Hi all,
Could anyone give a concise answer on why Firefox is more secure than IE? Or maybe point me to some good articles.
cheers,
j
Right now, Firefox and other browsers are "more secure" because of their lack of being tied so closely to the OS as well as requiring more interaction with the user (in regards to downloads and spyware activity). Additionally, there are few spyware/malware in existence that take advantage of Firefox.
This might change since it has become more popular. It is still subject to various phishing exercises and flaws in URLs. You can find info on the various Firefox/Mozilla flaws here. IMO, it still comes down to how the user uses the product and how aware they are of issues that exist out there in the wilds of the Internet.
Howstuffworks: Firefox Security might also give you some simple insights.
Security comes with lack of knowledge. The less people know about something the less people are going to try to exploit it. No point in working hard on something if no one is using it. But like MsMittens was saying, anything can be secure if you know what needs to be secured.
*Learn to code and make all your own software : )
Normally all applications are of equal security, due to the simple fact that applications cannot contain or isolate themselves. This is entirely up to the OS.
Think about it, if application X has 100 known exploits, but is completely isolated by the OS and application Y has 1 known exploit but is not isolated at all... which application is more secure?
All of that being said, in a network environment IE is "more secure" because it can be configured via the group policy. This allows the admin to enforce a higher level of control, resulting in greater consistency.
Additionally because IE is bound to the OS, installing an additional browser merely adds to the system and I'm sure by now we all know that the key to high assurance/security is simplicity. ;)
cheers,
catch
How about when working with secure connections / protocols (SSL, IPSEC)? I reckon that since those are standards the level of security or encryption will be the same on both browsers.
thnx
Everyone has said it or thought about it, Firefox is everything IE was a year ago.
Not necessarily. Even on things such as SSL there can be implementation flaws that come with the browser itself. It's usually something that works with SSL that breaks, such as the following examples:
http://netscape.intelligent.net/redisa/ssl_spoof.html
http://news.zdnet.co.uk/software/0,3...2068733,00.htm
There was a flaw in Netscape a few years ago, I believe, with the random number generator used for the crypto as well.
Sometimes the flaws are shared, most of the time there is an implementation problem in one or the other.
Firefox...safer...
http://www.internetnews.com/dev-news...le.php/3494316
Quote:
The report shows the Firefox browser was only exposed to a publicly known vulnerability without a patch for 65 days in 2004; IE, on the other hand, was safe for only seven days last year.
Mozilla Community Cashing in on Bug Bounties
fewer users...
It would seem that many of you don't read... perhaps we can give this another shot:
"Current security efforts suffer from the flawed assumption that adequate security can be provided in applications with the existing security mechanisms of mainstream operating systems."
- The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments ( http://www.nsa.gov/selinux/papers/inevit-abs.cfm )
You see what that says? Adequate security cannot be provided by applications... it must be accomplished at the OS level. What does this mean? Application security DOES NOT MATTER! Unless your application is PERFECT sooner or later it will be exploited, and all applications get exploited in the same way. A BOF in Firefox is the same as one in LYNX and the same as one in MSIE.
Counting exploits is not a viable measure of security. If an exploit is made public on Jan 1, 2005... that software was vulnerable since its inception, aka 100% of the year not 300 days, not even 358 days. Even though the exploit isn't widely known, it still existed.
So again, I'll say it... the NCSC says it, the NSA says it, the good people at ISO say it, the CISSP exam says it.
APPLICATION LEVEL SECURITY IS MEANINGLESS.
cheers,
catch
edited for formatting
Quote:
All of that being said, in a network environment IE is "more secure" because it can be configured via the group policy. This allows the admin to enforce a higher level of control, resulting in greater consistency.
Thank you! So often folks blindly hoist up the MoZiller/Firefox banner regardless of the scenario.
cheers
Greetings
From: http://secunia.com/product/4227/
Quote:
Currently, 4 out of 13 Secunia advisories, is marked as "Unpatched" in the Secunia database.
Now if you look at the dates at which these 4 vulnerabilities were discovered, the oldest one was discovered on 2004-08-30, hence an eight month old vulnerability is still unpatched. More on this specific vulnerability can be found here: http://secunia.com/advisories/12403/. This vulnerability is classified as less than critical.
As per Secunia.com
Quote:
Mozilla Firefox 1.x with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Less critical
Now as for Internet Explorer
Quote:
Currently, 20 out of 79 Secunia advisories, is marked as "Unpatched" in the Secunia database.
The oldest unpatched vulnerability in IE is as old as 2003-03-13 ( http://secunia.com/advisories/8283/ ).
And verdict for IE as per Secunia.com
Quote:
Microsoft Internet Explorer 6 with all vendor patches installed and all vendor workarounds applied, is currently affected by one or more Secunia advisories rated Highly critical
Also if you look at solutions provided for SOME of IE unpatched vulnerabilities it says
Quote:
Use another browser.
But you have to understand these are views as per one site. Also as per Secunia and its statistics Opera is the most secure browser as none of the vulnerabilities found in Opera are still unpatched.
This is all as per www.secunia.com.
you may also want to take a look at this active thread :
http://www.antionline.com/showthread...hreadid=267304
Quote:
Originally posted here by catch
You see what that says? Adequate security cannot be provided by applications... it must be accomplished at the OS level. What does this mean? Application security DOES NOT MATTER! Unless your application is PERFECT sooner or later it will be exploited, and all applications get exploited in the same way. A BOF in Firefox is the same as one in LYNX and the same as one in MSIE.
Counting exploits is not a viable measure of security. If an exploit is made public on Jan 1, 2005... that software was vulnerable since its inception, aka 100% of the year not 300 days, not even 358 days. Even though the exploit isn't widely known, it still existed.
So again, I'll say it... the NCSC says it, the NSA says it, the good people at ISO say it, the CISSP exam says it.
APPLICATION LEVEL SECURITY IS MEANINGLESS.
heh That's the complete opposite of what Smittens just said. I guess someone studied harder. Yeah, and those lockdown options in IE are there for a reason. And don't come complaining when you’re surfing on an Admin account either, that's what I tell 'em.
Quote:
Originally posted here by Microsoft TFM
Use separate accounts for administrative activity and general user activity. Individuals who do administrative work on the computer should each have two user accounts on the system: one for administrative tasks, and one for general activity.
Fellow AOs
Let us examine things a bit here. IMO, each product can be customized to meet the requirement of a user. There are categories in which we should consider before judging which is which (MORE SECURE).
A typical user could just conclude that product A is more secure than product B by checking and believing the statistics (which IMO, again depends on the type of crowd). Opinions in forums like AO could lead people to being convinced about such product. So far, I could see that the crowd is being driven to observe and think harder about concluding which is MORE SECURE. SECURE in what way? So far as the growing discussion here, perhaps we have to consider the following dependencies (correct my analysis if you may :) ):
A. Percentage of users of such product – Firefox has fewer users
B. Age of the product (since introduction) – Firefox is younger
C. Number of vulnerabilities and patches – depends on item A & B (IMO). See item D.
D. Sources of such security threat advisory (source 1, 2, 3 and so on…) – to name a few, sans, cert, secunia, AV websites, lots of them actually (those are the only ones I visited often).
E. Advisory of the product provider themselves – Seriously, advisories here come late compared to item D.
F. Degree of actual effect once exploited – depends on the data provided in items D & E
G. Coverage of users/clients really affected – As of now, it entirely depends on items A and B.
H. Impact to security – Consider looking at the charts and level that can be found on sources in item D.
I. People’s awareness – The reason why the Internet is there is primarily to speed-up information. SURF, SEARCH, READ IMPORTANT UPDATES ABOUT THE PRODUCT! AO is a good source. :D
- And while patches are being done, we have to get updated whenever it is available. Good thing LIVE UPDATE OR REMINDER IS THERE, use it!
Check these related articles about the current analysis:
http://informationweek.com/story/sho...leID=159905629
Quote:
"We must stay ahead of the curve in patching potential vulnerabilities," he said.
Reminder: Sometimes, don’t trust the media too much. Research and seek a really reliable source.
Yo!
I'm going to throw something out here....
Firefox is indirectly more secure due to the slightly more educated/motivated userbase.
Those who are willing to take that extra step are more likely to have a firewall/antivirus/system updates since they are still extra steps.
I'd also like to throw out the lack of ActiveX.....
Quote:
Firefox is indirectly more secure due to the slightly more educated/motivated userbase.
Come now, let's consider how many people who made the switch for reasons based on word of mouth... yep, there's no way you're going to shake the minds of those people. :rolleyes:
Quote:
Firefox is indirectly more secure due to the slightly more educated/motivated userbase.
I disagree with this point. Most of Firefox's user base seems to be people that think Firefox is more secure. I submit that these people actually know very little about security (see my above post) and enjoy having the perception of security. These people are more likely to be compromised as their perception of security frequently precludes actual security.
cheers,
catch
Touche....
Well... one thing that was said earlier, about IE being more secure due to configuration through group policy....
This does not mean IE is more secure, it means that it is easier to secure in a networked environment.
Hell, if you want a secure browser... ain't nothing quite like lynx.... ;)
Quote:
Well... one thing that was said earlier, about IE being more secure due to configuration through group policy....
This does not mean IE is more secure, it means that it is easier to secure in a networked environment.
You'll note, I put "more secure" in quotes. When comparing two networks, one with a collection of browsers configured in an ad hoc manner and the other with all of the browsers configured via a central point, which is more likely to have security issues from misconfigurations? This is why a security configuration (approved manuals, etc) is a major point in both of the primary security evaluation standards.
Why is security frequently called the antithesis to productivity? Because security is best achieved through bottlenecks. Single points of high assurance whose presence is felt across everything behind it. Consider firewalls, security kernels, and mantraps as a few prime examples. Now there may be ways to configure Firefox uniformly across a network in a mandatory fashion... but such a method has undergone no formal evaluation (or even much informal evaluation) and consequently cannot be trusted.
cheers,
catch
Thanks, everyone for your feedback.
So, it would be correct to say that for visiting sites that require a secure connection it's the same to use IE or Firefox since the protocols for secure connections are standards shared by both browsers. What will you choose to use, IE or Firefox, for, say, online banking?
cheers
Well.... I have chosen Firefox for a long time, but then again... I'm a Linux user... so IE isn't really a viable option....
But in all honesty, the security of both is completely up to you... SSL isn't going to help the person who downloads every attachment.... :P
I'm still learning and catch will correct me where I'm wrong. (from the Brett D. Fleisch publication) If I'm correct this stems from the TOS layered design and ring structure (one type of design): level zero being your innermost core and most secure, and the outermost layer being level eight (untrusted user programs) being least secure. So, with Firefox you're getting further away from your security core, and IE is protected by inner layers or rings closer to its core, figuratively speaking? I guess until TOS philosophy is widely adopted and the ideals are applied to lower level systems; like security mechanism education and the likes. I'm afraid we'll continue to see old habits dying hard and more prosy threads like "my system is broke" etc... With an acronym such as the aforementioned, it’s blatantly obvious that we're dealing with deep security, as deep as you can go, you'd think it would be welcomed on a site with the slogan of this one. Sadly, it's eschewed for reasons of silly pride or whatnot or lack of understanding and comprehension. :(
I wish not to be like all those other poor dullards and choose to think out of the norm.
http://informationweek.com/story/sho...leID=160900911
Quote:
There are no magic cures, period.
I am using IE on poweruser account w2k. After visiting bunch of porn/warez sites I didn't catch any malware.
IE is secure? NO
I'm good in blocking malware? NO
I use Spybot S&D TeaTimer? Yes
My answer on main question in this thread is:
Any app is secure if you know how to secure it, or if you use other security tools with it.
Advice:
Try both IE and Mozilla. See what is easier to use, more comfortable. Then decide what you will use in the future. After that, secure your box. How to secure it? Try to read security tutorials on AO for example.
No matter what you use for browsing, don't forget AV, patching, firewall, patching, malware scanners, patching, reading security tutorials, patching, not using admin account when browsing, patching, etc.
Hello!
It is a nice review about SW and SW vulnerabilities in general. It even discusses different users' reactions to SW they try or use. About the stats on vulnerabilities, I am still on the look-out for it and observe the trends before choosing any SW or tool to use.
Lately, I have UPDATED my XP PRO BOX with SP2. Together with the latest Win Security Update, IE is promising especially in blocking popups and other malicious code (I guess). And for Windows, I had installed MS Antispyware and update it and scan my system regularly (usually 3x a week).
Like Ikalo said, every tool or SW's capabilities and security depends on the user. I also use Ad-Aware, Spybot S&D and even use Firefox as my primary browser. I have AVG and ZoneAlarm to finalize my BOXES SW specs. Since I started using Firefox, I haven't got much Malware around. But still the best practice is be updated with news, threats and as much as possible, everything that got to do with the internet and its security.
IE or Firefox, there is a certain barrier between how I use the 2 browsers. First, I use IE in some sites that are IE friendly. I use Firefox commonly for my browsing since I like it and I explore its capabilities. As far as securing my Windows BOX, it's a tough job especially if other employees use my BOX. I let them use limited account especially for browsing and try to orient other users on how to properly observe security while surfing the net. I also discourage other co-employees on surfing untrusted sites and even encourage them to update their tools like AV, Anti-malware/spyware, and other security SW and scan their system on a regular basis (mostly weekly).
Most of the things I implement in my SECURITY practice was due to the fact that I read stuff and news about technology and computers (reliable sources). I dig and search for things I would like to know. And AO came in handy whenever I have security issues I suspect in my BOX.
-GONE