And as I mentioned in the OP Firefox was the one with the extra vulnerabilities, not Firefox-esr.

Also I doubt Firefox is changing so rapidly as to present a completely new browser target every month thereby throwing hackers into disarray. I don't know why backported security patches would be less secure than normal patches. To be honest I don't think I buy this argument. This means that the ESR may be less secure than the release. Also, as time moves on, the development team will have made many major functional and security changes to the release version. This is because security patches for the ESR version have to be specially developed for these versions, since the ESR may not be functionally the same as the release version. As time goes forward, the ESR has been available longer and longer, potentially giving hackers more time to develop exploits. Same origin policy was the first line of defense I was thinking of. ESR versions of any software are generally slightly less secure than the release versions. I was thinking of site isolation as the new security feature. I got side-loading side channel attacks confused with cross site scripting. I wonder how important these new security features are nowadays. A first line of defense was already in place. I remember some other new security feature guarding against cross site scripting. So in this case it was not a true vulnerability. there was no known exploit IRL, no POC, fission is just a sane concept, implemented in stable ESR after testing in Firefox. side channel attacks are already mitigated in CPU how we could know at the time of completely new and untested fission technology implementation it is not buggy? And so Firefox-esr 91.x was more vulnerable to side-channel attacks than Firefox until the 102 version-bump. It didn't get this site isolation until the 102.x series came around.
I think they're both equal in security, it's just that the normal release has a more recent feature set. Firefox-esr at that time was the 91.x series. Firefox-esr is, after all, meant for universities and businesses, so it has to be more stable and reliable. They both get security updates as needed, but Firefox-esr is a more stable version as it doesn't include all the latest and greatest features that could end up making the browser less reliable and stable. I don't think it's that one is more secure than the other, it's that Firefox-esr is a more stable and reliable version.

Just as a quick comparison here are the latest cves for Firefox and Firefox-esr. So is it just kind of a trade off? Sometimes Firefox-esr will be more secure and sometimes Firefox will be more secure? Or do you think that one will be generally more secure than the other over time? I read on a Reddit post that Firefox may have additional cve's because of when things change there will be additional holes. Now eventually Firefox is going to get some new security features that Firefox-esr doesn't have in which case I would expect that Firefox-esr will have some cve's that Firefox won't have. I checked all versions since 102.0 and over that time Firefox has not added any new security features.

So at the moment Firefox-esr seems to be more secure than Firefox. So I checked the missing cve's in Debian's Security Bug Tracker and it turns out that the reason they were missing in Firefox-esr is because they weren't vulnerable in Firefox-esr. In each of them Firefox had more CVE's fixed than did the corresponding version of Firefox-esr. I've checked the last four major versions of Firefox and Firefox-esr.