I have to say I still firmly believe I’m safer using Firefox than IE, and that’s not just because I’m principally a Mac user. I believe Firefox is a more secure choice for the average user, especially with just a little bit of tweaking.
So, let’s revisit my earlier conclusions and see how they’ve changed with the latest releases.
• Lower profile target. This remains largely true. Even with Firefox gaining significant market share recently, it’s still a lower profile target than Microsoft’s Internet Explorer. At some level, that fact does buy a modicum of security, at least from the perspective of how safe (or unsafe) an end user is. Note, however, that this does not make either browser more secure per se.
Further to that, Firefox is an add-on for any operating system. That means that there are naturally more users of IE than Firefox on any platform.
And the fact remains that malware authors, just like other software authors, are in large part writing software to market share. That makes Microsoft/IE popular targets by the bad guys. There is indeed a bit of safety in small numbers.
Qualitative score: IE gets an F while Firefox gets a B+. Unchanged.
• Configurability. This remains one of the toughest criteria to compare between the two browsers. And I’m limiting my comparisons here to the base browsers, without any plug-ins installed.
IE truly provides a hugely rich set of security features that can be configured and tweaked. Microsoft defines security “zones” such as “Internet,” “Local intranet,” “Trusted sites,” and “Restricted sites.” Although each of these categories is fairly loose, each can be finely tuned to suit the user’s needs.
In fact, the level of tuning options in IE is almost daunting. I don’t like to penalize a product for having too many security options, but I think this is a case of “menu-itis” in giving the end user too many options.
Firefox, on the other hand, has a powerful but simplistic set of choices. You can tune whether a site can invoke active content such as JavaScript, but it’s an all-or-nothing proposition. If it’s disabled for one site, it’s disabled for them all.
Despite IE’s sea of choices, I have to give it the nod here. They’ve helped obfuscate the confusion by creating the security zones, and it’s pretty darned easy to put sites into one of the zones based on how much trust they should get. Businesses you want to trust, for example, should go into “Trusted sites,” while all unknowns should fall into the “Internet” or even “Restricted sites” zones. Further, the default zone should be fine tuned a bit to disallow all active content.
The average user should be able to do that without too much fuss. One fairly easy way to achieve this is to set “Restricted sites” as the default, and then add trustworthy sites to either the “Internet” or even “Trusted sites” zones on a case-by-case basis. I just wish this had been the default setting.
Qualitative score: IE gets an A- while Firefox gets a C+. IE gains some ground, while Firefox has remained largely stagnant.
No comments:
Post a Comment