Our organization hasn’t upgraded to IE9 because we haven’t finished our global Windows 7 upgrade, but we encourage the use of Firefox as an alternative for secure browsing. Is this a good policy, or are Firefox users just as likely to be compromised as IE users?
A browser has two main roles to play when it comes to secure browsing. First, it must protect the user from malicious sites and software. Second, it must protect itself from malicious attacks. Not long ago, Firefox was ahead of Internet Explorer (IE) when it came to the robustness of its design and its ability to protect itself, while IE was plagued with countless vulnerabilities.
However, since the release of IE7, Microsoft has narrowed the gap considerably. This is borne out by Secunia's browser security fact sheets. Although there are only results covering the second quarter of this year for IE9 and Firefox 4, IE9 does marginally better. Between the older versions -- IE8 and Firefox 3.6 -- Internet Explorer, again, has had fewer vulnerabilities.
Both vendors have a good record of making patches available within 30 days of a vulnerability disclosure. If you accept vulnerabilities will be found in both browsers, you need to assess which will do a better job of protecting users from online threats, such as malicious sites and scripts, in order to choose the most secure Web browser. The good news here is the battle for the title of safest browser means all vendors are working hard to add more security features to their latest releases.
Both Firefox and IE run reputation-based URL filtering. This means reputation information for any URL a user requests is checked against a cloud database, and a warning is presented to the user if the URL’s content is flagged as potentially dangerous. IE9 has a new feature called SmartScreen Application Reputation, which warns users when it suspects a file about to be downloaded is dangerous. If it ranks the file as unknown based on criteria such as download traffic, download history, past antivirus results and URL reputation, it warns the user if he or she tries to run or save it.
The recently released Firefox 5 is the first browser to support Do Not Track privacy on multiple platforms. Every time a user requests data from the Web, Do Not Track sends an HTTP header telling the site the user wants to opt out of any online behavioral tracking. When enabled, Do Not Track does away with the impossible task of having to set cookie options for every site visited, but it does rely on sites respecting Do Not Track requests. As you can see, both browsers are looking for ways to improve the protection they provide users while surfing the Net.
If you’re looking to provide secure browsing at this particular point in time, I think the choice between Firefox and IE is very much down to personal preference. If users are allowed to use either IE or Firefox, you will, of course, have two browsers to maintain and keep up to date. You will need to be sure you control both through Group Policy, and you may want to take into account Mozilla’s plan to release smaller incremental updates for Firefox at a faster rate. Versions 6, 7 and 8 are all scheduled to be released before the end of 2011, which will be a lot of work to roll out across an organization of your size.
This was first published in October 2011
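
As the Do Not Track paragraph above notes, the header only helps if the receiving site acts on it. The sketch below is an added example, not part of the original article, showing one way a site could honor the `DNT` request header on the server side; the cookie name `track_id` and the function names are hypothetical, and treating a malformed value as an opt-out is this example's own choice.

```javascript
// Added example: honoring the Do Not Track request header on the server.
// "DNT: 1" means the user opts out of tracking, "DNT: 0" means the user allows
// it, and no header means no preference was expressed.

// Classify the preference from a Node-style headers object. Node lower-cases
// incoming header names; we normalise anyway so plain objects work too.
function dntPreference(headers) {
  let raw;
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'dnt') raw = Array.isArray(value) ? value[0] : value;
  }
  if (raw === undefined) return 'unset';
  const v = String(raw).trim();
  if (v === '1') return 'opt-out';
  if (v === '0') return 'allow';
  return 'invalid'; // anything else is not a valid DNT value
}

// Decide the response headers. The tracking cookie (hypothetical name
// "track_id") is only set when the user has not opted out. A malformed value
// is treated as an opt-out here (assumption: fail toward privacy).
function buildResponseHeaders(requestHeaders, visitorId) {
  const pref = dntPreference(requestHeaders);
  const track = pref === 'allow' || pref === 'unset';
  // The response differs by DNT, so tell shared caches to key on it.
  const headers = { 'Content-Type': 'text/html; charset=utf-8', Vary: 'DNT' };
  if (track) {
    headers['Set-Cookie'] =
      `track_id=${encodeURIComponent(visitorId)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
  }
  return { pref, track, headers };
}

// Constructed sample requests (not captured traffic).
const samples = [
  { label: 'browser with DNT enabled', headers: { dnt: '1' } },
  { label: 'browser with explicit consent', headers: { DNT: '0' } },
  { label: 'browser without DNT support', headers: {} },
  { label: 'malformed value', headers: { dnt: 'yes' } },
];
for (const s of samples) {
  const r = buildResponseHeaders(s.headers, 'visitor-123');
  console.log(`${s.label}: preference=${r.pref}, cookie set=${'Set-Cookie' in r.headers}`);
}
```

In a Node HTTP handler, `buildResponseHeaders(req.headers, id).headers` can be passed straight to `res.writeHead`.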