Monday, December 08, 2008

Firefox or Internet Explorer:Safe and not so safe

Since information security is my hobby/job/obsession, this particular topic is near and dear to my heart. Just about everyone reading this has seen computers that have been beaten down with spyware - the evil junk that hijacks IE and renders a system virtually useless. How many times have you been called to a family member’s house to clean up their system? Or had to call your techie friend to come clean yours? It’s often quite awkward - the system slows to a crawl and every other mouse click conjures up some species of perverse, obscene image. What most people don’t realize, however, is that there is a very simple and powerful way to defend your system (and/or the systems of your loved ones) in one fell swoop.Don’t use Internet Explorer.What makes other browsers better than IE at protecting vs. spyware and other attacks? Well, it’s simple really - most other browsers don’t make it so easy to install malicious software on your system without you knowing about it. IE makes it relatively trivial through two features called ActiveX and Active Scripting. These technologies were designed specifically for the purpose of giving Web sites more control over a user’s computer. Unfortunately, as we have seen with exploit after exploit - that’s not always a good thing.

In addition to the spyware issues, IE in general has had a terrible track record when it comes to all types of serious security issues. For years now, it’s seemed like every time you turn around there is a new way to have your computer taken over via Internet Explorer. Put “internet explorer” and “allow an attacker to execute commands” (with the quotes) into Google and you’ll see what I mean.

In IE’s defense, many anti-Microsoft types will claim that it’s not possible to lock down IE at all. This is not true. It is possible - but if and only if you have a fair amount of technical know-how on the subject, and the time to do it. My personal view, however, is that tools such as Internet browsers should not require expertise and configuration time to be able to use them safely.

Standards

This is likely to get me in some hot water with my fellow security enthusiasts, but I find this issue to be of even more concern than that of IE’s security. The Internet works for one simple reason - everything at its core has been built on agreements that bind it together. Whether a computer is connected from California or Newfoundland, it’s going to speak the same language and obey the same rules - the rules defined by standards. If this weren’t the case there would be no Internet at all. These agreements are forged by a body of people whose goal is nothing short of designing a better and more efficient Internet for everyone. Microsoft, for some odd reason, seems bent on breaking stride with these agreed-upon standards. Case in point: the next time you’re in a bookstore, head over to the technology section and pick up a book on XHTML or CSS. These are two major Web standards that deal with how Web pages are displayed to users, and within any book on the subjects you will find one common theme:

The absolute worst browser when it comes to supporting the standards is Internet Explorer.

Page after page in these books will reveal features supported in other browsers, but not in IE. Ask yourself why a company would choose not to support standards that benefit everyone? The way I see it, it’s for precisely one of two reasons - either they are unable to, or they don’t want to. Given the fact that they are a multi-billion dollar company (one of the richest on the planet), I can’t help but lean toward the second option. Without going into too much detail, they have their own plans, and those plans involve implementing their own standard and forcing it upon the world. Call me a geek/hippie, but the idea of a multi-billion dollar corporation snubbing its nose at agreed-upon standards is nothing short of infuriating.

Options

Lucky for us, we have alternatives. The good news is that the alternative browsers are actually as good or better than IE. There are many out there, but in my opinion the Mozilla products are the best. I personally prefer and recommend Mozilla Firefox. Not only does it keep your browsing sessions a lot more secure and spyware-free, but it also supports the standards religiously and has a wide range of powerful features. Arguably the biggest benefit to using a Mozilla-based product is something called tabbed browsing. What this allows you to do is have multiple pages open within a single browser window. Rather than going from window to window in the taskbar, you can simply switch between clearly visible tabs, all within the same view. You can even do this and many other commands via the keyboard if you are into that sort of thing.

Using Firefox will not require any major shift in your daily browsing habits. It’ll import your favorites automatically, and you can benefit from the improved security starting the first time you open it. With the popup blocking enabled, you can breath quite a bit easier when browsing to unknown sites. Attempts to install garbage on your system that could have easily succeeded if you were using IE will simply be ignored by Firefox. Plus, the whole time you’re browsing you’ll know that you are doing your part to keep the soul of the Internet alive by choosing to use a browser whose developers actually care about standards.

Of course, I still use IE. (pause for effect) …it’s how I get my Windows security updates. : Seriously though - Windows Update is a must, and it only works in IE, so that in itself is a good reason to fire up IE once in a while. Aside from Windows Update though, there is still the occasional site that I go to that doesn’t look right in any other browser. Those sites, by the way, are all the more reason to not use IE. They weren’t written according to the standards, and they look bad in any browser other than IE as a result of that fact. Using IE all the time just because the occasional site is designed so poorly as to look like crap in other browsers is utterly bad form. I implore you not to give into this temptation.

Wrapping It Up

So, in closing, I leave you with two thoughts:

  1. Due to the combination of ActiveX, scripting, and its integration with the Windows operating system, Internet Explorer is more vulnerable to attack than many other browsers.
  2. The designers of Internet Explorer have purposely turned their back on the standards designed to benefit the Internet as a whole. They have done this for years, continue to do it today, and appear to have nothing but their own interests at heart.

I ask that you consider these points and pull down a copy of Firefox, Opera, or another alternative browser. Run it for a week and see how it feels. As mentioned above, I personally recommend Firefox due to its excellent development team and large user base. Once you have had some time to get to know your new onramp to the Web, I think you’ll find that you’ll wish you had switched sooner. No longer will you have to worry about garbage clogging up your system because of your browser, or having to make a mad rush for a patch every time an IE vulnerability is released.

Finally, and most importantly - spread the word. It’s time now for us to put alternative browsers on the map and let it be known that we are aware of our choices. We need not settle for what we are being fed when there are better, more secure alternatives out there.

No comments: