dont assume I didnt google. Because I did and all I found was many complaining of the same thing the lack of control over the app. Chrome has its good points, but the down points currently make it unviable for me to use.

How do you know its a incredibly small amount of the userbase? How do you know people blindly click yes on security warnings? you dont.

googling the issue I found over 300 people complaining in a 10 minute search. You might say well millions use the app of course, but the majority affected since its a silent block wouldnt have a clue of whats going on.

Serving a so called dumb majority firefox is copying chrome, power user apps dont serve dumb majorities.

For your information firefox itself has more vulnerabilities against it than java. Same with internet explorer. All 3 apps have issues, nothing new there.

In this case a automatic background check wouldnt have fixed anything as firefox I repeat blocked the latest version.

If you want 100% security then disconnect the internet cable and lock the machine away in a vault. As I said before if software vendors use draconian methods to try and lock down software its counter productive because often the end user as a counter measure disables that protection, eg. people commonly disabled UAC on vista as it was over intrusive, and I (and others) disabled firefox plugin protection.

Whats funny is firefox doesnt block 2 year old flash versions. But blocks a 1 week old java version.

and yes I agree java is dieing but since the software is attached to no longer updated kvm kit, the devices I use will be java based forever until the hardware is replaced.

Also dont believe my browser is insecure, you assume wrong again I dont care. The difference is tho I also hold value to end user control and useability.

Microsoft dont automatically disable old versions of plugins. What they are moving towards is running plugins inside secure containers that dont have elevated permissions. Thats a much tidier solution than what mozilla have implemented. In fact firefox doesnt even have non elevation or built in sandboxing yet. Adobe had to make a special sandbox feature in flash to account for the firefox state.

--edit--

I can confirm now when trying to run a java web based app a prompt now pops up saying its out of date with an update button.

Edited by Chrysalis (Sat 02-Feb-13 11:37:06)

If there were a huge demand for features, they would be added to Chrome. In reality, the demand is tiny.

KVM is a niche market. It isn't as wide spread as something like Open Office. If you look at blackhole exploit kit statistics, you will find that Chrome users are just as likely to be exploited by a Java exploit, even when Chrome asks its users if they want to run Java. Users will often blindly click yes, just to get rid of notifications. They're used to being told the same thing by IT departments.

Click-to-play and plug-in blocking are new technologies, and will improve over time. It's never a smooth transition going from an insecure to secure environment. It took a while for people to get used to UAC after it was introduced in Vista.

In the wild exploits are more important than reported vulnerabilities. Chrome has vulnerabilities reported on a daily basis, this doesn't mean they're being exploited in the wild and put users at risk. Regular update ensure that users are protected.

Automatic background updates help to protect users. It's down to Firefox to sort out the plug-in white listing.

These steps are necessary because Oracle is lagging behind the competition. The majority of users won't notice a thing as more and more companies introduce automatic background updates. These features will improve over time, UAC is a good example of this.

Microsoft is always lagging behind the competition when it comes to security features, no surprise there. Adobe took advantage of plugin-container when they were working on the Flash sandbox. http://blogs.adobe.com/asset/2012/06/inside-flash-pl... -

IE has finally taken responsibility for Flash in the latest version and the new features in IE10 and Win8 are nice, but this doesn't help users stuck on older versions of the OS and browser. No wonder people are dropping IE!

Edited by Zadeks (Sat 02-Feb-13 12:40:19)

I am aware chrome is for the mass consumer market, which is why I dont like it. Not sure why we debating that plus its off topic.

I also have no issue with click to play.

No issue with whitelists.

I personally know noone who blindly clicks yes, my sister rings me up with aheart attack everytime it happens, my dad says no and emails me with screenshots. So whilst some people may blindly click yes not everyone does it, we cant handhold everyone , if people get infected tough.

Using firefox in its default state I wouldnt say is secure. Doing silly things like this isnt necessarily more secure either, patching software to close "fixed reported vulns" is just a small piece of the jigsaw.

By the way one reason I dont use chrome is the automatic background updates, and I disable it on firefox, am I an idiot for doing that and insecure? Since I heavily use my browser I have to test every new version, if it breaks something important then it doesnt get updated until I have a workaround or firefox themselves fix.

Network administrators in companies will often run outdated software for the reason they cant run incompatible apps, but it doesnt make them insecure, as they will lockdown systems in other ways to prevent successful exploitations. Patching is just part of the process.

Seems your idea is unless something is in widespread use it can be routinely made unusable (broken) and doesnt matter. This attitude is why users routinely disable security features which probably frustrates developers wondering why users do it. Since we going in circles I am stopping here.

To remind you on this final post, I wouldnt have had a real issue with it if there was a simple way to overide it and the app told me why the plugin wasnt working (instead of been sly about it and been silent), I would have just temporarily overriden for java and kept the blacklist function turned on.

Regarding automatic updates, the reason I dont approve silent updates is chrome and firefox are now merging security updates with feature updates, meaning one has to accept automatic feature updates which can easily introduce bugs, remove useability and break addons, features. If they had just automated security updates only but required human approval for feature updates I expect there would be much less hostility to it like people accepting automativ a/v updates.

So I am out of this thread now.

The point is that infection can be prevented through the use of white listing, click to play, automatic background updates, etc. We don't let people get infected just because they aren't technically minded.

i'm a Chrome power user and I've never experienced a bad update. You should probably look at another browser if FF really is as bad as you make it out to be. Maybe you're just a tad paranoid.

Running out of date software is insecure. Companies might attempt to lock down systems but in reality this usually just consists of installing anti-virus on the end points, which is why we see so many companies getting 0wned on a weekly basis.

Patching is an incredibly important part of the process. We've already started rolling out Secunia CSI because it makes management of Java & Adobe products so much easier.

You have Oracle to blame for the disabled plug-in. You wouldn't have to wait as long if they patched vulnerabilities quickly.

FF does tell users when and why plug-ins are blocked. Maybe you should direct your feedback at Mozilla.

Plenty of browser choice, feel free to jump ship if you don't like it. No sign of a mass exodus, seems most people couldn't give a damn.

so I am still here, browser choice is actually not great when they all copying each other especially firefox now starting to copy chrome. I have mad emy choice and firefox sadly is the best of a bad bunch.

Also one reason people arent educated is they are misinformed that as long as they have an a/v and update their software they are safe. Your message just reinforces that misleading message. Patched software is still vuln, just the vulns havent been disclosed yet.

Now i really need to get away from this thread as its sucking up my time.

The main misinformation is that AV keeps people safe. AV is snake oil, almost as bad as malware, because they use scaretatics to push it. The price of AV has dropped over the years because people are becoming wiser. Protecting against old threats is no good because it is so easy to obfuscate existing exploits.

If all software were kept up to date automatically, people would be far safer. The bad guys are still exploiting vulnerabilities that were patched years ago, just because people don't keep their systems up to date. Patched software is still vulnerable to what? Undiscovered vulnerabilities?

The bad guys don't waste 0day exploits on regular users when they can sell them for 100k to governments and other cyber criminals. They will often reverse engineer software patches and incorporate the exploit into their kits, sometime after the vendor has released a patch. There is nothing misleading about encouraging people to keep their systems up to date. It is free, doesn't hog system resources and takes little time. Secunia PSI FTW.

In reply to a post by Zadeks:

Plenty of browser choice, feel free to jump ship if you don't like it. No sign of a mass exodus, seems most people couldn't give a damn.

There are little differences between some, and it may be down to personal preference, but for example, I could never use Opera, as it doesn't do what I want.

Soon Chrome will be over the 50% share of the browser market in some website measuring data:

http://www.w3schools.com/browsers/browsers_stats.asp

Not because it's inherently better, but because it is better marketed. How else could it make such strides since its inception, if FF took far longer, and IE retained its grip for so long? We all agree there was a point that FF was the major competition to IE and it was a far better browser for standards, security and features?

So it takes around five years to overtake IE, while Chrome, a decent browser, but by no means head and shoulders above FF in the way it is to IE takes the big share in less than four years. Big company marketing, coupled with toolbars, add-ons and then browsers. If it's not the google toolbar, it's the yahoo toolbar.

No one has ever asked me to install a FF or Opera toolbar, and that will probably be why Chrome is now the top dog. Remember that. Marketing; not superior product (by that I mean I remain unconvinced that there's much difference between Chrome, FF and Opera for the user who has never used any of them...we all find the browser we prefer).

If we're talking pure HTML5 tests, Maxthon leads the way, and while Opera out scores FF, I find Opera lacking for me from time to time in usability. Safari is pretty much along the same lines in that sometimes it seems just the same, other times it's not so good (for me).

i'm a Chrome power user and I've never experienced a bad update.

Not sure the date of this, but it is probably in the '93-'95 era. I wonder how much has changed?

http://www.gnu.org/fun/jokes/power.users.html

I've seen bad updates for a multitude of products. It doesn't make the product bad. It just makes the update bad.