Is Firefox really less secure than Internet Explorer?
I need help settling a professional debate that I am having at work regarding browser security. A colleague of mine is making the case that open source is less secure than closed source software. He says that Firefox is a good example of this and says that Internet Explorer is more stable, reliable and secure.
Although articles and opinions can be found supporting either side, he says that high quality/unbiased sources often credit IE as being better and uses these two as examples:
- https://www.nsslabs.com/reports/browser-security-comparative-analysis-socially-engineered-malware
- http://www.accuvant.com/capability/accuvant-labs/security-research/browser-security-comparison-quantitative-approach
I thought, rather than looking up my own information, why not go to this support forum and get some feedback from a different point of view.
All Replies (5)
It depends on your definition of Secure. Firefox on average will fix reported vulnerabilities much faster than IE (often in 24 hours or less) while IE takes weeks or months to fix reported vulnerabilities. Once a security vulnerability is reported it's important to fix it ASAP, as bad guys will be using it until it's fixed.
Open Source is also more secure as anyone can see the source and fix holes. Also, there is less chance of a privacy issue in Open source. In IE, you have to trust they aren't doing anything to invade your privacy; in Firefox, you can prove it by reading the source.
Thanks for your feedback. Can you point to any quality research done that confirms what you say?
For what it's worth, I've always been in agreement with what you say regarding open source but I'm trying to keep an open mind about this topic and basing any new opinions on supporting documentation.
Thanks for the link. That article reminded me that PGP is one of the best examples of secure software that is open source.
When you review the NSS report, you see that Microsoft has an excellent reputation filter that blocks dangerous downloads. Google's isn't quite as good, but you can see that by comparison, the SafeBrowsing service Google licenses to Mozilla is much less potent than the one it uses in Chrome. Regardless of browser, users should supplement built-in reputation filters with regularly updated security software.
But that has nothing to do with open source vs. closed source development methodology. It simply reflects the allocation of resources toward one particular feature: compiling a really thorough database of malicious URLs.
The second paper, which evaluated Firefox 5, is a bit out of date now. This part is particularly quaint, as users upset about constant releases can confirm:
"As seen in Figure 9, Firefox has no pre-set pattern that determines release updates. In some instances, Mozilla has released updates in quick succession, within only a few days. Other times, up to three months passed without an update release."
The paper's negative assessment of Firefox 5 compared with Chrome in the sandboxing tests results from different designs. Again, there is nothing about open source vs. closed source development that dictates a product's design.
The bottom line is that each comparison needs to be made on its own merits; there is no reason to think that any given closed source software will invariably be more secure than any given open source software.