Is Safari Behind Firefox 3 With Regard to Security?
The short answer to the question posed in the title is a resounding yes. Both are very able browsers and both perform excellently when it comes to standards compliance and speed, but they are not equal when it comes to security. There are many other grounds for arguing that Firefox is the better browser, its extension architecture for example, but I will be ignoring those today and looking only at security.
Although Apple like to talk the talk when it comes to security, they often fail to walk the walk. There are a lot of open source components in OS X, and Apple are often disgracefully slow at patching them. The Samba flaw last year was a dramatic example of this, which I blogged about at the time. When it comes to Safari, Apple’s attitude to security is also worrying. Their insistence that the so-called carpet bombing attack is not a security issue but a feature request is the most recent example of a lax attitude towards security.
For those of you not familiar with the carpet bombing attack, allow me to explain. If a site offers a file for download, Safari saves it to your download location without asking you. If a site offers a thousand files, Safari will happily save all thousand without asking you. You can visit a malicious site with Safari and suddenly find your Desktop or Downloads folder littered with thousands of files the attacker chose, with names the attacker chose. This is called carpet bombing. Security researchers have pointed this flaw out to Apple and suggested that Safari needs to be updated in some way, for example by prompting before saving, to prevent this kind of attack. Apple refuse to act promptly, fobbing it off as a feature request for the next version.
There is also another major flaw in the default configuration of Safari which Apple have been under pressure to change for years, but which they still resolutely refuse to do anything about. Not only does Safari automatically download files, it also automatically opens files of certain “safe” types once they have been downloaded (the “Open ‘safe’ files after downloading” option in Safari’s General preferences). The thing is, there is no such thing as a safe file type. PDFs, images and disk images have all been used to deliver exploits, and a file that is opened the moment it arrives gives you no chance to decide whether you wanted it. Users can turn this automatic opening off if they wish, but the fact that it is on by default puts millions of users at risk needlessly. If Apple were serious about security they would not ship it that way.
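The setting discussed above can be inspected and changed from the command line rather than through the preferences window. The script below is an added example, not code from the original post; it assumes that the checkbox is stored in the preference domain com.apple.Safari under the key AutoOpenSafeDownloads, which is what Safari on OS X writes, and that an unset key means the default (on). The functions are kept separate from the top-level check so they can be reused in a hardening script.

```shell
#!/bin/sh
# Added example (not from the original post): audit and disable Safari's
# "Open 'safe' files after downloading" option from the command line.
# Assumption: Safari stores this checkbox as the boolean key
# AutoOpenSafeDownloads in the preference domain com.apple.Safari.

SAFARI_DOMAIN="com.apple.Safari"
SAFARI_KEY="AutoOpenSafeDownloads"

# Turn a raw value, as `defaults read` prints it, into "on" or "off".
# The option is on by default, so an unset key (empty value) counts as "on".
interpret_auto_open() {
    case "$1" in
        0|false|FALSE|no|NO) echo "off" ;;
        *)                   echo "on"  ;;
    esac
}

# Current state of the option on this machine: prints "on" or "off".
# If `defaults` is missing or the key is unset we fall back to "on",
# because that is what Safari does with no stored preference.
safari_auto_open_state() {
    value=$(defaults read "$SAFARI_DOMAIN" "$SAFARI_KEY" 2>/dev/null || true)
    interpret_auto_open "$value"
}

# Switch the option off. Quit Safari first: a running Safari may write its
# own in-memory copy of the preferences back over this change.
safari_disable_auto_open() {
    defaults write "$SAFARI_DOMAIN" "$SAFARI_KEY" -bool false
}

# Only touch real preferences on a Mac; elsewhere the functions above are
# merely defined so they can be sourced or tested.
if [ "$(uname)" = "Darwin" ]; then
    state=$(safari_auto_open_state)
    echo "Safari auto-open of 'safe' downloads is currently: $state"
    if [ "$state" = "on" ]; then
        safari_disable_auto_open
        echo "Disabled. Now: $(safari_auto_open_state)"
    fi
fi
```

Run it once per user account, since the preference is per-user; running it again is harmless and simply reports the current state. Remember that this only removes the automatic opening, not the automatic download itself, so the carpet-bombing problem described above is not addressed by this setting.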
It is a rather unfortunate reality that the internet is crawling with criminals and fraudsters, and they are after your money and your identity. Because anyone who controls a domain name can get an SSL certificate for it, the padlock on your browser means very little. All it tells you is that your traffic is encrypted to whoever controls that domain name, so it cannot be eavesdropped on in transit; it says nothing about who that party is or whether the site you are communicating securely with is trustworthy! An improved class of certificate has now been created to deal with this problem. These new certificates are only issued to organisations after they have jumped through a significant number of hoops to prove they are who they say they are. Hence, a site presenting one of these so-called EV Certs belongs to a verified, legally identified organisation, which is exactly the information the ordinary padlock leaves out. IE and Firefox users can instantly recognise EV certified sites because the browser turns the address bar a reassuring shade of green; Safari users miss out on this completely, since the browser has no support for these certificates and shows the same padlock for an EV site as for any other.
Finally, JavaScript is an inherently dangerous technology that is regularly used to automate web-based attacks: it is the part of a malicious page that triggers the download, the redirect or the exploit without any action from the user. It is also the engine that drives what we know as “web 2.0”, so it is clearly not practical to browse the web with it permanently disabled. However, that does not change the reality that it is not safe to browse with it permanently enabled, although many people do. You need finer control. Microsoft’s Internet Explorer provides this fine control through what it calls “Internet Zones”, where you can specify different preferences for sites you trust and for the rest of the internet, including only allowing JavaScript on trusted sites. Firefox users have even better control through the fantastic NoScript extension, which blocks script by default and lets you allow it per site. Safari users have no per-site control over JavaScript at all. They must either place themselves at needless risk by having it permanently enabled, or lose the great functionality JavaScript brings to the web. Not a nice choice to be forced into making!
Although Safari is a very fine browser, I do not feel safe using it on the internet because of its security shortcomings. If you care about your online security, I’d urge you to give serious consideration to switching to Firefox.

