The German government's Firefox hysteria
At this rate there will be no browsers left that governments approve of.
Having only weeks ago suggested its citizens dump Internet Explorer as insecure, the German Government has extended a similar warning to its main rival, Mozilla Firefox.
According to a warning put out by the Federal Office for Security in Information Technology, a new vulnerability in Firefox not due to be patched until 30 March makes Firefox 3.6 too risky to use. Users could, in the meantime, use a patched beta version but presumably not everyone fancies doing something as incredibly dangerous as using software that has - horror of horrors - not been fully tested.
I think it is a near certainty that no measurable percentage of users in any country will pay a blind bit of attention to the German government warning, and frankly they are right to be a bit sceptical. All browsers suffer a degree of vulnerability at any moment, whether known or not, and Firefox is no different.
The first and lesser question is whether government warnings such as this are worth anything. From a distance, it looks like a kind of bureaucratic butt-covering exercise to 'advise' users to stop using Firefox altogether when all browsers have such flaws whether we are aware of it or not.
My own view is that it would be more helpful to give people alternatives, but governments are loath to recommend any course of action in case that too is later shown to have a degree of hidden risk. Better to say nothing.
A second question is whether the best alternative is now Google’s Chrome. It comes with a high-rated sandbox system that imposes some long-overdue limits on what can happen from inside a browser and it is also a more recent code base. Its tiny market share might also make it less of a target for the flaw jihadists.
Beyond changing browser altogether, it is also possible to change the environment in which the browser runs.
I’ve written up several such approaches in recent weeks, starting with Trusteer’s Rapport system, a plug-in that can be used to secure access to certain websites, in the most recent example the HSBC banking site. The disadvantage is that it secures a banking login but ideally needs to be tied to that site in hidden ways (such as encryption) that limit its use for other sites. It is still worth having, even for ordinary Firefox users.
Another approach is to run everything the browser does through an encrypted proxy service, an approach pioneered by a company called Network Intercept. The disadvantage is you have to pay for it because the cloud ain’t cheap.
My own personal favourite is a recently-announced product from US company IronKey, which fits a browser on to a USB stick, which then boots into a virtual environment. The IronKey drive is intended to be a whole computing environment and not just a secure browser, but perhaps that’s where the future of the browser lies.
The downside is that it’s overkill for most users and requires that what the computer is being used for becomes browser-centric, but perhaps virtualised versions of popular browsers are an option the developers could look at in future.
The important thing is to keep an open mind on browsers without falling into the mild hysteria trap that befell the Germans this week.