Mozilla rubbishes Microsoft web browser security tests
Tests leave out important techniques, say open source developers
By Gregg Keizer | Computerworld US | Published: 10:43, 14 October 2011
Mozilla has responded to Microsoft's new browser security test with jabs against Internet Explorer.
Earlier this week, Microsoft launched a website that rates the security of IE, Google's Chrome and Mozilla's Firefox.
The site, yourbrowsermatters.org, uses the agent string of those browsers to call up a score between 0 and 4. IE9, Microsoft's latest browser, reaps a perfect 4, and 2009's IE8 collects a 3. Month-old versions of Chrome and Firefox, however, return ratings of 2.5 and 2, respectively. Microsoft registered the site, the ".org" top level domain, typically reserved for non-profits.
Related Articles on Techworld
Mozilla didn't think much of the test.
"Mozilla is fiercely proud of our long track record of leadership on security," said Johnathan Nightingale, the company's director of Firefox engineering. "We believe that being safe on the web means having a robust browser that defends against malware and phishing, includes new technologies to help sites and users secure themselves, and a responsive security team that gets security updates out quickly and reliably."
Nightingale knocked the test, saying, "[It] is more notable for the things it fails to include," then cited three examples of criteria it lacks: HSTS, Do Not Track and patch response time."
HSTS (HTTP Strict Transport Security) is a still-unapproved standard that allows website servers to tell browsers they can connect only using a an encrypted link, such as HTTPS. Firefox and Google's Chrome both support HSTS, Microsoft's Internet Explorer does not.
HSTS and encrypted connections in general made news a year ago when a Seattle developer released the "Firesheep" Firefox addon that let "pretty much anyone" scan a Wi-Fi network and hijack users' access to Facebook, Twitter and a host of other services.
"Do Not Track," the umbrella term for initiatives that let users opt out of the online tracking conducted by websites and advertisers, has also been a hot-button issue this year.
Firefox jumped on the Do Not Track bandwagon last January with an implementation that transmits special information with every HTTP page request to tell the site that the user does not want to be tracked. It added the feature to Firefox 4, which launched in March.
That same month, Microsoft added support for Mozilla's Do Not Track concept to IE9 as another approach to its own "Tracking Protection" announced in late 2010.
Nightingale's third criticism of the test, that it doesn't account for patch response time, was another implied criticism of IE. Mozilla updates Firefox with security patches every six weeks, while Microsoft fixes IE flaws every two months.
Google, the only other major browser that Microsoft's new site rates, has not replied to a request for comment on Chrome's score.