FireFox as a Security Risk Compared to IE?

A not-so anonymous Anonymous Coward asks: "The administrator at my work gave me the following reason for not using Mozilla. What do you think? 'FireFox is a security risk. Please refrain from using it. Please continue to use IE 6.0. IE is our only supported browser. FireFox saves encrypted pages to disk and does not give you override capability. It also does not allow automatic cache clearing when closing a browser. These are security risks.'" Do any of you have information that could be used to contradict the administrators information on FireFox? Are there configuration options one can reach from about:config that a user can use to address the problem this administrator has cited?

Simple.

[mewyn]

Turn off caching. In the configuration, privacy, cache set that to 0, and caching is now disabled. Now, why anyone would claim that Mozilla/Firefox is less secure IE because of their own idocy should be shot.

Re:Simple.

[randomblast]

It would be better for a site like that to use a caching proxy anyway. It puts all the effort on the server, and off the desktops, and you have no problem keeping track of what the desktops have stored on them, so if a desktop machine gets stolen, no sensitive info is on it. This has to be applied to other areas of their computing system as well, of course, but it probably already is, because it's really stupid to cache database results.
So, if you use a caching proxy instead of client-side caching, you save bandwidth, you save space, you keep it fast for the users, and you don't have to worry about caching SSL pages on your user's machines.

Re:Simple.

"The administrator at my work gave me the following reason for not using Mozilla."

Someone's not going to be an anonymous coward for long...

"FireFox is a security risk. Please refrain from using it"

LOL. Very good.

"IE is our only supported browser"

Please don't make me change anything. I might have to test it.

"FireFox saves encrypted pages to disk and does not give you override capability. It also does not allow automatic cache clearing when closing a browser. These are security risks.'"

OMG, people write this stuff?

Internet Explorer runs programs if you put them in an XML stylesheet, it runs programs supplied in bitmap images, allows websites to save scripts to disk and run them from the "trusted" zone, and allows any website to run activeX programs with full access to your computer if you ever click OK to a dialog box. These are security risks.

Adminstrator is full of it

[abartlett_219]

browser.cache.disk_cache_ssl? Q.19 here

by default, ssl cache is disabled on firefox.

Re:Adminstrator is full of it

[memodude]

Also, you can make it essentially clear the cache on each browser exit by setting browser.cache.memory.enable to true and browser.cache.disk.enable to false.

Spite him.

Use MSIE and access as many problem pages as you can so that you end up with a system filled with viruses, spyware, adware, popups and everything else until the machine slows to a crawl and then let IT deal with it.

Re:Spite him.

[krymsin01]

That's a good way to get fired, seeing as how most of the problem pages will either A) be against the AUP (porn, etc) or B) Illegal (certain porn, warez, etc).

Call Bullshit

[TrebleJunkie]

I think I'm going to have to call bullshit on your admistrator.

In about:config, the property you want to look for is:

browser.cache.disk_cache_ssl

From This Page:

* Description: switch to enable caching of objects served over a secure connection (SSL).
* Type: boolean
* Default: false
* Recommendation: true on systems where it is secure to cache these objects.

By default, Firefox (and Mozilla. and Netscape.) will *NOT* cache SSL-served pages. And, contrary to your administrator's *other* claim, you most certainly *can* toggle this behaviour in Firefox.

Re:Call Bullshit

I'm going to go one further and call bullshit on the submitter.

The problem was non-existent, and a fix plain and simple in the config. This entire article is a made up troll to rile up the mozilla zealots.

Depends on your admin

[green+pizza]

I worked in an all-Windows shop for awhile. It wasn't too bad and the network and server admins were *very* tuned into the security notices from Microsoft. They would have every machine patched within one business day of the announcement. Maybe your company is the same way, and introducting non-Microsoft software may upset that cycle.

Re:Depends on your admin

[green+pizza]

How does Firefox prevent them from patching Windows software?
It doesn't. It's just an excuse for lazy MCSE admins who don't want to add an additional step to their daily advisory-reading / patch-installing cycle.

My point is this: in an established MS shop, it's often very hard to get the admins to approve usage of non-MS software. At my previous job we had many people using MS Publisher and that MS photo suite when InDesign and Photoshop would have been far better for their needs.

I'm not agreeing with the original poster's admin, I'm just saying that MS shops are often set in their ways.

Re:Install it anyway

[green+pizza]

Just install it anyway. There's no way that they can tell you're using it, unless they're looking over your shoulder.
That kind of attitude will get you fired. Management is edgy these days and support/admin money is tight. There just isn't room for someone who doesn't want to go along with the flow. It's not 1998 anymore. The Aeron chairs and the foosball table have been auctioned off and there are many other people just waiting to take your job. Seriously. I've seen several people canned in 2004 by doing things "their own way" despite being told not to.

Re:Install it anyway

[Parsec]

If they use a system like M$'s Systems Management Server, they can create an automated query for Firefox binaries that will inform them of who has it installed. The data is collected with the default inventory schedule of the individual machine's SMS agent.

I think there would be a Control Panel called "Advertised Packages" on your machine if this was in use. There is another, but I'm not certain what it's called; it would show you information on the SMS server and the schedule it uses to check in.

Even better

[Safety+Cap]

You can configure FireFix to run from a keychain USB drive.

Add an autorun.inf to fire up firefox.exe (with command-line switches -- see the first link's discussion) automatically upon insert and you're good to go.

Re:Even better

[DietFluffy]

better: http://johnhaller.com/jh/mozilla/portable_firefox/

Re:Even better

[sepluv]

That is a version of Firefox optimised for use on portable drives (by reducing disk usage, reducing size on disk, making references to exntesions relative, &c).

Any non-standard app is a security risk

[SoundGuy666]

While your admin may have issues with the default configuration for Firefox, there are genuine reasons for not deploying firefox to your network. Most security concious organisations have a very rigourous patching system for the authorised applications and operating systems. Any app which doesn't fit into that patching system (whether it be up2date, apt-get, SUS/WUS/SMS, yum or another flavour) presents a massive overhead to the IT team. Every time there is an update to Firefox, it needs to be repackaged and redeployed to every desktop in your organisation. And it's not just Firefox, but by setting a precedent of deploying MyRequestedAppX, they face pressure from all sides for AppY, AppZ, etc. Then the questions come - "you support Mr X's AppX with updates and patches - why not mine?".

Unless your organisation has the infrastructure to deal with non-baseline application patching, those apps WILL present a security risk while the IT team tries to find the resource to patch/update and deploy the latest version.

Re:Any non-standard app is a security risk

[Damhna]

Could not agree more.

Custom application standardisation across the install base means that issue resolution can be standardised and tweaked to meet the response/support requirement. The certification and testing processes that most serious companies use to pass apps as fitting are both rigourous and not condusive to incorporating the latest 'app du jour'. And rightly so.

It's easy for tech saavy folks to deem these practices as a symptom of the narrow mindedness of lazy MCSE admins (who would appear to be some sort of subspecies of a real admins). It's easy to see this as an organisation being inflexible due to undereducation but I believe that that is not the case. A pestered admin will often give the sort of pseudo answer this user recieved.It's not good to fudge that way , but without taking a user step by step through the security policies and application certification documetnation, it's difficult to explain the why of decisions such as this.

It can be difficult to meet the job function requirements of diverse departments and maintain the steady balancing act that will ensure your SourceSafe users will be as compliant as the receptionist.

For this organisation it may be useful to do a business case analysis exploring the usefulness or otherwise of Firefox but as it is still in it's first iteration a lot of companies will be loathe to abandon the practices they have in place on a whim.

Aa firefox moves ever closer to a dominant position the pressure will become greater and things will change. It will also become more a target and I'm betting that this will begin getting longer and looking far more serious as more and more authors start realising the potential success to be had in taking Firefox on.

It never was "1998"

[Gothmolly]

For people at any sane shop. I have local Admin rights on my laptop, as I need to install s/w. As a result, I have disabled much of the IT spyware that your profile loads. The result? When AD blows up, or Novell NDS-AD bridge goes down, I can still get on locally. The fact that you speak so readily of needing to "go with the flow" and wistfully of the "Aeron chairs" and "foosball" table tell me that your experience was markedly different, perhaps due to our differing skillsets and attitudes. Sorry for your loss.

Also in recent news...

[comwiz56]

Also in recent news: jumping into a pit of lava is safer than swimming in your friends swimming pool.

that's not what he said

[jeif1k]

But the admin didn't say "please use IE because we have defined patch and update mechanisms in place and we don't have the resources to do that for FF as well", the admin said "please use IE because FF is a security hole because [a bunch of bogus reasons]".

Re:that's not what he said

[francium+de+neobie]

Firefox's automatic update is good for the individual. But for IT departments, they'd want to test the patches before releasing them and they'd want to centralize the patching process. I think it's well known what happens if we let the non-computer savvy users choose whether to update or not themselves, or forcing them to take on untested patches ;^) (even the Linux kernel had problematic updates, remember 2.4.11?). So depending on Firefox's automatic update would likely make a mess sooner or later.

I don't know what you mean by "third party automatic package updates for Windows", but the third option is obviously nonsense. Converting to Linux is not a trivial undertaking for a company.

Re:that's not what he said

[A+Naughty+Moose]

I don't know what you mean by "third party automatic package updates for Windows"

ZENWorks, is a third party option. And if your running a Novell network, it is practically mandatory. Sure it costs a lot (last time I looked, it was $70/seat), but if you have a VLA it becomes practically free. Anyway, whatever the cost, with the proper deployment it will save at least an FTE, and free up the guys admining the network to do something else in there free time. Why can it free up so much time? Simple there is:

• Automatic application deployment. Can be assigned to users, workstations or users in a context, or workstations in a context. If the fix is something simple like a registry change, or a new dll, then a force run object can be created to push the change. Otherwise, the application, or an update can be installed by the user.
  
• How many times have you had to deal with a problem that the only solution was to re-install? (Someone deleted all the Word templates on there machine, for example). With NAL, the user can right-click the application and choose "Verify", thus forcing the application to be re-installed.
  
• Group policys: You can create and enforce group policies within ConsoleOne easier then you can with Microsoft's domain tools, and just as easy as with their Active Directory tools.
  
• Users no longer need administrative rights to their computer. Got an application that needs admin rights to install? No problem, as the NAL runs as a service, the install will work. Need the application to run as an supervisor? Not a problem, the NAL runs as a service and can launch the application with supervisory rights if need be.
  
• Easy printer management: Department got a new printer? Not a problem, push out the printer drivers through ZEN. Again, you can associate printers to users, workstations (indiviuals, or groups or contexts) so that you can always have your finance people print to the printer in accounting (for instance), no matter what computer they log into.
  
• Computer imaging services. Have a machine that needs to be backed up periodically? (Might be a computer that has an app that no one has the install disks for anymore, for instance?) Not a problem. Set up the imaging service to make a backup of the machine once a month (or whenever), restore is just a simple checkmark in ConsoleOne.
  

There are a few more features, but those are the ones I use the most. ZEN, along with salvage(aka: undelete on Network shares), and the ACL's on the Directory and filesystems make managing Windows networks tolerable, almost enjoyable.

Nobody's Mentioned This So I am...

[DiscoOnTheSide]

There's a wonderful little extension for Firefox called "Configuration Mania" and it works with 1.0. It has the ability to choose the option for the SSL disk cache mode as well as clear the disk cache every time you close the program, as well as other nifty little things. Give it a whirl.

Re:Nobody's Mentioned This So I am...

[Saiyine]

What about giving an url?

Dear slashdot...

[pyrros]

Dear slashdot, a friend of mine claims that his dad can beat my dad. Do any of you have information that could be used to contradict my friend's information on my dad, as I can't be bothered to check? Are there any options one can pursue (anabolics, boxing classed etc), that a kid can use to address the problem this friend has cited?

The Bullshit ...

[tqft]

is that the sysadmins security bots cannot read the cache and see what people have been up to (though he should be able to see the server logs).

Besides what you have written Kiosk mode should fix everything.

FirefoxIE

[file+cabinet]

http://www.firefoxie.net/

Re:Just pressure from MS

[sepluv]

There is a lot in this (especially with governments). I'm currently *trying* to persuade my uni have more free software on public machines starting with Firefox. I'll give some recent examples from my experience of this in relation to Firefox (as well as the obvious minor stuff like the government only producing documents in MSWord format or WWW sites that are in MSHTML so only work in MSIE):

1. In my old (state) college (where I've just left) the sysops told me (in person) that we were not allowed to use Firefox because and I quote, "Firebird [as it was] is a hacking [sic, should be cracking] tool like Kuzu [sic, should be Kazaa]". They also denied that it was a WWW browser and said that MSIE was the only WWW browser. They also said that they have a policy of only using Microsoft's software on the PCs.

2. A friend of mine uninstalled Firefox because his ISP told him that they did not support their users connecting to the WWW using Firefox. They also told him that just using MSIE (without uninstalling Firefox) instead would not work as Firefox also stops MSIE from connecting to the Internet when it is installed. (The same ISP also said that they only allow their users to check their email with Outlook Express and that my friend should not install any other mail client.)

I could go on...

Re:Just pressure from MS

[legirons]

"the obvious minor stuff like the government only producing documents in MSWord format or WWW sites that are in MSHTML so only work in MSIE"

It could be worse. Your government could demand that all tax returns be filed electronically, make it illegal to not file electronically, and then create a website for filing so that it can't be used on non-Internet Explorer browsers

Of course, no real government would ever be that retarded.

Re:Install it anyway

[dougmc]

We (normal people, non-telecom companies) don't fire people for installing essential software.

Sorry, but Firefox does not qualify as essential software. IE, as provided by the IT department, provides approximately the same functionality. Perhaps Firefox is more secure, but since everybody else there runs IE, what difference does it make?

As for why they don't allow Firefox, it's probably that they don't want to support it. With XP, IE, Outlook and Office on everybody's desktop, with some relatively simple tools, they can update everybody at once. So in theory, they should be able to keep up on patches and such, and keep it as secure as possible (as MS software ever is, anyways.)

When people start installing their own software, then that either adds more things for IT to support, or adds things that IT does not update. If it's the latter, then it's possible that a hole will appear in Firefox that does not exist in IE, and the company could be compromised that way. (Yes, if the hole appears in IE, the company is compromised that way. But they like to limit the number of vulnerabilities.)

I'm not saying this attitude is correct, but it's pretty pervasive. When IT tells you to not do something, and you do it anyways, that's the sort of thing that can get you fired at many places, or at least make them think again about your name when making lists of people to sack for the newest round of layoffs ...

(For the record, I work in a land of Microsoft software, but I do run Linux (and the assorted applications that go with it) on my boxes at work. And I even have permission to do so -- but it certainly wasn't easy to get. But at least I know I won't get fired for it. (Ultimately, I was told to stop, and so I pushed for official permission rather than stop.))

Paranoia Button

[kajoob]

Check out the Paranoia Button. It adds a button to your toolbar that you can click and it clears your history, browser cache, passwords, download history, cookies, etc. You can do the same thing in options, but if the black helicopters are right overhead, the Paranoia Button is nice and quick.

"Be Anonymous" Button

[cbr2702]

What would be more useful (and currently not possible) is a "be anonymous" button that when pressed toggled the browser into a full privacy mode. In this mode, sites would not be well trusted (javascript disabled, plugins don't load), the Refered_By HTTP header would not be set, and nothing would be stored (history, autocomplete).

Just post...

[jalet]

your sysadmin's email address here.

This will make him know better !

One real reason not to use it

[drsmithy]

Your admin's claims, as others have noted, are BS.

However, one reason I haven't rolled out Firefox across the board here is because it's a pain to centrally distribute, update and administer.

A word to the Firefox devs - if you really want to start making an impact into the corporate world:

Make centralised admin of Firefox under Windows easy and standard with GPOs (or even for just a start, obey the system-wide settings for things like homepages and proxies).

Package it into an MSI.

On a more personal note, fix the damn copy and paste bug that's been hanging around since (at least) the Firefox 0.7 days. It doesn't stop me using it (or recommending it to others), but it *does* make it EXTREMELY FRUSTRATING sometimes.

Wish #2 granted

[leonbrooks]

clickety click

Wish #1 presumably in progress as I type.