In the same vein as my series earlier this year on Windows vs. OS X vs. Linux security, let’s explore how I came to this subjective opinion.
• Lower profile target. One of the main reasons I’m more willing to trust my data security to my OS X (Mac) system is that they have a smaller market share than Windows does. This sounds peculiar to many people who aren’t familiar with security, but in the dangerous world that is the Internet, keeping a low profile can be an important aspect of staying secure.
The reason for this, quite simply, is that our attackers, by and large, write their attack code to market share, for all the same reasons that legitimate software developers most often deliver their Windows products before their Mac or Linux ones.
Now, I’m fully aware that Firefox continues to make strides in this area and is constantly gaining market share, so this argument may well eventually fail. I’m confident, though, that by then I’ll have other, lower profile choices available.
For now, finding a balance between unpopular and popular enough to be widely supported on the web sites I frequent is very much a security consideration. Today, that nod goes to Firefox for my needs. It’s very rare that I can’t use Firefox on sites that I care about.
Qualitative score: IE gets an F while Firefox gets a B+.
• Configurability. This is a tough one to judge. Like many Microsoft features, IE has a quite rich set of security features that can be configured to suit the user’s needs. Firefox, by comparison, is more simplistic in its security configuration choices. There’s a strong argument to be made for each approach.
IE manages its security via “zones”—Internet, Local intranet, Trusted sites, and Restricted sites. Within each zone, the user has a rich set of configuration options where authorizations can be fine-tuned. For example, Internet sites can be set to default to disallowing browser scripting, ActiveX, Flash, and other dangerous content. That’s the good news.
Qualitative score: IE gets a B+ while Firefox gets a B-.
• Security-minded plug-ins. Now here is where Firefox starts to shine, at least for my needs. I’m a huge fan of the popular and free plug-in, NoScript (available from noscript.net). NoScript provides a script whitelisting capability in the entire Mozilla family of browsers, including Firefox.
With NoScript, I can allow individual sites that I have some level of faith in to run script content in my browser, while defaulting to disallowing scripts for all others. I find this approach to be very workable, as I only have to teach NoScript once per site I visit.
To be fair, however, some people find NoScript to be very annoying for the same reasons that I find it liberating. And it’s certainly not perfect. It provides trust per domain, not per IP. That means that, for example, I could allow (say) mac.com to run scripts in my browser, and anything within that entire domain space would be allowed to run – clearly something that I want to avoid.
I understand there are similar (and no doubt more) similar plug-ins available for IE, but I have yet to find something that suits my needs as well as NoScript does. Perhaps someone out there can set me straight on this.
Qualitative score: IE gets a D while Firefox gets an A-.
• Open source scrutiny. Ok, this one is a bit shakey, but what the heck. I’m a big fan of open source. I like the fact that the entire Firefox source tree is “out there.” While I don’t place a lot of weight in this as a security feature for most software – indeed, numerous published studies would dismiss it – I just have to believe that Firefox has been studied quite closely by a lot of people. And I’m not just talking about people directly affiliated with Mozilla.
My rationale for this opinion is that Firefox is very high profile, as open source projects go. It’s also a prime target for phishers and other miscreants (notwithstanding my statements above about market share).
The same can’t be said for IE.
Qualitative score: IE gets an F while Firefox gets a C+.
So that’s how I decided Firefox is a better choice for me and my PC users versus IE. How do other browsers fare?I mentioned, after all, that I’m now an OS X desktop user – how about Safari? I also have a few friends whose opinions I trust who use Opera. We’ll dive into those browsers at a later date here.
For now, I’m happy using Firefox with NoScript protecting me from the vast majority of nasty stuff that can happen in Internet applications. Until, that is, something better comes along.