Security Updates
Moderator: trava90
Forum rules
This board is for technical/general usage questions and troubleshooting for the Pale Moon browser only.
Technical issues and questions not related to the Pale Moon browser should be posted in other boards!
Please keep off-topic and general discussion out of this board, thank you!
Security Updates
Hi Folks!
I am wondering how long Pale Moon will remain "secure", because Firefox has had so many changes since Quantum was published.
Is it possible for Moonchild to implement all security updates which were released for Firefox Quantum, or is this not necessary?
Kind Regards,
Dölli
Re: Security Updates
Pale Moon development is independent of Mozilla and has been for quite a while now. If Firefox disappeared tomorrow, Pale Moon will still receive security updates. The same cannot be said for Waterfox, as Waterfox is not a true fork.
Re: Security Updates
Security updates from Firefox are applied if what it fixes is applicable to Pale Moon. If not, then not.
a.k.a. Ascrod
Linux Mint 19.3 Cinnamon (64-bit), Debian Bullseye (64-bit), Windows 7 (64-bit)
"As long as there is someone who will appreciate the work involved in the creation, the effort is time well spent." ~ Tetsuzou Kamadani, Cave Story
Re: Security Updates
Mozilla's development introduces a steady stream of new vulnerabilities by constantly rewriting and refactoring code, regularly with blatant disregard to safeguards in code (I've seen many things being refactored incompletely, introducing a sec vulnerability as a result only to need the safeguard to be reinstated that was in the original code -- somehow this very regularly slips through the reviewing process at Mozilla).
Many things have changed with Quantum, indeed. As such, many things will not apply to our code, some things need to address the principle behind the bug if it applies and need custom fixes written for them, and some things will apply directly. Quantum may have changed many things, but many things are also still the same. It's not a brand new program/platform.
Each cycle an audit is made of which of the sec bugs are applicable to our code, and relevant code changes are ported. More often than not, there are more bugs discarded as N/A than actually in need of porting, because we won't have the vulnerabilities that are addressed in those bugs to begin with.
Aside from that, our own development will include sec updates unrelated to Mozilla or their code.
Last edited by Moonchild on 2018-05-28, 03:38, edited 2 times in total.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
Re: Security Updates
Thank you for the fast answers!
With this in mind, many thanks to Moonchild and all those who are working on this project!
Re: Security Updates
I just found it by chance, but I'll still be using Pale Moon!
https://www.howtogeek.com/335712/update ... -basilisk/
Last edited by Doelli on 2018-05-28, 22:06, edited 1 time in total.
Re: Security Updates
Don't believe everything you read in articles, especially if they immediately set a precedent and bias in their title.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
Re: Security Updates
Moonchild wrote:
Don't believe everything you read in articles,
And, I would add, especially don't believe everything you read in the comments section.
Re: Security Updates
Doelli wrote:
I just found it by chance, but I'll still be using Pale Moon!
https://www.howtogeek.com/335712/update ... -basilisk/
It's unfortunate that the same misconceptions and misinformation keep being spread around, especially by places that should know better. All of this stems from the fact that so many people simply refuse to acknowledge that Pale Moon is its own browser and is in no way tethered to Firefox. It's an inconvenient reality that some forks forever remain in the shadow of their source. Perhaps years from now people will still think of Pale Moon as "that browser that's actually old Firefox underneath" when it's simply not the case and hasn't been for so many years now. The "outdated" stigma is hard to correct, but the proof is in the code, and I believe that history will one day clearly show that not only is Pale Moon as secure as Firefox, but is in many ways more secure.
"Even if you don’t completely trust some of Mozilla’s business decisions, your browser is just too important to be left to a small community of enthusiasts."
The author loses all credibility to me after that line. Why place your trust in a gathering of competent, like-minded individuals who share your values, when you can place your window to the greatest human resource to ever exist in the hands of a corporation who doesn't care about their users? Such brilliant logic!
Re: Security Updates
HaleSun wrote:
and I believe that history will one day clearly show that not only is Pale Moon as secure as Firefox, but is in many ways more secure.
Hopefully one day Firefox will get an outstanding security issue caused by some of their "modern" features, then people might realize that there's a reason why that bug would not affect Pale Moon or Basilisk.
Re: Security Updates
God, Mozilla is an asinine company. Just reading what Moonchild said about their code is unreal. Then you have asshats in blogs and websites saying crap like Pale Moon is outdated, etc. Nothing could be further from the truth. The code in PM is probably very much different than that of FF, and as such certain patches are applied to that code base as needed. No two are the same. It's analogous to the differences between Linux patches and Windows patches. They are both different and require different patches for that code.
The only bad thing I see with PM is the UA. Since so many websites want to see a Chrome or a FF UA, the whole damn site gets rendered sometimes like a piece of crap or doesn't work right at all. Pretty stupid that some sites use UA sniffing. I solve this by using the add-on UAControl with a Linux x64 Firefox UA. I stay abreast of all FF releases and update my UA accordingly. Other than that, I've had not too many issues with Pale Moon.
Last edited by Phantom on 2018-05-29, 08:21, edited 2 times in total.
Re: Security Updates
I have always been an advocate of Firefox from down the Netscape line, but more and more disappointments keep popping up, such as dropping support for NPAPI, and then dropping support for Java and then dropping support for Flash. In the end, what do you have? Just another whining browser that keeps complaining that although I updated only 1 week ago, it is insecure because I don't have the latest version. Yet version 43 works fine on most websites.
Firefox has become a useless tool for my needs, and Google is responsible for that.
Re: Security Updates
I've asked previously if Palemoon is worth switching to viewtopic.php?f=3&t=19232
This topic is about security and I have even more concerns.
HaleSun wrote:
It's unfortunate that the same misconceptions and misinformation keep being spread around, especially by places that should know better. All of this stems from the fact that so many people simply refuse to acknowledge that Pale Moon is its own browser and is in no way tethered to Firefox.
Except that Palemoon relies on the security updates from Mozilla to fix issues. Not all are relevant from what I can see, but the simple fact that Palemoon accesses, and in some cases applies, these updates means it is most definitely tethered to Firefox or there would be no need for them. What happens when the version of Firefox that Palemoon is based on is no longer security maintained by Mozilla? Is Palemoon going to be a security risk? If the underlying Mozilla code is still receiving fixes, why will it suddenly be risk free when Mozilla stops supporting it?
Moonchild wrote:
our own development will include sec updates unrelated to Mozilla or their code.
HaleSun wrote:
Pale Moon development is independent of Mozilla and has been for quite a while now. If Firefox disappeared tomorrow, Pale Moon will still receive security updates.
Based on audits by whom? How are these security issues discovered?
Other than the core devs of Palemoon, does any organisation audit the code? How many security issues have been reported by 'outside' orgs for Palemoon in the past year, if any?
Please don't reply "we write secure code". Everyone tries to.
There seems to be a great deal of trust from users in this thread, however, from what I can see they aren't contributing to the development so are more likely just basing replies on a 'good will' gesture rather than having concrete knowledge.
I'd be interested to hear replies from the devs that look at security rather than users that probably can't answer the questions I've posed in this reply.
Re: Security Updates
I think Phantom is exaggerating Pale Moon's difference from Firefox; they're definitely more similar than Windows and Linux, and a lot of problems that Mozilla finds are directly relevant. Although continued divergence from the Mozilla codebase does mean that changes, including sec fixes, can get harder to port (when they apply to Pale Moon at all, of course), as you say, DrKnow, I do trust Moonchild and the other devs. I can't speak to independent audits; I don't know, Moonchild will.
Re: Security Updates
DrKnow wrote:
Except that Palemoon relies on the security updates from Mozilla to fix issues. Not all are relevant from what I can see, but the simple fact that Palemoon accesses, and in some cases applies, these updates means it most definitely tethered to Firefox or there would be no need for them.
These are exactly the misconceptions I was talking about. Let me clarify the current situation:
1. Pale Moon receives security updates specific to Pale Moon.
2a. Firefox receives security updates.
2b. If the above Firefox security patches are applicable to Pale Moon, then those patches are ALSO ported over, ADDING to the browser-specific security patches that Pale Moon ALREADY receives, and will CONTINUE to receive should Firefox development cease.
I am deliberately emphasizing the mutual exclusivity of these two SEPARATE processes. Pale Moon doesn't "need" Firefox's security developments, but to put this another way, if a benefit exists it would be dumb to not take advantage of it. Pale Moon can take advantage of some Firefox patches to further increase its own security, but the key distinction here is that the relationship is beneficial, not dependent.
DrKnow wrote:
What happens when the version of Firefox that Palemoon is based on is no longer security maintained by Mozilla?
DrKnow wrote:
If the underlying Mozilla code is still receiving fixes, why will it suddenly be risk free when mozilla stops supporting it?
Technically this has already happened, so what's "going to happen" is what's already happening RIGHT NOW (it's actually very old news at this point). This again goes back to what I said previously about how people simply refuse to acknowledge that Pale Moon is its own browser. It is the nature of a true fork to diverge further from its source and at this point Pale Moon is already very far away from what Mozilla "maintains".
DrKnow wrote:
Is Palemoon going to be a security risk?
Going back to the previous answer, if Pale Moon was going to become a security risk it would have already happened a long time ago. The fact that it hasn't happened yet means that there is no plausible reason for it to happen in the future barring some drastic deviation in Pale Moon's development ethos.
The thing about browser security is that it doesn't happen in isolated "islands". All browsers have certain traits in common by nature of sharing a common set of protocols. This means that outside of browser-specific security, there is also "general security" which affects all browsers equally, and in this area in particular Pale Moon is not lagging behind even the slightest bit. For example, when news broke of the punycode exploit Pale Moon very quickly released a countermeasure. I have never heard of a case where Pale Moon had a vulnerability that other browsers did not, but I have seen many instances where other browsers were affected by security exploits that couldn't work on Pale Moon such as the numerous WebRTC vulnerabilities.
Re: Security Updates
HaleSun, thank you for your clear post! It states in completely different wording what I have tried to get across many times myself, which I hope can only clarify things for people if they do not or did not understand the way I explained it previously.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
Re: Security Updates
Those that don't know where the security updates come from should Google three little letters: CVE.
Re: Security Updates
Phantom wrote:
Those that don't know where the security updates come from should Google three little letters: CVE.
It would be better to stay on topic and try to be more constructive; the above doesn't feel very helpful.
Re: Security Updates
From the comments, Palemoon has had so many changes it should be considered separate and independent from Firefox. Fair enough.
Given that, I'll ask again about security fixes applied to Palemoon that aren't derived from Mozilla.
How are these security issues discovered? Based on audits by whom?
Other than the core devs of Palemoon, does any organisation audit the code?
Additionally, who constitutes the security team investigating security issues? I can't find any information on the Palemoon site, and searching the web leads me to some discussions that suggest there isn't any.
Is this the case? And further, what testing is done to ensure Palemoon is secure?