Thumbs down for Netscape 8
What’s wrong with Netscape 8
Ah, now we come to the important bits!
The hurried release of Netscape 8.0.1
Not sure how many people caught it, but Netscape had a mad dash to fix up their brand new browser on day 1 of its release. Since it’s based on Firefox (more on that later), it shared the same problems that the Mozilla people fixed two weeks before Netscape 8.0 was released.
They reportedly just took someone’s word that it didn’t affect the Netscape browser instead of testing it themselves. slaps forehead
In case you didn’t notice, there’s a glimmer of hope here: a Netscape vulnerability that didn’t take 9 months to fix!
Netscape’s enhanced security
Hang on, you say. How can “enhanced security” be a bad thing? When it’s implemented as naïvely as it is in Netscape 8.
The fact that Netscape uses Internet Explorer at all is opening the browser (and computer) up to all manner of vulnerabilities that are outside the control of the team who will update the browser in the future. Using IE to browse is unsafe at the best of times, and should be limited to only the most critical of uses, like Windows Update.
But I digress. What about these new “security options”?
Netscape 8 uses a security scenario that bears more than a passing resemblance to Internet Explorer’s Security Zones. The idea behind this is that the browser refers to a list of websites to see if they’re safe or otherwise, then sets an appropriate security level according to the site’s potential for danger. By default, the browser is set to automatically update this “Trust List” by downloading a new list from the Netscape site. Netscape calls this mechanism “Site Controls“.
— Netscape Site Controls
- Netscape continuously updates the browser with a list of trusted and suspected sites, so it will automatically apply your security settings to make you safer and more compatible.
- User receives frequent updates of trusted and potentially dangerous sites.
- Warns users of insecure web sites before they enter them.
Sounds good in theory.
The problem with this is that the list of “trusted and suspected” sites is simply a list of websites that display the TRUSTe “Web Privacy Seal”. This is hardly a mark of actual trustworthiness, as it only concerns a website’s privacy policy. Even if a scumware website had a clean privacy policy (questionable at best) and actually adhered to it (very unlikely), the policy itself probably doesn’t cover any of the software that it imposes upon users’ computers through back-door vulnerabilities and confusing licence agreements. Basically, Netscape have created a “security” system that allows them abrogate their responsibility in providing reliable classifications for trusted and dangerous websites.
Which pretty much makes Netscape’s “security options” worse than having none at all.
The problems with this “security” system have been further (and better!) discussed by Ben Edelman, Sunbeltblog and Spyware Warrior.
