Should IE stay or should IE go?

Don't go ripping out Microsoft's Internet Explorer just yet.

It certainly has proven vulnerable to attack in the past, and the constant patching to add the latest security updates can be a nuisance. CERT last year even warned people to stop using Internet Explorer. And Mozilla Foundation's Firefox has been getting a lot of buzz lately - to the tune of 25 million downloads in less than 100 days on the market.

Attack profiles: Browsers go head-to-head in common attack scenarios
Archive of Network World tests
Subscribe to the Network Product Test Results newsletter

But our testing of both browsers shows that it's not an easy decision - particularly in an enterprise environment. Internet Explorer's vulnerability to attack might in part be because it's rich in features and thereby presents a larger "attack surface." On the other hand, Firefox's perceived edge in security comes with a price - fewer features and possible inability to access some Windows-based Web applications.

So before you make a decision, weigh the trade-offs. One compromise to consider is using Internet Explorer internally and Firefox for pure Web browsing.

Our hands-on test focused on security rather than ease of use. Our Internet Explorer 6.0 implementation ran on a Windows XP client (a WinBook Pentium 4 with 512M bytes of RAM) with Service Pack 2, and the latest Microsoft updates. With the help of VMware Workstation, we installed Mozilla Firefox 1.0.1 on the same system inside its own virtual machine. This test machine was connected to the Internet through a 384K bit/sec DSL line.

We used the browsers side by side for a variety of tasks such as reading public Web sites, checking e-mail with Microsoft Outlook Web Access, and accessing our Apache-based Web server to reach internal resources and management tools. Additionally, we tried surfing to known hacker Web sites to see how the browsers would behave when under attack.

Accessing conventional Web sites, such as CNN or Yahoo, gave similar results. They both block pop-ups and offer a variety of plug-ins to support additional forms of data such as Macromedia Flash or Adobe PDF files.

However, the key difference is that because Internet Explorer contains Windows-related features that are not available in Firefox - Active X, .Net, Active Server Pages - it is difficult, if not impossible, to use some Web-based applications with Firefox.

Both Internet Explorer and Firefox have facilities to digitally sign plug-ins. However, the signature feature is not ubiquitously used, and users are quite likely to accept and execute unsigned and potentially dangerous code.

This is why you should back up your browser with an intrusion-prevention system or adequate anti-virus (ours was running F-Secure's Anti-Virus Client Security), that can detect, notify and/or block malicious code that arrives through the browser.