FireFox as a Security Risk Compared to IE?
A not-so anonymous Anonymous Coward asks: "The administrator at my work gave me the following reason for not using Mozilla. What do you think? 'FireFox is a security risk. Please refrain from using it. Please continue to use IE 6.0. IE is our only supported browser. FireFox saves encrypted pages to disk and does not give you override capability. It also does not allow automatic cache clearing when closing a browser. These are security risks.'" Do any of you have information that could be used to contradict the administrator's information on FireFox? Are there configuration options one can reach from about:config that a user can use to address the problem this administrator has cited?
Or better yet, when you find out a good, definitive answer (that could potentially help those of us in the same boat to convince our higher-ups), do a nice write up of all of the info you collected and THEN submit it to slashdot.
"The object of war is not to die for your country, but to make the other bastard die for his." - Patton
Turn off caching. In the configuration, privacy, cache, set that to 0, and caching is now disabled. Now, why anyone would claim that Mozilla/Firefox is less secure than IE because of their own idiocy should be shot.
Maybe it's a joke.
by default, ssl cache is disabled on firefox.
Just install it anyway. There's no way that they can tell you're using it, unless they're looking over your shoulder. Any admin who would say this, wouldn't know to transparently proxy HTTP traffic and inspect the logs, or have 'remote asset tracking' spy^H^Hoftware on your system worth a damn.
I want to delete my account but Slashdot doesn't allow it.
Use MSIE and access as many problem pages as you can so that you end up with a system filled with viruses, spyware, adware, popups and everything else until the machine slows to a crawl and then let IT deal with it.
The corps are under constant pressure to use MS software. The admin is just passing that on.
You are being MICROattacked, from various angles, in a SOFT manner.
In Mozilla my "browser.cache.disk_cache_ssl" was set to false by default; after checking Firefox, it's also set to false by default. So no, it doesn't cache SSL pages, unless you tell it to.
Also check "browser.cache.disk.enable": set it to false, and it won't write to disk cache at all, even more secure than IE, since no temporary files are written at all.
Next!
I think I'm going to have to call bullshit on your administrator.
In about:config, the property you want to look for is:
browser.cache.disk_cache_ssl
From This Page:
* Description: switch to enable caching of objects served over a secure connection (SSL).
* Type: boolean
* Default: false
* Recommendation: true on systems where it is secure to cache these objects.
By default, Firefox (and Mozilla, and Netscape) will *NOT* cache SSL-served pages. And, contrary to your administrator's *other* claim, you most certainly *can* toggle this behaviour in Firefox.
Ed R.Zahurak
You know, oblivion keeps looking better every day.
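An added example, not from any post in this thread: a small Python checker that parses the user_pref() lines of a Firefox or Mozilla prefs.js/user.js and reports whether SSL-served pages can end up in the on-disk cache, using the browser.cache.disk_cache_ssl and browser.cache.disk.enable preferences named above. The default of true for browser.cache.disk.enable, the browser.cache.disk.capacity preference standing in for the "cache size" option, and the sample profile contents are assumptions made for this example.

```python
import re

# Defaults assumed by this example. The thread states disk_cache_ssl defaults
# to false; the other two defaults are assumptions, not taken from the page.
DEFAULTS = {
    "browser.cache.disk_cache_ssl": False,   # SSL pages not written to disk
    "browser.cache.disk.enable": True,       # assumed default
    "browser.cache.disk.capacity": 50000,    # assumed default, in KB
}

# Matches one line of the form: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text):
    """Return {name: value} for every user_pref() line in a prefs.js/user.js.

    Booleans become bool, quoted strings lose their quotes, integers become
    int; anything else is kept as the raw token. Comment and blank lines
    are skipped because they do not match PREF_RE.
    """
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = (raw == "true")
        elif len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            prefs[name] = raw[1:-1]
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw
    return prefs


def effective_settings(prefs):
    """Overlay the profile's overrides on the assumed defaults."""
    merged = dict(DEFAULTS)
    merged.update({k: v for k, v in prefs.items() if k in DEFAULTS})
    return merged


def audit(profile_text):
    """Classify a profile by whether SSL content can reach the disk cache."""
    p = effective_settings(parse_prefs(profile_text))
    # The disk cache is effectively off if it is disabled or sized to zero
    # (the "set the cache size to 0" advice given in the thread).
    disk_cache_on = p["browser.cache.disk.enable"] and p["browser.cache.disk.capacity"] > 0
    if not disk_cache_on:
        return "ok: disk cache disabled, nothing written to disk"
    if p["browser.cache.disk_cache_ssl"]:
        return "risk: SSL-served pages are cached on disk"
    return "ok: disk cache on, but SSL pages are not cached"


# Constructed sample profiles (not real captured files).
RISKY_PREFS = """# constructed prefs.js: someone turned SSL caching on
user_pref("browser.cache.disk_cache_ssl", true);
user_pref("browser.startup.homepage", "http://example.invalid/");
"""
NO_DISK_CACHE_PREFS = 'user_pref("browser.cache.disk.enable", false);\n'
ZERO_SIZE_PREFS = 'user_pref("browser.cache.disk.capacity", 0);\n'

if __name__ == "__main__":
    for label, text in [("risky", RISKY_PREFS), ("untouched", ""),
                        ("disk cache off", NO_DISK_CACHE_PREFS),
                        ("size 0", ZERO_SIZE_PREFS)]:
        print(f"{label:15s} -> {audit(text)}")
```

Point it at a real profile with `audit(open(path).read())`; a profile with no relevant user_pref() lines is reported against the assumed defaults.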
I worked in an all-Windows shop for awhile. It wasn't too bad and the network and server admins were *very* tuned into the security notices from Microsoft. They would have every machine patched within one business day of the announcement. Maybe your company is the same way, and introducing non-Microsoft software may upset that cycle.
wow what a biased administrator you have.
tell him, he should get a job at microsoft instead. he fits nicely.
Even Microsoft uses Firefox.
Add an autorun.inf to fire up firefox.exe (with command-line switches -- see the first link's discussion) automatically upon insert and you're good to go.
Yeah, right.
While your admin may have issues with the default configuration for Firefox, there are genuine reasons for not deploying Firefox to your network. Most security conscious organisations have a very rigorous patching system for the authorised applications and operating systems. Any app which doesn't fit into that patching system (whether it be up2date, apt-get, SUS/WUS/SMS, yum or another flavour) presents a massive overhead to the IT team. Every time there is an update to Firefox, it needs to be repackaged and redeployed to every desktop in your organisation. And it's not just Firefox, but by setting a precedent of deploying MyRequestedAppX, they face pressure from all sides for AppY, AppZ, etc. Then the questions come - "you support Mr X's AppX with updates and patches - why not mine?".
Unless your organisation has the infrastructure to deal with non-baseline application patching, those apps WILL present a security risk while the IT team tries to find the resource to patch/update and deploy the latest version.
Why can't we all just get along?
For people at any sane shop. I have local Admin rights on my laptop, as I need to install s/w. As a result, I have disabled much of the IT spyware that your profile loads. The result? When AD blows up, or Novell NDS-AD bridge goes down, I can still get on locally. The fact that you speak so readily of needing to "go with the flow" and wistfully of the "Aeron chairs" and "foosball" table tell me that your experience was markedly different, perhaps due to our differing skillsets and attitudes. Sorry for your loss.
... because i've switched all the machines i'm responsible for to using firefox precisely because it's n-times harder to get malware. not impossible mind, but a lot harder by default. perhaps inducing some blunt trauma with a clue-by-four might help...
The group policy (Worldwide) is to have *ONLY* Windows 2003 Servers. ....
Just was doing a scan on the German network, and the main online reporting server/portal is running Linux
Hehe... either that or one of the clear German IT got MySQL and VSftpD http://vsftpd.beasts.org/ on Windows 2003, and hacked the TCP fingerprint to show up as Linux 2.4
The Admin is just stupid and does not have a clue of what Firefox really is.
You should, while the Admin-Troll is off getting a coffee, install Firefox on his PC and delete the IE icon from the desktop and start bar, and rename the Firefox one to "Internet Explorer" and change the icon to the stupid "E".
He probably will not even notice.....
P.S. His password is either "null" or printed on a post-it on his monitor......
"Clutch my testes, bloody squirrel humpers!!" -Happy Noodle Boy
Get your own mod points!?
The mod system is supposed to be METAinformation. People yelling at moderators does not help anything.
When you have mod points, use 'em. When you don't, SHUT UP.
Thank you.
(This message brought to you by a person suffering severe coffee withdrawal.)
That is a complete fucking lie. Unlike the security train wreck that is Internet Explorer, Firefox (and Mozilla and Netscape and every other browser designed by people with a semblance of knowledge about security) does not save encrypted pages to the disk cache by default. Internet Explorer does (can be disabled by unchecking the 'Do not save encrypted pages to disk' box on the Advanced tab of the Internet Options dialogue).
set browser.disk_cache_ssl to false. :)
it's set to false by default, btw.
My email addy? should be easy enough.
Also in recent news: jumping into a pit of lava is safer than swimming in your friend's swimming pool.
(This message brought to you by a person suffering severe coffee withdrawal.) ... who should be modded up ;p
I'm getting very tired of shouting idiots. There should be a free moderation when you're eligible: -1 STFU...
Your Admin either A) Works for Microsoft or B) Has mental problems.
But the admin didn't say "please use IE because we have defined patch and update mechanisms in place and we don't have the resources to do that for FF as well", the admin said "please use IE because FF is a security hole because [a bunch of bogus reasons]".
There's a wonderful little extension for Firefox called "Configuration Mania" and it works with 1.0. It has the ability to choose the option for the SSL disk cache mode as well as clear the disk cache every time you close the program, as well as other nifty little things. Give it a whirl.
Long live the revolution! Buy a Mac!
Dear slashdot, a friend of mine claims that his dad can beat my dad. Do any of you have information that could be used to contradict my friend's information on my dad, as I can't be bothered to check? Are there any options one can pursue (anabolics, boxing classes etc), that a kid can use to address the problem this friend has cited?
Wow. That guy is dumb. Set cache maximal size to 0 and you no longer save pages to disk. FireFox is far more secure than IE, it doesn't support ActiveSecurityhole, and isn't used by 90% of the population (who targets a browser that 10% use?)
If he's less concerned about viruses, spyware, trojans, and in fact any malware, and more concerned about an encrypted cache document not being deleted (again, a bogus concern), he needs to be disposed of by way of being fired. But that's just my opinion.
This sig no verb.
Tell him that ActiveX controls have no restrictions on their actions and that controls marked "Safe for Scripting" are by far some of the most dangerous security risks associated with that technology. Also be sure to let him know that ActiveX doesn't necessarily require user intervention to run. It can work without a user's knowledge or permission.
is that the sysadmin's security bots cannot read the cache and see what people have been up to (though he should be able to see the server logs).
Besides what you have written, Kiosk mode should fix everything.
The Singularity is closer than you think
Quant
http://www.firefoxie.net/
As someone else here mentioned, allowing the installation of Firefox would disrupt the usual patching routines, since the admins want to minimize the number of things to be watched over (i.e. if I let you install Firefox, then besides Microsoft's updates, I have to watch for Mozilla.org's updates too.) I can imagine the admins are already in deep shit with the Microsoftian legion of security flaws, but (un)luckily Microsoft has provided a rather automatic means of unattended update for IT administrators to save the day. Thus, adding Firefox into the equation just doesn't help. Especially when considering that there's no well known mass updating mechanism for Firefox and open source software in general. Sure you can write a program to look for the updates, changelogs, and related bugtraqs for you, but you can't expect an MCSE to write a proper program can you? ;^)
With this in mind, I wonder if open source software, despite superior quality to M$'s offerings, is friendly to IT departments? This question is significant since if we can't make our software friendly to companies then the average users aren't likely to use it as well. If the answer is negative, how can we tackle this problem?
yeah i could set a master password and enter it every time i want to access a site that uses passwords or i could not have it save passwords.
but i like the feature that keeps me from typing my password for every goddamn site that needs one (also a security risk as the chance to look over my shoulder increases)
oh and here's some salt for the wound: IE does not do that right? right!
save your hypotheticals for someone who cares about such sillyness
IE should only be used if you have a deathwish. There is only one person I know who uses it (but his parents don't let him install stuff). Moving over to the point, why is it that all of the schools and the public libraries use IE? I've also noticed some schools I've been to don't even have firewalls.
Zed_eX: The original menace to society.
Here's an email I just sent to my company's sysadmin... what do you think? (Hotel with ~100 desktops)
We discussed installing firefox on all machines...
After some thought and reading I'm not sure that's the right move now...
+ I like firefox
+ No ActiveX
- No easy autoupdater that I'm aware of
- Not controllable via Group Policy
Related discussion: http://ask.slashdot.org/article.pl?sid=04/11/24/1
Web's getting nasty; I worry mostly about users going to our Regions account (I don't know who has access, and there are lots of 'phishing' scams (emails saying 'Hi, I'm your bank and need more info. Click here so I can steal your password when you enter it' and then take your money). Gartner says these scams have cost 10.2 Billion!
If we get scammed the bank will probably take the loss itself but I'm not sure.
Phishing discussion: http://slashdot.org/article.pl?sid=04/11/26/19921
Some info on customizing firefox install: http://www.firefoxie.net/
Some info on how to install firefox on every pc in the domain easily:
http://forums.mozillazine.org/viewtopic.
Bottom line is:
- I think we need SP2 asap on all desktops (especially ****'s, and anyone else with the bank password... Many of the 'url spoofing in the address bar' issues are fixed by it). We should also send some basic info on phishing scams to anyone with regions access. (Note some apps are not 'SP2 certified'... like our credit card auth system).
- I don't think we should install firefox until we can get it to autoupdate, and maybe not until it's controllable by GP. It would be a PITA to manually update all the clients. Maybe IE will become somewhat secure before that happens.
- We need to disable ActiveX in group policy... Maybe by moving everyone into the gptest group... There may be a better solution; let me know if you have ideas. If you're a member of gptest you get annoying popups saying 'this page may not work because activex is disabled' on many sites.
Any input is appreciated.
Thanks
Check out the Paranoia Button. It adds a button to your toolbar that you can click and it clears your history, browser cache, passwords, download history, cookies, etc. You can do the same thing in options, but if the black helicopters are right overhead, the Paranoia Button is nice and quick.
Anything said in Latin sounds profound.
How is it "overhead" for the IT team to look at Firefox just once to see that it already does automatically keep itself up-to-date if you tell it to? That and all its extensions. I have yet to see a Google bar or some such (can anyone say "Comet Cursor"?) keep itself up-to-date on IE.
Don't thank God, thank a doctor!
IMHO, Firefox is more of a local security risk that could expose your sensitive data to others who use your computer. IE, OTOH, could expose your data to anyone on the internet.
Anthony Papillion
Advanced Data Concepts, Inc.
"Quality Custom Software and IT Services"
What would be more useful (and currently not possible) is a "be anonymous" button that when pressed toggled the browser into a full privacy mode. In this mode, sites would not be well trusted (javascript disabled, plugins don't load), the Refered_By HTTP header would not be set, and nothing would be stored (history, autocomplete).
This post written under Gentoo-linux with an SCO IP license.
It's not FireFox but Firefox ;)
A new way to get support on slashdot: diss your fav OSS app, and a horde of slashdot monkeys will fire up google for you and will have your answer in seconds. It's better than asking, "How do I...?", since otherwise everyone would be GVFG (go visit fucking google).
Job security I mean, for anyone who lives from spyware and virii removal, like myself. :(
I work at a MS-Friendly company (I'd say Microsoft is one of our major customers) and as they gave me Administrator permissions to my machine, I did not even ask if I could install Firefox - I simply got it installed. Once the sysadmin saw it, he told me I should not use non-IE browsers. I answered him that as a web developer, it was my job to test everything in the most popular browsers and that IE now has less than 90% of the market. He didn't know that and while he was trying to answer something-too-complex-for-a-non-mcse, I asked if he saw the Wired edition where the CSO of Microsoft says he uses Firefox. Obviously the mcse got a BSOD and never bothered me again.
:D
Or, in fewer words: read slashdot and any tech news sites before your mcse and tell them things they didn't know - they get totally b0rked if someone knows something they don't know.
your sysadmin's email address here.
This will make him know better!
Vote green: shit in the ballot box!
However, one reason I haven't rolled out Firefox across the board here is because it's a pain to centrally distribute, update and administer.
A word to the Firefox devs - if you really want to start making an impact into the corporate world:
Make centralised admin of Firefox under Windows easy and standard with GPOs (or even for just a start, obey the system-wide settings for things like homepages and proxies).
Package it into an MSI.
On a more personal note, fix the damn copy and paste bug that's been hanging around since (at least) the Firefox 0.7 days. It doesn't stop me using it (or recommending it to others), but it *does* make it EXTREMELY FRUSTRATING sometimes.
Good. Coming at you from a risk point of view.
Risk of IE - lots of vulnerabilities that are mainly high risk according to vendor. Threat is you get lots of spyware etc just by visiting sites. Probability of this happening is high.
Risk of Firefox - few known vulnerabilities, mainly low risk according to vendor.
Got time? Spend some of it coding or testing
...and you'll see that their default search engine (on a screenshot advertising MSN Search) is Google. Ta-dish boom. Even for advertising bozos, that move really is dumber than a rock.
Interesting project for the FF people, damn sure MS won't implement it until the Styx becomes icebound despite this.
Maybe if you leave enough teeth under your pillow, they will get swapped for negotiable cash overnight.
This will kill some idiot PHB's favourite site and thus get rejected within a few days. If you force everyone but the idiot PHB(s) in question to use FireFox, and firewall their machines to within an inch of their lives, that will reduce your exposure.
clickety click
Wish #1 presumably in progress as I type.
On top of this, I get the tabs and all of those bazillions of nice, easy-to-reach extensions and themes. It's almost as good as Konqueror (except that Konq's JavaScript sucks).
Cliff: Firstly, does 'anonimous coward' have a vested interest in keeping I.E. as your browser? Secondly, 120 other answers easily show you that Firefox is *vastly* superior to I.E. Hell, it's even better than Netscape, when it comes to security!
IE is not secure. Nor is it more secure than other software.
To compare the security of various packages, do this:
Install a Linux box. Install it with 10 NICs connected to 10 DS-3 connections to the Internet, with static IPs. Use no firewall. Open every port. Install every service. Run everything under 'root'. Serve web pages explaining that you have done this. Provide all of the static IPs and the root password. Offer a reward to anybody who manages to 0wn your box. Pay Google to place ads in its search results to bring people to your site. Go in all the IRC channels and tell everyone.
Install a Windows XP box. Run IE.
My guess is that the box running IE will physically explode within 10 seconds of starting IE. The box running Linux? It will take a day or so for it to get compromised.
Conclusion? IE less secure.
MS releases their patches when they feel like it. Though often that doesn't have much to do with the reality of a threat..
Internet Explorer. How do you know that you need a patch other than trawling the tech sites or hitting the MS update site? YOU DON'T!
Firefox, when a patch is needed, they change your home page to the site with the patch. How simple is that? (the only other time i had my home page re-directed was when I installed a plugin for [copy plain txt])
Firefox, easier to keep patched than I.E.
NEXT!
I use IE. I have used the 'trusted sites' system for nearly two years and (knock on wood) gotten zero spyware. The trick - I have ActiveX and scripting disabled for the 'internet zone'.
Unlike with Firefox, I actually *can* use ActiveX on pages that use it - provided I've added that site to the 'trusted sites' security zone. Plus, all the sites that have been carefully hacked to look a certain way in IE look exactly like what the authors intended.
This must be the oldest conflict in IT. The paranoid sysadmin wants to keep everything everywhere the same and under their complete control. On the face of it, that's not unreasonable. They are, after all, the ones who have to clear up the mess when something goes wrong.
On the other hand, an informed user may know full well that certain non-standard tools would help them to do their job better than the officially-recognised alternatives, and may be perfectly competent to install and maintain the non-standard software. Given that they're the ones doing the real work and IT are only a support function, this argument also has a lot of merit.
I'm stuck in a similar situation at work. Small company (lots of flexibility) let us install whatever we wanted as long as we didn't screw up and it was all legal, fit for purpose, etc. Large company (rigid procedures, absurd overheads, centralised IT) buys small company, and decides to upgrade loads of machines so everyone can run Outlook 2003. This results in the absurdity that support staff now have nice new 22" monitors and 3GHz, 1GB machines they don't need, while developers who've been asking for those specs for a year or more still get 19", 2GHz, 512MB machines (and all of those numbers actually matter to more than our egos in the work we do). More to the point, it means I expect to be told to give up Thunderbird in favour of Outlook 2003 imminently.
I'd have more sympathy for the sysadmin approach if I hadn't switched to Thunderbird after the official solution failed to do its job at all usefully: after a standard MS update took out my standard-configuration Dell PC, we were unable to restore the backed up mail due to the Outlook-inventing-a-non-existent-password bug. Moreover, Outlook's address book features stopped working, and the mail filters never worked properly in the first place, due to another well-known bug.
I recovered my mail flawlessly by importing into Thunderbird, which also has simple-but-effective address book and mail filtering features. It also doesn't second-guess the intentions of those sending me .exe files (handy if you work in a software house!), doesn't pose the same security risks, yada yada. Basically, Thunderbird does what I need a mail client to do in my job, simply and without fuss. Outlook didn't, and caused me more than a day of downtime when the official update failed.
When you've got this sort of thing going on, I don't see why any competent user should be denied the right to use appropriate software in their job just because paranoid sysadmins either aren't competent to provide a better alternative, or choose an alternative that isn't up to spec, whether or not it says Microsoft on the box.
As a final note, I'm also well aware that Outlook 2003 is a lot more than an e-mail client. Its ability to schedule meetings, publicise a person's diary, etc. has already resulted in at least one of my colleagues missing an important meeting because he didn't know it was happening (since the e-mail notification was added straight into the electronic diary he'd never used without further notice). It has also resulted in a string of nearly a dozen confused e-mails between people who sit three desks apart about another meeting, where previously either asking the people directly or, if they weren't in the office, a single e-mail would have sufficed. And this is Microsoft/the IT department's idea of improving efficiency? Stuff 'em.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
I suppose he doesn't know the meaning of setting the cache to use 0kb of space...
Your ad here.
In Poland the only electronic way to submit tax returns is by the Windows-only closed-source program "Patnik" (made by Prokom, an unlawful government software monopolist)
Software itself is bloated s**t and government refuses to make it open-source. Bribes, bribes, bribes...
I once turned down a job because of stupid admin staff.
At the interview I asked what they used and if they allowed staff to install more secure apps if the ones they use are not secure. They said no. I explained FireFox and others (for email etc) and was told they would not look at it. I then told them (when I got accepted for the job) that I could not work for a company that does not take computer security seriously (or even takes advice on the issue). Ended up working for a group that had a better approach to this issue. Found out that their system got so infected it had to be re-done from scratch and they got advice from an IT security company to use no IE or Outlook.
I told them so!!!!!
The Hippy
Even if it doesn't get the guy fired at the time, it sure is a nice tool for management to use when they do want to get rid of him.
Besides, there's every chance they will know he installed it, if not immediately, then sooner or later. I used to work at a place where each workstation was, in effect, periodically spidered to determine if any unauthorized software was present. If it was, it was removed.
-- Slashdot: When Public Access TV Says "No"
NOT because he's right, but BECAUSE it's HIS responsibility to clean up the mess that IE will probably allow to sneak onto your network! Oh, ask him what a BHO is! (Answer: Browser Helper Object -- programs that can be integrated into IE, but can't be uninstalled from IE's built-in menus.) If he doesn't know about this, he's never REALLY dealt with the trash IE allows onto networks, so all the more reason to listen to him. As an IT Manager, I have to say, listen to your IT department. But I'm also going to say that after dealing with virii/worms coming onto my network via IE BHOs, (my 2nd week on the job too, what a mess!), we've been rolling out Firefox for people's main browser. As long as I have people using IE, I keep getting virii/worms trying to establish themselves. With Firefox, none of this. (Perhaps it's only a matter of time... hope not.) I only have people use IE when they have to access some extranet site using "legacy" ActiveX controls. So you can't get rid of IE altogether, even if you wanted to, (although yes it can be done... but you won't be able to install MDAC then... but that's another story.) Just to clarify my position... Firefox rocks! But if you work for a company set on M$, follow your company's wisdom (or lack thereof). It's THEIR responsibility to maintain your network's security, and to clean up the mess THEIR decisions make.
Okay, suppose you work for IngSoc, and you really can't risk it, but you really, really want to surf the light fantastic. Get yourself a cheap-ass laptop (try retro box or ebay), get a t-mobile card and their cellular service (about $30/month, but it is all yours), and you're golden.
Yeah, right.
in fact, it *CAN* keep itself up to date if you install it as a non-admin user, it will just keep itself up to date without admin rights.
if it *is* installed by the IT department (as an admin) then I'd say that they'll have to have some sort of patching strategy, don't you?
Fighting for peace is like fucking for virginity
I completely agree. My personal view is that 'conservative management ideology' is in place due to the social changes that have occurred on a large scale basis as a result of 9/11 and the 'with us or against us' atmosphere set by the Bush Administration.
At my new job, I have been spared this a bit by having a great boss. Unfortunately, his job is in jeopardy by those who dislike his hands-off approach and his relaxed attitude. To top it all off, I was only hired (as a temp) because he requested it. The 'management' felt that the 200+ employee organization only needs one comp tech. He disagreed. The other guy, whom they hired permanent, sits around all day and plays with Flash. I've got a 4 to 1 trouble ticket lead on him and most of his are still open. Why did they hire him over me? He's a great bullshitter. Ah well. We're in another dark age I guess.