Mozilla bashes Microsoft's browser security test
'More notable for the things it fails to include,' says director of Firefox engineering
Computerworld - Mozilla has responded to Microsoft's new browser security test with jabs against Internet Explorer (IE).
Earlier this week, Microsoft launched a website that rates the security of IE, Google's Chrome and Mozilla's Firefox.
The site, yourbrowsermatters.org, uses the user-agent string of those browsers to call up a score between 0 and 4. IE9, Microsoft's latest browser, reaps a perfect 4, and 2009's IE8 collects a 3; month-old versions of Chrome and Firefox, however, return ratings of 2.5 and 2, respectively.
Microsoft registered the site -- the ".org" top-level domain, typically reserved for non-profits, is unusual for the company -- last July, according to WHOIS records.
Mozilla didn't think much of the test.
"Mozilla is fiercely proud of our long track record of leadership on security," Johnathan Nightingale, the company's director of Firefox engineering, said in an email. "We believe that being safe on the Web means having a robust browser that defends against malware and phishing, includes new technologies to help sites and users secure themselves, and a responsive security team that gets security updates out quickly and reliably."
Nightingale knocked the test, saying, "[It] is more notable for the things it fails to include," then cited three examples of criteria it lacks: HSTS, Do Not Track and patch response time.
HSTS (HTTP Strict Transport Security) is a still-unapproved standard that allows website servers to tell browsers they can connect only using an encrypted link, such as HTTPS. Firefox and Google's Chrome both support HSTS; Microsoft's Internet Explorer (IE) does not.
HSTS and encrypted connections in general made news a year ago when a Seattle developer released the "Firesheep" Firefox add-on that let "pretty much anyone" scan a Wi-Fi network and hijack users' access to Facebook, Twitter and a host of other services.
"Do Not Track," the umbrella term for initiatives that let users opt out of the online tracking conducted by websites and advertisers, has also been a hot-button issue this year.
Firefox jumped on the Do Not Track bandwagon last January with an implementation that transmits special information with every HTTP page request to tell the site that the user does not want to be tracked. It added the feature to Firefox 4, which launched in March.
Nightingale's third criticism of the test -- that it doesn't account for patch response time -- was another implied criticism of IE: Mozilla updates Firefox with security patches every six weeks, while Microsoft fixes IE flaws every two months.
Google, the only other major browser that Microsoft's new site rates, has not replied to a request for comment on Chrome's score.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His e-mail address is email@example.com.