Security Updates

Doelli
Moonbather
Posts: 55
Joined: 2014-10-11, 15:25
Location: Germany

Security Updates

Unread post by Doelli » 2018-05-27, 16:36

Hi Folks!

I am wondering how long Pale Moon will stay "secure", because Firefox has had so many changes since Quantum was published.
Is it possible for Moonchild to implement all security updates which were released for Firefox Quantum, or is this not necessary?

Kind Regards,

Dölli

HaleSun
Fanatic
Posts: 109
Joined: 2016-03-11, 11:39

Re: Security Updates

Unread post by HaleSun » 2018-05-27, 19:59

Pale Moon development is independent of Mozilla and has been for quite a while now. If Firefox disappeared tomorrow, Pale Moon would still receive security updates. The same cannot be said for Waterfox, as Waterfox is not a true fork.

Isengrim
Board Warrior
Posts: 1325
Joined: 2015-09-08, 22:54
Location: 127.0.0.1

Re: Security Updates

Unread post by Isengrim » 2018-05-27, 20:22

Security updates from Firefox are applied if what it fixes is applicable to Pale Moon. If not, then not.
a.k.a. Ascrod
Linux Mint 19.3 Cinnamon (64-bit), Debian Bullseye (64-bit), Windows 7 (64-bit)
"As long as there is someone who will appreciate the work involved in the creation, the effort is time well spent." ~ Tetsuzou Kamadani, Cave Story

Moonchild
Pale Moon guru
Posts: 35633
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Security Updates

Unread post by Moonchild » 2018-05-28, 03:36

Mozilla's development introduces a steady stream of new vulnerabilities by constantly rewriting and refactoring code, regularly with blatant disregard to safeguards in code (I've seen many things being refactored incompletely, introducing a sec vulnerability as a result only to need the safeguard to be reinstated that was in the original code -- somehow this very regularly slips through the reviewing process at Mozilla).
Many things have changed with Quantum, indeed. As such, many things will not apply to our code, some things need to address the principle behind the bug if it applies and need custom fixes written for them, and some things will apply directly. Quantum may have changed many things, but many things are also still the same. It's not a brand new program/platform.

Each cycle an audit is made of which of the sec bugs are applicable to our code, and relevant code changes are ported. More often than not, there are more bugs discarded as N/A than actually in need of porting, because we won't have the vulnerabilities that are addressed in those bugs to begin with.
Aside from that, our own development will include sec updates unrelated to Mozilla or their code.
Last edited by Moonchild on 2018-05-28, 03:38, edited 2 times in total.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

Doelli
Moonbather
Posts: 55
Joined: 2014-10-11, 15:25
Location: Germany

Re: Security Updates

Unread post by Doelli » 2018-05-28, 18:21

Thank you for the fast answers!

With this in mind, many thanks to Moonchild and all those who are working on this project!

Doelli
Moonbather
Posts: 55
Joined: 2014-10-11, 15:25
Location: Germany

Re: Security Updates

Unread post by Doelli » 2018-05-28, 22:05

I just found it by chance, but I'll still be using Pale Moon!

https://www.howtogeek.com/335712/update ... -basilisk/
Last edited by Doelli on 2018-05-28, 22:06, edited 1 time in total.

Moonchild
Pale Moon guru
Posts: 35633
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Security Updates

Unread post by Moonchild » 2018-05-29, 00:50

Don't believe everything you read in articles, especially if they immediately set a precedent and bias in their title.

ron_1
Moon Magic practitioner
Posts: 2858
Joined: 2012-06-28, 01:20

Re: Security Updates

Unread post by ron_1 » 2018-05-29, 00:52

Moonchild wrote:
Don't believe everything you read in articles,
And, I would add especially don't believe everything you read in the comments section.

HaleSun
Fanatic
Posts: 109
Joined: 2016-03-11, 11:39

Re: Security Updates

Unread post by HaleSun » 2018-05-29, 01:37

Doelli wrote: I just found it by chance, but I'll still be using Pale Moon!

https://www.howtogeek.com/335712/update ... -basilisk/
It's unfortunate that the same misconceptions and misinformation keep being spread around, especially by places that should know better. All of this stems from the fact that so many people simply refuse to acknowledge that Pale Moon is its own browser and is in no way tethered to Firefox. It's an inconvenient reality that some forks forever remain in the shadow of their source. Perhaps years from now people will still think of Pale Moon as "that browser that's actually old Firefox underneath" when it's simply not the case and hasn't been for so many years now. The "outdated" stigma is hard to correct, but the proof is in the code, and I believe that history will one day clearly show that not only is Pale Moon as secure as Firefox, but is in many ways more secure.
Even if you don’t completely trust some of Mozilla’s business decisions, your browser is just too important to be left to a small community of enthusiasts.
The author loses all credibility to me after that line. Why place your trust in a gathering of competent, like-minded individuals who share your values, when you can place your window to the greatest human resource to ever exist in the hands of a corporation who doesn't care about their users? Such brilliant logic!

vannilla
Moon Magic practitioner
Posts: 2193
Joined: 2018-05-05, 13:29

Re: Security Updates

Unread post by vannilla » 2018-05-29, 08:01

HaleSun wrote: and I believe that history will one day clearly show that not only is Pale Moon as secure as Firefox, but is in many ways more secure.
Hopefully one day Firefox will get an outstanding security issue caused by some of their "modern" features, then people might realize that there's a reason why that bug would not affect Pale Moon or Basilisk. :lol:

Phantom

Re: Security Updates

Unread post by Phantom » 2018-05-29, 08:20

God, Mozilla is an asinine company. Just reading what Moonchild said about their code is unreal. Then you have asshats in blogs and websites saying crap like Pale Moon is outdated, etc. Nothing could be further from the truth. The code in PM is probably very much different than that of FF, and as such certain patches are applied to that code base as needed. No two are the same. It's analogous to the differences between Linux patches and Windows patches. They are both different and require different patches for that code.

The only bad thing I see with PM is the UA. Since so many websites want to see a Chrome or a FF UA, the whole damn site sometimes gets rendered like a piece of crap or doesn't work right at all. Pretty stupid that some sites use UA sniffing. I solve this by using the add-on UAControl with a Linux x64 Firefox UA. I stay abreast of all FF releases and update my UA accordingly. Other than that, I haven't had too many issues with Pale Moon.
Last edited by Phantom on 2018-05-29, 08:21, edited 2 times in total.

Pelican
Fanatic
Posts: 220
Joined: 2018-02-23, 06:51

Re: Security Updates

Unread post by Pelican » 2018-05-29, 08:57

I have always been an advocate of Firefox from down the Netscape line, but more and more disappointments keep popping up, such as dropping support for NPAPI, and then dropping support for Java and then dropping support for Flash. In the end, what do you have? Just another whining browser that keeps complaining that, although I updated only 1 week ago, it is insecure because I don't have the latest version. Yet version 43 works fine on most websites.

Firefox has become a useless tool for my needs, and Google is responsible for that :-(

DrKnow

Re: Security Updates

Unread post by DrKnow » 2018-05-30, 00:58

I've asked previously if Palemoon is worth switching to: viewtopic.php?f=3&t=19232

This topic is about security and I have even more concerns.
HaleSun wrote: It's unfortunate that the same misconceptions and misinformation keep being spread around, especially by places that should know better. All of this stems from the fact that so many people simply refuse to acknowledge that Pale Moon is its own browser and is in no way tethered to Firefox.
Except that Palemoon relies on the security updates from Mozilla to fix issues. Not all are relevant from what I can see, but the simple fact that Palemoon accesses, and in some cases applies, these updates means it is most definitely tethered to Firefox, or there would be no need for them. What happens when the version of Firefox that Palemoon is based on is no longer security maintained by Mozilla? Is Palemoon going to be a security risk? If the underlying Mozilla code is still receiving fixes, why will it suddenly be risk free when Mozilla stops supporting it?
Moonchild wrote: our own development will include sec updates unrelated to Mozilla or their code.
HaleSun wrote: Pale Moon development is independent of Mozilla and has been for quite a while now. If Firefox disappeared tomorrow, Pale Moon will still receive security updates.
Based on audits by whom? How are these security issues discovered?
Other than the core devs of Palemoon, does any organisation audit the code? How many security issues have been reported by 'outside' orgs for Palemoon in the past year, if any?
Please don't reply "we write secure code" :) Everyone tries to.

There seems to be a great deal of trust from users in this thread, however, from what I can see they aren't contributing to the development so are more likely just basing replies on a 'good will' gesture rather than having concrete knowledge.

I'd be interested to hear replies from the devs that look at security rather than users that probably can't answer the questions I've posed in this reply.

SpockFan02
Astronaut
Posts: 535
Joined: 2017-09-24, 16:35
Location: Mak pupulusšum, California

Re: Security Updates

Unread post by SpockFan02 » 2018-05-30, 02:00

I think Phantom is exaggerating Pale Moon's difference from Firefox; they're definitely more similar than Windows and Linux, and a lot of problems that Mozilla finds are directly relevant. Although continued divergence from the Mozilla codebase does mean that changes, including sec fixes, can get harder to port (when they apply to Pale Moon at all, of course), as you say, DrKnow, I do trust Moonchild and the other devs. I can't speak to independent audits; I don't know, Moonchild will.

HaleSun
Fanatic
Posts: 109
Joined: 2016-03-11, 11:39

Re: Security Updates

Unread post by HaleSun » 2018-05-30, 08:55

DrKnow wrote: Except that Palemoon relies on the security updates from Mozilla to fix issues. Not all are relevant from what I can see, but the simple fact that Palemoon accesses, and in some cases applies, these updates means it is most definitely tethered to Firefox, or there would be no need for them.
These are exactly the misconceptions I was talking about. Let me clarify the current situation:

1. Pale Moon receives security updates specific to Pale Moon.

2a. Firefox receives security updates.
2b. If the above Firefox security patches are applicable to Pale Moon, then those patches are ALSO ported over, ADDING to the browser-specific security patches that Pale Moon ALREADY receives, and will CONTINUE to receive should Firefox development cease.

I am deliberately emphasizing the mutual exclusivity of these two SEPARATE processes. Pale Moon doesn't "need" Firefox's security developments, but to put this another way, if a benefit exists it would be dumb to not take advantage of it. Pale Moon can take advantage of some Firefox patches to further increase its own security, but the key distinction here is that the relationship is beneficial, not dependent.
DrKnow wrote: What happens when the version of Firefox that Palemoon is based on is no longer security maintained by Mozilla?
DrKnow wrote: If the underlying Mozilla code is still receiving fixes, why will it suddenly be risk free when Mozilla stops supporting it?
Technically this has already happened, so what's "going to happen" is what's already happening RIGHT NOW (It's actually very old news at this point). This again goes back to what I said previously about how people simply refuse to acknowledge that Pale Moon is its own browser. It is the nature of a true fork to diverge further from its source and at this point Pale Moon is already very far away from what Mozilla "maintains".
DrKnow wrote: Is Palemoon going to be a security risk?
Going back to the previous answer, if Pale Moon was going to become a security risk it would have already happened a long time ago. The fact that it hasn't happened yet means that there is no plausible reason for it to happen in the future barring some drastic deviation in Pale Moon's development ethos.

The thing about browser security is that it doesn't happen in isolated "islands". All browsers have certain traits in common by nature of sharing a common set of protocols. This means that outside of browser-specific security, there is also "general security" which affects all browsers equally, and in this area in particular Pale Moon is not lagging behind even the slightest bit. For example, when news broke of the punycode exploit Pale Moon very quickly released a countermeasure. I have never heard of a case where Pale Moon had a vulnerability that other browsers did not, but I have seen many instances where other browsers were affected by security exploits that couldn't work on Pale Moon such as the numerous WebRTC vulnerabilities.

Moonchild
Pale Moon guru
Posts: 35633
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Security Updates

Unread post by Moonchild » 2018-05-30, 11:05

HaleSun, thank you for your clear post! It states in completely different wording what I have tried to get across many times myself, which I hope can only clarify things for people if they do not or did not understand the way I explained it previously.

Phantom

Re: Security Updates

Unread post by Phantom » 2018-05-30, 11:17

Off-topic:
WilliamK wrote: I have always been an advocate of Firefox from down the Netscape line, but more and more disappointments keep popping up, such as dropping support for NPAPI, and then dropping support for Java and then dropping support for Flash. In the end, what do you have? Just another whining browser that keeps complaining that, although I updated only 1 week ago, it is insecure because I don't have the latest version. Yet version 43 works fine on most websites.

Firefox has become a useless tool for my needs, and Google is responsible for that :-(
I used to love Firefox, as I'm sure at least 99.9% of every user here has as well. I used the Mozilla browser prior to Firefox. Actually, I think it was called Phoenix back then. It wasn't until they tried to copy Chrome that I ditched it. As to lack of support for Flash: well, Flash is dying in place of HTML5, and thank God for that. Flash is a nightmare on the CPU and has more security holes in it than Swiss cheese. YouTube already went full-blown HTML5. Java, on the other hand, is a security nightmare too. I don't run across too many websites requiring it, and I've just opted not to install Java. And if I find a program on Sourceforge that uses Java I just avoid it. I know it will burn through the CPU and I don't want its browser plugin.
Last edited by satrow on 2018-05-30, 13:31, edited 2 times in total.

Phantom

Re: Security Updates

Unread post by Phantom » 2018-05-30, 11:18

Those that don't know where the security updates come from should Google three little letters: CVE.

satrow
Forum staff
Posts: 1885
Joined: 2011-09-08, 11:27

Re: Security Updates

Unread post by satrow » 2018-05-30, 13:39

Phantom wrote: Those that don't know where the security updates come from should Google three little letters: CVE.
It would be better to stay on topic and try to be more constructive; the above doesn't feel very helpful.

DrKnow

Re: Security Updates

Unread post by DrKnow » 2018-05-30, 19:48

From the comments, Palemoon has had so many changes it should be considered separate and independent from Firefox. Fair enough.

Given that, I'll ask again about security fixes applied to Palemoon that aren't derived from Mozilla.

How are these security issues discovered? Based on audits by whom?
Other than the core devs of Palemoon, does any organisation audit the code?

Additionally, who constitutes the security team investigating security issues? I can't find any information on the Palemoon site, and searching the web leads me to some discussions that suggest there isn't any.

Is this the case? And further, what testing is done to ensure Palemoon is secure?
