It's that time again. No, not (just) the holiday shopping season. It's time for some browser security wars.
Over the past few years, I've compared the security of Internet Explorer and Firefox here several times. With both products well into their respective beta cycles, it's time to revisit the question: which browser is a better choice for the security of an average user?
This month, I went into my lab and installed the latest beta version of each browser, and have updated the comparisons I've made in the past. For the record, I tested Firefox 4.0 beta 7 on a Macbook Pro running Apple's Snow Leopard operating system with all current patches installed. For Internet Explorer (IE), I used IE 9.0.7930.30.16406 (wow!) on Windows 7 Home Edition (32 bit) running in a Parallels version 6 virtual machine with 3.5 GB of RAM. (I felt this was fair. After all, I'm comparing security features, not browser speed.)
The good news is that there truly is much to like about both browsers. Safe browsing features, privacy guards, and such, have never been more robust. The bad news is that, to be secure on today's Web, both browsers require some tweaking, as their default configurations are less than ideal. Even though I am someone who enjoys tweaking tools, surely that's not the case for the average consumer. I fear few users will ever take advantage of the security features they're given.
Still, I feel I could use either Firefox or IE in a reasonably secure way, given some tweaking and fiddling time. In the case of IE, most everything I'd need is built in, which is a good thing. In the case of Firefox, I'd need a plug-in to feel safe. So let's dive in and take a look at the details.
Lower profile target
I feel a browser with a huge market share is not as safe as one with a minuscule market share. This is due simply to the fact that miscreants generally tend to write their malware for products that have large market shares. It's a simple matter of economics in most cases. Further, it in no way indicates which browser is more secure, only which one is safer because there are fewer attacks affecting it.
In our case of IE vs. Firefox, their respective market shares are looking more and more similar. In the past, IE's market share was so vastly bigger than Firefox and others that it was pretty easy to assume a lower profile browser was less likely to be targeted by miscreants.
But today, most statistics say that IE is at roughly 49% market share compared to Firefox's 29%. That's still a big difference, but not one I'd be happy hiding behind in smug confidence.
Qualitative score: IE gets a "C" while Firefox gets a "B." Since I last compared them, IE gains a bit while Firefox loses a bit.
This remains one of my toughest criteria to compare between the two browsers, but it is one that can have a huge impact on the browsers' relative security. I should emphasize that I'm limiting my comparisons here to the base browsers, without any plug-ins installed (for now).
Like many Microsoft products, IE really provides a huge set of security features that can be adjusted to suit a user's needs. IE uses security zones, such as Internet, Local intranet, Trusted sites, and Restricted sites, to define what a site may or may not do.
This basic feature turns out to be exceptionally powerful and can be adjusted to the finest detail. That's the good news. The bad news is that adjusting things to the finest detail is something that is vastly outside of the ability of a typical consumer. To its credit, Microsoft provides a security level slider bar (think high, medium, and low) for making most adjustments easily, without needing to know the fine details.
Although neither is perfect here, IE gets the nod for its capabilities. I do very much wish that they'd make it easier to designate sites as trusted zone sites, but that's a user interface issue, I suppose. Still, from the provided features, I'd far prefer having IE's choices than Firefox's simplicity.
Qualitative score: IE gets an "A-" while Firefox gets a "D+." IE is unchanged while Firefox loses ground for its stagnation.
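Designating a site as a Trusted sites member is the step the author wishes were easier in the UI; as an added example (not from the article), the following PowerShell does it through the per-user ZoneMap registry keys that IE's zone settings are stored in, and reads back the slider level of a zone. It assumes Windows 7 with IE 9 and that it runs as the user whose browser is being configured.

```powershell
# Added example, not part of the original article.
# IE stores per-user zone assignments under ZoneMap\Domains: one subkey per
# domain, and one DWORD per scheme whose data is the zone number.
$domainsKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$zonesKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# Zone numbers as IE defines them.
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

# CurrentLevel values behind the high/medium/low slider (KB 182569).
$levelNames = @{ 0x10000 = 'Low'; 0x10500 = 'Medium-low'; 0x11000 = 'Medium'; 0x11500 = 'Medium-high'; 0x12000 = 'High' }

function Add-TrustedSite {
    param([Parameter(Mandatory)][string]$Domain, [string]$Scheme = 'https')
    # Only the https scheme is mapped by default, so a plaintext http page on the
    # same host does not inherit the relaxed Trusted sites policy.
    $key = Join-Path $domainsKey $Domain
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $Scheme -Value 2 -PropertyType DWord -Force | Out-Null
}

function Get-SiteZone {
    param([Parameter(Mandatory)][string]$Domain, [string]$Scheme = 'https')
    # A host with no ZoneMap entry falls into zone 3, Internet.
    $key = Join-Path $domainsKey $Domain
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        if ($null -ne $props.$Scheme) { return $zoneNames[[int]$props.$Scheme] }
    }
    return $zoneNames[3]
}

function Get-ZoneLevel {
    param([int]$Zone)
    # Reads the slider setting for a zone; returns the raw value if it is custom.
    $level = (Get-ItemProperty -Path (Join-Path $zonesKey $Zone) -Name CurrentLevel).CurrentLevel
    if ($levelNames.ContainsKey([int]$level)) { return $levelNames[[int]$level] }
    return ('Custom (0x{0:X})' -f $level)
}

# Usage with a constructed, placeholder domain:
Add-TrustedSite -Domain 'intranet.example.invalid'
Get-SiteZone   -Domain 'intranet.example.invalid'   # Trusted sites
Get-SiteZone   -Domain 'unknown.example.invalid'    # Internet
Get-ZoneLevel  -Zone 2                              # slider level of Trusted sites
```

Changes written this way take effect for new IE sessions; the Trusted sites zone relaxes controls such as active content, so only hosts the user actually trusts belong there.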
Safe browsing features
Both browsers have substantial so-called safe browsing features. In both cases, they basically work from black lists of forbidden sites, sites that are known to carry malware or other security dangers. Then, when a user directs the browser, quite likely inadvertently, to a dangerous site, the browser warns the user before allowing the action.
It's a simple enough feature, but I fear it is one that is doomed to eventual failure, just as anti-virus products relying on signatures of known viruses have become largely ineffective against the onslaught of today's malware.
IE uses a feature called SmartScreen to maintain its blacklist. Users can report questionable sites, and SmartScreen can be used to verify if a site is on the blacklist or not. Conceptually, this is similar to how Firefox has been doing its safe browsing (via Google) for its past few releases.
Do they work? Well, I can't say I'm a fan of the blacklist or negative validation way of doing things. It is prone to failure, doesn't scale particularly well, and generally slows down the user's browsing experience as the browser checks each and every site against a centrally maintained list.
Still, the features are on by default, and most users will leave them on. If they prevent even one user from stepping on a landmine, then there's little harm done.
Qualitative score: IE gets a "C-" while Firefox gets a "C-." Essentially unchanged.
Although privacy is a separate issue from security, the two often share a few attributes. And personal privacy is an area in which both browsers have advanced in the last couple of years.
Both browsers now provide the means for a user to delete his browser history, cookies, etc. These features are generally good news for the privacy-minded, as well as for enhanced security.
In both cases, though, the features are largely not enabled by default, and it's unlikely that most consumers would seek these sorts of features, as they're often not aware of the security concerns surrounding browser histories and cookies.
Qualitative score: IE gets a "C+" while Firefox gets a "C-."
With those built-in features compared, I remain a firm believer in the use of security plug-ins like NoScript (see http://noscript.net) for Firefox. Although they're not largely used outside of a small community, they're well worth the effort. (NoScript provides a whitelist feature for which sites may run active content in the user's browser. This largely replicates the capability that IE already has for trusted security zones, but is far easier for most people to use.)
So, which browser is right for your security? Will you spend some time setting the security features? If so, IE 9 gives you some pretty compelling options (if you're running Windows). If you prefer something a little simpler, Firefox is probably a better option, especially if you're willing to take the few seconds to install and run the NoScript plug-in.
The Web of 2010 has grown into a veritable minefield in many ways. Malware, identity theft, and all sorts of nastiness can be found readily, even on many otherwise reputable sites. A well-chosen and configured browser can go a long way to preventing those landmines from causing harm to you.
Kenneth R. van Wyk, CSIH is Principal Consultant and Founder of KRvW Associates, LLC, a small, highly-specialized, consulting and training company. He is a frequent contributor to the internet.com network.