Security/privacy implications of outdated browser/addons?

[paranoid201]

I use very old versions of Firefox and several addons, including NoScript, RequestPolicy and CookieSafe. I don't like updating things, because reviewing changelogs and adjusting settings accordingly is time-consuming, especially for Firefox updates.

I know this behavior exposes me to many theoretical security risks. But I figure that the actual chance of running into problems is low. What do you think? (I have a very small whitelist in NoScript and RequestPolicy, and I only temporarily allow scripts when there's a good reason. I use a different browser for sites that require personal information.)

Also, this behavior makes my browser vulnerable fingerprinting. According to Panopticlick, only one in 3000 browsers have the same fingerprint as mine. Is this something you would be concerned about?

[dhouwn]

Fingerprintability should be the least of your concerns, you should rather take a look at the vulnerabilities your outdated Firefox has: http://www.mozilla.org/security/known-v ... fox36.html

And concerning theoretical vs. real risk, is it worth taking the theoretical risk? Also, the real risk of being infected with something when using a fairly outdated system rather than a little outdated one might be actually lower because when something is very old and exotic then even malware authors might not care about it.
So why don't you rather use Phoenix 0.4 on Windows 98?

[paranoid201]

"is it worth taking the theoretical risk?"

That's what I'm trying to decide. It certainly could be worth the risk. I've seen that vulnerability list before. I'm not an expert, so most of the summaries are meaningless to me. But it seems that often, vulnerabilities listed as critical aren't very easy to exploit, and have not actually been exploited, as far as the developers know.

[dhouwn]

Still, is laxness worth it? I fail to see how the little effort it takes to apply minor updates could justify behaving laggardly in this regard.

[therube]

You're running 3.6.3.
Why in the world would you not at least update to 3.6.22?

At least you would be current with that older branch - which is still supported at this point.

> this behavior makes my browser vulnerable fingerprinting

Big deal (IMO).

[mikeyarde]

today we see the many browser and addons, this browser and addons are invented for the purpose of solving the problem face through the outdated version of it. we have to face many problem with it so we have to use the new browser or addons . Also we need some security against the outdated browser and addons. so we have some security like as follows
1: finger print recognition.
2: face recognition.
3: voice call recognition.

[Tom T.]

I use very old versions of Firefox and several addons, including NoScript, RequestPolicy and CookieSafe. I don't like updating things, because reviewing changelogs and adjusting settings accordingly is time-consuming, especially for Firefox updates.

Since this got bumped by an irrelevant post (possibly future spammer, but this one was innocuous, not spam), I'd like to point out what was (surprisingly, to me) not pointed out by the others.

If you update within the Firefox 3.x line, all of your current settings should be saved and be fine. So no excuse not to go to what is now 3.6.24.

Add-ons shouldn't need to be changed or reconfigured to your new 3.6.x; at most, a "compatibility update" will be applied, at no effort on your part.

NoScript and Request Policy updates rarely require any user action, especially in the above scenario. NS settings should be preserved, and if you don't want to look at changelogs, be assured that for any new settings, the default set by Giorgio is almost always good for the majority of users. Only if you want to fine-tune it do you need to do that.

New features, as when Force HTTPS first came out, would require you to enter your list of desired sites: Bank1.com, Bank2.com, CreditCardCo.com, etc.
But if you don't, you're not any worse off than if you never updated. So again, no excuse not to update.

If you go from Fx 3 to brand new versions of Firefox, like 8.0, then yes, it's a pain to learn the new GUI, find all the new about:config settings, etc.

But while they keep threatening that "Support for 3.6.x will be maintained only for a short time", it's now been almost a year, IIRC, that they've been saying that. And yet, they continue to update Fx 3.

Which tells me that a lot of people are rejecting the rapid-release policy and the continued complicating of simple things, like "Clear History", "Organize Bookmarks", etc. .... Including yours truly.

I do need to keep a working copy of the latest stable release on a Flash drive, so that in doing tech support here, I can check issues on it as well as on 3.x. But you don't.

The browser fingerprint will change with every update of Firefox, including within-branch updates like 3.6.3 to 3.6.24.
Depending on your ISP, there are ways to change your IP every so often, too, even without resorting to proxies.

Agree with the others that that is a lower priority than security. But if you want to be really paranoid, put F5, 6, 7, and 8 on a Flash drive, *run them in a sandbox or virtual machine to contain any exploitation of their unpatched security flaws*, and alternate their use. But that's a lot more work than you've indicated you're willing to do, and on safety grounds, I really cannot recommend this.

I keep a copy of Fx 2.x for diagnostic purposes. I doubt anyone's actively writing new exploits for it, but a lot of existing viruses and worms float around the Net. So it is sandboxed, and the machine as a whole is very heavily locked down, with a lot of changes that most non-tech, non-paranoid users wouldn't want to bother with. Cheers.