Test Center: How secure is Firefox?
Mozilla's popular Web browser is long on user-friendly features and third-party extensions, and short on granular security controls.
Ciphers and zones
Although Firefox does not highlight true domain names as some of its competitors do, it has excellent digital certificate handling. It supports Extended Validation (EV) certificates, OCSP (Online Certificate Status Protocol), and ECC (Elliptic Curve Cryptography) ciphers, and it's very in-your-face about certificate errors. Users must click through several confirmation messages to reach a Web site with a bad or untrusted certificate, and they're given multiple opportunities to review and install the certificate in question. Plus, Firefox offers the strongest SSL/TLS (Secure Sockets Layer/Transport Layer Security) cipher order of any of the major browsers, preferring TLS using ECC with AES 256-bit symmetric key strength. (Internet Explorer offers RSA with 128-bit AES first.) Most Web sites do not yet support 256-bit AES keys, so Firefox is being aggressive in its cipher order. When connected to a Web site presenting an EV certificate, Firefox prepends the URL in the address bar with the company's name highlighted in green.
Firefox automatically checks for browser, add-on, and search engine updates. Like Chrome, it fails to ask the user for permission to check or install, but unlike Chrome, that default can easily be changed. Firefox also has some limited MIME content-type sniffing capabilities (see Mozilla.org). And because Firefox does not natively support ActiveX controls (only Internet Explorer does), its users get a lot of implicit protection that Internet Explorer users don't get.
The absence of built-in, user-definable security zones in Firefox is a serious drawback for many users. Today, any browser hoping to compete in the enterprise must support the concept of multiple security domains, each with user-definable settings. Firefox doesn't go the distance here. But in perhaps one of the oddest middle-ground solutions, Firefox provides limited support for Internet Explorer's security zones.
Strangely, Firefox added the ability for downloaded files to be marked with Internet Explorer security zone identifier information. The zone identifier is attached to the file as a "hidden" alternate data stream (as shown here using Windows Vista's new DIR /R parameter). Firefox will then honor the file-download treatment configured in Internet Explorer. Oftentimes, the file will have to be "unblocked" to run on the user's desktop. Although this feature is a definite plus for Mozilla users, I've yet to miss the dumbfounded look when you tell a Firefox fan that their coveted browser depends on Internet Explorer's security settings.
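To make that "hidden" stream concrete, here is an added Python example (not code from the article or from Mozilla) that parses the contents of a file's Zone.Identifier alternate data stream into the Internet Explorer zone it names. It assumes the standard INI-style `[ZoneTransfer]`/`ZoneId=` layout; the sample stream text and the `needs_unblock` rule (zones 3 and 4 trigger the unblock prompt) are constructed assumptions for illustration.

```python
"""Parse the Zone.Identifier alternate data stream that marks downloaded files.

Added example; assumes the stream is an INI-style [ZoneTransfer] section with a
ZoneId line (newer Windows versions also add ReferrerUrl and HostUrl lines).
"""
import configparser
from typing import Optional

# URLZONE values used by Internet Explorer's security zones.
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}


def parse_zone_identifier(stream_text: str) -> dict:
    """Return the zone id/name and any origin URLs recorded in the stream."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(stream_text)  # tolerates CRLF line endings
    if "ZoneTransfer" not in parser:
        raise ValueError("missing [ZoneTransfer] section")
    section = parser["ZoneTransfer"]
    zone_id = int(section.get("ZoneId", "").strip())
    return {
        "zone_id": zone_id,
        "zone_name": ZONE_NAMES.get(zone_id, "Unknown"),
        "referrer_url": section.get("ReferrerUrl"),  # None when absent
        "host_url": section.get("HostUrl"),
    }


def needs_unblock(zone_id: int) -> bool:
    """Assumed policy: Internet (3) and Restricted Sites (4) files prompt before running."""
    return zone_id >= 3


def read_zone_identifier(path: str) -> Optional[dict]:
    """Read the stream from a file on NTFS; None if the file carries no mark."""
    # NTFS exposes alternate streams through the "<file>:<stream>" path syntax.
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:  # no stream, no file, or a non-NTFS/non-Windows host
        return None


# Constructed sample of what a browser writes for an Internet-zone download.
SAMPLE_STREAM = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.com/setup.exe\r\n"
```

Running `parse_zone_identifier(SAMPLE_STREAM)` yields zone 3 ("Internet"), which is exactly the case where Windows asks the user to unblock the file before it runs.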