When more bugs can mean tighter security

The Mozilla Foundation is perhaps best known for its Firefox web browser, an open-source offering that was first developed to go head-to-head with Microsoft's Internet Explorer.

Tristan Nitot, the president of Mozilla Europe, has much to say on the differences between Microsoft's and Mozilla's approaches to browser development. ZDNet.co.uk caught up with Nitot at the Online Information conference in London this week to talk about the security of Firefox and Internet Explorer (IE), online privacy and the future of open source.

Q: A recent study by Jeff Jones, a Microsoft security strategy director, found Internet Explorer to be more secure than Firefox. Are you surprised?
A: I'm surprised that bug counting, which is a terrible metric, was used by Microsoft. It isn't easy to assess security, but bug counting definitely isn't the way to do it. I'd rather talk about time to fix the duration of the window where users are at risk, which in our opinion is a much better metric.

In a nutshell, Microsoft claimed that because Mozilla had fixed more vulnerabilities since 2004 than Microsoft, IE was more secure than Firefox. What do you think of that argument?
To quote Mike Shaver, [Mozilla's director of ecosystem development], just because dentists fix more teeth in America doesn't mean we have worse teeth than Africa. Just compare the number of high-security advisories over time between Internet Explorer, Firefox and Opera.

What is your opinion of the claim that the more vulnerabilities fixed, the less secure the browser?
It's false logic. If you have issues and don't fix them you will look good on the outside but in reality you still have the issues. There's a really good movie, Les Repos — in English, "The Rotten Ones" — about two cops, one old, one young, and the younger is in the process of being corrupted by the older. They find a bad guy, catch him, and the young one wants to take the bad guy to the police station. But the old one says: "You can't do that — if we take him to the station the crime statistics will increase, and we will look bad. Release the guy and take his money. That punishes him."

This is comparable — if you do the right thing you look bad, but people are safer. What really counts is that our users are secure, and that people count on us to do the right thing. People within the Mozilla community have a better-than-average understanding of this — we work together and have to trust each other. If people hide, it's no good for the community or overall motivation. But we're not building fixes for our teams, we're building them for our users.

Let me give you a recent example. Ten days ago we released Firefox 2.0.0.10. When we released it a couple of hours later we found we'd introduced a regression, and that some website extensions were broken. We quickly decided to do another release, 2.0.0.11, which we released on Thursday night, three-and-a-half days later, which is a good turnaround. We don't like asking our users to update twice in a week, but we don't like regressions.

I prefer Mozilla's approach — be transparent, and have our users secure, even if in terms of numbers that doesn't put us in a favourable light

So it doesn't work to compare the number of vulnerabilities between the browsers?
It's not good because it's comparing apples to oranges. Bug counting at Mozilla is very different to bug counting at Microsoft. We are open. We cannot hide or silently fix bugs — it would be betraying our community. We have to be transparent.

We like this, but it costs us in terms of PR. In Microsoft's world, people find bugs internally and will not publish or talk about security bugs. These bugs won't be counted by third parties, and can be silently fixed and pushed out in an update or service pack. And Microsoft service packs take a long time to come out — a year at least, maybe two. In the meantime, users are at risk.

I prefer Mozilla's approach — be transparent, and have our users secure, even if in terms of numbers that doesn't put us in a favourable light.

Microsoft's Jones criticised the length of time Firefox releases are supported, saying Mozilla drops its support before operating systems such as Ubuntu [which has committed to providing security support for Firefox 1.5 until 2009]. What is your response?
We are committed to providing a new major release every six months, but we are open source. You can port fixes from Firefox 2.2 and 3 to 1.5, if you like, or ask Ubuntu to do it for you. Microsoft still supports IE 5.01, which is an obsolete browser. IE6 is already obsolete, so — IE5 — come on!

The web is in its infancy, but we have already wasted a long time in terms of innovation because browsers aren't evolving. Five years to have IE6 is way too long. Why would we want to stick to very old browsers that prevent websites from innovating?

Do you use Windows yourself?
I used to use Windows, but now I use a Mac.

Why did you change?
It was because of the end-user licence agreement [EULA] in XP Service Pack 2. When SP2 came out, I read the EULA, because it's a contract. If you click "I accept", you've effectively signed a contract that binds you to Microsoft. When you sign something you've got to read it [beforehand]. But what I saw was so creepy I couldn't click on the "I accept" button.

The EULA says that some files on your hard disk will be encrypted, and you won't have the key, and have to ask Microsoft...