Slashdot Mirror

← Back to Stories (view on slashdot.org)

FireFox as a Security Risk Compared to IE?

Posted by Cliff on from the that's-just-silly-talk dept.

A not-so anonymous Anonymous Coward asks: "The administrator at my work gave me the following reason for not using Mozilla. What do you think? 'FireFox is a security risk. Please refrain from using it. Please continue to use IE 6.0. IE is our only supported browser. FireFox saves encrypted pages to disk and does not give you override capability. It also does not allow automatic cache clearing when closing a browser. These are security risks.'" Do any of you have information that could be used to contradict the administrators information on FireFox? Are there configuration options one can reach from about:config that a user can use to address the problem this administrator has cited?

14 of 174 comments (clear)

  1. Simple. by mewyn · · Score: 4, Informative

    Turn off caching. In the configuration, privacy, cache set that to 0, and caching is now disabled. Now, why anyone would claim that Mozilla/Firefox is less secure IE because of their own idocy should be shot.

    1. Re:Simple. by randomblast · · Score: 5, Informative

      It would be better for a site like that to use a caching proxy anyway. It puts all the effort on the server, and off the desktops, and you have no problem keeping track of what the desktops have stored on them, so if a desktop machine gets stolen, no sensitive info is on it. This has to be applied to other areas of their computing system as well, of course, but it probably already is, because it's really stupid to cache database results.
      So, if you use a caching proxy instead of client-side caching, you save bandwidth, you save space, you keep it fast for the users, and you don't have to worry about caching SSL pages on your user's machines.

      --
      ...these aren't my real teeth.
    2. Re:Simple. by Anonymous Coward · · Score: 5, Informative

      "The administrator at my work gave me the following reason for not using Mozilla."

      Someone's not going to be an anonymous coward for long...

      "FireFox is a security risk. Please refrain from using it"

      LOL. Very good.

      "IE is our only supported browser"

      Please don't make me change anything. I might have to test it.

      "FireFox saves encrypted pages to disk and does not give you override capability. It also does not allow automatic cache clearing when closing a browser. These are security risks.'"

      OMG, people write this stuff?

      Internet Explorer runs programs if you put them in an XML stylesheet, it runs programs supplied in bitmap images, allows websites to save scripts to disk and run them from the "trusted" zone, and allows any website to run activeX programs with full access to your computer if you ever click OK to a dialog box. These are security risks.

  2. Adminstrator is full of it by abartlett_219 · · Score: 5, Informative
    browser.cache.disk_cache_ssl? Q.19 here

    by default, ssl cache is disabled on firefox.

    1. Re:Adminstrator is full of it by memodude · · Score: 5, Informative

      Also, you can make it essentially clear the cache on each browser exit by setting browser.cache.memory.enable to true and browser.cache.disk.enable to false.

  3. Call Bullshit by TrebleJunkie · · Score: 5, Informative

    I think I'm going to have to call bullshit on your admistrator.

    In about:config, the property you want to look for is:

    browser.cache.disk_cache_ssl

    From This Page:

    * Description: switch to enable caching of objects served over a secure connection (SSL).
    * Type: boolean
    * Default: false
    * Recommendation: true on systems where it is secure to cache these objects.

    By default, Firefox (and Mozilla. and Netscape.) will *NOT* cache SSL-served pages. And, contrary to your administrator's *other* claim, you most certainly *can* toggle this behaviour in Firefox.

    --

    Ed R.Zahurak

    You know, oblivion keeps looking better every day.

  4. Re:Install it anyway by Parsec · · Score: 3, Informative

    If they use a system like M$'s Systems Management Server, they can create an automated query for Firefox binaries that will inform them of who has it installed. The data is collected with the default inventory schedule of the individual machine's SMS agent.

    I think there would be a Control Panel called "Advertised Packages" on your machine if this was in use. There is another, but I'm not certain what it's called; it would show you information on the SMS server and the schedule it uses to check in.

  5. The Bullshit ... by tqft · · Score: 3, Informative

    is that the sysadmins security bots cannot read the cache and see what people have been up to (though he should be able to see the server logs).

    Besides what you have written Kiosk mode should fix everything.

    --
    The Singularity is closer than you think
    Quant
  6. Re:Even better by sepluv · · Score: 4, Informative

    That is a version of Firefox optimised for use on portable drives (by reducing disk usage, reducing size on disk, making references to exntesions relative, &c).

    --
    Joe Llywelyn Griffith Blakesley
    [This post is in the public domain (copyright-free) unless otherwise stated]
  7. Re:Just pressure from MS by sepluv · · Score: 4, Informative
    There is a lot in this (especially with governments). I'm currently *trying* to persuade my uni have more free software on public machines starting with Firefox. I'll give some recent examples from my experience of this in relation to Firefox (as well as the obvious minor stuff like the government only producing documents in MSWord format or WWW sites that are in MSHTML so only work in MSIE):
    1. In my old (state) college (where I've just left) the sysops told me (in person) that we were not allowed to use Firefox because and I quote, "Firebird [as it was] is a hacking [sic, should be cracking] tool like Kuzu [sic, should be Kazaa]". They also denied that it was a WWW browser and said that MSIE was the only WWW browser. They also said that they have a policy of only using Microsoft's software on the PCs.

    2. A friend of mine uninstalled Firefox because his ISP told him that they did not support their users connecting to the WWW using Firefox. They also told him that just using MSIE (without uninstalling Firefox) instead would not work as Firefox also stops MSIE from connecting to the Internet when it is installed. (The same ISP also said that they only allow their users to check their email with Outlook Express and that my friend should not install any other mail client.)

    I could go on...
    --
    Joe Llywelyn Griffith Blakesley
    [This post is in the public domain (copyright-free) unless otherwise stated]
  8. Re:Install it anyway by dougmc · · Score: 3, Informative
    We (normal people, non-telecom companies) don't fire people for installing essential software.
    Sorry, but Firefox does not qualify as essential software. IE, as provided by the IT department, provides approximately the same functionality. Perhaps Firefox is more secure, but since everybody else there runs IE, what difference does it make?

    As for why they don't allow Firefox, it's probably that they don't want to support it. With XP, IE, Outlook and Office on everybody's desktop, with some relatively simple tools, they can update everybody at once. So in theory, they should be able to keep up on patches and such, and keep it as secure as possible (as MS software ever is, anyways.)

    When people start installing their own software, then that either adds more things for IT to support, or adds things that IT does not update. If it's the latter, then it's possible that a hole will appear in Firefox that does not exist in IE, and the company could be compromised that way. (Yes, if the hole appears in IE, the company is compromised that way. But they like to limit the number of vulnerabilities.)

    I'm not saying this attitude is correct, but it's pretty pervasive. When IT tells you to not do something, and you do it anyways, that's the sort of thing that can get you fired at many places, or at least make them think again about your name when making lists of people to sack for the newest round of layoffs ...

    (For the record, I work in a land of Microsoft software, but I do run Linux (and the assorted applications that go with it) on my boxes at work. And I even have permission to do so -- but it certainly wasn't easy to get. But at least I know I won't get fired for it. (Ultimately, I was told to stop, and so I pushed for official permission rather than stop.))

  9. Paranoia Button by kajoob · · Score: 4, Informative

    Check out the Paranoia Button. It adds a button to your toolbar that you can click and it clears your history, browser cache, passwords, download history, cookies, etc. You can do the same thing in options, but if the black helicopters are right overhead, the Paranoia Button is nice and quick.

    --
    Quidquid latine dictum sit, altum viditur
  10. One real reason not to use it by drsmithy · · Score: 3, Informative
    Your admin's claims, as others have noted, are BS.

    However, one reason I haven't rolled out Firefox across the board here is because it's a pain to centrally distribute, update and administer.

    A word to the Firefox devs - if you really want to start making an impact into the corporate world:

    Make centralised admin of Firefox under Windows easy and standard with GPOs (or even for just a start, obey the system-wide settings for things like homepages and proxies).

    Package it into an MSI.

    On a more personal note, fix the damn copy and paste bug that's been hanging around since (at least) the Firefox 0.7 days. It doesn't stop me using it (or recommending it to others), but it *does* make it EXTREMELY FRUSTRATING sometimes.

  11. Wish #2 granted by leonbrooks · · Score: 3, Informative

    clickety click

    Wish #1 presumably in progress as I type.

    --
    Got time? Spend some of it coding or testing