Slashdot Mirror


FireFox as a Security Risk Compared to IE?

A not-so-anonymous Anonymous Coward asks: "The administrator at my work gave me the following reason for not using Mozilla. What do you think? 'FireFox is a security risk. Please refrain from using it. Please continue to use IE 6.0. IE is our only supported browser. FireFox saves encrypted pages to disk and does not give you override capability. It also does not allow automatic cache clearing when closing a browser. These are security risks.'" Do any of you have information that could be used to contradict the administrator's information on FireFox? Are there configuration options one can reach from about:config that a user can use to address the problem this administrator has cited?

19 of 174 comments

  1. Simple. by mewyn · · Score: 4, Informative

    Turn off caching. In the configuration, privacy, cache set that to 0, and caching is now disabled. Now, why anyone would claim that Mozilla/Firefox is less secure than IE because of their own idiocy should be shot.

    1. Re:Simple. by randomblast · · Score: 5, Informative

      It would be better for a site like that to use a caching proxy anyway. It puts all the effort on the server, and off the desktops, and you have no problem keeping track of what the desktops have stored on them, so if a desktop machine gets stolen, no sensitive info is on it. This has to be applied to other areas of their computing system as well, of course, but it probably already is, because it's really stupid to cache database results.
      So, if you use a caching proxy instead of client-side caching, you save bandwidth, you save space, you keep it fast for the users, and you don't have to worry about caching SSL pages on your user's machines.

      --
      ...these aren't my real teeth.
    2. Re:Simple. by Anonymous Coward · · Score: 5, Informative

      "The administrator at my work gave me the following reason for not using Mozilla."

      Someone's not going to be an anonymous coward for long...

      "FireFox is a security risk. Please refrain from using it"

      LOL. Very good.

      "IE is our only supported browser"

      Please don't make me change anything. I might have to test it.

      "FireFox saves encrypted pages to disk and does not give you override capability. It also does not allow automatic cache clearing when closing a browser. These are security risks.'"

      OMG, people write this stuff?

      Internet Explorer runs programs if you put them in an XML stylesheet, it runs programs supplied in bitmap images, allows websites to save scripts to disk and run them from the "trusted" zone, and allows any website to run activeX programs with full access to your computer if you ever click OK to a dialog box. These are security risks.

  2. Administrator is full of it by abartlett_219 · · Score: 5, Informative
    browser.cache.disk_cache_ssl? Q.19 here

    by default, ssl cache is disabled on firefox.

    1. Re:Administrator is full of it by memodude · · Score: 5, Informative

      Also, you can make it essentially clear the cache on each browser exit by setting browser.cache.memory.enable to true and browser.cache.disk.enable to false.

  3. about:config is great by Anonymous Coward · · Score: 1, Informative

    In Mozilla my "browser.cache.disk_cache_ssl" was set to false by default; after checking Firefox, it's also set to false by default. So no, it doesn't cache SSL pages unless you tell it to.

    Also check "browser.cache.disk.enable" set it to false, and it won't write to disk cache at all, even more secure than IE, since no temporary files are written at all.

    Next!

  4. Call Bullshit by TrebleJunkie · · Score: 5, Informative

    I think I'm going to have to call bullshit on your administrator.

    In about:config, the property you want to look for is:

    browser.cache.disk_cache_ssl

    From This Page:

    * Description: switch to enable caching of objects served over a secure connection (SSL).
    * Type: boolean
    * Default: false
    * Recommendation: true on systems where it is secure to cache these objects.

    By default, Firefox (and Mozilla. and Netscape.) will *NOT* cache SSL-served pages. And, contrary to your administrator's *other* claim, you most certainly *can* toggle this behaviour in Firefox.

    --

    Ed R.Zahurak

    You know, oblivion keeps looking better every day.
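
An added example, not part of any comment in this thread: a small Python audit of a Firefox profile's `prefs.js`/`user.js` against the three cache preferences named in the comments above. The sample file contents, `POLICY`, `THREAD_DEFAULTS` and the function names are constructed for illustration; the only default assumed is the `false` for `browser.cache.disk_cache_ssl` quoted above.

```python
import re

# Values the thread's comments suggest for a machine that must not cache to disk.
POLICY = {
    "browser.cache.disk_cache_ssl": False,  # never write SSL-served objects to disk
    "browser.cache.disk.enable": False,     # no disk cache at all
    "browser.cache.memory.enable": True,    # cache in RAM only, gone on exit
}
# The only default stated in the thread; other prefs are "unset" when absent.
THREAD_DEFAULTS = {"browser.cache.disk_cache_ssl": False}

# Matches user_pref("name", value); lines. Commented-out lines do not match.
PREF_RE = re.compile(
    r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*'
    r'(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\)\s*;'
)

def parse_prefs(text):
    """Return {pref name: bool | int | str} from prefs.js-style text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything else
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = (raw == "true")
        elif raw.startswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)
    return prefs  # a later line for the same pref overrides an earlier one

def audit(text):
    """Map each policy pref to 'ok', 'violation' or 'unset'."""
    prefs = parse_prefs(text)
    report = {}
    for name, wanted in POLICY.items():
        actual = prefs.get(name, THREAD_DEFAULTS.get(name))
        if actual is None:
            report[name] = "unset"
        else:
            report[name] = "ok" if actual is wanted else "violation"
    return report

# Constructed sample profile: SSL disk caching was switched on by hand.
SAMPLE = '''# Mozilla User Preferences
user_pref("browser.cache.disk_cache_ssl", true);
user_pref("browser.cache.disk.enable", false);
user_pref("browser.startup.homepage", "http://intranet.example/");
// user_pref("browser.cache.memory.enable", false);
'''
```

Calling `audit(SAMPLE)` flags the hand-enabled SSL disk cache as a violation and reports the commented-out memory-cache line as unset rather than as a setting.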

  5. Re:Install it anyway by Parsec · · Score: 3, Informative

    If they use a system like M$'s Systems Management Server, they can create an automated query for Firefox binaries that will inform them of who has it installed. The data is collected with the default inventory schedule of the individual machine's SMS agent.

    I think there would be a Control Panel called "Advertised Packages" on your machine if this was in use. There is another, but I'm not certain what it's called; it would show you information on the SMS server and the schedule it uses to check in.

  6. Firefox does not save encrypted pages to disk by Anonymous Coward · · Score: 2, Informative

    FireFox saves encrypted pages to disk and does not give you override capability.

    That is a complete fucking lie. Unlike the security train wreck that is Internet Explorer, Firefox (and Mozilla and Netscape and every other browser designed by people with a semblance of knowledge about security) does not save encrypted pages to the disk cache by default. Internet Explorer does (can be disabled by unchecking the 'Do not save encrypted pages to disk' box on the Advanced tab of the Internet Options dialogue).

  7. It's set to NOT cache ssl pages by default. by kyhwana · · Score: 2, Informative

    set browser.disk_cache_ssl to false.
    it's set to false by default, btw. :)

    --
    My email addy? should be easy enough.
  8. The Bullshit ... by tqft · · Score: 3, Informative

    is that the sysadmin's security bots cannot read the cache and see what people have been up to (though he should be able to see the server logs).

    Besides what you have written, Kiosk mode should fix everything.

    --
    The Singularity is closer than you think
    Quant
  9. Re:Even better by sepluv · · Score: 4, Informative

    That is a version of Firefox optimised for use on portable drives (by reducing disk usage, reducing size on disk, making references to extensions relative, &c).

    --
    Joe Llywelyn Griffith Blakesley
    [This post is in the public domain (copyright-free) unless otherwise stated]
  10. Re:Just pressure from MS by sepluv · · Score: 4, Informative
    There is a lot in this (especially with governments). I'm currently *trying* to persuade my uni to have more free software on public machines starting with Firefox. I'll give some recent examples from my experience of this in relation to Firefox (as well as the obvious minor stuff like the government only producing documents in MSWord format or WWW sites that are in MSHTML so only work in MSIE):
    1. In my old (state) college (where I've just left) the sysops told me (in person) that we were not allowed to use Firefox because and I quote, "Firebird [as it was] is a hacking [sic, should be cracking] tool like Kuzu [sic, should be Kazaa]". They also denied that it was a WWW browser and said that MSIE was the only WWW browser. They also said that they have a policy of only using Microsoft's software on the PCs.
    2. A friend of mine uninstalled Firefox because his ISP told him that they did not support their users connecting to the WWW using Firefox. They also told him that just using MSIE (without uninstalling Firefox) instead would not work as Firefox also stops MSIE from connecting to the Internet when it is installed. (The same ISP also said that they only allow their users to check their email with Outlook Express and that my friend should not install any other mail client.)

    I could go on...
    --
    Joe Llywelyn Griffith Blakesley
    [This post is in the public domain (copyright-free) unless otherwise stated]
  11. Re:Install it anyway by dougmc · · Score: 3, Informative
    We (normal people, non-telecom companies) don't fire people for installing essential software.
    Sorry, but Firefox does not qualify as essential software. IE, as provided by the IT department, provides approximately the same functionality. Perhaps Firefox is more secure, but since everybody else there runs IE, what difference does it make?

    As for why they don't allow Firefox, it's probably that they don't want to support it. With XP, IE, Outlook and Office on everybody's desktop, with some relatively simple tools, they can update everybody at once. So in theory, they should be able to keep up on patches and such, and keep it as secure as possible (as MS software ever is, anyways.)

    When people start installing their own software, then that either adds more things for IT to support, or adds things that IT does not update. If it's the latter, then it's possible that a hole will appear in Firefox that does not exist in IE, and the company could be compromised that way. (Yes, if the hole appears in IE, the company is compromised that way. But they like to limit the number of vulnerabilities.)

    I'm not saying this attitude is correct, but it's pretty pervasive. When IT tells you to not do something, and you do it anyways, that's the sort of thing that can get you fired at many places, or at least make them think again about your name when making lists of people to sack for the newest round of layoffs ...

    (For the record, I work in a land of Microsoft software, but I do run Linux (and the assorted applications that go with it) on my boxes at work. And I even have permission to do so -- but it certainly wasn't easy to get. But at least I know I won't get fired for it. (Ultimately, I was told to stop, and so I pushed for official permission rather than stop.))

  12. Paranoia Button by kajoob · · Score: 4, Informative

    Check out the Paranoia Button. It adds a button to your toolbar that you can click and it clears your history, browser cache, passwords, download history, cookies, etc. You can do the same thing in options, but if the black helicopters are right overhead, the Paranoia Button is nice and quick.

    --
    Quidquid latine dictum sit, altum viditur
  13. Re:It never was "1998" by BigGerman · · Score: 2, Informative
    Sigh..

    Speaking of "sane", I am currently contracting at a big big big defense contractor. Desktops are so heavily "managed", a 2GHz P4 machine is nearly useless as McAfee runs all the time. We are not local admins and to install something I need to find one of only two people who are.

    Overall, I estimated I lose 80% of productivity this way. For a large group of contractors, the amount of money they are wasting is astronomical.

  14. One real reason not to use it by drsmithy · · Score: 3, Informative
    Your admin's claims, as others have noted, are BS.

    However, one reason I haven't rolled out Firefox across the board here is because it's a pain to centrally distribute, update and administer.

    A word to the Firefox devs - if you really want to start making an impact into the corporate world:

    Make centralised admin of Firefox under Windows easy and standard with GPOs (or even for just a start, obey the system-wide settings for things like homepages and proxies).

    Package it into an MSI.

    On a more personal note, fix the damn copy and paste bug that's been hanging around since (at least) the Firefox 0.7 days. It doesn't stop me using it (or recommending it to others), but it *does* make it EXTREMELY FRUSTRATING sometimes.

  15. Wish #2 granted by leonbrooks · · Score: 3, Informative

    clickety click

    Wish #1 presumably in progress as I type.

    --
    Got time? Spend some of it coding or testing
  16. Admin idiots by Hippynz · · Score: 2, Informative

    I once turned down a job because of stupid admin staff.
    At the interview I asked what they used and if they allowed staff to install more secure apps if the ones they use are not secure. They said no, I explained FireFox and others (for email etc) and was told they would not look at it. I then told them (when I got accepted for the job) that I could not work for a company that does not take computer security seriously (or even takes advice of the issue). Ended up working for a group that had a better approach to this issue. Found out that their system got so infected it had to be re-done from scratch and they got advice from an IT security company to use no IE or Outlook.
    I told them so!!!!!

    --
    The Hippy