There are currently heated debates raging on the DSL Reports forums and on more than a few tech blogs about the recent discovery that Firefox 3.0 uses Internet Explorer 7 security settings to boost its user security. In short, some downloads, if IE7 is set to extreme levels of security, may also be blocked in Firefox 3. The question is, should this be seen as a bad thing?
Some users upset over Firefox using security settings managed in IE7. (IMG:J.Anderson)
The simple answer is no. Layered security, even cross-vendor layered security, is a good thing, and you’ll see more of this in the future. The reality of what Mozilla has done is small. According to them, “Starting in Firefox 3, downloads of executable files (e.g., .exe or .msi) may fail,” with the reasoning displayed in the download window. The download window will display a simple message, “This download has been blocked by your Security Zone Policy.”
What developers Mozilla appear to have done is make Firefox 3 honor “Windows security settings for downloading applications and other potentially unsafe files from the Internet.”
According to Brian Krebs, a security reporter for the Washington Post: “This may seem like an abrupt about-face by Mozilla, and probably for some loyal Firefox users, too. But the company is clearly making a bigger play here for the corporate environment by attempting to respect the security settings already in place on the browser most commonly used by businesses.”
And Krebs is right. This looks to be exactly what Mozilla is doing. However, there is more. Firefox 3 is adding the ability to layer security. Another added security option, is to launch your anti-virus after a download and scan the file. Again, like the security tie-in to Internet Explorer, this too is seen as “selling out,” or, in the case of one DSL Reports comment:
“It's the responsibility of the AV app to scan files upon their creation, and the user to tell it to (or not to) do so. If I don't want a file to be scanned on creation, that's between me and my antivirus software.”
Another comment on the Washington Post said, “I don't like the changes at all. I already disliked some of the visual differences, and if it's going to depend on IE settings, I may not install Firefox 3 on my home machines. I want Firefox to work independently of IE.”
Both the Internet Explorer 7 tie as well as the AV tie can be disabled. However, the question is, should you do that? After all, using the security settings in Internet Explorer 7 is the default best practice expectation regarding security and external network access. This also replicates some security add-ons for Firefox making them moot. For example, the add-on NoScript has a trusted list, and users without this add-on can use IE’s trusted settings.
Layers work, and if Mozilla can somehow improve the speed of the scanning, then the AV scanning after downloads might see fewer complaints. However, some users will never forgive Mozilla for using IE security settings, no matter how smart it was for the corporation to do so.
The MozillaZine KB has tips to disable both of these features.
There are currently no comments for this article. Be the first to comment! (no registration required)
Advertising
There are currently no comments for this article. Be the first to comment! (no registration required)