Modernizing Authentication — What It Takes to Transform Secure Access
Editor's Note: With the release of Firefox 4 and IE9 almost together we've decided to revisit this issue in a new article Firefox 4 vs. Internet Explorer 9: Which is Safer? (Original, I know, but if the shoe fits ... !) Thanks for reading!
Its been nearly 2 years since I wrote Mozilla Firefox vs. Internet Explorer: Which is Safer?, and much has changed in that time.
Major releases from both popular browsers are out, and its time for a rematch.
This month, I went into my lab and installed the latest version of each browser Firefox 3.5 and Internet Explorer 8 and have revisited the statements I made in September 2007. What I found is that although much has changed, a lot of things have remained the same.
I have to say I still firmly believe Im safer using Firefox than IE, and thats not just because Im principally a Mac user. I believe Firefox is a more secure choice for the average user, especially with just a little bit of tweaking.
So, lets revisit my earlier conclusions and see how theyve changed with the latest releases.
Lower profile target. This remains largely true. Even with Firefox gaining significant market share recently, its still a lower profile target than Microsofts Internet Explorer. At some level, that fact does buy a modicum of security, at least from the perspective of how safe (or unsafe) an end user is. Note, however, that this does not make either browser more secure per se.
Further to that, Firefox is an add-on for any operating system. That means that there are naturally more users of IE than Firefox on any platform.
And the fact remains that malware authors, just like other software authors, are in large part writing software to market share. That makes Microsoft/IE popular targets by the bad guys. There is indeed a bit of safety in small numbers.
Qualitative score: IE gets an F while Firefox gets a B+. Unchanged.
Configurability. This remains one of the toughest criteria to compare between the two browsers. And Im limiting my comparisons here to the base browsers, without any plug-ins installed.
IE truly provides a hugely rich set of security features that can be configured and tweaked. Microsoft defines security zones such as Internet, Local intranet, Trusted sites, and Restricted sites. Although each of these categories is fairly loose, each can be finely tuned to suit the users needs.
In fact, the level of tuning options in IE is almost daunting. I dont like to penalize a product for having too many security options, but I think this is a case of menu-itis in giving the end user too many options.
Despite IEs sea of choices, I have to give it the nod here. Theyve helped obfuscate the confusion by creating the security zones, and its pretty darned easy to put sites into one of the zones based on how much trust they should get. Businesses you want to trust, for example, should go into Trusted sites, while all unknowns should fall into the Internet or even Restricted sites zones. Further, the default zone should be fine tuned a bit to disallow all active content.
The average user should be able to do that without too much fuss. One fairly easy way to achieve this is to set Restricted sites as the default, and then add trustworthy sites to either the Internet or even Trusted sites zones on a case-by-case basis. I just wish this had been the default setting.
Qualitative score: IE gets an A- while Firefox gets a C+. IE gains some ground, while Firefox has remained largely stagnant.
Safe browsing features. This is a new category this time around. Both browsers have touted new safe browsing features recently, so I wanted to give them both a test run. Theres good and bad news to report for both.
Both browsers provide features that are meant to protect users from going to (arguably) dangerous sites. Both browsers optionally protect the users privacy by not storing browser histories when asked not to.
IE has a Content Advisor feature that lets you define by policy what sites or types of sites the user shouldnt visit. These settings are entirely at the discretion of the user, but could be helpful in preventing inadvertently visiting a site that could be objectionable. I admit Im not a big fan of this sort of protection, as it is invariably easy to bypass.
Firefox goes one step farther in content protection by providing a site blacklisting service that prevents the user from visiting sites that have been flagged for serving malware, phishing, etc. Theres a bit of a performance hit to this, however, as each newly visited site must first be (externally) compared against a blacklist of known bad actors. Again, this can be useful, but easy for a determined user to bypass.
In the end, I have to say I find both browsers safe browsing features to be largely for show, and not all that helpful in providing real security to the end user. Perhaps these features will improve in subsequent releases.
Qualitative score: IE gets an C- while Firefox gets a C+.
Security-minded plug-ins. This one is mostly unchanged. As I wrote previously, this is where Firefox really shines, at least for my needs. Im a huge fan of the popular and free plug-in, NoScript (available from noscript.net). NoScript provides a script whitelisting capability in the entire Mozilla family of browsers, including Firefox.
With NoScript, I can allow individual sites that I have some level of faith in to run script content in my browser, while defaulting to disallowing scripts for all others. I find this approach to be very workable, as I only have to teach NoScript once per site I visit.
To be fair, however, some people find NoScript to be very annoying for the same reasons that I find it liberating. And its certainly not perfect. It provides trust per domain, not per IP. That means that, for example, I could allow, say, me.com to run scripts in my browser, and anything within that entire domain space would be allowed to run clearly something that I want to avoid.
My only complaint about NoScript is that it isnt included and enabled by default with Firefox. (I also wish it were available for other browsers, like Safari.)
Qualitative score: IE gets a D while Firefox gets an A-. Unchanged.
So I remain a Firefox (+ NoScript) guy. In fact, on my Macs, it is pretty much the only browser I use, despite the fact that it does a lousy job at integrating into the operating system features in the same way that Safari (and other Apple software) does. Were there a NoScript for Safari, Id jump on it. But to my knowledge, there isnt, so I stick with Firefoxand I feel pretty confident in my browsing security on the Internet.
Im still careful about the sites I visit, of course, but I have a lot of faith in NoScript stopping nasty stuff from happening if I stray from the sites Im familiar with.
ALSO SEE: Seven Firefox Add-Ons for Security