Where's the Firefox security button?


Nigel McFarlane
05.18.2005




Anyone who has spent more than a minute or two administering a Microsoft Windows PC knows about Internet Options. It's a dialog box that you can call up from the Tools/Internet Options menu of Internet Explorer (IE). It also appears as an icon in the control panel. Inside that dialog box is the security tab, where zones are to be found. You pick a zone, and from then on the collection of features that make up that zone dictate how secure surfing the Web with IE will be. Nailing down the right zone cocktail is one of the first tasks a network administrator thinks about when there's a heap of users all needing access to the Web.

Now that Firefox is knocking on the door of enterprise environments, it's natural to ask: Where are the equivalent Firefox security settings? Surely, there must be something that needs to be clicked, ticked, checked or changed? Where is the Firefox security button?

The short answer is: there isn't one. Firefox's security model is different from Internet Explorer's. The basic premise of Firefox, and of all Mozilla tools, is that Web security is not something that you can define to suit yourself. That's different from Internet Explorer, where you can create a custom zone and permit or refuse whatever options seem like a good idea on Tuesday.

Firefox treats security as a promise, not as a creative arrangement. Security is a complex matter, and the Mozilla developers have opted to plug every imaginable security hole as emphatically as possible. In practical terms, there's very little that the user can unknowingly press in the Firefox user interface that will open up a hole in the security system.

Of course, security is never quite that simple, and I'm sure you're hankering after a longer explanation of Firefox's security model.

So, let's start in the Tools/Options dialog box of Firefox. There, the user can peck at the edges of security a little bit. He can enable a few window pop-up features that might allow denial of service attacks or confusing messages. He can even save Web site passwords locally, where idle wayfarers might find them. (He can do those things in Internet Explorer too.) More controversially, he can choose to trust extensions delivered from Web sites other than the default site of http://update.mozilla.org.

None of these modifications represent a whole new security regime. There's only one security regime in a standard Firefox install, and it aims to provide complete safety.

The standard Firefox install can also be modified in a number of minor ways, which can also have an impact on security. Clever people such as John Haller have unpacked the standard Firefox install (with the tools UPX and 7-Zip), modified some configuration items and re-packed that same install into a new distribution. This is the kind of strategy that IT managers looking to deploy Firefox should examine closely.

With its basic security promise always in place, only very small customizations are ever required to the standard Firefox install. These small customizations can't negotiate away that basic promise, so such re-bundled versions of Firefox can be used as confidently as the standard install.

Whether user-tweaked, rebundled or standard, it's the central idea of a single security promise that keeps Firefox deployment simple. Don't bother looking for a security button.


Nigel McFarlane is an open source software analyst and technologist, as well as a site expert for SearchEnterpriseLinux.com. His latest book is Firefox Hacks from O'Reilly Media.
