Feeds

Firefox 2.0: happier browsing, but secure?

The jury's still out

SANS - Survey on application security programs

Review It's long past time to bother telling anyone how much better than IE Firefox is. Faster, smaller, more responsive, with tabbed browsing and useful extensions galore. It's also lot more secure than IE, partly because it's open source, and particularly because it's not integrated with the underlying OS.

Firefox's security bugs involve the browser only, and can be fixed quickly and without much fuss. On the other hand, because of its integration with the OS, IE's bugs can involve the system overall, and may need weeks or months to sort out.

Indeed, IE6 was estimated to be vulnerable to exploitation for 284 days last year, even among users who patched it religiously, as we reported recently. In contrast, Firefox was estimated to have left users exposed to unpatched flaws for a total of nine days over the same period. Microsoft's sluggish turnaround with IE's flaws, due chiefly to the vast complexity of the system of which it is a part, is reason enough to recommend Firefox.

Nevertheless, I've long advised security-conscious users to prefer Mozilla to Firefox, in stubborn defiance of the slobbering media infatuation lavished on Firefox. The good news is that recent versions of Firefox are catching up with Mozilla nicely, although there is still some work to be done.

For example, I never liked the way earlier versions of Firefox handled passwords and form data, third party cookies, third party images, cookie expiration, link prefetching, and other configuration issues that affect privacy and security. I also never cared for the way configuration options would change from release to release. It's hard to write about Firefox with an emphasis on security and privacy, or give practical configuration advice, because the developers keep adding configuration options, then discarding them, then reviving them. Mozilla has remained consistent in its excellent set of configuration options, which means that the step-by-step security and privacy setup for Mozilla detailed in my 2004 manual Computer Security for the Home and Small Office is still effective.

Firefox has not shown anything approaching this degree of consistency. For example, on my trusty Linux box, I have Firefox version 1.5.0.4, with a configuration option enabling me to block third party images. On my cursed Windows box, I have Firefox version 2.0.0.1, which lacks this option. It's an important privacy issue, because there are invisible, 1-pixel-square images called web bugs often embedded in web pages by third parties - marketing outfits, usually - which are used to track our web sessions. Marketers prefer to call them "web beacons", but they are, in fact, bugs.

They can be defeated quite easily, by preventing your browser from loading images from sites other than the one you are visiting. Perhaps 2.0.0.1 defaults to loading images only from the websites you visit, but by withdrawing the option, the developers have left me a good deal less confident.

Nevertheless, there have been significant improvements in Firefox 2.x. I am somewhat in favour of the option to clear personal data, which you can configure to clear your browser cache, cookies, browsing history, download history, saved form information, passwords, and authenticated sessions. You can choose any or all of those options, and you can set it to delete this information whenever you close Firefox, or you can do it manually. You can also set it to ask you on exit, and choose not to clear these items whenever that suits you.

Still, I have reservations. This is hardly a secure way to delete these data traces, so no one should allow themselves to get a false sense of security from this option. However, if these files are constantly overwritten each time you open and close the browser, it's at least fairly likely that old data will be overwritten in time, and will not accumulate over long periods. It's better than nothing, but it is something of a privacy gimmick and I'm not behind it wholeheartedly.

3 Big data security analytics techniques

More from The Register

next story
OpenBSD founder wants to bin buggy OpenSSL library, launches fork
One Heartbleed vuln was too many for Theo de Raadt
Got Windows 8.1 Update yet? Get ready for YET ANOTHER ONE – rumor
Leaker claims big release due this fall as Microsoft herds us into the CLOUD
This time it's 'Personal': new Office 365 sub covers just two devices
Redmond also brings Office into Google's back yard
Ubuntu 14.04 LTS: Great changes, but sssh don't mention the...
Why HELLO Amazon! You weren't here last time
Patch iOS, OS X now: PDFs, JPEGs, URLs, web pages can pwn your kit
Plus: iThings and desktops at risk of NEW SSL attack flaw
Next Windows obsolescence panic is 450 days from … NOW!
The clock is ticking louder for Windows Server 2003 R2 users
Batten down the hatches, Ubuntu 14.04 LTS due in TWO DAYS
Admins dab straining server brows in advance of Trusty Tahr's long-term support landing
Red Hat to ship RHEL 7 release candidate with a taste of container tech
Grab 'near-final' version of next Enterprise Linux next week
Apple inaugurates free OS X beta program for world+dog
Prerelease software now open to anyone, not just developers – as long as you keep quiet
prev story

Whitepapers

Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.