ie, is Gecko 1.9.2.x still supported with security updates? When one runs Firefox 3.6.28 (1.9.2.28 Gecko/20120306), one gets this message:
"This version is out of date. For the latest security, performance and feature enhancements get the newest version instead."
Or does the security enhancements only refer to security features?
Is it still safe to use Camino?
Moderator: Camino Developers
-
Uncle Asad
- Camino Developer
- Posts: 3957
- Joined: July 24th, 2004, 1:38 pm
- Location: بين العالمين
- Contact:
Re: Is it still safe to use Camino?
Firefox stopped fixing security issues on 1.9.2.x in March (although they didn't make that clear until their May releases); we are going to release at least one more Camino update with backported security fixes (although this has been slower to happen than we'd like due to time constraints).
As to whether it's still "safe" to use Camino, safety isn't really a binary condition, it's a spectrum. You're most at risk from vulnerabilities that hackers know of and product vendors do not (or have not yet fixed); these are sometimes known as "zero-days" when the exploit is in the wild. With these types of vulnerabilities, pretty much everyone is at risk/"unsafe".
Following that, you're more at risk for patched vulnerabilities in software whose userbase doesn't update quickly/regularly (where there would be a significant-enough vulnerable userbase to make it worth exploiting). Examples of these types of vulnerabilities include Flash vulnerabilities (Flash 10.0- and 10.1-based attacks are part of common vulnerability toolkits, since Flash didn't have any sort of update story until Flash 11.x) and the recent "Flashback" attack, which exploited holes in Java that Oracle had patched but which Apple had not shipped to users. Generally speaking, there's good uptake for Gecko updates, so there's lesser likelihood of fixed holes in Gecko being worth exploiting; it's also possible that the malware protection in Camino may stop you from visiting known sites that vend malware, possibly offering some additional degree of mitigation (I don't know how effective this was in, e.g., the Flashback outbreak). It's not a guarantee that these fixed bugs will not be exploited, though.
So, would you be safer using another browser that is still getting regular security updates? Yes. How much safer? It's hard to say exactly, given the above. It's probably still reasonably safe to use Camino 2.1.2 until we get 2.1.3 out, but you should evaluate your situation, knowledge level, etc., and make a choice you're comfortable with.
As to whether it's still "safe" to use Camino, safety isn't really a binary condition, it's a spectrum. You're most at risk from vulnerabilities that hackers know of and product vendors do not (or have not yet fixed); these are sometimes known as "zero-days" when the exploit is in the wild. With these types of vulnerabilities, pretty much everyone is at risk/"unsafe".
Following that, you're more at risk for patched vulnerabilities in software whose userbase doesn't update quickly/regularly (where there would be a significant-enough vulnerable userbase to make it worth exploiting). Examples of these types of vulnerabilities include Flash vulnerabilities (Flash 10.0- and 10.1-based attacks are part of common vulnerability toolkits, since Flash didn't have any sort of update story until Flash 11.x) and the recent "Flashback" attack, which exploited holes in Java that Oracle had patched but which Apple had not shipped to users. Generally speaking, there's good uptake for Gecko updates, so there's lesser likelihood of fixed holes in Gecko being worth exploiting; it's also possible that the malware protection in Camino may stop you from visiting known sites that vend malware, possibly offering some additional degree of mitigation (I don't know how effective this was in, e.g., the Flashback outbreak). It's not a guarantee that these fixed bugs will not be exploited, though.
So, would you be safer using another browser that is still getting regular security updates? Yes. How much safer? It's hard to say exactly, given the above. It's probably still reasonably safe to use Camino 2.1.2 until we get 2.1.3 out, but you should evaluate your situation, knowledge level, etc., and make a choice you're comfortable with.
Mac OS X 10.3.9 • PowerBook G4 17" 1.33 GHz | Mac OS X 10.5.x • MacBook Pro 15" 2.2 GHz
Snow7's Camino Forum FAQ Search the Forum Camino. Help Troubleshoot Camino
Snow7's Camino Forum FAQ Search the Forum Camino. Help Troubleshoot Camino
-
manuchao
- Posts: 96
- Joined: December 4th, 2007, 10:01 am
Re: Is it still safe to use Camino?
Thanks, in particular for the details of the timeline including the heads up for one more Camino update. Camino is still my favourite browser, Firefox is just plain ugly in comparion (and lacks the OS keychain integration), thus I guess I will move to Safari at some point which looks nice enough (my online banking already happens there), though it might be more resource hungry.