But instead of just taking my word for it, lets take a closer look at why I believe this to be true. First, let me describe the contestants.
As Im principally a Mac user (Leopard 10.5.4), Im mainly concerned with Firefox and Apples own Safari browser, but Ill also compare them against Microsofts Internet Explorer (IE). I should also note there are significant other options available, not the least of which is the highly-regarded Opera browser. For now, though, Im going to stick with the top 3 in my comparison: Firefox, Safari, and IE.
As with the comparisons Ive done here of Windows vs. Linux vs. OS X security, Im going to explore various user-level differences between the browsers. I do believe, after all, that the determined tech-savvy user would be able to use any of these three browsers quite securely.
In their own ways, all three of these browsers are delivered in an overly trusting configuration. If youre serious about being secure in your Web browsing habits, its clear youll need to spend some time fine-tuning each of these products. Despite their claims of providing security features (see below), when you install these products, they make some serious mistakes.
Qualitative score: Firefox gets a D, Safari an F, and IE a D.
Beyond that, IEs security zones are actually a pretty powerful mechanism for controlling Web content and how it interacts in the browser. Unfortunately, to really get the power from the security zones requires a learning curve that few users will be willing or able to overcome. Firefoxs safe browsing feature works in conjunction with an external site (run by Google) to blacklist various Internet sites that are thought to be harboring phishing attacks and other nasties. This is turned on by default, and most users neednt even be aware its there.
Unfortunately, its fundamentally a negative validation model that is doomed to eventual failurethink anti-virus signature updates. So this category is a tough call, since all three products are pretty awful.
Qualitative score: Firefox gets a C, Safari a F, and IE a D.
As I said above, the first thing to take control of in securing a browser is active content. None of the three browsers is great at that out of the box. Firefox and Safari are downright horrible at it. So, I generally turn to security add-ons for this sort of thing. My favorite such add-on is NoScript, a free plug-in for the Mozilla family of browsers, including Firefox.
Its biggest complaint among users is that its ponderous to build that whitelist one site at a time. I say: Get over it. Over in Safari, theres a plug-in Ive recently started looking at called Pith Helmet. It too can block types of content from various places, but learning how to use it is not trivial. IE, as I said above, uses its zones for blocking content. Although I have no doubt something similar to NoScript must exist for IE, Ive not yet found it.
Qualitative score: Firefox gets a B, Safari a D, and IE a D.
Integration with operating system:
Okay, this category is not directly security-related, but it is nevertheless important in selecting a browser. Although Safari has been losing pretty pathetically in my other categories here, its integration with OS X is a work of genius. (Not so much for the Windows version of Safari )
For example, it fully integrates with OS Xs keychains, proxy settings, as well as other operating system features. Thus, if you use X.509 certificates for email authentication, you only need to maintain one repository of them. Similarly, if your network uses a corporate proxy for connecting users to the Internet, its all configured in one location.
Firefox, by comparison, chose to do all of that internally and ignore the underlying operating systems APIspresumably done in the name of ease of porting to numerous operating systems. This added complexity simply must have long-term functional as well as security ramifications, and remains my biggest complaint about using Firefox on OS X.
Qualitative score: Firefox gets a D, Safari an A, and IE an A.
This list of topics is, I believe, extremely important to the overall security of a browsing environment. I should also say that keeping your browser and its plug-ins up to date is absolutely vital. Most browsers are pretty darned good with that these days, even if they dont use the operating systems own software updating mechanism.
Overall, I feel safest using Firefox paired with NoScript, but I keep Safari and Pith Helmet around for some sites that either wont run on Firefox, or for those times when I absolutely need the browser to use an operating systems functionality directly. I also even occasionally will run IE inside a Parallels virtual machine, but when I do that, I immediately revert the virtual machine back to a pre-browse snapshot of itself, but thats another topic for another time and column.
I firmly believe that Firefox gives you the most secure browser for the least effort.