FireFox as a Security Risk Compared to IE? 174
A not-so anonymous Anonymous Coward asks: "The administrator at my work gave me the following reason for not using Mozilla. What do you think? 'FireFox is a security risk. Please refrain from using it. Please continue to use IE 6.0. IE is our only supported browser. FireFox saves encrypted pages to disk and does not give you override capability. It also does not allow automatic cache clearing when closing a browser. These are security risks.'" Do any of you have information that could be used to contradict the administrators information on FireFox? Are there configuration options one can reach from about:config that a user can use to address the problem this administrator has cited?
Simple. (Score:5, Informative)
Re:Simple. (Score:5, Informative)
Someone's not going to be an anonymous coward for long...
"FireFox is a security risk. Please refrain from using it"
LOL. Very good.
"IE is our only supported browser"
Please don't make me change anything. I might have to test it.
"FireFox saves encrypted pages to disk and does not give you override capability. It also does not allow automatic cache clearing when closing a browser. These are security risks.'"
OMG, people write this stuff?
Internet Explorer runs programs if you put them in an XML stylesheet, it runs programs supplied in bitmap images, allows websites to save scripts to disk and run them from the "trusted" zone, and allows any website to run activeX programs with full access to your computer if you ever click OK to a dialog box. These are security risks.
Re:Simple. (Score:5, Informative)
So, if you use a caching proxy instead of client-side caching, you save bandwidth, you save space, you keep it fast for the users, and you don't have to worry about caching SSL pages on your user's machines.
Re:Simple. (Score:2)
Not if they have a proxy server between the internal LAN and the outside.
Adminstrator is full of it (Score:5, Informative)
by default, ssl cache is disabled on firefox.
Re:Adminstrator is full of it (Score:5, Informative)
Paranoia Button (Score:5, Informative)
"Be Anonymous" Button (Score:5, Interesting)
Re:"Be Anonymous" Button (Score:2)
Re:Adminstrator is full of it (Score:3, Funny)
Spite him. (Score:5, Funny)
Re:Spite him. (Score:4, Insightful)
Re:Spite him. (Score:2)
Re:Spite him. (Score:2)
Just pressure from MS (Score:2, Insightful)
Re:Just pressure from MS (Score:5, Informative)
- In my old (state) college (where I've just left) the sysops told me (in person) that we were not allowed to use Firefox because and I quote, "Firebird [as it was] is a hacking [sic, should be cracking] tool like Kuzu [sic, should be Kazaa]". They also denied that it was a WWW browser and said that MSIE was the only WWW browser. They also said that they have a policy of only using Microsoft's software on the PCs.
-
I could go on...A friend of mine uninstalled Firefox because his ISP told him that they did not support their users connecting to the WWW using Firefox. They also told him that just using MSIE (without uninstalling Firefox) instead would not work as Firefox also stops MSIE from connecting to the Internet when it is installed. (The same ISP also said that they only allow their users to check their email with Outlook Express and that my friend should not install any other mail client.)
Re:Just pressure from MS (Score:5, Interesting)
It could be worse. Your government could demand that all tax returns be filed electronically, make it illegal to not file electronically, and then create a website for filing so that it can't be used on non-Internet Explorer browsers [theregister.co.uk]
Of course, no real government would ever be that retarded.
Re:Just pressure from MS (Score:2)
(When I said "the government" in grandparent I was talking about UK government obviously.)
There is retarded government (Score:2, Interesting)
Software itself is bloated s**t and government refuses to make it open-source. Bribes, bribes, bribes...
Re:Just pressure from MS (Score:2)
After about 2 days of running around i finally called the saleman and he went onto a 3 way with the support personel and basicaly told
Re:Just pressure from MS (Score:2)
Re:Just pressure from MS (Score:3, Funny)
The story of my conversation with the BoFH that day is funnier and longer than that actually--I'm sure I wrote some of it down somewhere.
It was funny, not least, because the sysop who made those comments looks like an orangutan--loads of scraggily bright red hair, very large tum, scratches himself constantly, move's with an orangutan's gait.
Although, admittedly, the analogy does fall down when you consider the fact that he is missing one of the most important facets o [google.com]
Re:Just pressure from MS (Score:2)
If you need any more evidence of what idiots the sysops there (I could tell many a story...) look at their WWW site (linked to in parent, note lack of content, broken display, &c) which is designed by those same sysops.
Re:Just pressure from MS (Score:2)
I'm not *necessarily* saying /. mods are all smoking something[*] but...I feel really guilty because my reply to his post basically repeating what he said and agreeing with him got modded +5 informative whereas his original post got modded Flamebait.
[*] which incidentally means that /.ers are all smoking something as nearly all if us are mods at some point.
Call Bullshit (Score:5, Informative)
In about:config, the property you want to look for is:
browser.cache.disk_cache_ssl
From This Page: [lockergnome.com]
* Description: switch to enable caching of objects served over a secure connection (SSL).
* Type: boolean
* Default: false
* Recommendation: true on systems where it is secure to cache these objects.
By default, Firefox (and Mozilla. and Netscape.) will *NOT* cache SSL-served pages. And, contrary to your administrator's *other* claim, you most certainly *can* toggle this behaviour in Firefox.
Re:Call Bullshit (Score:3, Insightful)
The problem was non-existent, and a fix plain and simple in the config. This entire article is a made up troll to rile up the mozilla zealots.
Re:Call Bullshit (Score:2)
Christ, just as I was getting my pitchfork and trying to light a torch. Oh well, maybe next time.
Re:Call Bullshit (Score:2)
Re:Call Bullshit (Score:2)
Of course, that doesn't directly answer your question, but this is slashdot after all
Re:Call Bullshit (Score:2)
Someone pointed out that about:config lets you set browser.cache.memory.enable=TRUE (the default) and browser.cache.disk.enable=FALSE. This (apparently) disables Firefox's disk cache, so there is nothing cached to clear when you exit!
The Bullshit ... (Score:4, Informative)
Besides what you have written Kiosk mode should fix everything.
Re:Call Bullshit (Score:3, Interesting)
Re:Call Bullshit (Score:2)
Re:Call Bullshit (Score:2)
I can think of a number of commercial sites that would be rendered useless if you couldn't save a page/file that's been delivered via SSL.
Re:Call Bullshit (Score:2)
Re:Call Bullshit (Score:2)
Depends on your admin (Score:5, Insightful)
Re:Depends on your admin (Score:2)
I hope that your admins test out the patches before they install them on production systems. I can't tell you how many times our Exchange server has been knocked out, due to a MS patch. Then, after about a day and a half without e-mail, a "hotfix" gets installed, which lets us have our mail again.
See story a few up the list about a Win update... (Score:2)
Re:Depends on your admin (Score:5, Interesting)
It doesn't. It's just an excuse for lazy MCSE admins who don't want to add an additional step to their daily advisory-reading / patch-installing cycle.
My point is this: in an established MS shop, it's often very hard to get the admins to approve usage of non-MS software. At my previous job we had many people using MS Publisher and that MS photo suite when InDesign and Photoshop would have been far better for their needs.
I'm not agreeing with the original poster's admin, I'm just saying that MS shops are often set in their ways.
Re:Depends on your admin (Score:2)
Not just MS admins. Every admin I've ever encountered has been as loathe to have his daily routine altered, regardless of whether the shop used MS or not.
Imagine the reaction if someone working in an all-Unix shop decides they want to run IE.
Just tell him (Score:2, Funny)
Look carefully at that image... (Score:3, Interesting)
Any non-standard app is a security risk (Score:5, Interesting)
Unless your organisation has the infrastructure to deal with non-baseline application patching, those apps WILL present a security risk while the IT team tries to find the resource to patch/update and deploy the latest version.
that's not what he said (Score:4, Insightful)
Re:that's not what he said (Score:2)
Re:that's not what he said (Score:2)
What's there to be solved? Firefox has a built-in update mechanism, you can get third party automatic package updates for Windows, and you can install Linux, which provides you with fully automatic updates. What more do you want?
Re:that's not what he said (Score:4, Insightful)
I don't know what you mean by "third party automatic package updates for Windows", but the third option is obviously nonsense. Converting to Linux is not a trivial undertaking for a company.
Re:that's not what he said (Score:2)
Re:that's not what he said (Score:2)
Yeah, that's a really great plan, and never has problems [slashdot.org] if you stick to sysadmin-friendly Microsoft kit. ;-)
Did you ever get the feeling that the linked
Re:that's not what he said (Score:3, Interesting)
ZENWorks, [novell.com] is a third party option. And if your running a Novell network, it is practically mandatory. Sure it costs a lot (last time I looked, it was $70/seat), but if you have a VLA it becomes practically free. Anyway, whatever the cost, with the proper deployment it will save at least an FTE, and free up the guys admining the network to do something else in there free time. Why can it free up so much time? Simple the
Re:that's not what he said (Score:2)
Re:Any non-standard app is a security risk (Score:4, Interesting)
Custom application standardisation across the install base means that issue resolution can be standardised and tweaked to meet the response/support requirement. The certification and testing processes that most serious companies use to pass apps as fitting are both rigourous and not condusive to incorporating the latest 'app du jour'. And rightly so.
It's easy for tech saavy folks to deem these practices as a symptom of the narrow mindedness of lazy MCSE admins (who would appear to be some sort of subspecies of a real admins). It's easy to see this as an organisation being inflexible due to undereducation but I believe that that is not the case. A pestered admin will often give the sort of pseudo answer this user recieved.It's not good to fudge that way , but without taking a user step by step through the security policies and application certification documetnation, it's difficult to explain the why of decisions such as this.
It can be difficult to meet the job function requirements of diverse departments and maintain the steady balancing act that will ensure your SourceSafe users will be as compliant as the receptionist.
For this organisation it may be useful to do a business case analysis exploring the usefulness or otherwise of Firefox but as it is still in it's first iteration a lot of companies will be loathe to abandon the practices they have in place on a whim.
Aa firefox moves ever closer to a dominant position the pressure will become greater and things will change. It will also become more a target and I'm betting that this [secunia.com] will begin getting longer and looking far more serious as more and more authors start realising the potential success to be had in taking Firefox on.
I call BS (Score:2)
I call BS on your BS (Score:2)
if it *is* installed by the IT department (as an admin) then I'd say that they'll have to have some sort of patching strategy, don't you?
Re:Any non-standard app is a security risk (Score:2)
Hmm well coming from speaking from one very large company in the UK it seems that would be the exception rather than the norm.
Here we use NT 4 SP5 (maybe 5a, certainly not 6) and ie 5.5 and well hey most of the machines here are spyware infested and getting it to sort it out is so complicated thank to having to ring an offsite call centre who ring someone back on site to come out to have a look (don't you love modern it policy) who will generally just boot from the notwor
funny your admin should say that... (Score:3, Interesting)
Firefox does not save encrypted pages to disk (Score:2, Informative)
That is a complete fucking lie. Unlike the security train wreck that is Internet Explorer, Firefox (and Mozilla and Netscape and ever other browser designed by people with a semblance of knowledge about security) does not save encrypted pages to the disk cache by default. Internet Explorer does (can be disabled by unchecking the 'Do not save encrypted pages to disk' box on the Advanced tab of the Internet Options dialogue).
It's set to NOT cache ssl pages by default. (Score:3, Informative)
it's set to false by default, btw.
Also in recent news... (Score:4, Funny)
Re:Also in recent news... (Score:2)
Nobody's Mentioned This So I am... (Score:5, Interesting)
Re:Nobody's Mentioned This So I am... (Score:5, Insightful)
Dear slashdot... (Score:5, Funny)
FirefoxIE (Score:5, Interesting)
Re:FirefoxIE (Score:2)
You'll risk your job trying something sneaky like that.
Simply configue Firefox to address his security complaints and bring up the issue again.
Problem patching open source software? (Score:2, Interesting)
Re:Problem patching open source software? (Score:3, Insightful)
This sort of makes sense if *all* you ever run is MS Office, MS Small Biz Server, IIS, etc. But if your org needs to run other things (Raiser's Edge, QuickBooks, Adobe products, etc.)
It used to be people chose to run Windows vs. Linux or Mac because 'Windows has all the software'. But it seems now more IT depts are
Advice? (Score:2)
We discussed installing firefox on all machines...
After some thought and reading I'm not sure that's the right move now...
+ I like firefox
+ No ActiveX
- No easy autoupdater that I'm aware of
- Not controllable via Group Policy
Related discussion: http://ask.slashdot.org/article.pl?sid=04/11/24/1 8 41232
Web's getting nasty; I worry mostly about users going to our regions account (I don't know who has access,
_Somewhat_ secure...? (Score:2)
It does.
Interesting project for the FF people, damn sure MS won't implement it until the Styx becomes icebound despite this [yahoo.com].
Maybe if you leave enough teeth under your pillow, they will get swapped for negotiable cash overnight.
This will kill some idiot PHB's favourite site and thus get rej
Your system admin... (Score:3, Interesting)
IMHO, Firefox is more of a local security risk that could expose your sensitive data to others who use your computer. IE, OTOH, could expose your data to anyone on the internet.
How to BSOD your MCSE (Score:2, Insightful)
Just post... (Score:3, Insightful)
This will make him know better !
One real reason not to use it (Score:4, Informative)
However, one reason I haven't rolled out Firefox across the board here is because it's a pain to centrally distribute, update and administer.
A word to the Firefox devs - if you really want to start making an impact into the corporate world:
Make centralised admin of Firefox under Windows easy and standard with GPOs (or even for just a start, obey the system-wide settings for things like homepages and proxies).
Package it into an MSI.
On a more personal note, fix the damn copy and paste bug that's been hanging around since (at least) the Firefox 0.7 days. It doesn't stop me using it (or recommending it to others), but it *does* make it EXTREMELY FRUSTRATING sometimes.
Wish #2 granted (Score:4, Informative)
Wish #1 presumably in progress as I type.
Risks.. (Score:2)
Risk of IE - lots of vulnerabilities that are mainly high risk according to vendor. Threat is you get lots of spyware etc just by visiting sites. Probability of this happeningis high.
Risk of Firefox. few known vulnerabilities, mainly low risk occording to vendor.
IE is less secure. (Score:2, Funny)
IE is not secure. Nor is it more secure than other software.
To compare the security of various packages, do this:
Install a Linux box. Install it with 10 NICs connected to 10 DS-3 connections to the Internet, with static IPs. Use no firewall. Open every port. Install every service. Run everything under 'root'. Serve web pages explainin
Admin idiots (Score:2, Informative)
At the interview I asked what they used and if they allowed staff to install more secure aps if the ones they use are not secure. They said no, I explained FireFox and others (for email etc) and was told they would not look at it. I then told them (when I got accepted for the job) that I could not work for a company that does not take computer security seriously (or even takes advice of the issue). Ended up working for a croup that had a better approac
Re:What is this, ask mozilla? (Score:3, Insightful)
Re:Install it anyway (Score:5, Insightful)
That kind of attitude will get you fired. Management is edgy these days and support/admin money is tight. There just isn't room for someone who doesn't want to go along with the flow. It's not 1998 anymore. The Aeron chairs and the foosball table have been auctioned off and there are many other people just waiting to take your job. Seriously. I've seen several people canned in 2004 by doing things "their own way" despite being told not to.
It never was "1998" (Score:4, Insightful)
Re:It never was "1998" (Score:3, Informative)
Speaking of "sane", I am currently contractin at big big big defense contractor. Desktops are so heavily "managed", 2GHz P4 machine is nearly useless as McAfee runs all the time. We are not local admins and to install something I need to find one of only two people who are.
Overall, I estimated I lose 80% of productivity this way. For a large group of contractors, the amount of money they are wasting is astronomical.
Re:Install it anyway (Score:2)
+3 Insightful?
-1 Fucking scary that people even think like this anymore. Get away, dogbert! We (normal people, non-telecom companies) don't fire people for installing essent
Re:Install it anyway (Score:4, Informative)
As for why they don't allow Firefox, it's probably that they don't want to support it. With XP, IE, Outlook and Office on everybody's desktop, with some relatively simple tools, they can update everybody at once. So in theory, they should be able to keep up on patches and such, and keep it as secure as possible (as MS software ever is, anyways.)
When people start installing their own software, then that either adds more things for IT to support, or adds things that IT does not update. If it's the latter, then it's possible that a hole will appear in Firefox that does not exist in IE, and the company could be compromised that way. (Yes, if the hole appears in IE, the company is compromised that way. But they like to limit the number of vulnerabilities.)
I'm not saying this attitude is correct, but it's pretty pervasive. When IT tells you to not do something, and you do it anyways, that's the sort of thing that can get you fired at many places, or at least make them think again about your name when making lists of people to sack for the newest round of layoffs ...
(For the record, I work in a land of Microsoft software, but I do run Linux (and the assorted applications that go with it) on my boxes at work. And I even have permission to do so -- but it certainly wasn't easy to get. But at least I know I won't get fired for it. (Ultimately, I was told to stop, and so I pushed for official permission rather than stop.))
What difference...? (Score:2)
On top of this, I get the tabs and all of those bazillions of nice, easy-to-reach extensions and themes. It's almost as good as Konqueror (except that Konq's JavaScript sucks).
The eternal conflict... (Score:2)
This must be the oldest conflict in IT. The paranoid sysadmin wants to keep everything everywhere the same and under their complete control. On the face of it, that's not unreasonable. They are, after all, the ones who have to clear up the mess when something goes wrong.
On the other hand, an informed user may know full-well that certain non-standard tools would help them to do their job better than the officially-recognised alternatives, and may be perfectly competent to install and maintain the non-stand
Re:The eternal conflict... (Score:2)
Re:The eternal conflict... (Score:3, Insightful)
When you've got this sort of thing going on, I don't see why any competent user should be denied the right to use appropriate software in their job
Because everyone who knows how to make text bold in Word thinks they're a competent user.
However, understanding why IT does this doesn't stop me from running lots of non-standard stuff myself...
Re:Install it anyway (Score:2, Insightful)
They'll Know It Is There If They Want To (Score:3, Insightful)
Besides, there's every chance they will know he installed, if not immediately, then sooner or later. I used to work at a place where each workstation was, in effect, periodically spidered to determine if any unauthorized software was present. If it was, it was removed.
Re:Install it anyway (Score:4, Informative)
If they use a system like M$'s Systems Management Server [microsoft.com], they can create an automated query for Firefox binaries that will inform them of who has it installed. The data is collected with the default inventory schedule of the individual machine's SMS agent.
I think there would be a Control Panel called "Advertised Packages" on your machine if this was in use. There is another, but I'm not certain what it's called; it would show you information on the SMS server and the schedule it uses to check in.
Even better (Score:5, Insightful)
Add an autorun.inf [moonvalley.com] to fire up firefox.exe (with command-line switches -- see the first link's discussion) automatically upon insert and you're good to go.
Re:Even better (Score:5, Interesting)
Re:Even better (Score:5, Informative)
Re:Even better (Score:2)
now all you need is an accessible USB port, something your boss may not be willing to give you...and a wife who thinks Firefox was worth your getting the chop a month before Christmas.
Who's going to know? (Score:2)
Okay, suppose you work for IngSoc, and you really can't risk it, but you really, really want to surf the light fantastic. Get yourself a cheap-ass laptop (try retro box [retrobox.com] or ebay), get a t-mobile card and their cellular service (about $30/month, but it is all yours), and you're golden.
Re:Your admin is an MCSE, isn't he? (Score:2)
There is a slim-but-not-zero chance that the organization is using an internal website with SSL to distribute something they consider confidential.
If this is true, and if the admin's claims about caching were true (apparently they're not), then the admin might have identified a valid security concern. But it sounds like he just doesn't want to deal with alternate browsers, and used something he remembered reading so
Re:Funny! (Score:2)
Somehow, this possibility rarely gets mentioned in
And, of course, 1), 2) and 3) can all be true for the same admin.
Anyone got a good 4) to contribute to the list?
Re:New way to get support on /. (Score:2)
True, but this isn't at all new. I've often used just this sort of approach to good effect in the old IBM/MS-vs-unix marketing war. The argument goes: With proprietary software like the stuff you get from IBM or MS, if you have a problem, and you can't find an answer in your docs, you have to go to the vendor, who has little motive to waste time digging out an answer. You can beg and pl
Re:...Uh-huh... Dumb. (Score:2)
Yet.