On 19/01/2008, Douglas A. Tutty <[EMAIL PROTECTED]> wrote:
> As for the security record of popular browsers, this is the question.
> Is a browser with a long history of few security bugs more or less
> secure than a browser with a long history of many security bugs?
> Someone suggested that Dillo, with a long history of few bugs, with a
> simple design, may be more secure.
>
> Also note that I'm specifically looking at graphical browsers here and
> "banking" may not be the best exemplar since hopefully the OBSD base
> Lynx will work for that.

You obviously can't generalise. Simply counting the number of
disclosed(!) vulnerabilities, and maybe the time till they're fixed,
can give you some indications, but even though it's frequently done,
and even though these numbers are frequently bandied about **cough**
Secunia **cough**, seriously or exclusively relying on them is
amazingly bad science.
You already observed that a larger number of disclosed bugs may be
indicative of more active and responsive development for a more
popular product (sometimes more popular for a reason), or the software
may just be very insecure. Which is it? You can't tell without looking
at the details, or asking somebody who has done so. Your specific
questions to this list about Dillo et al. are quite valid in that
regard, but your generalised question "Is a browser with a long
history of few security bugs more or less secure than a browser with a
long history of many security bugs?" really can't be answered. It
depends.

Thanks and regards,
--ropers
