Yes, it's true: The updated version of Microsoft Internet Explorer (IE) 6.0 in Windows XP Service Pack 2 (SP2) is a lot more secure than earlier IE versions were. But, for a variety of reasons, some people can't upgrade to XP SP2. If you're one of those people, what can you do to improve Web browsing security? You can use an alternative browser, such as the Mozilla Organization's Firefox 1.0, until you can upgrade.
Firefox is an excellent solution. It's lightweight and offers a multitude of useful features, including pop-up blocking, plug-in control, extension control, advanced cookie control, advanced software-installation control, advanced download control, NT LAN Manager (NTLM) authentication, automatic software updates, quick turnaround for security patches, and much more.
After you review Firefox's features, I think you'll agree that it deserves serious consideration as a way to boost Web browsing security on the desktop and server in lieu of XP SP2. Plus, Firefox is open-source software and is freely available to everyone.
Authentication
Many Web sites that are based on Microsoft IIS use NTLM with a Web browser to authenticate to Windows-based systems. For example, your Web content management interface or specific Web-based applications might require NTLM authentication, particularly on your intranet. During earlier phases of its development, Firefox didn't support NTLM authentication, but during its evolution the developers added NTLM support, better positioning the browser as a viable IE alternative. Keep in mind that Firefox's NTLM authentication isn't completely transparent; the browser displays a dialog box that you use to enter your username and password.
For other types of secure communication that require authentication, Firefox currently supports Secure Sockets Layer (SSL) 3.0, SSL 2.0, and Transparent LAN service (TLS 1.0) and has a built-in certificate-management system that uses content revocation lists and the Online Certificate Status Protocol (OCSP) to validate certificates. Firefox also has built-in support for security devices, such as smart cards, that secure communications often use for authentication.
Plug-ins and Extension Management
The updated IE 6.0 supports a new add-on manager that lets you control whether to enable add-ons. Firefox calls add-ons plug-ins and typically adds support for third-party content (e.g., Adobe Acrobat PDF files, Apple Computer Quicktime movies). Firefox also has a plug-in manager that lets you enable or disable plug-ins and whatever action a given plug-in performs. You can also improve Firefox's functionality by adding extensions. For example, you can add the IE View extension, which adds a link to your pop-up menus that opens a given URL in IE instead of Firefox if that site requires IE. The extension manager lets you update installed extensions.
Firefox lets you enable or disable extensions and plug-ins entirely or selectively. When you visit a Web site that offers an extension to Firefox and extension installation is turned off, Firefox displays a message at the top of the Web page that alerts you that extensions are turned off.
When you select Tools, Edit Options, the Options dialog box displays the Web Features option; you can select Allow web sites to install software and click Allowed Sites to define which sites you'll allow to install software. When you visit a site that displays the message that Figure 1 shows in the message bar, you can click Edit Options (to the right of the message) and easily add the site to the Allowed Sites list.
Figure 2 shows the message Firefox displays when you've enabled the Allow web sites to install software option but haven't defined any sites in the Allowed Sites list. When you click Edit Options, the Allowed Sites dialog box displays the Web site address, which you can add by clicking Add.
To manage browser extensions that you've already installed, select Tools, Extensions to open the Extensions dialog box that Figure 3 shows. The dialog box lets you uninstall extensions, update extensions, configure options for a given extension if the extension has such options (some extensions don't), and click a link that opens the Mozilla Web site, which, at the time of this writing, contains more than 160 popular extensions. You can quickly add new extensions with a few mouse clicks.
To manage browser plug-ins such as Adobe Acrobat Reader, select Tools, Options, Downloads, and click Plug-ins, which displays a Plug-Ins dialog box like the one that Figure 4 shows. You can control which plug-ins to enable for which file types by clicking the dot next to file type under Enabled. Checkmarks mean the plug-ins are enabled, and dots mean the plug-ins are disabled. When you download plug-ins and extensions, Firefox displays a dialog box that tells you whether the plug-in is cryptographically signed, so you can choose whether to install the plug-in or extension if you feel uncertain about its authenticity.
Blocking Unwanted Pop-Ups
You can use the Firefox pop-up manager (under Tools, Options, Web Features) to selectively configure which sites can display pop-ups by entering the URL of the site for which you want to allow or block pop-ups. You can configure Firefox to block all pop-ups by default but allow pop-ups from sites you select.
When a site tries to open a pop-up window that you want blocked, Firefox displays the message that Figure 5 shows. You can click anywhere on the message bar for a drop-down menu that lets you quickly adjust pop-up settings. The menu options include the ability to disable the pop-up warning notice bar, edit overall pop-up manager settings, allow pop-ups for the domain you're visiting, and display selected pop-ups from the site you're visiting.
Security Zones and ActiveX Controls
As you probably know, IE lets you configure its various security zones so that they have different security settings, then places Web sites in the zones you select. For example, IE contains a My Computer zone that gives more access to the underlying OS to Web sites that are members of that zone. Unlike IE, Firefox doesn't use zones to control how the browser treats Web site content. Aside from customized per-site settings (e.g., cookies, extensions, pop-ups), Firefox handles each site with the same general security settings. So, from IE's perspective, Firefox essentially has only one security zone.
The single-zone technique seems to work well. Because Firefox isn't integrated directly with the underlying OS, it doesn't need more than one security zone and doesn't present nearly as much risk as IE does when handling Web content. You can use Firefox to navigate your hard disks, but for Web-based content Firefox renders HTML, Java, and Javascript applications. Therefore, intruders can't exploit your system unless one of those technologies has a bug.
Firefox doesn't have native support for ActiveX or VBScript. The benefit of this strategy is that malicious ActiveX controls and Visual Basic (VB) scripts won't run in Firefox. The disadvantage is that if you need to use ActiveX controls or VBScript, you have to use IE for those instances, a setup you can easily facilitate by using the IE View Firefox extension, which is available in the Firefox extensions repository on the Mozilla Web site.
For typical Web use, that limitation should present only minor, infrequent problems. The majority of public Web sites are designed to work with any Web browser that comes close to supporting official Web standards, and popular Web-based plug-ins (from large companies such as Adobe Systems, Apple, Macromedia, and RealNetworks) are designed to work with Firefox as well as IE and other Web browsers.
Security Updates
Another benefit of Firefox is that it isn't targeted for attacks nearly as often as IE is. And although Firefox's obscurity doesn't provide a tremendous amount of security, it does provide some measure of safety.
When the Mozilla Organization discovers security problems in Firefox, it addresses them much more quickly than Microsoft fixes IE flaws. Installing Firefox patches is quick and painless because Firefox is a small download and has a built-in software update and packaging feature. Selecting Tools, Options, Advanced displays a dialog box that presents a list of options. Under the Software Update option, you can enable Firefox to periodically check for updates to the browser and for updates to extensions and themes that you've installed. You can also click Check Now to immediately check for updates. But you can't configure how often Firefox checks for updates, and the documentation doesn't offer any information about the interval.
When update checking is enabled and an update is available, Firefox displays a red circular icon with an arrow directly under the Minimize, Maximize, and Close buttons, as Figure 6 shows. When you click the icon, Firefox immediately begins downloading and installing the software update.
Privacy Features
Firefox has several useful privacy features. People often complain about cookies, which are sometimes used to track their Web use. Firefox offers fine-grain control over cookies. You can configure Firefox to allow a Web site to set cookies, then ask you whether to allow the cookies. Whenever it receives a cookie, the browser displays a dialog box, which you can use to decline the cookie, accept it, or accept it only for that particular Web session. You can also tell Firefox to remember your choice for all future visits to that Web site so that you don't have to deal with the same dialog box every time you visit the site. By denying cookies from some sites and accepting them from sites you need to visit (such as merchant sites) and by allowing session cookies only from sites you visit rarely, you can minimize the opportunities to track your Web use.
Firefox remembers form field data that you enter for a given Web page, so you don't have to reenter it every time you visit. It also has a password manager that remembers logon details for sites that require secure access and uses strong encryption to store passwords. The password manager uses a master password to prevent other people from gaining access to your logon credentials. The first time you use the password manager, you have to create your master password; from then on, access to stored passwords is transparent.
Firefox has a download manager that remembers which files you've downloaded and compiles a list of files you've downloaded that you can erase manually or automatically after you finish downloading a file or when you close Firefox. The browser also lets you control Web caching and the history of sites you've visited.
A new Firefox feature is built-in support for Web-based news feeds that use the Atom and Really Simple Syndication (RSS) standards. The news feeds feature works in conjunction with bookmarks. When you visit a Web site that offers an Atom or RSS feed, Firefox displays an icon on the bottom right of the status bar. When you click the icon, Firefox adds the news feed to your bookmarks as a top-level entry and automatically updates the list of the most recent articles as subentries under that top-level entry for quick and easy access.
Compelling Features
I've given you a brief overview of many of Firefox's security and privacy features, but the browser has other compelling features you might find useful. For example, Firefox offers tabbed browsing windows, a new search bar at the bottom of the screen (which appears when you press Ctrl+F), the ability to highlight search terms on any Web page, and a quick-search feature that locates text on a Web page as you enter a matching word or phrase. Firefox also has an incredibly small installation footprint that you can customize with third-party themes or your own themes, an open extension programming interface, more than 160 ready-to-use extensions, numerous custom search engine plug-ins, custom tool bars for Yahoo! and other services, and much more than I have room to list. If you're even slightly curious about Firefox, download a copy and take it for a test drive. You'll find its feature set worth considering, especially if you can't upgrade to the latest version of Windows. You can download Firefox from http://www.getfirefox.com.
