This article can also be found in the Premium Editorial Download "Information Security magazine: How to stop data leakage."
We evaluated security features of beta versions of Internet Explorer 7.0 and Netscape 8.0, and Firefox 1.0.7 (Firefox 1.5 was released after our evaluation was complete). Each ran in a production environment on Windows XP with SP 2. While home-user security is crucial to maintain customer confidence in online commerce, our emphasis was on maintaining a secure browser configuration baseline across an enterprise. We focused particularly on the flexibility of critical configuration settings and the ability to manage them in a corporate environment.
We concluded that while the others may be acceptable for home users, IE 7.0 is the clear choice for corporate environments. The combination of innovative security features and--perhaps most important--IE's superior capability for administering granular security configuration controls makes it the best business choice.
Are They Safe?
Overall, Netscape, Firefox and IE all do a good job protecting against pop-ups, phishing schemes and scripting attacks, but we found several new capabilities that move IE 7.0 ahead of the pack. We analyzed, tested and compared the browsers in eight key areas:
Both Netscape and IE 7.0 feature the ability to allow or prohibit Java and ActiveX execution by individual site. Firefox users have to turn these controls on or off for all sites.
IE 7.0 offers more flexible configuration settings for controlling Microsoft technologies, including ActiveX and the .NET suite (ASP, VB and C#).
IE 7.0 alone has introduced controls against cross-site scripting (CSS/XSS) and cross-domain (XD) scripting attacks: it prevents an attacker from redirecting a user or session to an untrusted resource from within the current browser object. We tested this feature by sending an XD attack to IE 7.0 and attempting, without success, to redirect a user to a foreign site while carrying the current browsing cookie.
In light of the known vulnerabilities and exploits of SSL 1.0 and 2.0, all three browsers support the more secure SSL 3.0 and TLS 1.0. IE 7.0 goes a step further: TLS is enabled by default, and SSL 2.0 is no longer supported. Netscape and Firefox both enable SSL 2.0, along with TLS and SSL 3.0, by default.
This was first published in January 2006