FireFox as a Security Risk Compared to IE?

A not-so anonymous Anonymous Coward asks: "The administrator at my work gave me the following reason for not using Mozilla. What do you think? 'FireFox is a security risk. Please refrain from using it. Please continue to use IE 6.0. IE is our only supported browser. FireFox saves encrypted pages to disk and does not give you override capability. It also does not allow automatic cache clearing when closing a browser. These are security risks.'" Do any of you have information that could be used to contradict the administrators information on FireFox? Are there configuration options one can reach from about:config that a user can use to address the problem this administrator has cited?

Simple.

[mewyn]

Turn off caching. In the configuration, privacy, cache set that to 0, and caching is now disabled. Now, why anyone would claim that Mozilla/Firefox is less secure IE because of their own idocy should be shot.

Re:Simple.

[randomblast]

It would be better for a site like that to use a caching proxy anyway. It puts all the effort on the server, and off the desktops, and you have no problem keeping track of what the desktops have stored on them, so if a desktop machine gets stolen, no sensitive info is on it. This has to be applied to other areas of their computing system as well, of course, but it probably already is, because it's really stupid to cache database results.
So, if you use a caching proxy instead of client-side caching, you save bandwidth, you save space, you keep it fast for the users, and you don't have to worry about caching SSL pages on your user's machines.

Re:Simple.

"The administrator at my work gave me the following reason for not using Mozilla."

Someone's not going to be an anonymous coward for long...

"FireFox is a security risk. Please refrain from using it"

LOL. Very good.

"IE is our only supported browser"

Please don't make me change anything. I might have to test it.

"FireFox saves encrypted pages to disk and does not give you override capability. It also does not allow automatic cache clearing when closing a browser. These are security risks.'"

OMG, people write this stuff?

Internet Explorer runs programs if you put them in an XML stylesheet, it runs programs supplied in bitmap images, allows websites to save scripts to disk and run them from the "trusted" zone, and allows any website to run activeX programs with full access to your computer if you ever click OK to a dialog box. These are security risks.

Adminstrator is full of it

[abartlett_219]

browser.cache.disk_cache_ssl? Q.19 here

by default, ssl cache is disabled on firefox.

Re:Adminstrator is full of it

[memodude]

Also, you can make it essentially clear the cache on each browser exit by setting browser.cache.memory.enable to true and browser.cache.disk.enable to false.

Call Bullshit

[TrebleJunkie]

I think I'm going to have to call bullshit on your admistrator.

In about:config, the property you want to look for is:

browser.cache.disk_cache_ssl

From This Page:

* Description: switch to enable caching of objects served over a secure connection (SSL).
* Type: boolean
* Default: false
* Recommendation: true on systems where it is secure to cache these objects.

By default, Firefox (and Mozilla. and Netscape.) will *NOT* cache SSL-served pages. And, contrary to your administrator's *other* claim, you most certainly *can* toggle this behaviour in Firefox.

Re:Even better

[sepluv]

That is a version of Firefox optimised for use on portable drives (by reducing disk usage, reducing size on disk, making references to exntesions relative, &c).

Re:Just pressure from MS

[sepluv]

There is a lot in this (especially with governments). I'm currently *trying* to persuade my uni have more free software on public machines starting with Firefox. I'll give some recent examples from my experience of this in relation to Firefox (as well as the obvious minor stuff like the government only producing documents in MSWord format or WWW sites that are in MSHTML so only work in MSIE):

1. In my old (state) college (where I've just left) the sysops told me (in person) that we were not allowed to use Firefox because and I quote, "Firebird [as it was] is a hacking [sic, should be cracking] tool like Kuzu [sic, should be Kazaa]". They also denied that it was a WWW browser and said that MSIE was the only WWW browser. They also said that they have a policy of only using Microsoft's software on the PCs.

2. A friend of mine uninstalled Firefox because his ISP told him that they did not support their users connecting to the WWW using Firefox. They also told him that just using MSIE (without uninstalling Firefox) instead would not work as Firefox also stops MSIE from connecting to the Internet when it is installed. (The same ISP also said that they only allow their users to check their email with Outlook Express and that my friend should not install any other mail client.)

I could go on...

Paranoia Button

[kajoob]

Check out the Paranoia Button. It adds a button to your toolbar that you can click and it clears your history, browser cache, passwords, download history, cookies, etc. You can do the same thing in options, but if the black helicopters are right overhead, the Paranoia Button is nice and quick.