IE 7.0, Firefox, Netscape: One browser is at The Peak of Security. We'll tell you which comes out on top.
The Web browser has evolved into one of our most important desktop applications--and an enormous security concern. Shaken by years of one critical vulnerability after another, businesses are demanding better security in the nearly ubiquitous Microsoft Internet Explorer, or taking a hard look at alternatives, such as the popular newcomer Firefox.
Browsers are responsible for everything from security application management interfaces to Internet access to our brick-and-mortar bank accounts to MP3 players. Organized criminals exploit the Web to access corporate systems and databases and steal passwords and credit card numbers from individual users.
Users have switched to the open-source Firefox in large numbers since its release in late 2004, cutting IE's market share. Driven by the perception that it's more secure--as well as having cool features like tabbed windows--Firefox has garnered an estimated 8 to 11 percent of worldwide browser use. Other browsers, such as Netscape, are barely on the radar, with less than 1 percent market penetration.
Microsoft's response, IE 7.0, which is still in beta (no release date has been announced), will be the latest major release in the company's four-year-old Trustworthy Computing initiative. One version of the browser will be released for XP SP2, and another with Microsoft's forthcoming Vista operating system. It embraces Redmond's secure-by-default mantra and introduces additional security controls.
So which browser takes security to new heights? Information Security put that question to the test.
We evaluated security features of beta versions of Internet Explorer 7.0 and Netscape 8.0, and Firefox 1.0.7 (Firefox 1.5 was released after our evaluation was complete). Each ran in a production environment on Windows XP with SP 2. While home-user security is crucial to maintain customer confidence in online commerce, our emphasis was on maintaining a secure browser configuration baseline across an enterprise. We focused particularly on the flexibility of critical configuration settings and the ability to manage them in a corporate environment.
We concluded that while the others may be acceptable for home users, IE 7.0 is the clear choice for corporate environments. The combination of innovative security features and--perhaps most important--IE's superior capability for administering granular security configuration controls makes it the best business choice.
Are They Safe?
Overall, Netscape, Firefox and IE all do a good job protecting against pop-ups, phishing schemes and scripting attacks, but we found several new capabilities that move IE 7.0 ahead of the pack. We analyzed, tested and compared the browsers in eight key areas:
Both Netscape and IE 7.0 feature the ability to allow or prohibit Java and ActiveX execution by individual site. Firefox users have to turn these controls on or off for all sites.
IE 7.0 has greater flexibility in configurations that can be set to control Microsoft languages to include ActiveX and the .Net Suite (ASP, VB and C#).
IE 7.0 alone has introduced controls against cross-site scripting (CSS/XSS) or cross-domain (XD) scripting attacks by preventing an attacker from redirecting a user or session to an untrusted resource from within a current browser object. We tested this feature by sending an XD attack to IE 7.0 and attempting--without success--to redirect a user to a foreign site and carry the current browsing cookie.
In light of the known vulnerabilities and exploits of SSL 1.0 and 2.0, all three browsers support the more secure SSL 3.0 and TLS 1.0. IE 7.0 goes a step further: TLS is enabled by default, and SSL 2.0 is no longer supported. Netscape and Firefox both enable SSL 2.0, along with TLS and SSL 3.0, by default.
3. User information
All three browsers allow the user to delete potentially sensitive information--history, off-line content (e.g., media player content in temp files), cookies, temporary files cache, registry modifications and other sensitive data.
Firefox, as well as Netscape and IE 7.0, allow users to clear information such as history, cookies and cache. All sensitive information in IE 7.0 can be cleared with a single mouse click.
All three browsers feature site-parsing engines that can spawn multiple threads for retrieving data and thus download faster (Firefox was the first to integrate this feature, a key to its early popularity). The security concern with multi-threading is the browser's ability to secure each of, say, 1,000 concurrent sessions spawned on a site. We tried to compromise individual tunnels using man-in-the-middle attacks to inject untrusted code, but all the browsers thwarted our attempts.
5. URL Obfuscation
An offshoot of the antiphishing capabilities in all of the browsers are their ability to identify sites that may be attempting to obfuscate their URL patterns. For instance, a malicious site that wants to get your credit card information might launch a browser window that looks exactly like your online bank. While it might look and feel like your Acme Bank site, www.acmebank.com, in reality, the hidden URL would have shown it was coming from the clever phony site, www.my-acmebank.com.
IE 7.0 requires each Web site to display its URL, while Firefox and Netscape still retain the option to hide the address bar. Additionally, IE 7.0 allows you to limit the URL character set to the language of your choice, thwarting hackers who use foreign characters to fool users. While the option to hide the address bar embraces user-friendliness, it limits the ability of administrators trying to centrally manage these configurations.
Pop-ups are at best an annoyance, at worst a lure to malicious sites. Each tested browser is generally effective at blocking pop-ups. Netscape's and IE's controls are a little more granular, permitting designated sites to allow pop-ups and storing them as a site security property, while Firefox has a single button to block pop-up windows. However, Firefox has a configurable whitelist of sites that will permit pop-ups, so there's really little difference.
All three browsers have anti-phishing capabilities, but IE 7.0's and Netscape's functionality is embedded in their native code, while Firefox requires an antiphishing toolbar from Web services provider Netcraft.
Password maintenance is a serious security issue: Unencrypted, easily accessible passwords are prime prey for attackers. No worries on that score. All three browsers store application passwords with AES encryption and hide the actual characters from plain-sight view. Nevertheless, password transmission should really be the main concern. We'd love to see the browsers notify users when they are about to send a password in clear text over the Internet.
Phishing attempts, orchestrated by organized criminals, are a major factor in identity theft and a serious threat to online consumer confidence. Using social engineering, attackers lure users to convincingly fake Web sites, usually on hijacked servers.
All three browsers have taken first steps to help thwart phishing and alert users that they may be on a potentially bogus site, but the jury is still out on how much they really will help.
Firefox users can download a free antiphishing toolbar from Web services provider Netcraft (also available for IE 6.0), while IE 7.0 and Netscape embed this capability in native code. All three rely primarily on a blacklist of known phishing sites. This is helpful, but phishing sites are notoriously moving targets--they're taken down as soon as they're discovered, and the crooks simply move to another hijacked server.
IE 7.0 also uses a parsing engine that can potentially identify threats based on string patterns.
No security features are worth much in a corporate environment if managers can't configure and control them globally. In addition to superior security features, IE 7.0 really stands out in its ability to manage configurations across the enterprise.
|BROWSER SECURITY FEATURES|
While there's still no browser-embedded capability to centrally create browser configurations based on specific users or computers, you can create different browser configurations either through your AD implementation or enterprise disk imaging program.
AD is the better choice, since nearly all configuration controls--mostly registry settings--can be captured in a .INI file. The file can be distributed via SMS or commercial product, as opposed to an entire disk image every time you want to introduce new configuration settings or create specialized disk images for select groups. Further, because IE was designed to work with AD, you can control all of its more robust configuration options through this mechanism; the only way to manage all of the other browsers' more limited feature sets is through disk images.
The Vulnerability Caveat
Microsoft's track record on vulnerabilities hardly inspires confidence. The U.S. Department of Defense's NIST National Vulnerability Database lists 152 reported IE vulnerabilities in the last three years alone. Keeping up with patches and configuration controls, and the nagging anxiety about the next critical hole is the stuff of nightmares for security managers.
The assertion that Firefox is inherently more secure because it will have fewer vulnerabilities is open to debate. Since its release, 102 vulnerabilities have been reported, according to NIST. (Version 1.0 was announced in November 2004, though pre-1.0 betas were generally available for download and scrutiny.) Netscape had just 39 reported vulnerabilities in the last three years.
Numbers can be deceptive, though. IE is a mature product, so the continued discovery of large numbers of vulnerabilities is a real concern. On the other hand, it can be argued that the plethora of Firefox vulnerabilities is just an initial spike, typical of new applications.
Moreover, Firefox is under the close scrutiny of the open-source community, which is likely to uncover lots of issues early and, adherents argue, offer fixes as well. On the other hand, Microsoft defenders will argue that as a commercial software supplier, Redmond is obligated to address vulnerabilities quickly. It's typical of the open source/closed source debate, which we won't presume to resolve here.
Adoption of alternative browsers is also fueled by attackers' preference for exploiting IE's vulnerabilities because of the huge install base, especially among businesses. Of course, the other side of that coin is that, as Firefox becomes more popular, it's a more attractive target.
Naturally, there's no way to know what the future holds. Microsoft claims it invested heavily in quality control and security testing, and promises that IE 7.0 will be more secure than past browsers.
Netscape and Firefox share common base code, so most Netscape vulnerabilities will impact Firefox, while vulnerabilities in new Firefox code won't affect Netscape. Firefox 1.5 still shows its common roots with Netscape, particularly configuration options, parsing and cryptography code. This is in part because it is a product of open-source community development.
And none of these browsers offers iron-clad protection against sloppily written applications that leave them vulnerable to exploitation by attacks such as stack overflows and heap corruption.
Let's just acknowledge a few solid truths: All browsers have had major vulnerabilities and will continue to have new vulnerabilities; in the end all browsers will be confined by your network bandwidth and will be relatively similar in their download capabilities. None of them will protect you against the next malicious code threat yet to be discovered and released. The very best you can do is protect against all known threats, trust only those few sites that you indeed trust, and restrict all others.
IE 7.0, at least for the near term, presents a solution that will help secure the desktop's browsing environment better than the competition. The real question will come down to who's spent the time needed in security testing, and how many major vulnerabilities will be found in 2006.