Slashdot Mirror
FireFox as a Security Risk Compared to IE?
A not-so anonymous Anonymous Coward asks: "The administrator at my work gave me the following reason for not using Mozilla. What do you think? 'FireFox is a security risk. Please refrain from using it. Please continue to use IE 6.0. IE is our only supported browser. FireFox saves encrypted pages to disk and does not give you override capability. It also does not allow automatic cache clearing when closing a browser. These are security risks.'" Do any of you have information that could be used to contradict the administrators information on FireFox? Are there configuration options one can reach from about:config that a user can use to address the problem this administrator has cited?
Or better yet, when you find out a good, definitive answer (that could potentially help those of us in the same boat to convince our higher-ups), do a nice write up of all of the info you collected and THEN submit it to slashdot.
"The object of war is not to die for your country, but to make the other bastard die for his." - Patton
Turn off caching. In the configuration, privacy, cache set that to 0, and caching is now disabled. Now, why anyone would claim that Mozilla/Firefox is less secure IE because of their own idocy should be shot.
by default, ssl cache is disabled on firefox.
Use MSIE and access as many problem pages as you can so that you end up with a system filled with viruses, spyware, adware, popups and everything else until the machine slows to a crawl and then let IT deal with it.
The corps are under constant pressure to use MS software. The admin is just passing that on.
You are being MICROattacked, from various angles, in a SOFT manner.
I think I'm going to have to call bullshit on your admistrator.
In about:config, the property you want to look for is:
browser.cache.disk_cache_ssl
From This Page:
* Description: switch to enable caching of objects served over a secure connection (SSL).
* Type: boolean
* Default: false
* Recommendation: true on systems where it is secure to cache these objects.
By default, Firefox (and Mozilla. and Netscape.) will *NOT* cache SSL-served pages. And, contrary to your administrator's *other* claim, you most certainly *can* toggle this behaviour in Firefox.
Ed R.Zahurak
You know, oblivion keeps looking better every day.
I worked in an all-Windows shop for awhile. It wasn't too bad and the network and server admins were *very* tuned into the security notices from Microsoft. They would have every machine patched within one business day of the announcement. Maybe your company is the same way, and introducting non-Microsoft software may upset that cycle.
Just install it anyway. There's no way that they can tell you're using it, unless they're looking over your shoulder.
That kind of attitude will get you fired. Management is edgy these days and support/admin money is tight. There just isn't room for someone who doesn't want to go along with the flow. It's not 1998 anymore. The Aeron chairs and the foosball table have been auctioned off and there are many other people just waiting to take your job. Seriously. I've seen several people canned in 2004 by doing things "their own way" despite being told not to.
If they use a system like M$'s Systems Management Server, they can create an automated query for Firefox binaries that will inform them of who has it installed. The data is collected with the default inventory schedule of the individual machine's SMS agent.
I think there would be a Control Panel called "Advertised Packages" on your machine if this was in use. There is another, but I'm not certain what it's called; it would show you information on the SMS server and the schedule it uses to check in.
Even Microsoft uses Firefox.
Add an autorun.inf to fire up firefox.exe (with command-line switches -- see the first link's discussion) automatically upon insert and you're good to go.
Yeah, right.
While your admin may have issues with the default configuration for Firefox, there are genuine reasons for not deploying firefox to your network. Most security concious organisations have a very rigourous patching system for the authorised applications and operating systems. Any app which doesn't fit into that patching system (whether it be up2date, apt-get, SUS/WUS/SMS, yum or another flavour) presents a massive overhead to the IT team. Every time there is an update to Firefox, it needs to be repackaged and redeployed to every desktop in your organisation. And it's not just Firefox, but by setting a precedent of deploying MyRequestedAppX, they face pressure from all sides for AppY, AppZ, etc. Then the questions come - "you support Mr X's AppX with updates and patches - why not mine?".
Unless your organisation has the infrastructure to deal with non-baseline application patching, those apps WILL present a security risk while the IT team tries to find the resource to patch/update and deploy the latest version.
Why can't we all just get along?
For people at any sane shop. I have local Admin rights on my laptop, as I need to install s/w. As a result, I have disabled much of the IT spyware that your profile loads. The result? When AD blows up, or Novell NDS-AD bridge goes down, I can still get on locally. The fact that you speak so readily of needing to "go with the flow" and wistfully of the "Aeron chairs" and "foosball" table tell me that your experience was markedly different, perhaps due to our differing skillsets and attitudes. Sorry for your loss.
I want to delete my account but Slashdot doesn't allow it.
... because i've switched all the machines i'm responsible for to using firefox precisely because it's n-times harder to get malware. not impossible mind, but a lot harder by default. perhaps inducing some blunt trauma with a clue-by-four might help...
That is a complete fucking lie. Unlike the security train wreck that is Internet Explorer, Firefox (and Mozilla and Netscape and ever other browser designed by people with a semblance of knowledge about security) does not save encrypted pages to the disk cache by default. Internet Explorer does (can be disabled by unchecking the 'Do not save encrypted pages to disk' box on the Advanced tab of the Internet Options dialogue).
set browser.disk_cache_ssl to false. :)
it's set to false by default, btw.
My email addy? should be easy enough.
Also in recent news: jumping into a pit of lava is safer than swimming in your friends swimming pool.
But the admin didn't say "please use IE because we have defined patch and update mechanisms in place and we don't have the resources to do that for FF as well", the admin said "please use IE because FF is a security hole because [a bunch of bogus reasons]".
There's a wonderful little extension for Firefox called "Configuration Mania" and it works with 1.0. It has the ability to choose the option for the SSL disk cache mode as well as clear the disk cache every time you close the program, as well as other nifty little things. Give it a whirl.
Viva La Revolucion! Buy a Mac!
Dear slashdot, a friend of mine claims that his dad can beat my dad. Do any of you have information that could be used to contradict my friend's information on my dad, as I can't be bothered to check? Are there any options one can pursue (anabolics, boxing classed etc), that a kid can use to address the problem this friend has cited?
is that the sysadmins security bots cannot read the cache and see what people have been up to (though he should be able to see the server logs).
Besides what you have written Kiosk mode should fix everything.
The Singularity is closer than you think
Quant
http://www.firefoxie.net/
As for why they don't allow Firefox, it's probably that they don't want to support it. With XP, IE, Outlook and Office on everybody's desktop, with some relatively simple tools, they can update everybody at once. So in theory, they should be able to keep up on patches and such, and keep it as secure as possible (as MS software ever is, anyways.)
When people start installing their own software, then that either adds more things for IT to support, or adds things that IT does not update. If it's the latter, then it's possible that a hole will appear in Firefox that does not exist in IE, and the company could be compromised that way. (Yes, if the hole appears in IE, the company is compromised that way. But they like to limit the number of vulnerabilities.)
I'm not saying this attitude is correct, but it's pretty pervasive. When IT tells you to not do something, and you do it anyways, that's the sort of thing that can get you fired at many places, or at least make them think again about your name when making lists of people to sack for the newest round of layoffs ...
(For the record, I work in a land of Microsoft software, but I do run Linux (and the assorted applications that go with it) on my boxes at work. And I even have permission to do so -- but it certainly wasn't easy to get. But at least I know I won't get fired for it. (Ultimately, I was told to stop, and so I pushed for official permission rather than stop.))
Check out the Paranoia Button. It adds a button to your toolbar that you can click and it clears your history, browser cache, passwords, download history, cookies, etc. You can do the same thing in options, but if the black helicopters are right overhead, the Paranoia Button is nice and quick.
Quidquid latine dictum sit, altum viditur
IMHO, Firefox is more of a local security risk that could expose your sensitive data to others who use your computer. IE, OTOH, could expose your data to anyone on the internet.
Anthony Papillion
Advanced Data Concepts, Inc.
"Quality Custom Software and IT Services"
What would be more useful (and currently not possible) is a "be anonymous" button that when pressed toggled the browser into a full privacy mode. In this mode, sites would not be well trusted (javascript disabled, plugins don't load), the Refered_By HTTP header would not be set, and nothing would be stored (history, autocomplete).
This post written under Gentoo-linux with an SCO IP license.
It so happens that the pendulum has swung to the "conservative" management ideology. My office is Sun Ray and Windows 2000 based. Previously I only had a Sun Ray and was given a PC to run some Java software better. There was talk of removing UNIX workstations all together, to which I told my boss that my productivity would be halved at best. He thought that was a fair assessment and now we can use whichever is better for a given task. I'd say one of the most difficult IT jobs is to be an administrator of an office full of "administrators." Granted, we're all networking people, but a lot of us are hardcore UNIX guys and have always been. I sometimes feel bad for our admins and what they have to put up with from us. Usually they understand that it's best to help us do what we want.
"Nature doesn't care how smart you are. You can still be wrong." - Richard Feynman
I work at a MS-Friendly company (I'd say Microsoft is one of our major customers) and as they gave me Administrator permissions to my machine, I did not even ask if I could install Firefox - I simply got it installed. Once the sysadmin saw and told me I should not use non-IE browsers. I answered him that as a web developer, it was my job to test everything in the most popular browsers and that IE now has less than 90% of market. He didn't knew that and while he was trying to answer something-too-complex-for-a-non-mcse, I asked if he saw the Wired edition where the CSO of Microsoft says he uses Firefox. Obviously the mcse got a BSOD and never bothered me again.
:D
Or, in fewer words: read slashdot and any tech news sites befere your mcse and tell them things they didn't know - they get totally b0rked if someone knows something they don't know.
your sysadmin's email address here.
This will make him know better !
Votez ecolo : Chiez dans l'urne !
However, one reason I haven't rolled out Firefox across the board here is because it's a pain to centrally distribute, update and administer.
A word to the Firefox devs - if you really want to start making an impact into the corporate world:
Make centralised admin of Firefox under Windows easy and standard with GPOs (or even for just a start, obey the system-wide settings for things like homepages and proxies).
Package it into an MSI.
On a more personal note, fix the damn copy and paste bug that's been hanging around since (at least) the Firefox 0.7 days. It doesn't stop me using it (or recommending it to others), but it *does* make it EXTREMELY FRUSTRATING sometimes.
...and you'll see that their default search engine (on a screenshot advertising MSN Search) is Google. Ta-dish boom. Even for advertising bozos, that move really is dumber than a rock.
Got time? Spend some of it coding or testing
clickety click
Wish #1 presumably in progress as I type.
Got time? Spend some of it coding or testing
since the admins want to minimize the number of things to be watched over (i.e. if I let you install Firefox, then besides Microsoft's updates, I have to watch for Mozilla.org's updates too.)
This sort of makes sense if *all* you ever run is MS Office, MS Small Biz Server, IIS, etc. But if your org needs to run other things (Raiser's Edge, QuickBooks, Adobe products, etc.)
It used to be people chose to run Windows vs. Linux or Mac because 'Windows has all the software'. But it seems now more IT depts are using security as an excuse to not run/install anything *but* MS software, excluding a gigantic range of other software options (ostensibly much of the reason for using Windows in the first place!)
creation science book
In Poland only electronical way to submit tax returns is by Windows-only closed-source program "Patnik" (made by Prokom, an unlawful goverment software monopolist)
Software itself is bloated s**t and government refuses to make it open-source. Bribes, bribes, bribes...
I once turned down a job because of stupid admin staff.
At the interview I asked what they used and if they allowed staff to install more secure aps if the ones they use are not secure. They said no, I explained FireFox and others (for email etc) and was told they would not look at it. I then told them (when I got accepted for the job) that I could not work for a company that does not take computer security seriously (or even takes advice of the issue). Ended up working for a croup that had a better approach to this issue. Found out that thier system got so infected it had to be re-done froum scratch and they got advise by an IT security company to use no IE or Outlook.
I told the mso !!!!!
The Hippy
Even if it doesn't get the guy fired at the time, it sure is a nice tool for management to use when they do want to get rid of him.
Besides, there's every chance they will know he installed, if not immediately, then sooner or later. I used to work at a place where each workstation was, in effect, periodically spidered to determine if any unauthorized software was present. If it was, it was removed.
-- Slashdot: When Public Access TV Says "No"
When you've got this sort of thing going on, I don't see why any competent user should be denied the right to use appropriate software in their job
Because everyone who knows how to make text bold in Word thinks they're a competent user.
However, understanding why IT does this doesn't stop me from running lots of non-standard stuff myself...
When they came for the communists, I said "He's next door. Take him away. Goddam commies."