Browser Security: IE vs. Safari vs. Firefox

When browsing the net, I’m safest when I’m using Mozilla’s Firefox 3.0 browser—at least after I’ve tweaked it just a bit. Yup, I have absolutely no doubt about it. I’ve looked at others, and I’m sticking with Firefox.

But instead of just taking my word for it, let’s take a closer look at why I believe this to be true. First, let me describe the contestants.

As I’m principally a Mac user (Leopard 10.5.4), I’m mainly concerned with Firefox and Apple’s own Safari browser, but I’ll also compare them against Microsoft’s Internet Explorer (IE). I should also note there are significant other options available, not the least of which is the highly-regarded Opera browser. For now, though, I’m going to stick with the top 3 in my comparison: Firefox, Safari, and IE.

As with the comparisons I’ve done here of Windows vs. Linux vs. OS X security, I’m going to explore various user-level differences between the browsers. I do believe, after all, that the determined tech-savvy user would be able to use any of these three browsers quite securely.

Out-of-the-Box Configuration

In their own ways, all three of these browsers are delivered in an overly trusting configuration. If you’re serious about being secure in your Web browsing habits, it’s clear you’ll need to spend some time fine-tuning each of these products. Despite their claims of providing security features (see below), when you install these products, they make some serious mistakes.

Chief among the default mistakes is allowing active content (e.g., Javascript, ActiveX) to run by default, from just about any site you might connect to. This, by the way, is the single most important thing to control if you want to make your browser more secure. Nonetheless, I have to give a slight nod here to Firefox for its “safe browsing” feature as well as IE for its security zones, including an “Internet zone” which is at least slightly untrusted.

Qualitative Score: Firefox gets a D, Safari an F, and IE a D.

Security Features:

All three browsers offer some rudimentary security controls in the way of being able to allow or disallow broad categories of content, such as Javascript, Java, or ActiveX. But by default, these features are so broad in their “all or nothing” approaches as to be next to worthless.

Turning off Javascript, for example, just doesn’t work. Today’s Internet applications, by and large, require Javascript in order to run, so I need to enable that for sites I want to do business with. On the other hand, uncontrolled Javascript is a boon to all types of miscreants who want to attack my computer.

Beyond that, IE’s security zones are actually a pretty powerful mechanism for controlling Web content and how it interacts in the browser. Unfortunately, to really get the power from the security zones requires a learning curve that few users will be willing or able to overcome. Firefox’s “safe browsing” feature works in conjunction with an external site (run by Google) to blacklist various Internet sites that are thought to be harboring phishing attacks and other nasties. This is turned on by default, and most users needn’t even be aware it’s there.

Unfortunately, it’s fundamentally a negative validation model that is doomed to eventual failure—think anti-virus signature updates. So this category is a tough call, since all three products are pretty awful.

Qualitative Score: Firefox gets a C, Safari a F and IE a D.

Must Read