
This article can also be found in the Premium Editorial Download "Information Security magazine: How to stop data leakage."


We evaluated security features of beta versions of Internet Explorer 7.0 and Netscape 8.0, and Firefox 1.0.7 (Firefox 1.5 was released after our evaluation was complete). Each ran in a production environment on Windows XP with SP 2. While home-user security is crucial to maintain customer confidence in online commerce, our emphasis was on maintaining a secure browser configuration baseline across an enterprise. We focused particularly on the flexibility of critical configuration settings and the ability to manage them in a corporate environment.

We concluded that while the others may be acceptable for home users, IE 7.0 is the clear choice for corporate environments. The combination of innovative security features and--perhaps most important--IE's superior capability for administering granular security configuration controls makes it the best business choice.

Are They Safe?
Overall, Netscape, Firefox and IE all do a good job protecting against pop-ups, phishing schemes and scripting attacks, but we found several new capabilities that move IE 7.0 ahead of the pack. We analyzed, tested and compared the browsers in eight key areas:


Netscape 8.0

Both Netscape and IE 7.0 feature the ability to allow or prohibit Java and ActiveX execution by individual site. Firefox users have to turn these controls on or off for all sites.

1. Scripting languages
IE 7.0 offers greater flexibility in the configuration settings that control Microsoft languages, including ActiveX and the .Net Suite (ASP, VB and C#).

IE 7.0 alone has introduced controls against cross-site scripting (CSS/XSS) or cross-domain (XD) scripting attacks by preventing an attacker from redirecting a user or session to an untrusted resource from within a current browser object. We tested this feature by sending an XD attack to IE 7.0 and attempting--without success--to redirect a user to a foreign site and carry the current browsing cookie.

Firefox fell short in site-by-site scripting configuration. It does not allow you to specify down to the scripting language level what permissions each site should have--a huge Netscape and IE advantage. Netscape and IE allow you to specify whether Java, ActiveX, JavaScript and even images should be run or displayed on specific sites. In addition, both Java and ActiveX are disabled by default--a prime example of Microsoft's secure-by-default philosophy; you must designate the site as trusted before it's allowed to run these scripts.

2. SSL
In light of the known vulnerabilities and exploits of SSL 1.0 and 2.0, all three browsers support the more secure SSL 3.0 and TLS 1.0. IE 7.0 goes a step further: TLS is enabled by default, and SSL 2.0 is no longer supported. Netscape and Firefox both enable SSL 2.0, along with TLS and SSL 3.0, by default.
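
The protocol settings compared above can be audited against an enterprise baseline. The following is an added example, not part of the original article: it assumes IE's SecureProtocols registry bitmask and the Firefox 1.x preference names security.enable_ssl2, security.enable_ssl3 and security.enable_tls, and the baseline and sample inputs are constructed for illustration.

```python
import re

# IE stores enabled protocols as a bitmask in the "SecureProtocols" DWORD under
# Software\Microsoft\Windows\CurrentVersion\Internet Settings.
IE_BITS = {"SSL 2.0": 0x08, "SSL 3.0": 0x20, "TLS 1.0": 0x80}

# Firefox 1.x boolean preferences for the same protocols (about:config / prefs.js).
FIREFOX_PREFS = {"SSL 2.0": "security.enable_ssl2",
                 "SSL 3.0": "security.enable_ssl3",
                 "TLS 1.0": "security.enable_tls"}
# Shipped defaults as the article describes them: all three enabled.
FIREFOX_DEFAULTS = {"SSL 2.0": True, "SSL 3.0": True, "TLS 1.0": True}

# Assumed corporate baseline for this example: SSL 2.0 off, SSL 3.0 and TLS 1.0 on.
BASELINE = {"SSL 2.0": False, "SSL 3.0": True, "TLS 1.0": True}

# Matches active boolean user_pref() lines; commented-out lines do not match.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(true|false)\s*\);', re.M)


def ie_protocols(secure_protocols):
    """Decode the SecureProtocols bitmask into {protocol: enabled}."""
    return {name: bool(secure_protocols & bit) for name, bit in IE_BITS.items()}


def firefox_protocols(prefs_js):
    """Overlay boolean user_pref() overrides from prefs.js on the defaults."""
    overrides = {key: val == "true" for key, val in PREF_RE.findall(prefs_js)}
    return {name: overrides.get(pref, FIREFOX_DEFAULTS[name])
            for name, pref in FIREFOX_PREFS.items()}


def deviations(state):
    """List every protocol whose state differs from the baseline."""
    return sorted(f"{name} should be {'on' if want else 'off'}"
                  for name, want in BASELINE.items() if state[name] != want)


# Constructed sample inputs, not captured from real machines.
SAMPLE_IE = 0xA0  # SSL 3.0 + TLS 1.0, the IE 7.0 behaviour described above
SAMPLE_PREFS = '''
// user_pref("security.enable_ssl2", false);
user_pref("browser.startup.homepage", "about:blank");
'''

if __name__ == "__main__":
    print("IE:", deviations(ie_protocols(SAMPLE_IE)) or "meets baseline")
    print("Firefox:", deviations(firefox_protocols(SAMPLE_PREFS)) or "meets baseline")
```
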

This was first published in January 2006
