The conventional wisdom in security circles used to be that Microsoft's Internet Explorer was hopelessly attack-prone and that only someone with a cyber death wish would prefer it over such alternatives as Mozilla Firefox, Opera or Apple's Safari browser.
That's no doubt still the case for some. But with Microsoft more focused on IE security than it used to be and the market increasingly saturated with Web-browsing alternatives like Google Chrome, opinions aren't as sharp as they once were.
CSOonline.com recently conducted a highly unscientific, very informal poll of security practitioners, asking which browser they consider more secure. Firefox still scores well for many who like the frequent and easy security updates. But IE seems to be gaining more acceptance, especially since Microsoft released version 7 a couple of years ago. As for Google's Chrome, the jury is still out.
In the final analysis, though, security pros say the quality of one's IT defenses can't be based on the browser a company uses. If one were to get into a flaw count between browsers (Microsoft's Jeff Jones used to make a lot of noise in the blogging world doing just that; we won't do that here), the security of each would rate about the same.
With attacks increasingly aimed at the application layer, and Web apps a particularly juicy target, it's clearly critical that all browser-makers continue to improve. However, security pros say that from their point of view, it's better to worry less about the browser and more about what other security layers are in place throughout the organization. In other words, one secure browser will never be a substitute for defense-in-depth.
When Mozilla launched Firefox 1.0 in late 2004, users praised it as the ironclad alternative to IE, whose security reputation was at a low point after years of withering attacks targeting a cornucopia of vulnerabilities. Some began questioning the security of Firefox after a steady stream of security fixes that rivaled the number usually found in a Microsoft Patch Tuesday release. But its popularity remains largely undiminished among the security crowd.
Asked for his preference, Chicago-based critical infrastructure researcher and security author Bob Radvanovsky didn't hesitate.
"Firefox, without a doubt," he said. "Something that doesn't record my keystrokes or keep my cached information, and does what I ask it to do."
Tudor Panaitescu, manager of global network security at Colorcon Inc. in the Greater Philadelphia area, said Firefox has been an important part of his efforts to be Windows-free.
"I am using Firefox on Linux 99.9 percent of the time. I have to admit that for the last couple of years I am Windows-free, no Windows on my workstation at work nor on my PCs at home," he said. "I am a long-time Netscape/Mozilla suite/Firefox user, I recommend it to all my friends and family, and I definitely consider it more secure than everything else out there."
Panaitescu said he has worked with IE and Safari but hasn't tried Chrome yet. "IE is notorious for security issues and Safari is based on the same renderer and is not so friendly," he said. "I've also heard of some security issues there, too, and it doesn't run on Linux (AFAIK)."
Others, like Russ Hall, owner of Nebraska-based Perfect Security LLC, prefer Firefox but only with some setting tweaks. He said he feels most secure using Firefox 3 with plug-ins NoScript and Sandboxie.
"It is true that sites can't display scripts without my toggling that feature but I haven't found this distracting," he said. "Sandboxie will prompt if you download something that should be saved permanently. Otherwise, it is flushed at the end of the session."
IE better, but still flawed
IE still has many security holes, and Microsoft's monthly patch updates almost always include a cumulative update for the browser. But the mere mention of IE doesn't cause the chorus of sneers and groans that were typical half a decade ago.
That doesn't mean security pros now embrace it unconditionally. Some have learned to accept it as a necessary evil because of its compatibility with various websites that won't work in Firefox.
"I use IE 7, but I must confess this is not a security choice but a compatibility one," said François Amigorena, president and CEO of French security software company IS Decisions. "As an independent software vendor specializing in security solutions for Windows-based infrastructures, my company uses a bunch of Microsoft products, including Exchange, SQL Server, Dynamics CRM, SharePoint, Groove, Live Meeting, and so on."
Therefore, he said, the company is "forced" to stick with IE in order to avoid heavy compatibility issues.
Others are more indifferent about which browser they use. It's not that they don't care. It's that they feel about the same level of security with the likes of IE and Firefox.
One IT security professional who requested anonymity said he uses both and makes sure each is kept up to date on security patches. He also uses a secure hardware device from IronKey to store his online passwords, so when he needs to use someone else's PC he can launch the browser from the secure memory on his USB key.
"I don't know if this really makes me more secure, but I feel more secure, and with the password management on the key I can create really strong random passwords since I don't have to remember them," he said. (See Researcher Promotes Concept of 'Safe' and 'Promiscuous' Browsers for a related point of view from WhiteHat Security founder Jeremiah Grossman, who emphasized the browser settings and uses rather than the choice of browser.)
No substitute for layered security
For most of those interviewed for this article, the browser one uses isn't as relevant in the big security picture as the defensive layers across the network. A vendor can make the most ironclad browser ever, but it will never be a substitute for a multi-tiered security program.
"In terms of vulnerability, all the browsers are the same," said Nicolas Fort, product manager at Vasco Data Security. "The big point for me is that security is a different layer, it has to be provided."
He would never trust the security of a browser by itself if he were making a transaction on a banking site. Instead, he said he would want to use a different mechanism to ensure authentication.
John Cass, a Boston-based online marketer and author of "Strategies & Tools For Corporate Blogging," said the most attacked browser is always going to be the one with the most market share.
"Perhaps your article should state or conclude that no browser is safe, and here are some best practices to follow to mitigate the chances of problems happening due to security issues," he responded.