On 19/01/2008, Douglas A. Tutty <[EMAIL PROTECTED]> wrote:
> As for the security record of popular browsers, this is the question.
> Is a browser with a long history of few security bugs more or less
> secure than a browser with a long history of many security bugs?
> Someone suggested that Dillo, with a long history of few bugs, with a
> simple design, may be more secure.
>
> Also note that I'm specifically looking at graphical browsers here and
> "banking" may not be the best exemplar since hopefully the OBSD base
> Lynx will work for that.

You obviously can't generalise. Simply counting the number of disclosed(!) vulnerabilities, and maybe the time till they're fixed, can give you some indications, but even though it's frequently done, and even though these numbers are frequently bandied about **cough** Secunia **cough**, seriously or exclusively relying on them is amazingly bad science.

You already observed that a larger number of disclosed bugs may be indicative of more active and responsive development for a more popular product (sometimes more popular for a reason), or the software may just be very insecure. Which is it? You can't tell without looking at the details, or asking somebody who has done so.

Your specific questions to this list about Dillo et al. are quite valid in that regard, but your generalised question "Is a browser with a long history of few security bugs more or less secure than a browser with a long history of many security bugs?" really can't be answered. It depends.

Thanks and regards,
--ropers