Firefox - Features - Security

Security

See also: Browser security

Firefox uses a sandbox security model and restricts scripts from accessing data from other web sites under the same-origin policy. When the HTTPS protocol is used, it protects communications with web servers using SSL/TLS with strong cryptography. It also provides support for web applications to use smartcards for authentication purposes.

The Mozilla Foundation offers a "bug bounty" (up to 3000 USD cash reward and a Mozilla T-shirt) to researchers who discover severe security holes in Firefox. Official guidelines for handling security vulnerabilities discourage early disclosure of vulnerabilities so as not to give potential attackers an advantage in creating exploits.

Because Firefox generally has fewer publicly known unpatched security vulnerabilities than Internet Explorer (see Comparison of web browsers), improved security is often cited as a reason to switch from Internet Explorer to Firefox. The Washington Post reports that exploit code for known critical unpatched security vulnerabilities in Internet Explorer was available for 284 days in 2006. In comparison, exploit code for known, critical security vulnerabilities in Firefox was available for 9 days before Mozilla issued a patch to remedy the problem.

A 2006 Symantec study showed that, although Firefox had surpassed other browsers in the number of vendor-confirmed vulnerabilities that year through September, these vulnerabilities were patched far more quickly than those found in other browsers – Firefox's vulnerabilities were fixed on average one day after the exploit code was made available, as compared to nine days for Internet Explorer. Symantec later clarified their statement, saying that Firefox still had fewer security vulnerabilities than Internet Explorer, as counted by security researchers.

In a 2010 study by the National Institute of Standards and Technology (NIST), based on data compiled from the National Vulnerability Database (NVD), Firefox was listed as the 5th most vulnerable desktop software. Internet Explorer ranked only 8th on the list, and Google Chrome ranked 1st.

InfoWorld has cited security experts saying that as Firefox becomes more popular, more vulnerabilities will be found, a claim that Mitchell Baker, president of the Mozilla Foundation, has denied: "There is this idea that market share alone will make you have more vulnerabilities. It is not relational at all."

In October 2009, Microsoft's security engineers acknowledged that Firefox had been vulnerable since February of that year because a .NET Framework 3.5 SP1 Windows update silently installed a buggy 'Windows Presentation Foundation' plug-in into Firefox. This vulnerability has since been patched by Microsoft.

As of February 11, 2011, Firefox 3.6 had no known unpatched security vulnerabilities according to Secunia. Internet Explorer 8 had five unpatched security vulnerabilities, the worst being rated "Less Critical" by Secunia.

Mozilla claims that all patched vulnerabilities of Mozilla products are publicly listed. However, the corporation has been caught multiple times fixing vulnerabilities silently or with delayed notice.
