Mozilla picks holes in Microsoft’s browser security test site

By Tom Warren, on 14th Oct 11 12:41 pm with 37 Comments

Microsoft's browser security test site

Mozilla has responded to Microsoft’s new browser security test site by claiming it lacks some key comparisons.

Microsoft launched its new YourBrowserMatters.org site earlier this week to highlight the risks of running an old browser. The company revealed that around 340 million PCs worldwide use an outdated version of their browser software. YourBrowserMatters.org serves as a portal for end users to test their browser security. Microsoft scores each browser on a 0-4 scale. The scoring system uses data from various third parties to assess the important aspects of browser security. The site also encourages users to upgrade to the latest version of their browser.

Mozilla isn’t too impressed with Microsoft’s new site however. “Mozilla is fiercely proud of our long track record of leadership on security,” said Johnathan Nightingale, Mozilla’s director of Firefox engineering, in an email to ComputerWorld. “We believe that being safe on the Web means having a robust browser that defends against malware and phishing, includes new technologies to help sites and users secure themselves, and a responsive security team that gets security updates out quickly and reliably.” Nightingale believes Microsoft’s tests lack some key comparisons. “[It] is more notable for the things it fails to include,” said Nightingale, highlighting three missing factors. Microsoft’s site does not test for HSTS, Do Not Track and patch response time.

HSTS (HTTP Strict Transport Security) is a proposed web security policy that allows a website to instruct browsers to connect to it only over an encrypted (HTTPS) link. Mozilla’s Firefox browser and Google’s Chrome browser both support HSTS. Microsoft has not yet announced any plans to support the unapproved standard. Nightingale also cites Microsoft’s lack of comparisons on “Do Not Track” technologies. The feature allows users to prevent websites from storing tracking cookies on their machines. The third criticism of the test is over Microsoft’s patch response times. The software maker patches Internet Explorer flaws every two months, while Mozilla ships Firefox security updates every six weeks.
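The HSTS behaviour described above, as an added example that is not code from the article, Mozilla or Microsoft: a small Python model of the browser-side policy store. A site sends a `Strict-Transport-Security` header (the `max-age` and `includeSubDomains` directives follow the HSTS draft); the browser records it only when it arrived over HTTPS, then rewrites later plain-http URLs for that host to https until the policy expires. The class and function names and the hosts `example.test` and `insecure.test` are constructed for illustration.

```python
"""Model of how a browser honours HTTP Strict Transport Security (HSTS).

Constructed example. Header syntax follows the HSTS draft; the store and
URL-rewriting logic are illustrative, not any browser's implementation.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    expires_at: float        # absolute time (seconds) after which the policy lapses
    include_subdomains: bool


# one directive: name, optionally "=" and a quoted or bare value
_DIRECTIVE = re.compile(r'^\s*([A-Za-z-]+)\s*(?:=\s*("[^"]*"|[^;\s]*))?\s*$')


def parse_hsts_header(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None when max-age is missing, duplicated or malformed; a browser
    then ignores the header rather than guessing.
    """
    max_age = None
    include_subdomains = False
    for raw in value.split(";"):
        m = _DIRECTIVE.match(raw)
        if not m:
            continue
        name, val = m.group(1).lower(), m.group(2)
        if name == "max-age":
            if max_age is not None or val is None:
                return None
            val = val.strip('"')
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsStore:
    """Per-host HSTS policies, keyed by lower-cased host name."""

    def __init__(self):
        self._policies = {}

    def process_response(self, url, headers, now):
        """Record the policy carried by a response; returns True if one was applied.

        The draft only lets a header count when it was received over a secure
        connection, so a header on a plain http response is ignored.
        """
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            return False
        lowered = {k.lower(): v for k, v in headers.items()}
        value = lowered.get("strict-transport-security")
        if value is None:
            return False
        parsed = parse_hsts_header(value)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        host = parts.hostname.lower()
        if max_age == 0:
            self._policies.pop(host, None)   # max-age=0 revokes an earlier policy
            return True
        self._policies[host] = HstsPolicy(now + max_age, include_subdomains)
        return True

    def is_known_host(self, host, now):
        """True if host (or a parent with includeSubDomains) has an unexpired policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self._policies.get(".".join(labels[i:]))
            if policy is None or policy.expires_at <= now:
                continue
            if i == 0 or policy.include_subdomains:
                return True
        return False

    def upgrade_url(self, url, now):
        """Rewrite an http:// URL to https:// when a policy covers its host."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname:
            return url
        if not self.is_known_host(parts.hostname, now):
            return url
        netloc = parts.netloc
        if parts.port == 80:                 # explicit :80 becomes :443
            netloc = parts.hostname + ":443"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def demo():
    """Constructed responses: one over https (recorded), one over http (ignored)."""
    store = HstsStore()
    t0 = 1_000_000.0
    store.process_response("https://example.test/",
                           {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}, t0)
    store.process_response("http://insecure.test/",
                           {"Strict-Transport-Security": "max-age=31536000"}, t0)
    return {
        "exact": store.upgrade_url("http://example.test/login", t0 + 10),
        "sub": store.upgrade_url("http://www.example.test:80/x?y=1", t0 + 10),
        "expired": store.upgrade_url("http://example.test/login", t0 + 31536001),
        "not_set": store.upgrade_url("http://insecure.test/", t0 + 10),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The two things a reviewer of such a store looks for are both exercised in `demo()`: a header seen over plain http is discarded, since an on-path attacker could otherwise plant or clear policies, and a policy stops upgrading once `max-age` has elapsed, which is why sites are advised to send the header on every HTTPS response rather than once.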

  • Frylockns86

    Mozilla has no room to talk. They still leave it up to users to guess the trustworthiness of the file. Bad idea. Big flaw right there when over 90% of malware comes through Trojans.

    • Test1ngi23

      Very true. But given the fact that Mozilla is about 1/700th the size of Microsoft, I don’t think that Mozilla has the resources to run blacklist/whitelist servers with the same level of availability as Microsoft can.

    • Guest

      Bullcrap. Mozilla has just as many people working on their browser as MS does. And at least until recently was receiving large funding from several MS competitors. So neither lack of manpower nor money is an excuse.

    • Test1ngi23

      Manpower is not the issue here. Money is. Running servers that are going to be accessed multiple times a day (for whitelist updating) by 25% of the world’s users (Firefox users) is going to require some massive servers that will easily cost millions of dollars per year.

      Yes, Mozilla runs huge download servers, but you only access them once every 6 weeks or so, or whenever Firefox updates itself. These whitelist servers will be hit many, many times more often than their download servers.

      I mean I do agree that it would be really nice if Mozilla had a whitelist system built into Firefox but I understand why they don’t.

      And BTW, Mozilla gets the vast majority of its funding from a single source, Google.

    • Fatlady

      Nothing prevents Mozilla from using Google’s servers, or Amazon’s, or even MS’s. Again, you’re clutching at straws.

    • http://project3825.blogspot.com/ 3825

      If they think a whitelist is a good idea, they will implement it. They don’t seem convinced it is a good idea. Plain simple.

    • http://project3825.blogspot.com/ 3825

      So when Mozilla blocks misbehaving add-ons, it becomes disenfranchisement but when it refuses to play Internet cop, it has no room to talk? Do not run executables from websites you don’t trust. How difficult is that?

  • Jinge

    Using Opera: “We do not have any data for your browser, so we can’t give your browser a score.”
    Not good MS… 

    • http://twitter.com/Pieter_Kroon Pieter Kroon

      Apple’s Safari isn’t on there either… :(

    • Frylockns86

      Who the Hell uses Safari????

    • Guest

      Hardly anyone. Just every iPhone, iPod Touch, iPad, most Macs, and a few million PCs.

    • Anonymous

      @guest I think he’s talking about a Windows PC. Hardly anyone uses Safari on Windows.

    • Zaksousa23

      I only use Safari to go to Apple’s main site, that’s it Lol

  • http://twitter.com/DavidElroyGreen Antonio Raga
  • vinuthomas

    @682b575480b3358965b3ad05e15a101b:disqus But then isn’t that the case with all browsers? Unless you have an anti-virus or malware scanner installed which detects the trojans?

    • Stuart

      No. IE has built-in scanning via signatures (like virus/spyware scanners) and by checking against a malicious file blacklist.

    • vinuthomas

      Hmm... it’s been years since I used IE. I should check that feature out on IE. Thanks for pointing that out.

    • Frylockns86

      No, IE uses SmartScreen technology to compare the file and the domain it came from against a list of known malicious sites. Even if no comparison is found, IE then makes the user jump through hoops to download the file, stating: “XYZ.exe is not commonly downloaded”. It builds a collective reputation of file downloads. 

  • Tom Thumb

    YourBrowserMatters dot org is nothing but a FUD marketing tool trying to force Windows XP users to upgrade to Windows 7.

    “Oh, your browser is out of date and you can’t install ie9 on your XP S3 system so you better buy Windows 7, blah, blah, blah….”

    • Tom

      If the security aspects were extended a little (e.g. patching cycle, HSTS, other OSs), it would be quite a well-established comparison. The evaluation of the result is surely marketing oriented; I do not know how one should get rid of that.

    • http://project3825.blogspot.com/ 3825

      The solution is to scratch it and don’t let marketing dictate engineering but that’s not going to happen.

  • Tom

    The DNT header has nothing to do with security; the publisher of a web site can simply deny it. However, I think the implementation of different TLS/SSL versions could be mentioned.

  • Anonymous

    The only time I ever got a virus on Vista was when I was using firefox.

    • Test1ngi23

      Well, back in the Vista days you would most likely have used IE7, which wouldn’t have protected you much either. Besides, was your antivirus not working?

    • http://twitter.com/SCGreyWolf GreyWolf

      “when I was using firefox”

  • Tim

    Mozilla really seems to be grasping at straws with the things they are complaining about. It’s laughable that they mention HSTS.

    There are certainly some things wrong with it, such as the way they scored it (MS misses a few checkmarks but still gets 1 pt, for instance). But this amounts to a bunch of reactionary whining.

  • http://profiles.google.com/carlosrfonseca Carlos Ribeiro da Fonseca

    “Nightingale also cites Microsoft’s lack of comparisons on “Do Not Track” technologies.”

    He’s kidding, right?

    “The feature allows users to prevent websites from storing tracking cookies on their machines.”

    No it doesn’t. That setting merely tells the site that the user doesn’t want to be tracked but doesn’t really enforce it in any way, so site owners can still send tracking cookies if they want to.

    On IE 9, not only does one have blacklists (sites that the browser will not call in 3rd party requests), the InPrivate filter actively and automatically blocks tracking cookies.

    • Anonymous

      Yeah. Last I checked, Firefox’s implementation of “Do not track” just flags your session as a do not track session and hopes websites honor it.

      IE9’s implementation actually blocks tracking (although it is opt-in).

  • Anonymous

    Press like if you think Mozilla needs another cupcake from Microsoft. 

    • Anonymous

      Go back to youtube.

    • Anonymous

      Quiet fart sound 

  • http://twitter.com/TheSeph The Seph

    Really?!!! Mozilla’s only arguments are that Microsoft’s browser security test site doesn’t include a couple of things that are NOT standards and that MS ships patches every 8 weeks instead of every 6 weeks like they do. This is completely laughable.

    • Guest

      Well, Mozilla had to find something to complain about, right?

      I say no more cupcakes for them. They’re literally biting the hand that feeds them ;-) Plus, they’re just entirely too whiny.

    • Anonymous

      It’s common to manipulate the perceived length by stating things like months vs weeks. Months seem so much longer than weeks, don’t they?

      Stating 6 vs 8 weeks wouldn’t really impress…

      I’m not saying Firefox is a bad browser, on the contrary. But recently I started to dislike their “1 new version a month”, instead of x.1 x.2.

  • MyNameHere

    Mozilla didn’t actually pick holes in anything. I’m wondering though why they think it is a good idea to play this card, seeing as…

    https://www.nsslabs.com/research/endpoint-security/browser-security/socially-engineered-malware-global-q3-2011.html

    They will lose this argument quickly and in an embarrassing way.

    [Sorry for posting a link that was already posted, but it is quite relevant]

  • Anonymous

    The only level of security that Mozilla has is the fact that it isn’t mainstream.

  • http://twitter.com/laserfloyd Lewis McCrary

    Mozilla doesn’t patch every 6 weeks. They come out with a completely new version every six weeks. By the time I got 6 installed I was asked into the 7 beta. By the time I got to 7 I immediately got an 8 beta prompt. Annoying!