It’s that time again. No, not (just) the holiday shopping season. It’s time for some browser security wars.

Over the past few years, I’ve compared the security of Internet Explorer and Firefox here several times. With both products well into their respective beta cycles, it’s time to revisit the question: which browser is a better choice for the security of an average user?

This month, I went into my lab and installed the latest beta version of each browser, and have updated the comparisons I’ve made in the past. For the record, I tested Firefox 4.0 beta 7 on a MacBook Pro running Apple’s Snow Leopard operating system with all current patches installed. For Internet Explorer (“IE”), I used IE 9.0.7930.30.16406 (wow!) on Windows 7 Home Edition (32-bit) running in a Parallels version 6 virtual machine with 3.5 GB of RAM. (I felt this was fair. After all, I’m comparing security features, not browser speed…)

The good news is that there truly is much to like about both browsers. Safe browsing features, privacy guards, and such, have never been more robust. The bad news is that, to be secure on today’s Web, both browsers require some tweaking, as their default configurations are less than ideal. Even though I am someone who enjoys tweaking tools, surely that’s not the case for the average consumer. I fear few users will ever take advantage of the security features they’re given.

Still, I feel I could use either Firefox or IE in a reasonably secure way, given some tweaking and fiddling time. In the case of IE, most everything I’d need is built in, which is a good thing. In the case of Firefox, I’d need a plug-in to feel safe. So let’s dive in and take a look at the details.

Lower profile target

I feel a browser with a huge market share is not as safe as one with a minuscule market share. This is simply because miscreants generally tend to write their malware for products that have large market shares. It’s a simple matter of economics in most cases. Further, this in no way indicates which browser is more secure, only which one is safer because fewer attacks target it.

In our case of IE vs. Firefox, their respective market shares are looking more and more similar. In the past, IE’s market share was so vastly bigger than that of Firefox and the others that it was pretty easy to assume a lower-profile browser was less likely to be targeted by miscreants.

But today, most statistics say that IE is at roughly 49% market share compared to Firefox’s 29%. That’s still a big difference, but not one I’d be happy hiding behind in smug confidence.

Qualitative score: IE gets a "C" while Firefox gets a "B." Since I last compared them, IE gains a bit while Firefox loses a bit.

Configurability

This remains one of my toughest criteria to compare between the two browsers, but it is one that can have a huge impact on the browsers’ relative security. I should emphasize that I’m limiting my comparisons here to the base browsers, without any plug-ins installed (for now).

Like many Microsoft products, IE really provides a huge set of security features that can be adjusted to suit a user’s needs. IE uses security “zones,” such as “Internet,” “Local intranet,” “Trusted sites,” and “Restricted sites” to define what a site may or may not do.

This basic feature turns out to be exceptionally powerful and can be adjusted down to the finest detail. That’s the good news. The bad news is that adjusting things to the finest detail is vastly beyond the ability of a typical consumer. To its credit, Microsoft provides a “security level” slider (think “high,” “medium,” and “low”) for making most adjustments easily, without needing to know the fine details.

[Image: browsersecurity2.jpg]

I have two gripes here. The first is that the Internet (default) zone is set to “medium-high” by default, which allows many forms of active content (e.g., JavaScript) to run from completely untrusted sites. (I prefer a setting of “high” for the Internet zone, which disallows all forms of active content. I can then add trustworthy sites to my “Trusted sites” zone on a case-by-case basis, enabling them to run JavaScript and the like.)

By comparison, Firefox’s security choices are overly simplistic. You can tune whether a site can invoke active content, such as JavaScript, but it’s pretty much an all-or-nothing proposition: if it’s disabled for one site, it’s disabled for them all. (To be fair, a few JavaScript capabilities can be restricted individually, but still not on a per-site basis.)

[Image: browsersecurity.jpg]

Although neither is perfect here, IE gets the nod for its capabilities. I do very much wish that they’d make it easier to designate sites as “Trusted sites” zone members, but that’s a user interface issue, I suppose. Still, from the provided features, I’d far prefer IE’s choices to Firefox’s simplicity.

Qualitative score: IE gets an "A-" while Firefox gets a "D+." IE is unchanged while Firefox loses ground for its stagnation.

Safe browsing features

Both browsers have substantial so-called safe browsing features. In both cases, they basically work from blacklists of forbidden sites—sites that are known to carry malware or other security dangers. Then, when a user directs the browser, quite likely inadvertently, to a dangerous site, the browser warns the user before allowing the action.

It’s a simple enough feature, but I fear it is one that is doomed to eventual failure, just as anti-virus products relying on signatures of known viruses have become largely ineffective against the onslaught of today’s malware.

IE uses a feature called “SmartScreen” to maintain its blacklist. Users can report questionable sites, and SmartScreen can be used to verify whether a site is on the blacklist or not. Conceptually, this is similar to how Firefox has been doing its safe browsing (via Google) for its past few releases.

Do they work? Well, I can’t say I’m a fan of the blacklist or negative validation way of doing things. It is prone to failure, doesn’t scale particularly well, and generally slows down the user’s browsing experience as the browser checks each and every site against a centrally maintained list.

Still, the features are on by default, and most users will leave them on. If they prevent even one user from stepping on a landmine, then there’s little harm done.

Qualitative score: IE gets a "C-" while Firefox gets a "C-." Essentially unchanged.

Privacy features

Although privacy is a separate issue from security, the two often share a few attributes. And personal privacy is an area in which both browsers have advanced over the last couple of years.

Both browsers now provide the means for a user to delete his browser history, cookies, etc. These features are generally good news for the privacy-minded, as well as for enhanced security.

In both cases, though, the features are largely not enabled by default, and it’s unlikely that most consumers would seek these sorts of features, as they’re often not aware of the security concerns surrounding browser histories and cookies.

Qualitative score: IE gets a "C+" while Firefox gets a "C-." 

With those built-in features compared, I remain a firm believer in the use of security plug-ins like NoScript (see http://noscript.net) for Firefox. Although they’re not widely used outside of a small community, they’re well worth the effort. (NoScript provides a whitelist of the sites that may run active content in the user’s browser. This largely replicates the capability that IE already has with its Trusted sites zone, but is far easier for most people to use.)
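To make the zone model, the NoScript whitelist, and the whitelist-versus-blacklist contrast from the safe browsing section concrete, here is an added Python example. It is not part of the original column and is not IE’s, Firefox’s, or NoScript’s code; it models the policy decision a per-site active-content setting makes. The zone names and the Internet zone’s “medium-high” default come from the column above. Everything else is a modelling assumption: the levels given to the other zones, matching a listed domain against its subdomains, “Restricted sites” taking precedence over “Trusted sites,” unqualified hostnames landing in “Local intranet,” and all hostnames and the sample blacklist, which are constructed for the example.

```python
"""Per-site active-content policy modelled on IE's security zones (and, in
spirit, NoScript's whitelist), contrasted with a SmartScreen-style blacklist.
Added example; not the browsers' own code. Hostnames are constructed."""
from dataclasses import dataclass, field
from enum import Enum
from urllib.parse import urlsplit


class Zone(Enum):
    RESTRICTED = "Restricted sites"
    TRUSTED = "Trusted sites"
    INTRANET = "Local intranet"
    INTERNET = "Internet"


# IE's slider levels reduced to the one question the column cares about:
# does this level let a page run active content (JavaScript, plug-ins, ...)?
LEVEL_ALLOWS_ACTIVE_CONTENT = {
    "low": True,
    "medium-low": True,
    "medium": True,
    "medium-high": True,   # IE's default for the Internet zone (from the column)
    "high": False,         # the author's preferred Internet-zone setting
}


def _host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def _matches(host: str, domains: set) -> bool:
    """True if host equals a listed domain or is a subdomain of one.
    Modelling assumption: an entry for bank.example also covers www.bank.example."""
    return any(host == d or host.endswith("." + d) for d in domains)


@dataclass
class ZonePolicy:
    """Zone membership lists plus the security level chosen for each zone."""
    trusted: set = field(default_factory=set)
    restricted: set = field(default_factory=set)
    levels: dict = field(default_factory=dict)

    def zone_for(self, url: str) -> Zone:
        host = _host(url)
        if _matches(host, self.restricted):   # assumption: Restricted wins over Trusted
            return Zone.RESTRICTED
        if _matches(host, self.trusted):
            return Zone.TRUSTED
        if host and "." not in host:          # assumption: unqualified names are intranet
            return Zone.INTRANET
        return Zone.INTERNET                  # everything unknown lands here

    def allows_active_content(self, url: str) -> bool:
        """Default-deny or default-allow is decided entirely by the Internet level."""
        return LEVEL_ALLOWS_ACTIVE_CONTENT[self.levels[self.zone_for(url)]]


def default_policy() -> ZonePolicy:
    """Out-of-the-box levels. Only the Internet zone's 'medium-high' is from the
    column; the other three levels are assumed for the example."""
    return ZonePolicy(levels={
        Zone.RESTRICTED: "high",
        Zone.TRUSTED: "medium",
        Zone.INTRANET: "medium-low",
        Zone.INTERNET: "medium-high",
    })


def recommended_policy(trusted_sites) -> ZonePolicy:
    """The author's tweak: Internet zone at 'high', trusted sites whitelisted one by one."""
    policy = default_policy()
    policy.levels[Zone.INTERNET] = "high"
    policy.trusted.update(trusted_sites)
    return policy


# Constructed sample blacklist standing in for SmartScreen / Safe Browsing data.
BLACKLIST = {"known-bad.example"}


def blacklist_blocks(url: str, blacklist=BLACKLIST) -> bool:
    """Negative validation: only hosts already on the list are stopped."""
    return _matches(_host(url), blacklist)


if __name__ == "__main__":
    # A host that is not yet on anyone's blacklist: the blacklist lets it through,
    # the default Internet level runs its script, the 'high' level does not.
    new_site = "https://brand-new-malware.example/"
    print("blacklist blocks:", blacklist_blocks(new_site))
    print("default policy runs script:", default_policy().allows_active_content(new_site))
    print("recommended policy runs script:",
          recommended_policy({"bank.example"}).allows_active_content(new_site))
```

The point the model makes is the one the column makes in prose: with the Internet zone at “high,” a site the user has never seen gets no active content unless it is explicitly added to the trusted list, whereas the blacklist only helps once someone has already reported the site.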

So, which browser is right for your security? Will you spend some time setting the security features? If so, IE 9 gives you some pretty compelling options (if you’re running Windows). If you prefer something a little simpler, Firefox is probably a better option, especially if you’re willing to take the few seconds to install and run the NoScript plug-in.

The Web of 2010 has grown into a veritable minefield in many ways. Malware, identity theft, and all sorts of nastiness can be found readily, even on many otherwise reputable sites. A well-chosen and well-configured browser can go a long way toward preventing those land mines from causing harm to you.

Kenneth R. van Wyk, CSIH is Principal Consultant and Founder of KRvW Associates, LLC, a small, highly-specialized, consulting and training company. He is a frequent contributor to the internet.com network.

Keep up-to-date with browser security news; follow eSecurityPlanet on Twitter @eSecurityP.