Slashdot Mirror

← Back to Stories (view on slashdot.org)

FireFox as a Security Risk Compared to IE?

Posted by Cliff on from the that's-just-silly-talk dept.

A not-so anonymous Anonymous Coward asks: "The administrator at my work gave me the following reason for not using Mozilla. What do you think? 'FireFox is a security risk. Please refrain from using it. Please continue to use IE 6.0. IE is our only supported browser. FireFox saves encrypted pages to disk and does not give you override capability. It also does not allow automatic cache clearing when closing a browser. These are security risks.'" Do any of you have information that could be used to contradict the administrators information on FireFox? Are there configuration options one can reach from about:config that a user can use to address the problem this administrator has cited?

27 of 174 comments (clear)

  1. Simple. by mewyn · · Score: 4, Informative

    Turn off caching. In the configuration, privacy, cache set that to 0, and caching is now disabled. Now, why anyone would claim that Mozilla/Firefox is less secure IE because of their own idocy should be shot.

    1. Re:Simple. by randomblast · · Score: 5, Informative

      It would be better for a site like that to use a caching proxy anyway. It puts all the effort on the server, and off the desktops, and you have no problem keeping track of what the desktops have stored on them, so if a desktop machine gets stolen, no sensitive info is on it. This has to be applied to other areas of their computing system as well, of course, but it probably already is, because it's really stupid to cache database results.
      So, if you use a caching proxy instead of client-side caching, you save bandwidth, you save space, you keep it fast for the users, and you don't have to worry about caching SSL pages on your user's machines.

      --
      ...these aren't my real teeth.
    2. Re:Simple. by Anonymous Coward · · Score: 5, Informative

      "The administrator at my work gave me the following reason for not using Mozilla."

      Someone's not going to be an anonymous coward for long...

      "FireFox is a security risk. Please refrain from using it"

      LOL. Very good.

      "IE is our only supported browser"

      Please don't make me change anything. I might have to test it.

      "FireFox saves encrypted pages to disk and does not give you override capability. It also does not allow automatic cache clearing when closing a browser. These are security risks.'"

      OMG, people write this stuff?

      Internet Explorer runs programs if you put them in an XML stylesheet, it runs programs supplied in bitmap images, allows websites to save scripts to disk and run them from the "trusted" zone, and allows any website to run activeX programs with full access to your computer if you ever click OK to a dialog box. These are security risks.

  2. Adminstrator is full of it by abartlett_219 · · Score: 5, Informative
    browser.cache.disk_cache_ssl? Q.19 here

    by default, ssl cache is disabled on firefox.

    1. Re:Adminstrator is full of it by memodude · · Score: 5, Informative

      Also, you can make it essentially clear the cache on each browser exit by setting browser.cache.memory.enable to true and browser.cache.disk.enable to false.

  3. Spite him. by Anonymous Coward · · Score: 5, Funny

    Use MSIE and access as many problem pages as you can so that you end up with a system filled with viruses, spyware, adware, popups and everything else until the machine slows to a crawl and then let IT deal with it.

    1. Re:Spite him. by krymsin01 · · Score: 4, Insightful

      That's a good way to get fired, seeing as how most of the problem pages will either A) be against the AUP (porn, etc) or B) Illegal (certain porn, warez, etc).

      --
      stuff
  4. Call Bullshit by TrebleJunkie · · Score: 5, Informative

    I think I'm going to have to call bullshit on your admistrator.

    In about:config, the property you want to look for is:

    browser.cache.disk_cache_ssl

    From This Page:

    * Description: switch to enable caching of objects served over a secure connection (SSL).
    * Type: boolean
    * Default: false
    * Recommendation: true on systems where it is secure to cache these objects.

    By default, Firefox (and Mozilla. and Netscape.) will *NOT* cache SSL-served pages. And, contrary to your administrator's *other* claim, you most certainly *can* toggle this behaviour in Firefox.

    --

    Ed R.Zahurak

    You know, oblivion keeps looking better every day.

  5. Depends on your admin by green+pizza · · Score: 4, Insightful

    I worked in an all-Windows shop for awhile. It wasn't too bad and the network and server admins were *very* tuned into the security notices from Microsoft. They would have every machine patched within one business day of the announcement. Maybe your company is the same way, and introducting non-Microsoft software may upset that cycle.

    1. Re:Depends on your admin by green+pizza · · Score: 5, Interesting

      How does Firefox prevent them from patching Windows software?
      It doesn't. It's just an excuse for lazy MCSE admins who don't want to add an additional step to their daily advisory-reading / patch-installing cycle.

      My point is this: in an established MS shop, it's often very hard to get the admins to approve usage of non-MS software. At my previous job we had many people using MS Publisher and that MS photo suite when InDesign and Photoshop would have been far better for their needs.

      I'm not agreeing with the original poster's admin, I'm just saying that MS shops are often set in their ways.

  6. Re:Install it anyway by green+pizza · · Score: 5, Insightful

    Just install it anyway. There's no way that they can tell you're using it, unless they're looking over your shoulder.
    That kind of attitude will get you fired. Management is edgy these days and support/admin money is tight. There just isn't room for someone who doesn't want to go along with the flow. It's not 1998 anymore. The Aeron chairs and the foosball table have been auctioned off and there are many other people just waiting to take your job. Seriously. I've seen several people canned in 2004 by doing things "their own way" despite being told not to.

  7. Even better by Safety+Cap · · Score: 5, Insightful
    You can configure FireFix to run from a keychain USB drive.

    Add an autorun.inf to fire up firefox.exe (with command-line switches -- see the first link's discussion) automatically upon insert and you're good to go.

    --
    Yeah, right.
    1. Re:Even better by DietFluffy · · Score: 5, Interesting

      better: http://johnhaller.com/jh/mozilla/portable_firefox/

    2. Re:Even better by sepluv · · Score: 4, Informative

      That is a version of Firefox optimised for use on portable drives (by reducing disk usage, reducing size on disk, making references to exntesions relative, &c).

      --
      Joe Llywelyn Griffith Blakesley
      [This post is in the public domain (copyright-free) unless otherwise stated]
  8. Any non-standard app is a security risk by SoundGuy666 · · Score: 5, Interesting

    While your admin may have issues with the default configuration for Firefox, there are genuine reasons for not deploying firefox to your network. Most security concious organisations have a very rigourous patching system for the authorised applications and operating systems. Any app which doesn't fit into that patching system (whether it be up2date, apt-get, SUS/WUS/SMS, yum or another flavour) presents a massive overhead to the IT team. Every time there is an update to Firefox, it needs to be repackaged and redeployed to every desktop in your organisation. And it's not just Firefox, but by setting a precedent of deploying MyRequestedAppX, they face pressure from all sides for AppY, AppZ, etc. Then the questions come - "you support Mr X's AppX with updates and patches - why not mine?".

    Unless your organisation has the infrastructure to deal with non-baseline application patching, those apps WILL present a security risk while the IT team tries to find the resource to patch/update and deploy the latest version.

    --
    Why can't we all just get along?
    1. Re:Any non-standard app is a security risk by Damhna · · Score: 4, Interesting

      Could not agree more.

      Custom application standardisation across the install base means that issue resolution can be standardised and tweaked to meet the response/support requirement. The certification and testing processes that most serious companies use to pass apps as fitting are both rigourous and not condusive to incorporating the latest 'app du jour'. And rightly so.

      It's easy for tech saavy folks to deem these practices as a symptom of the narrow mindedness of lazy MCSE admins (who would appear to be some sort of subspecies of a real admins). It's easy to see this as an organisation being inflexible due to undereducation but I believe that that is not the case. A pestered admin will often give the sort of pseudo answer this user recieved.It's not good to fudge that way , but without taking a user step by step through the security policies and application certification documetnation, it's difficult to explain the why of decisions such as this.

      It can be difficult to meet the job function requirements of diverse departments and maintain the steady balancing act that will ensure your SourceSafe users will be as compliant as the receptionist.

      For this organisation it may be useful to do a business case analysis exploring the usefulness or otherwise of Firefox but as it is still in it's first iteration a lot of companies will be loathe to abandon the practices they have in place on a whim.

      Aa firefox moves ever closer to a dominant position the pressure will become greater and things will change. It will also become more a target and I'm betting that this will begin getting longer and looking far more serious as more and more authors start realising the potential success to be had in taking Firefox on.

  9. It never was "1998" by Gothmolly · · Score: 4, Insightful

    For people at any sane shop. I have local Admin rights on my laptop, as I need to install s/w. As a result, I have disabled much of the IT spyware that your profile loads. The result? When AD blows up, or Novell NDS-AD bridge goes down, I can still get on locally. The fact that you speak so readily of needing to "go with the flow" and wistfully of the "Aeron chairs" and "foosball" table tell me that your experience was markedly different, perhaps due to our differing skillsets and attitudes. Sorry for your loss.

    --
    I want to delete my account but Slashdot doesn't allow it.
  10. Also in recent news... by comwiz56 · · Score: 4, Funny

    Also in recent news: jumping into a pit of lava is safer than swimming in your friends swimming pool.

  11. Nobody's Mentioned This So I am... by DiscoOnTheSide · · Score: 4, Interesting

    There's a wonderful little extension for Firefox called "Configuration Mania" and it works with 1.0. It has the ability to choose the option for the SSL disk cache mode as well as clear the disk cache every time you close the program, as well as other nifty little things. Give it a whirl.

    --
    Viva La Revolucion! Buy a Mac!
    1. Re:Nobody's Mentioned This So I am... by Saiyine · · Score: 5, Insightful

      What about giving an url?

      --
      Hosting 20G hd, 1Tb bw! ssh $7.95
  12. Dear slashdot... by pyrros · · Score: 4, Funny

    Dear slashdot, a friend of mine claims that his dad can beat my dad. Do any of you have information that could be used to contradict my friend's information on my dad, as I can't be bothered to check? Are there any options one can pursue (anabolics, boxing classed etc), that a kid can use to address the problem this friend has cited?

  13. FirefoxIE by file+cabinet · · Score: 5, Interesting

    http://www.firefoxie.net/

  14. Re:that's not what he said by francium+de+neobie · · Score: 4, Insightful

    Firefox's automatic update is good for the individual. But for IT departments, they'd want to test the patches before releasing them and they'd want to centralize the patching process. I think it's well known what happens if we let the non-computer savvy users choose whether to update or not themselves, or forcing them to take on untested patches ;^) (even the Linux kernel had problematic updates, remember 2.4.11?). So depending on Firefox's automatic update would likely make a mess sooner or later.

    I don't know what you mean by "third party automatic package updates for Windows", but the third option is obviously nonsense. Converting to Linux is not a trivial undertaking for a company.

  15. Re:Just pressure from MS by sepluv · · Score: 4, Informative
    There is a lot in this (especially with governments). I'm currently *trying* to persuade my uni have more free software on public machines starting with Firefox. I'll give some recent examples from my experience of this in relation to Firefox (as well as the obvious minor stuff like the government only producing documents in MSWord format or WWW sites that are in MSHTML so only work in MSIE):
    1. In my old (state) college (where I've just left) the sysops told me (in person) that we were not allowed to use Firefox because and I quote, "Firebird [as it was] is a hacking [sic, should be cracking] tool like Kuzu [sic, should be Kazaa]". They also denied that it was a WWW browser and said that MSIE was the only WWW browser. They also said that they have a policy of only using Microsoft's software on the PCs.

    2. A friend of mine uninstalled Firefox because his ISP told him that they did not support their users connecting to the WWW using Firefox. They also told him that just using MSIE (without uninstalling Firefox) instead would not work as Firefox also stops MSIE from connecting to the Internet when it is installed. (The same ISP also said that they only allow their users to check their email with Outlook Express and that my friend should not install any other mail client.)

    I could go on...
    --
    Joe Llywelyn Griffith Blakesley
    [This post is in the public domain (copyright-free) unless otherwise stated]
  16. Re:Just pressure from MS by legirons · · Score: 4, Interesting

    "the obvious minor stuff like the government only producing documents in MSWord format or WWW sites that are in MSHTML so only work in MSIE"

    It could be worse. Your government could demand that all tax returns be filed electronically, make it illegal to not file electronically, and then create a website for filing so that it can't be used on non-Internet Explorer browsers

    Of course, no real government would ever be that retarded.

  17. Paranoia Button by kajoob · · Score: 4, Informative

    Check out the Paranoia Button. It adds a button to your toolbar that you can click and it clears your history, browser cache, passwords, download history, cookies, etc. You can do the same thing in options, but if the black helicopters are right overhead, the Paranoia Button is nice and quick.

    --
    Quidquid latine dictum sit, altum viditur
  18. "Be Anonymous" Button by cbr2702 · · Score: 4, Interesting

    What would be more useful (and currently not possible) is a "be anonymous" button that when pressed toggled the browser into a full privacy mode. In this mode, sites would not be well trusted (javascript disabled, plugins don't load), the Refered_By HTTP header would not be set, and nothing would be stored (history, autocomplete).

    --


    This post written under Gentoo-linux with an SCO IP license.