IE or Firefox: Which is More Secure?
Surprise, surprise -- opinions on which Web browser offers better security are not as stark as they were a few years ago. In an informal poll, security pros rated IE, Firefox and others about equal -- for better or worse
By Bill Brenner , Senior Editor
February 02, 2009 — CSO —
The conventional wisdom in security circles used to be that Microsoft's Internet Explorer was hopelessly attack-prone and that only someone with a cyber death wish would prefer it over such alternatives as Mozilla Firefox, Opera or Apple's Safari browser.
That's no doubt still the case for some. But with Microsoft more focused on IE security than it used to be and the market increasingly saturated with Web-browsing alternatives like Google Chrome, opinions aren't as sharp as they once were.
CSOonline.com recently conducted a highly unscientific, very informal poll of security practitioners, asking which browser they consider more secure. Firefox still scores well for many who like the frequent and easy security updates. But IE seems to be gaining more acceptance, especially since Microsoft released version 7 a couple of years ago. As for Google's Chrome, the jury is still out.
In the final analysis, though, security pros say the quality of one's IT defenses can't be based on the browser a company uses. If one were to get into a flaw count between browsers (Microsoft's Jeff Jones used to make a lot noise in the blogging world doing just that; we won't do that here) the security of each would rate about the same.
With attacks increasingly aimed at the application layer, and Web apps a particularly juicy target, it's clearly critical that all browser-makers continue to improve. However, security pros say that from their point of view, it's better to worry less about the browser and more about what other security layers are in place throughout the organization. In other words, one secure browser will never be a substitute for defense-in-depth.
When Mozilla launched Firefox 1.0 in late 2004, users praised it as the ironclad alternative to IE, whose security reputation was at a low point after years of withering attacks targeting a cornucopia of vulnerabilities. Some began questioning the security of Firefox after a steady stream of security fixes that rivaled the number usually found in a Microsoft Patch Tuesday release. But its popularity remains largely undiminished among the security crowd.
Asked for his preference, Chicago-based critical infrastructure researcher and security author Bob Radvanovsky didn't hesitate.
"Firefox, without a doubt," he said. "Something that doesn't record my keystrokes or keep my cached information, and does what I ask it to do."
Tudor Panaitescu, manager of global network security at Colorcon Inc. in the Greater Philadelphia area, said Firefox has been an important part of his efforts to be Windows-free.