But instead of just taking my word for it, let’s take a closer look at why I believe this to be true. First, let me describe the contestants.
As I’m principally a Mac user (Leopard 10.5.4), I’m mainly concerned with Firefox and Apple’s own Safari browser, but I’ll also compare them against Microsoft’s Internet Explorer (IE). I should also note there are significant other options available, not the least of which is the highly-regarded Opera browser. For now, though, I’m going to stick with the top 3 in my comparison: Firefox, Safari, and IE.
As with the comparisons I’ve done here of Windows vs. Linux vs. OS X security, I’m going to explore various user-level differences between the browsers. I do believe, after all, that the determined tech-savvy user would be able to use any of these three browsers quite securely.
• Out of the box configuration:
In their own ways, all three of these browsers are delivered in an overly trusting configuration. If you’re serious about being secure in your Web browsing habits, it’s clear you’ll need to spend some time fine-tuning each of these products. Despite their claims of providing security features (see below), when you install these products, they make some serious mistakes.
Qualitative score: Firefox gets a D, Safari an F, and IE a D.
• Security features:
Beyond that, IE’s security zones are actually a pretty powerful mechanism for controlling Web content and how it interacts in the browser. Unfortunately, to really get the power from the security zones requires a learning curve that few users will be willing or able to overcome. Firefox’s “safe browsing” feature works in conjunction with an external site (run by Google) to blacklist various Internet sites that are thought to be harboring phishing attacks and other nasties. This is turned on by default, and most users needn’t even be aware it’s there.
Unfortunately, it’s fundamentally a negative validation model that is doomed to eventual failure—think anti-virus signature updates. So this category is a tough call, since all three products are pretty awful.
Qualitative score: Firefox gets a C, Safari a F, and IE a D.
• Security add-ons:
As I said above, the first thing to take control of in securing a browser is active content. None of the three browsers is great at that out of the box. Firefox and Safari are downright horrible at it. So, I generally turn to security add-ons for this sort of thing. My favorite such add-on is NoScript, a free plug-in for the Mozilla family of browsers, including Firefox.
Its biggest complaint among users is that it’s ponderous to build that whitelist one site at a time. I say: Get over it. Over in Safari, there’s a plug-in I’ve recently started looking at called “Pith Helmet.” It too can block types of content from various places, but learning how to use it is not trivial. IE, as I said above, uses its zones for blocking content. Although I have no doubt something similar to NoScript must exist for IE, I’ve not yet found it.
Qualitative score: Firefox gets a B, Safari a D, and IE a D.
• Integration with operating system:
Okay, this category is not directly security-related, but it is nevertheless important in selecting a browser.
Although Safari has been losing pretty pathetically in my other categories here, its integration with OS X is a work of genius. (Not so much for the Windows version of Safari…)
For example, it fully integrates with OS X’s keychains, proxy settings, as well as other operating system features. Thus, if you use X.509 certificates for email authentication, you only need to maintain one repository of them. Similarly, if your network uses a corporate proxy for connecting users to the Internet, it’s all configured in one location.
Firefox, by comparison, chose to do all of that internally and ignore the underlying operating system’s APIs—presumably done in the name of ease of porting to numerous operating systems. This added complexity simply must have long-term functional as well as security ramifications, and remains my biggest complaint about using Firefox on OS X.
Qualitative score: Firefox gets a D, Safari an A, and IE an A.
This list of topics is, I believe, extremely important to the overall security of a browsing environment. I should also say that keeping your browser and its plug-ins up to date is absolutely vital. Most browsers are pretty darned good with that these days, even if they don’t use the operating system’s own software updating mechanism.
Overall, I feel safest using Firefox paired with NoScript, but I keep Safari and Pith Helmet around for some sites that either won’t run on Firefox, or for those times when I absolutely need the browser to use an operating system’s functionality directly. I also even occasionally will run IE inside a Parallels virtual machine, but when I do that, I immediately revert the virtual machine back to a pre-browse snapshot of itself, but that’s another topic for another time and column.
I firmly believe that Firefox gives you the most secure browser for the least effort.