Here’s a question for you: being a clued up Internet user which browser client do you favour when it comes to being totally safe and secure on the web? The answer I know you are shouting loudly at the screen is ‘Firefox you freakin’ idiot’. But at the risk of being shot down in flames, literally, I have to say you’re sadly mistaken. There is no such thing as a totally safe and secure browser, and according to respected vulnerability statistics Firefox isn’t the closest thing you’ll find to one either.
Let’s not lose grip on reality here, nobody is suggesting that Microsoft has anything like all the answers, least of all me. I might be a freakin’ idiot, but I’m not a stupid freakin’ idiot, OK? There have been improvements made in IE7 Beta 2, and I’m not talking the huge efforts to make it more user friendly, more like Firefox in usability terms in fact. Technically it gets much closer to Firefox in the security stakes, by blocking downloads unless you opt-in to accept them; new URL parsing code can limit the danger from buffer overrun exploits; a phishing filter can automatically display a visual indication of dangerous websites as you visit them; and the user gets much greater control over ActiveX including the ability to automatically uninstall ActiveX controls. But IE remains the most popular browser, end of story. Apart from the notes on the rear cover which state that because of that market share, because it’s Microsoft we are talking about, and because it’s bound into the operating system so deeply – those who would mess with your data will be attracted to it like flies to dung.
Now I’m really sorry all of you who follow the Cult of Firefox (and I happily admit that I’m one of them before you get your dolls and stick-pins out) but the simple truth is that Firefox isn’t secure either. More secure than Internet Explorer, no doubt about that. But still not secure. Indeed, it’s turning into something of a Mini-Microsoft with the release of patches fixing multiple security holes in one hit. At least Firefox has the open source advantage of being quicker to respond to the discovery of such holes, quicker to release the filler to shore itself up. But not quick enough. A ‘zero-day’ critical security hole was discovered in Firefox 184.108.40.206 on April 18th, the patch to fix it didn’t appear until May 2nd. That’s one heck of a long opportunity to get screwed.
So if not IE, and not even Firefox, which mainstream browser client does come closest to reaching the Holy Grail of most secure status? The plain truth is that if security is your only metric, and we all know that it never will be, then you should be waiting for the fat lady to sing and choose Opera. This outperforms the PC competition by a clear and constant margin, according to the Secunia Vulnerability Reports (www.secunia.com). Secunia gather data on the number of vulnerabilities reported, how many have been patched and, if so, whether by the vendor or a third party, the criticality of those vulnerabilities and their impact by category. What’s more, these reports are cumulative, dating back to 2003, so you can see the bigger picture when it comes to vendor security response. Not only does it report on browser clients, but on more than 9500 software applications, and as such it is well worth a visit if you care about data security at all.
And the statistics that cause me to come to my conclusions? OK, in brief: IE6 has 85 advisories, 14% of extremely high criticality, with 25% remaining unpatched. Firefox is on 30 advisories, 3% extremely critical and 13% unpatched. Opera 8 rates only 13 advisories, none of which were either extremely critical or remain unpatched.
I’m not finished yet, because I’m about to state the obvious and back it up with Secunia stats. If you want almost as safe as you can get surfing right now, dump the PC and buy an Apple Mac with the Safari client. Secunia reports only 4 advisories for Safari 2, and while the 50% unpatched figure looks worrying, it is mitigated by there being zero extremely critical, zero highly critical and zero moderately critical vulnerabilities amongst them. Indeed, 75% were rated as ‘not critical’ and 25% ‘less critical’, which kind of explains it away nicely.
‘Almost as safe as you can get’? What’s wrong with as safe as you can get, then? Unfortunately that involves turning your computer off and doing something else…