Firefox is Insecure? Not So Fast.

So there is a story today about Firefox being deemed too insecure to be part of the Pwn2Own competition. Now I run Firefox and kinda prickle at the notion that I am doing something insecure. So let’s try to get to the truth of this matter.

Claim: All of the browsers for which prize money is available have made significant progress in security over the last year. For instance, they have all decomposed the browser to run in multiple processes, unlike Firefox, which runs in a single process: network, renderer, plugins, add-ons, etc.

Truth: I hope all of the competitors have made progress. This time last year we saw malware tear through Chrome and Safari, but let’s call this unproven… As to Firefox, it does isolate plugins in heavyweight processes separate from the main process, as Safari and Chrome do.


Claim: Edge, Chrome and Safari are more secure than Firefox.

Truth: Security is hard to measure. As a stand-in for security, let’s examine publicly reported vulnerabilities. The Common Vulnerabilities and Exposures Database counts reported code execution vulnerabilities for 2015 as 101 for Safari, 83 for Firefox, 8 for Chrome and 19 for Edge, which was only available for part of the year. By this measure Safari is the least secure and Chrome is wildly more secure… Take this with a grain of salt. One of the places that employs many of the people reporting security vulnerabilities is Google. On the plus side, they are finding them and fixing them in Chrome, but that probably biases this count more than a little in favor of Chrome.

Claim: Firefox has sold out and keeps changing the UI rather than focusing on Security?

Truth: I don’t think Firefox is unique in this regard. When we replace client computers, I find that Firefox users are typically right at home because these changes have been phased in gradually and largely without breaking the functionality that they depend upon. The adoption of the menu button similar to Chrome and the removal of the menu bar on Windows has been the most jarring change. Safari, however, has been a steep learning curve as clients are moved from Mac OS X 10.6, and thus Safari 5.1, to Safari 9.0. In fact, one of my least favorite UI changes in a web browser of late is Safari choosing to not show complete URLs.


Sort of reminds me of Internet Explorer from about a decade ago. What could go wrong?

Counter Claim: Chrome gobbles up memory.

Truth: True. For an interesting denial of service, make a website that opens a few pop-under windows and get a Windows Server admin to open this page in Chrome on their server. Now, it takes about 60 tabs opened to a popular knitting social media site to eat up all 16GB of memory in my wife’s computer, so plan accordingly.

Claim: All browsers need to improve dramatically

Truth: Oh boy do they ever. There is a trivial JavaScript issue that has been described in security literature for two decades, is easy to exploit, and that no browser on the market has done anything to fix… I am of course talking about the invariant infinite loop. There is no reason in JavaScript to ever write a while loop with an invariant condition. Yet this was exactly the code used in March 2015, along with Safari and Chrome’s persistent state feature, to trick many people into allowing fake IT people access to their computers, and it conned too many into paying for fake malware removal services.

Despite its warts, I still like Firefox (no seriously, Firefox devs, please end Pocket, Hello and Yahoo search. They are useless, useless and terrible). It has good performance, and with the Keychain Integration Services add-on it uses the Mac OS X keychain like a well-behaved Mac app, unlike Safari and Chrome. The private browsing mode offers a decent experience while limiting the information I share with websites like Google. In fact, the biggest change in the past year for me is not a browser feature but the fact that I increasingly use private browsing mode to access the top websites like Google and Amazon, because by being more anonymous I have a better browsing experience. Though I’m not going to complain if this media attention spurs Mozilla to improve the security of Firefox.

Recommendation: Use the browser of your choice so long as it is not made by an antivirus vendor, Safari or Internet Explorer. Use Private Browsing whenever reasonable. Oh and uninstall Flash, Java and Silverlight.