Browser Security: IE vs. Safari vs. Firefox

Tuesday Jul 8th 2008 by Kenneth van Wyk

Each of the three browsers has strengths in malware protection, but it’s their weaknesses that are the most worrisome.

When browsing the net, I’m safest when I’m using Mozilla’s Firefox 3.0 browser—at least after I’ve tweaked it just a bit. Yup, I have absolutely no doubt about it. I’ve looked at others, and I’m sticking with Firefox.

But instead of just taking my word for it, let’s take a closer look at why I believe this to be true. First, let me describe the contestants.

As I’m principally a Mac user (Leopard 10.5.4), I’m mainly concerned with Firefox and Apple’s own Safari browser, but I’ll also compare them against Microsoft’s Internet Explorer (IE). I should also note there are significant other options available, not the least of which is the highly-regarded Opera browser. For now, though, I’m going to stick with the top 3 in my comparison: Firefox, Safari, and IE.

As with the comparisons I’ve done here of Windows vs. Linux vs. OS X security, I’m going to explore various user-level differences between the browsers. I do believe, after all, that the determined tech-savvy user would be able to use any of these three browsers quite securely.

Out of the box configuration:

In their own ways, all three of these browsers are delivered in an overly trusting configuration. If you’re serious about being secure in your Web browsing habits, it’s clear you’ll need to spend some time fine-tuning each of these products. Despite their claims of providing security features (see below), when you install these products, they make some serious mistakes.

Chief among the default mistakes is allowing active content (e.g., Javascript, ActiveX) to run by default, from just about any site you might connect to. This, by the way, is the single most important thing to control if you want to make your browser more secure. Nonetheless, I have to give a slight nod here to Firefox for its “safe browsing” feature as well as IE for its security zones, including an “Internet zone” which is at least slightly untrusted.

Qualitative score: Firefox gets a D, Safari an F, and IE a D.

Security features:

All three browsers offer some rudimentary security controls in the way of being able to allow or disallow broad categories of content, such as Javascript, Java, or ActiveX. But by default, these features are so broad in their “all or nothing” approaches as to be next to worthless.

Turning off Javascript, for example, just doesn’t work. Today’s Internet applications, by and large, require Javascript in order to run, so I need to enable that for sites I want to do business with. On the other hand, uncontrolled Javascript is a boon to all types of miscreants who want to attack my computer.

Beyond that, IE’s security zones are actually a pretty powerful mechanism for controlling Web content and how it interacts in the browser. Unfortunately, to really get the power from the security zones requires a learning curve that few users will be willing or able to overcome. Firefox’s “safe browsing” feature works in conjunction with an external site (run by Google) to blacklist various Internet sites that are thought to be harboring phishing attacks and other nasties. This is turned on by default, and most users needn’t even be aware it’s there.

Unfortunately, it’s fundamentally a negative validation model that is doomed to eventual failure—think anti-virus signature updates. So this category is a tough call, since all three products are pretty awful.

Qualitative score: Firefox gets a C, Safari a F, and IE a D.

Security add-ons:

As I said above, the first thing to take control of in securing a browser is active content. None of the three browsers is great at that out of the box. Firefox and Safari are downright horrible at it. So, I generally turn to security add-ons for this sort of thing. My favorite such add-on is NoScript, a free plug-in for the Mozilla family of browsers, including Firefox.

Once installed, it defaults to blocking all Javascript and other active content from running in your browser. One by one, you can enable Javascript to run on the sites where you want it to—for example, the sites you want to do business with. It thus slowly builds a whitelist of sites you allow.

Its biggest complaint among users is that it’s ponderous to build that whitelist one site at a time. I say: Get over it. Over in Safari, there’s a plug-in I’ve recently started looking at called “Pith Helmet.” It too can block types of content from various places, but learning how to use it is not trivial. IE, as I said above, uses its zones for blocking content. Although I have no doubt something similar to NoScript must exist for IE, I’ve not yet found it.

Qualitative score: Firefox gets a B, Safari a D, and IE a D.

Integration with operating system:

Okay, this category is not directly security-related, but it is nevertheless important in selecting a browser. Although Safari has been losing pretty pathetically in my other categories here, its integration with OS X is a work of genius. (Not so much for the Windows version of Safari…)

For example, it fully integrates with OS X’s keychains, proxy settings, as well as other operating system features. Thus, if you use X.509 certificates for email authentication, you only need to maintain one repository of them. Similarly, if your network uses a corporate proxy for connecting users to the Internet, it’s all configured in one location.

Firefox, by comparison, chose to do all of that internally and ignore the underlying operating system’s APIs—presumably done in the name of ease of porting to numerous operating systems. This added complexity simply must have long-term functional as well as security ramifications, and remains my biggest complaint about using Firefox on OS X.

Qualitative score: Firefox gets a D, Safari an A, and IE an A.

This list of topics is, I believe, extremely important to the overall security of a browsing environment. I should also say that keeping your browser and its plug-ins up to date is absolutely vital. Most browsers are pretty darned good with that these days, even if they don’t use the operating system’s own software updating mechanism.

Overall, I feel safest using Firefox paired with NoScript, but I keep Safari and Pith Helmet around for some sites that either won’t run on Firefox, or for those times when I absolutely need the browser to use an operating system’s functionality directly. I also even occasionally will run IE inside a Parallels virtual machine, but when I do that, I immediately revert the virtual machine back to a pre-browse snapshot of itself, but that’s another topic for another time and column.

I firmly believe that Firefox gives you the most secure browser for the least effort.

Mobile Site | Full Site
Copyright 2017 © QuinStreet Inc. All Rights Reserved