Test Center: How secure is Firefox?

Mozilla's popular Web browser is long on user-friendly features and third-party extensions, and short on granular security controls

Mozilla's open source Firefox browser has made a significant dent in Internet Explorer's dominant market share. Much of its popularity is due to the wide availability of third-party add-ons that significantly extend Firefox's functionality -- allowing Firefox to disable Java or JavaScript on the fly, perform JavaScript whitelisting, even host ActiveX controls, for example. Firefox has always pushed the boundary in terms of features and functionality, and it can boast both growing enterprise support and the ability to run on Windows, Mac, and Linux. One claim Firefox can't make is a high granularity of security control.

Firefox does not automatically ask for elevation when installing, so be sure to run as administrator beforehand if you want it to install the browser into the normal Program Files folder in Windows Vista or another user-securable location. If installed on Vista, Firefox runs as a single process (Firefox.exe) with medium integrity, DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) enabled, and file system and registry virtualization disabled. The latter is a feature in Vista that allows users to run applications without having administrative privileges.

[ See also "How secure is Google Chrome?" and "How secure is Opera?" Tomorrow: "How secure is Internet Explorer?" For more on browser security and protection against Web-borne threats, see Security Adviser and "Test Center: Browser security tools versus the evil Web." ]

Like Google Chrome, Firefox has a JavaScript engine that converts JavaScript source code into native machine code; Firefox uses an open source engine called TraceMonkey. Unlike Chrome, in which the V8 JavaScript engine is always on, Firefox's JavaScript support can be enabled or disabled across the browser. By using the NoScript add-on, you can enable JavaScript (and Java and Flash) on a per-site basis.

Although add-ons such as NoScript, and plug-ins such as Adobe Flash, bring many useful capabilities to Firefox, at the same time they come with problems and security issues of their own. Firefox has a built-in add-on manager that allows you to browse available extensions, install and uninstall them, and enable and disable them, but again, they can't be enabled or disabled with per-site granularity.

Security settings
Security can be defined through the normal Tools > Options menu or by typing "about:config" in the URL bar. The latter option opens up hundreds of behind-the-scenes settings, similar to what might only be found among the registry settings of other browsers. Serious users always configure security using the about:config method, although detailed descriptions on each option can be a little hard to find.

Firefox has made tabbed browsing all the rage. The latest version, 3.0, allows tabs from one window to be moved to another browser window -- a pretty cool feature. Firefox 3.0 also contains a private browsing mode, which saves no data after the session is ended. First- and third-party cookies are allowed by default, but exceptions to the overall cookie policy can be made on a per-site basis. Third-party cookies can't be read by unrelated parties, as they can be in Safari and Chrome, but the privacy policy does not have the granularity offered in Internet Explorer.

Firefox has an anti-phishing feature, and it will attempt to block connections to previously reported malicious Web sites. The latter feature is similar to Internet Explorer's SmartScreen Filter. These features can be easily turned on and off. Firefox had the best pop-up prevention of any of the browsers I've tested. Whereas even the other top browsers would occasionally hiccup or suffer slight delays or GUI issues, Firefox simply blocked the pop-ups and warned in a non-annoying way.

But when I took Firefox to a malicious Web site known for starting dozens of browser windows, pop-up ads, and programs, Firefox locked up like most of the other browsers I tested (the lone exception was Opera). I had to reboot the system to regain control. Further, when I restarted Firefox, it attempted to re-open my last visited Web pages (again, like nearly every browser today), which in this instance was the killer Web site. With a little bit of Task Manager fighting, I was able to end the new Firefox sessions before they caused another lockup. Luckily, like Internet Explorer, Firefox has a "safe mode" that can be launched to recover from such disasters. Even better, whereas Internet Explorer only disables all add-ons by default, Firefox Safe Mode allows you to erase the history files, return browser settings to the defaults, make other necessary changes, and then automatically restart in normal mode. It's a great little feature.

Ciphers and zones
Although Firefox does not highlight true domain names as some of its competitors do, it has excellent digital certificate handling. It supports Extended Validation (EV) certificates, OCSP (Online Certificate Status Protocol), and ECC (Elliptical Curve Cryptography) ciphers, and it's very in-your-face about certificate errors. Users must click on several confirm messages to get to a Web site with a bad or untrusted certificate, and they're given multiple opportunities to review and install the certificate in question. Plus, Firefox offers the strongest SSL/TLS (Secure Sockets Layer/Transport Layer Security) cipher order of any of the major browsers, preferring TLS using ECC with AES 256-bit symmetric key strength. (Internet Explorer offers RSA with 128-bit AES first.) Most Web sites do not yet support 256-bit AES keys, so Firefox is being aggressive in its cipher order. When connected to a Web site containing an EV certificate, Firefox prepends the URL on the address bar with the company's name highlighted in green.

Firefox automatically checks for browser, add-on, and search engine updates. Like Chrome, it fails to ask the user for permission to check or install, but unlike Chrome, that default can easily be changed. Firefox also has some limited MIME content-type sniffing capabilities (see Mozilla.org). And because Firefox does not natively support ActiveX controls (only Internet Explorer does), its users get a lot of implicit protection that Internet Explorer users don't get.

The absence of built-in, user-definable security zones in Firefox is a serious detraction for many users. Today, any browser hoping to compete in the enterprise must utilize the concept of multiple security domains, each with user-definable settings. Firefox doesn't go the distance here. But in perhaps one of the oddest middle-ground solutions, Firefox provides limited support for Internet Explorer's security zones.

Strangely, Firefox added the ability for downloaded files to be marked with Internet Explorer security zone identifier information. The zone identifier is attached to the file as a "hidden," alternative data stream (as shown here using Windows Vista's new DIR /R parameter). Firefox will then honor file-download treatment as configured in Internet Explorer. Oftentimes, the file will have to be "unblocked" to run on the user's desktop. Although this feature is a definite plus to Mozilla users, I've yet to miss the dumbfounded look when you tell a Firefox fan that their coveted browser depends on Internet Explorer's security settings.

Firefox passed 9 of the 21 password handling tests on the Password Manager Evaluator, tops among the browsers I tested (including Internet Explorer, Google Chrome, Opera, and Safari). Firefox allows locally stored passwords to be protected by a separate master password, and even tells you how strong your master password is. Firefox also passed my browser security and JavaScript security tests, negotiating dozens of predefined tests in my lab and several browser security test sites on the Web without permitting automatic installation of malware. Still, it is a shame that Firefox fell to real-life malicious Web sites such as the "DoS attack" site mentioned above.

Firefox in the wild
Naturally, Firefox's popularity has brought out the attackers. Many different attacks "in the wild" specifically target Firefox users, making it the second-most-attacked browser behind Internet Explorer. Firefox 3.0 has had at least 39 separate vulnerabilities in less than six months (as compared to 154 vulnerabilities for Firefox 2.0 during its lifetime). Seventy-five percent of these exploits were ranked high-criticality, and a third allowed complete system compromise.

One of the common complaints about Firefox is its lack of support for the enterprise. Although Mozilla doesn't directly offer tools to ease large installations or to centrally manage Firefox through Group Policy, these are available from independent providers including FirefoxADM and FrontMotion.

All in all, Firefox is a sophisticated open source browser that has earned its place as a market leader. Like Internet Explorer, Firefox enjoys widespread popularity and third-party support. And like Internet Explorer, it continues to struggle with frequently found vulnerabilities, perhaps due in part to the vendor's commitment to SDL (Security Development Lifecycle) processes, which initially lead to more vulnerabilities being uncovered during testing. Firefox makes a good browser choice for anyone, but especially for users who want to purposefully avoid Internet Explorer (and ActiveX) or who don't need the finest granularity (e.g., multiple security zones) in their browser's security.

Copyright © 2009 IDG Communications, Inc.

How to choose a low-code development platform