How to permanently disable FireFox updating...

soldar:

--- Quote from: m12lrpv on March 04, 2024, 08:23:05 pm ---No there aren't. The days of serious exploits are long gone. Take the hysteria elsewhere.
--- End quote ---
I am with you on this. There are three programs I do not update any more and have not updated them in years.
Firefox, Thunderbird and Brave. All three
(1) want to update way too frequently,
(2) are massive, not just a small patch, they reinstall the whole thing and I am on a metered data connection with several computers, no way and
(3) they change things in the GUI and often cause other problems or annoyances.
Nope. I am not updating.

I see no need to change things in the GUI and I get the impression this is pretty much all they are doing to justify their existence.
If they need to patch security holes every few days it means it is really crappy software and software writers. Screw them.
I have never had a malware issue. I'll take that risk.
I will continue to not update.

tom66:

--- Quote from: m12lrpv on March 04, 2024, 08:23:05 pm ---
--- Quote from: tom66 on March 04, 2024, 11:17:46 am ---Please ... why are you disabling updates.  Just don't.  There are huge security implications.

--- End quote ---

No there aren't. The days of serious exploits are long gone. Take the hysteria elsewhere.

Even the minor security holes that do exist aren't genuinely exploitable to the degree you imply. Security updates just appear so companies can claim they're looking after your security.

The constant updates BS comes from dev companies not wanting to support lots of different versions which in all fairness as a dev for 30 plus years it's understandable.

--- End quote ---

Not even slightly true. CVE-2023-4863 was released only about 6 months ago, and that allows for heap buffer overflow, which allows for session keys, credit card info, saved passwords etc to be stolen from a running browser by using a modified WebP image! (This impacts all browsers.) It also allows for malicious code to be embedded into your browser creating the possibility of exploits like stealing bank details by forging a login page and SSL authentication.

https://nvd.nist.gov/vuln/detail/CVE-2023-4863

There will be others, humans are not infallible when it comes to software.  If you do not keep your software up to date, you are explicitly acknowledging that you will be vulnerable to third party attack from sophisticated organisations.  Now, if you think that is an acceptable risk, that is YOUR risk, but others should not do this unless they are absolutely certain they can tolerate this risk. 

You can use an Extended Support Release from Firefox if you are concerned about appearance changes to the software but still need to maintain security updates.

EPAIII:
I don't understand. I have used Firefox and Thunderbird for years and have had almost no problems.

What is everyone doing that causes such a ruckus?

soldar:

--- Quote from: EPAIII on March 05, 2024, 01:21:50 pm --- I don't understand. I have used Firefox and Thunderbird for years and have had almost no problems.

What is everyone doing that causes such a ruckus?
--- End quote ---
While I am with you in principle I find your argument, which is widely used, to be quite poor. It is the same as "I have never made backups and I have never had a problem".

We need a bit more profound risk analysis.
What is the cost (effort, etc) of implementing security measures?
What is the cost if the bad things happen?
What is the probability of those things happening?  Etc.

There is always an element of prevention, an element of risk, etc and you have to weigh everything.

I have used PCs since before the Internet days. I have never, ever, used any kind of antivirus software. I have never, ever, had any malware. I have been very careful with my practices. I have always been reasonably good at having backups.

When software is released so full of vulnerabilities and has to be updated so frequently to me it means the makers are being very careless and maybe should be subject to civil liability when their software causes damages. That would probably change things for the better. It is very shoddy software if it has to be updated so often for security.

In my case I have decided to not update the browsers for the reasons I have stated above. The risk for me is minimal and the hassle is just not worth it.

But maybe for someone with nuclear codes which could start WW3 in their computer the case is different. It's not my case though.

tom66:

--- Quote from: soldar on March 05, 2024, 04:33:34 pm ---When software is released so full of vulnerabilities and has to be updated so frequently to me it means the makers are being very careless and maybe should be subject to civil liability when their software causes damages. That would probably change things for the better. It is very shoddy software if it has to be updated so often for security.
--- End quote ---

I disagree with this statement.  If you look at what a web browser did 20 years ago, that was...
* decode SGML markup
* maybe parse basic CSS
* limited or no JavaScript support
* limited image file formats
* only HTTP

Now what does a web browser have to do?
* XHTML + HTML 4.0 support + SVG, XSL, JSON and others
* video decoding in multiple formats (YouTube, Netflix, etc.) (WebM encapsulation, codecs AV1, VP9, H264/H265... up to 4K rendered on graphics cards directly)
* multiple types of new file formats, such as WebP, JPEG2000, MNG/APNG...
* support a vastly more complicated HTML and CSS standard
* support complex JavaScript environments including JIT compilation
* support vastly more protocols such as HTTP2.0,  HTTPS,  multiple new forms of SSL (TLS 3.0), async HTTP requests and so on

There is a much larger attack area.  This is necessary to support the modern web.  If you do not want these features that is fine, but you would need to disable them or find a very old secure build of Firefox or something that did not have them.  This would probably break most of the things you use on the internet.

Many older browsers did have serious security flaws.  For instance, IE5.5 had a bug in it which allowed remote code execution via a maliciously crafted PNG image.  It took Microsoft ages to patch that.  Companies, including Microsoft, are far better now.  For instance in shared libraries they cooperate to disclose a fix at the same time to avoid an attacker having the opportunity to exploit one system before others have had a chance to patch it.

The modern way is not necessarily to exploit your system to put an annoying virus on it, either. Some exploits can be essentially hidden and be used to exfiltrate data such as passwords or CC data to a server somewhere.

The idea of attaching any civil liability to free open source software is laughable in the courts.  If you read the GPL, the "No Warranty" part is very clear, it is literally in all caps.  Nonetheless, even commercial software usually excludes liability for losses.  Only in B2B services do you tend to find liability put on the supplier, but you can bet that will be baked into the cost of the software and service.
