The Microsoft and Firefox browser security fight -- why they're both wrong

By Preston Gralla

October 13, 2011 4:35 PM EDT

Microsoft and Mozilla have been engaged in taunting each other over whose browser is more secure. They can taunt all they want; here's why both companies are likely wrong.

Microsoft started the spat when it launched a Web site that gives security ratings for a number of browsers, including Internet Explorer, Chrome, and Firefox. The site, yourbrowsermatters.org, gives a rating to browsers that visit the site, with a top score of 4. IE gets a 4, while Chrome 14 rates only 2.5, and Firefox 7 weighs in at a lowly 2. IE 6, meanwhile, rates a 3.

As for Opera and Safari, if you visit the site with them, you get the message "We can't give you a score for your browser."

The rating system was put together by Microsoft in conjunction with security researchers and groups such as the Anti-Phishing Working Group (APWG), Identity Theft Council and Online Trust Alliance. Computerworld's Gregg Keizer notes, "Microsoft is a premium member of APWG and on the steering committee of Online Trust Alliance."

The rating system is suspect, given that it was developed by Microsoft, gave IE the highest rating, and gave its major competitors poor ones.

Mozilla, unsurprisingly, faults the tests on a number of counts. Johnathan Nightingale, the company's director of Firefox engineering, wrote to Computerworld in an email that the test "is more notable for the things it fails to include," such as support for HSTS (HTTP Strict Transport Security), patch response time, and the Do Not Track opt-out privacy feature.

You won't be surprised to hear that Firefox and Chrome both support HSTS, and IE doesn't, or that Firefox offers security patches every six weeks, but IE patches are issued every two months.

So Firefox's response is just as self-serving as Microsoft's ratings.

The only way to truly know which browsers are the most secure is to set up an objective, industry-wide standard for judging browser security. That way, no company can slant tests towards its own browser. And it would also drive browser makers to work harder to improve security based on an objective, agreed-upon standard.

Will such a standard ever be set? Not likely. The problem is not a technological one; it would not be excessively difficult for a group to agree on a common set of browser security standards. Each browser maker, though, wants to set up tests that favor its own software. Having them all agree on a common methodology is about as likely to happen as getting Democrats and Republicans singing Kumbaya together around a campfire.