time to respond. Quite frankly, I find the whole thing rather rude.

That being said, "Opera's" response wasn't exactly professional either. At least it should have been better worded and cited industry standard ways of working to solve an issue.

Screeching Simpson's Quote (1)

Sponge Bath (413667) | more than 6 years ago | (#22468940)

"We had another fight over the inflatable bath pillow. I kept screeching and screeching at him, but..."
-- Agnes Skinner, describing her latest fight with her son, Seymour

Crap article (4, Insightful)

Tridus (79566) | more than 6 years ago | (#22468964)

Somebody posting to Slashdot says that somebody at The Register says that an Opera blogger screeches about Mozilla. Even for Slashdot, this is a pretty weak title.

What they actually say is that they only had a day between notification and public disclosure. He's actually happy that Mozilla told them at all (hence the :) ), but not happy that there was only a day before it was made public. Nobody is particularly happy when they only have a day from learning there's a security hole to everybody else learning about it, thats not enough time to get a fix rolled out, so this is hardly surprising.

I know Mozilla can do no wrong around here, but come on. Even the Mozilla devs would be happier getting more then one day before public disclosure of a security hole.

Full disclosure (0)

Anonymous Coward | more than 6 years ago | (#22469556)

I'm sorry, they shouldn't have had any time at all to respond. Next time, publish it as soon as you've got working exploit code. Oh, and make a nice GUI exploit for the skiddies.

But however. (0, Flamebait)

trouser (149900) | more than 6 years ago | (#22469704)

At the risk of offending Opera users and gay people I'd have to say that Opera is gay. Also, Mozilla has the giant lizard monster. What does Opera have? A big letter 'O'. And maybe some dried fish. And Norway? You can't get there from here.

unacceptable level of risk for Opera users (0)

Anonymous Coward | more than 6 years ago | (#22469708)

And both of them are rightfully outraged!
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?