It is widely asserted as "fact" that Firefox is more secure, but does that assertion really hold up under intense scrutiny? Peter Torr of Microsoft doesn't seem to think so. I can hear the howling now to the effect of "but the guy is just a Microsoft lackey on Bill Gate's payroll". While it is certainly true that he works for Microsoft and is clearly giving a point of view favorable to Microsoft, no one can deny any of the serious criticisms that he lays on Firefox. Here is a list of Peter's grievances that show a pretty flagrant disregard for the most basic of security principles.
- Installing Firefox requires downloading an unsigned binary from a random web server
- Installing unsigned extensions is the default action in the Extensions dialog
- There is no way to check the signature on downloaded program files
- There is no obvious way to turn off plug-ins once they are installed
- There is an easy way to bypass the "This might be a virus" dialog
Since the initial posting and much "fanfare" from Slashdot, someone pointed how you can turn off plug-ins so Peter has since then conceded the fourth point. While there has been a huge firestorm of responses on the other points, I haven't heard any acceptable explanations on any of the other four points that Peter has raised. The most serious issue is the first where Firefox might even send you to a raw IP address link (the favorite tactic of phishers) to download unsigned code.
The other problem with Firefox is compatibility with IE. The first issue is HTML formatting and the second problem is the lack of support for ActiveX.
John Carroll wrote about the formatting issue over a month ago in this column. Chris Jablonski posted this blog on why Enterprise IT organizations are turning a cold shoulder to Firefox. I've personally experienced problems with my own home page in the way Firefox renders the Macromedia Flash banner. The blog that Peter Torr posted mentioned above also doesn't render correctly with Firefox. I can already hear the Firefox crowd say "so what" as they did to John Carroll last month, "that's Microsoft's fault for not following the HTML standards". While following the HTML standards is fine and dandy, you're not going to win over any hard-core IE users who rely on web pages tuned to IE which has over 90% of the market share. It's not a question of who's right or who's wrong and who's not following the HTML standards, it's a question of market reality which Firefox can choose to ignore at its own detriment if the goal is to win over IE converts. I would like to suggest a nice compromise. Firefox should look to see if a page is optimized for IE and abide by Microsoft's nonstandard formatting and render the pages as their authors intended. For Websites that abide by the HTML standards, Firefox could use it's current formatting engine. This would make Firefox the best of both worlds.
ActiveX support is a double edged sword because any mechanism that launches executable code can be abused, but I do think the dangers have been grossly exaggerated since the modern version of IE that comes with Windows XP SP2 is sufficiently locked down by default. Any ActiveX code that has or hasn't been digitally signed will be blocked by default and you really do have to go out of your way to infect yourself with something nasty. Firefox's method for securing ActiveX is to simply not support it, but that's kind of like securing your Internet connection with a sharp pair of scissors instead of using a Firewall. From a corporate perspective, ActiveX is simply too important and entrenched for most corporations to give up. I personally love the ability of Microsoft PowerPoint or Visio to output HTML with a rich user interface and vector scaled images. Most people who have ever seen the pan and scan controls of Visio 2003 HTML output will never want to return to a flat HTML and GIF format. Outlook 2003 Webmail probably has one of the nicest web interfaces of any web application I've ever seen, view it through Firefox and it's back to a privative static HTML format. For the Firefox camp, it's easy to discount some or all of these benefits but corporations simply don't see it that way. Even Macromedia Flash has it's share of security patches but I think still think Flash is too valuable a medium to give up. A lot of technical people prefer no flashy interfaces and just plain old text, but I have no interest in going back to the stone ages of animated GIF files or ASCII art. I personally like Flash (when used sparingly with low bandwidth in mind) and rich user interfaces, and I can't stand reading the plain text formatting of the IETF RFCs when I need to do research.
Having levied all these gripes about Firefox, I will say that it is probably one of the best IE alternatives I've seen to date. Firefox did an impressive job importing all of my Internet Explorer settings and it doesn't take an eternity to load like the newer versions of Netscape (although a little slower than IE). I really love the modular search bar (especially Google, Dictionary.com, and Wikipedia) and I do love the HTML source viewer. But if Firefox is ever to succeed, it must do the following things.
- Firefox should support IE formatting in addition to HTML standard formatting
- Swallow Peter Torr's criticism and fix their serious security shortcomings
- Support and secure ActiveX without throwing the baby out with the bath water
I expect to get a lot of flame for this, but keep in mind that success comes from listening to your customers and not insulting them. I hope the folks at Firefox will look at this blog as a fair and honest critique and give it some serious consideration. The success of Firefox would bring much needed competition back in to the Web Browser. A healthy competition between Firefox and Microsoft would bring the best out of both companies and benefit all of us.