The battle over the question in the title has been raging in discussions all over the Internet. Unfortunately, this is the wrong question. In fact, it is a meaningless question unless a lot of additional factors are considered. Security is a multidimensional problem and cannot be usefully discussed in the kind of simplistic comparisons that are being made.
I am not a professional security expert, but there are some pretty obvious points that can be raised about how you define what is meant by “security”. The most popular way seems to be a kind of numerology where somebody with a vested interest, like Symantec, purports to count “vulnerabilities” or even “possible” vulnerabilities. The conditions under which these vulnerabilities apply are usually not specified. Many questions have to be asked before any meaningful assessment of the severity of a problem can be made. For example, does having a firewall prevent them? Do typical anti-malware packages detect them? Does the user have to click on a link or do something stupid for the problem to apply? Can the problem be fixed by changing a default setting? How long does it take before a patch can be made? Not all “vulnerabilities” are created equal. A so-called vulnerability may be “potentially” very dangerous but not be a problem in practice because it is easily fixed by standard measures or can only be incurred through stupidity. So this numbers game looks very misleading to me.
The whole subject is quite complicated but in an attempt to keep this discussion reasonably short I suggest we replace the single question of the title with three questions (all pertain to Windows systems):
- Which browser is safer for experienced computer users?
- Which browser is safer for average computer users?
- Which browser is safer for careless, uninformed or clueless computer users?
The answer to question 1 is that either browser will do. What browser is used by an experienced person is a matter of personal habits and preferences about different browser features. An experienced user knows what security precautions must be taken and will rarely get a problem just because of the browser that is being used. Personally, I use both Internet Explorer (IE) and Firefox. I prefer Firefox for most things but some sites only work in IE.
Next let’s consider question 2. The term “average” computer user covers a lot of different people, so only a few generalities can be stated. The average PC user is not going to be familiar with the details of security measures, but most will be aware that they need some kind of defense. If they have a PC bought in recent years, they will have quite a bit of automatic protection, such as anti-virus programs that update themselves and at least the Windows XP firewall. Also, Windows Update will be set to run unattended. Many PC users have also installed entire security suites. It is important to note the presence of these security measures because otherwise the question of which browser to use is moot.
For those people who have enough other security in place so that they can turn their attention to browser security, one question concerns updates. Both IE and Firefox have periodically been found to have security holes. IE has an apparent advantage in that it is automatically updated whereas at present Firefox has to be patched manually. Typical PC users can be lax about updating so that looks like a point for IE. However, this possible advantage is much lessened or even disappears because Microsoft can take many weeks to issue a patch for a known problem. Firefox patches come out within a few days after a problem is revealed. Which browser has the advantage here? For those who would keep up with the Firefox updates, I give the nod to Firefox on this particular issue. For procrastinators, maybe IE is better but future versions of Firefox are supposed to also update automatically. Note added later: Firefox version 1.5 is scheduled for release at the end of November, 2005. It contains an automatic update feature and that removes any advantage IE had for procrastinators.
There are also other security factors such as ActiveX, which I have discussed in detail on another page. On the issue of ActiveX, individual PC users will have to balance convenience with safety to decide on a browser. Knowledgeable users can configure IE to avoid ActiveX problems, but I wonder how many average PC users will actually do what’s necessary. From a theoretical point of view, I think Firefox is safer because it doesn’t support ActiveX, but from a practical view it can sometimes be inconvenient that some pages won’t work in any browser but IE.
What about the average PC user who has an older system with Windows 98/Me? These people are totally ignored by most commentators, but there are still quite a few of them around. They will be missing a lot of the security that Microsoft has added to IE in Windows XP SP2. Personally, I think that these systems are safer with Firefox. However, there is the psychological barrier that many people have about installing a whole new browser when they already have one in place. Also, IE has to be used for certain sites, and this is another obstacle to using Firefox. For these users, I think that the theoretical answer to question 2 is clearly Firefox. In practice, however, most of these users will probably stick with IE. Hopefully, they will have enough security measures in effect to mitigate the newer IE exploits that they are exposed to.
Now we come to question 3. This one is easy to answer. It doesn’t matter what this group uses for a browser. These are the ones that do not use firewalls or do not install security updates or blithely click on any old link. They have much bigger problems than what browser to use. Unfortunately, their problems are our problems, too. This group is where most of the worms and Trojans hide out. It is also where the crackers get their “zombie” machines to carry out Distributed Denial of Service attacks and conduct various criminal activities.
I have framed the discussion in terms of who the intended user is. To really discuss the issue of browser security would require a much more complicated metric. However, I think the discussion helps illustrate my contention that measuring security is not simple and that there is no easy answer that applies to everybody for the question of which browser is safer to use. If you held a gun to my head and demanded that I choose a browser for everybody, I would personally pick Firefox. But you still have to use IE for some sites like Windows Update whether you like it or not. And I haven’t even mentioned Opera or Netscape.
I am very interested to hear what you have to say about all this. Log on to http://tips.vlaurie.com and let me know what you think.