Tuesday, December 14, 2004
Does Firefox risk your security? Geeks vs. suits.
Normally I'd take the side of geeks. I'm one myself, a former Microsoft programmer and so on. But I ran into something that reminds me, your business's geeks can be wrong sometimes.
A leaked memo from an unnamed IT manager said the shop would standardize on Microsoft's Internet Explorer web browser instead of Firefox because "FireFox saves encrypted pages to disk and does not give you override capability. It also does not allow automatic cache clearing when closing a browser. These are security risks."
So what?
First question is, "what does that mean?" What the manager is saying is that when Firefox keeps copies of things around in case they're needed later (every browser does this; it's called the cache), it isn't cleaning up afterward, and it's keeping copies of things it should know are confidential. The real-world impact is that if a machine gets stolen, there's one more place the thief could look for confidential material.
Internet Explorer's continuing and severe security problems dwarf the issue of whether there are copies of Web pages on disk. "Look at the big picture" actually means something in this case. Security is a game of tradeoffs and deciding where you want to take risks. Geeks can get tunnel vision. If you have solid information, say from a security consultant like me, you may sometimes be safe in overruling your company geeks.
The bottom line
That IT manager is flat wrong besides lacking perspective. Firefox doesn't write pages fetched over an encrypted (SSL) connection to its disk cache (technically oriented link for your geek employees). Firefox also has preferences you can set to prevent anything from being saved to disk between sessions, and those settings can be checked and enforced rather than taken on faith.
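As an added illustration (not code from the original post), here is a small script that reads the `user_pref("name", value);` lines of a Firefox `user.js` or `prefs.js`, audits the two disk-cache preferences the memo is really about, and prints the hardened settings. The preference names `browser.cache.disk.enable` and `browser.cache.disk_cache_ssl` are real Mozilla preferences; the "policy" values, the sample file, and the assumed defaults are this example's own assumptions, not anything the memo or the post states.

```javascript
// Added example, not from the original post. Audits a Firefox preferences file
// for the disk-cache settings the leaked memo complains about.

// Policy this example assumes a "nothing persists between sessions" shop wants.
const POLICY = {
  // Never write cached responses to disk at all.
  "browser.cache.disk.enable": false,
  // Never write responses fetched over SSL to the disk cache.
  "browser.cache.disk_cache_ssl": false,
};

// Assumed browser defaults for prefs that are absent from the file
// (this example's recollection of Firefox 1.0; treat as an assumption).
const FIREFOX_1_DEFAULTS = {
  "browser.cache.disk.enable": true,
  "browser.cache.disk_cache_ssl": false,
};

// Constructed sample user.js with deliberately weak settings.
const WEAK_USER_JS = `
// constructed for this example: caches everything, including SSL pages
user_pref("browser.cache.disk.enable", true);
user_pref("browser.cache.disk_cache_ssl", true);
user_pref("browser.cache.disk.capacity", 50000);
`;

// Minimal parser for user_pref(...) / pref(...) / lockPref(...) lines
// (the latter two are the forms used in a locked-down mozilla.cfg).
// Returns a Map of pref name -> boolean | number | string.
function parsePrefs(text) {
  const prefs = new Map();
  const re = /^\s*(?:user_pref|pref|lockPref)\(\s*"([^"]+)"\s*,\s*(.+?)\s*\);\s*$/;
  for (const line of text.split(/\r?\n/)) {
    const m = re.exec(line);
    if (!m) continue; // comments, blank lines, anything unrecognised
    const [, name, raw] = m;
    let value;
    if (raw === "true" || raw === "false") value = raw === "true";
    else if (/^-?\d+$/.test(raw)) value = Number(raw);
    else if (/^".*"$/.test(raw)) value = raw.slice(1, -1);
    else continue; // unrecognised literal, skip it
    prefs.set(name, value);
  }
  return prefs;
}

// Compare the parsed prefs against POLICY. A pref missing from the file is
// not "safe by omission": it falls back to the browser default, so the
// finding records whether the offending value came from the file or a default.
function auditPrefs(prefs, defaults) {
  const findings = [];
  for (const [name, wanted] of Object.entries(POLICY)) {
    const fromFile = prefs.has(name);
    const actual = fromFile ? prefs.get(name) : defaults[name];
    if (actual !== wanted) {
      findings.push({ name, actual, wanted, source: fromFile ? "file" : "default" });
    }
  }
  return findings;
}

// The corrected user.js fragment a hardened profile would carry.
function hardenedUserJs() {
  return Object.entries(POLICY)
    .map(([name, value]) => `user_pref("${name}", ${JSON.stringify(value)});`)
    .join("\n");
}

// Stand-alone run: report the weak file, then show the hardened replacement.
for (const f of auditPrefs(parsePrefs(WEAK_USER_JS), FIREFOX_1_DEFAULTS)) {
  console.log(`${f.name}: is ${f.actual} (${f.source}), want ${f.wanted}`);
}
console.log("\nHardened user.js:\n" + hardenedUserJs());
```

Note the "default" source in the findings: an empty `user.js` still fails the disk-cache check, because the cache is on by default. Dropping the hardened lines into `user.js` (or locking them in `mozilla.cfg` so users can't flip them back) is what turns the manager's complaint into a non-issue.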
How can you tell if your IT manager is giving you good information? Check whether s/he is telling you the real tradeoffs to a Firefox migration:
- You may have some vital business applications on your internal web that depend on features only Internet Explorer has
- There are still a handful of nonstandard web sites that won't work in most web browsers. You might depend on one of them
- You may incur a training cost even though it's possible to make Firefox look and feel like IE
- The big problem with most free open-source software, including Firefox, is that it's relatively weak on features for administering it centrally. Even though your staff could push Firefox out using the Microsoft infrastructure they already have, it's still not as easy to control every desktop's settings as it is with an all-Microsoft solution.