Firefox 3.5 vs. Internet Explorer 8: Which is Safer?


Editor's Note: With the release of Firefox 4 and IE9 almost together we've decided to revisit this issue in a new article Firefox 4 vs. Internet Explorer 9: Which is Safer? (Original, I know, but if the shoe fits ... !) Thanks for reading!

It’s been nearly 2 years since I wrote Mozilla Firefox vs. Internet Explorer: Which is Safer?, and much has changed in that time.

Major releases from both popular browsers are out, and it’s time for a rematch.

This month, I went into my lab and installed the latest version of each browser – Firefox 3.5 and Internet Explorer 8 – and have revisited the statements I made in September 2007. What I found is that although much has changed, a lot of things have remained the same.

I have to say I still firmly believe I’m safer using Firefox than IE, and that’s not just because I’m principally a Mac user. I believe Firefox is a more secure choice for the average user, especially with just a little bit of tweaking.

So, let’s revisit my earlier conclusions and see how they’ve changed with the latest releases.

Lower profile target. This remains largely true. Even with Firefox gaining significant market share recently, it’s still a lower profile target than Microsoft’s Internet Explorer. At some level, that fact does buy a modicum of security, at least from the perspective of how safe (or unsafe) an end user is. Note, however, that this does not make either browser more secure per se.

Further to that, Firefox is an add-on for any operating system. That means that there are naturally more users of IE than Firefox on any platform.

And the fact remains that malware authors, just like other software authors, are in large part writing software to market share. That makes Microsoft/IE popular targets by the bad guys. There is indeed a bit of safety in small numbers.

Qualitative score: IE gets an F while Firefox gets a B+. Unchanged.

Configurability. This remains one of the toughest criteria to compare between the two browsers. And I’m limiting my comparisons here to the base browsers, without any plug-ins installed.

IE truly provides a hugely rich set of security features that can be configured and tweaked. Microsoft defines security “zones” such as “Internet,” “Local intranet,” “Trusted sites,” and “Restricted sites.” Although each of these categories is fairly loose, each can be finely tuned to suit the user’s needs.

In fact, the level of tuning options in IE is almost daunting. I don’t like to penalize a product for having too many security options, but I think this is a case of “menu-itis” in giving the end user too many options.

Firefox, on the other hand, has a powerful but simplistic set of choices. You can tune whether a site can invoke active content such as JavaScript, but it’s an all-or-nothing proposition. If it’s disabled for one site, it’s disabled for them all.

Despite IE’s sea of choices, I have to give it the nod here. They’ve helped obfuscate the confusion by creating the security zones, and it’s pretty darned easy to put sites into one of the zones based on how much trust they should get. Businesses you want to trust, for example, should go into “Trusted sites,” while all unknowns should fall into the “Internet” or even “Restricted sites” zones. Further, the default zone should be fine tuned a bit to disallow all active content. 

The average user should be able to do that without too much fuss. One fairly easy way to achieve this is to set “Restricted sites” as the default, and then add trustworthy sites to either the “Internet” or even “Trusted sites” zones on a case-by-case basis. I just wish this had been the default setting.

Qualitative score: IE gets an A- while Firefox gets a C+. IE gains some ground, while Firefox has remained largely stagnant.


Safe browsing features. This is a new category this time around. Both browsers have touted new “safe browsing” features recently, so I wanted to give them both a test run. There’s good and bad news to report for both.

Both browsers provide features that are meant to protect users from going to (arguably) dangerous sites. Both browsers optionally protect the user’s privacy by not storing browser histories when asked not to.

IE has a “Content Advisor” feature that lets you define by policy what sites or types of sites the user shouldn’t visit. These settings are entirely at the discretion of the user, but could be helpful in preventing inadvertently visiting a site that could be objectionable. I admit I’m not a big fan of this sort of protection, as it is invariably easy to bypass.

Firefox goes one step farther in content protection by providing a site blacklisting service that prevents the user from visiting sites that have been flagged for serving malware, phishing, etc. There’s a bit of a performance hit to this, however, as each newly visited site must first be (externally) compared against a blacklist of known bad actors. Again, this can be useful, but easy for a determined user to bypass.

In the end, I have to say I find both browsers’ safe browsing features to be largely for show, and not all that helpful in providing real security to the end user. Perhaps these features will improve in subsequent releases.

Qualitative score: IE gets a C- while Firefox gets a C+.

Security-minded plug-ins. This one is mostly unchanged. As I wrote previously, this is where Firefox really shines, at least for my needs. I’m a huge fan of the popular and free plug-in, NoScript. NoScript provides a script whitelisting capability in the entire Mozilla family of browsers, including Firefox.

With NoScript, I can allow individual sites that I have some level of faith in to run script content in my browser, while defaulting to disallowing scripts for all others. I find this approach to be very workable, as I only have to teach NoScript once per site I visit.

To be fair, however, some people find NoScript to be very annoying for the same reasons that I find it liberating. And it’s certainly not perfect. It provides trust per domain, not per IP. That means that, for example, I could allow, say, to run scripts in my browser, and anything within that entire domain space would be allowed to run – clearly something that I want to avoid.
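The difference between trusting a whole domain and trusting one host can be shown with a small allowlist matcher. This is an added example, not NoScript's code and not from the original article; the hostnames, the two policies and the function names are constructed for illustration.

```javascript
// Added illustration of domain-scoped vs. host-scoped script allowlisting.
// All hostnames are constructed placeholders (example.com is a reserved name).

// Lowercase the hostname and strip a trailing root dot.
function normalizeHost(host) {
  return host.toLowerCase().replace(/\.$/, "");
}

// Domain-scoped trust: an entry covers itself and every subdomain beneath it.
function allowedByDomain(host, allowlist) {
  const h = normalizeHost(host);
  return allowlist.some((entry) => {
    const e = normalizeHost(entry);
    // Match on a label boundary so "notexample.com" is not covered by "example.com".
    return h === e || h.endsWith("." + e);
  });
}

// Host-scoped trust: only the exact hostname that was reviewed is covered.
function allowedByHost(host, allowlist) {
  const h = normalizeHost(host);
  return allowlist.some((entry) => normalizeHost(entry) === h);
}

// For each script URL on a page, report what each policy would permit.
function auditScripts(scriptUrls, domainList, hostList) {
  return scriptUrls.map((u) => {
    const host = new URL(u).hostname;
    return {
      host,
      domainScoped: allowedByDomain(host, domainList),
      hostScoped: allowedByHost(host, hostList),
    };
  });
}

// Hosts admitted by the domain entry that the user never individually trusted.
function widenedHosts(report) {
  return report.filter((r) => r.domainScoped && !r.hostScoped).map((r) => r.host);
}

// Constructed sample: script sources referenced by a hypothetical page.
const sampleScripts = [
  "https://www.example.com/app.js",
  "https://user-uploads.example.com/widget.js",
  "https://notexample.com/x.js",
];
const report = auditScripts(sampleScripts, ["example.com"], ["www.example.com"]);
console.log(widenedHosts(report));
```
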

My only complaint about NoScript is that it isn’t included and enabled by default with Firefox. (I also wish it were available for other browsers, like Safari.)

Qualitative score: IE gets a D while Firefox gets an A-. Unchanged.

So I remain a Firefox (+ NoScript) guy. In fact, on my Macs, it is pretty much the only browser I use, despite the fact that it does a lousy job at integrating into the operating system features in the same way that Safari (and other Apple software) does. Were there a NoScript for Safari, I’d jump on it. But to my knowledge, there isn’t, so I stick with Firefox—and I feel pretty confident in my browsing security on the Internet.

I’m still careful about the sites I visit, of course, but I have a lot of faith in NoScript stopping nasty stuff from happening if I stray from the sites I’m familiar with.
