News
Commentary
2/15/2005
05:57 PM
Commentary
Commentary
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Firefox And IE: The Enterprise Odd Couple

As Firefox wins new fans and Internet Explorer clings to its captive audience, IT managers have to accept that two browsers are better than one.

Claim: Firefox is promoted as a stable, simple, and secure Web browser that allows users to limit what sites can do and control how Web pages are presented.

Context: Security is Firefox's biggest selling point, and despite planned new features, that won't change anytime soon. Although it isn't the only challenger to IE, its success is assured because it's both cross-platform and free.

Credibility: Everyone who uses IE should consider migrating to another browser, or at least confining IE's use to sites tucked safely behind the firewall. Firefox is the leading alternative, but not the only one.


Worried about security threats on the Web? According to the CERT, one of the most important steps you can take is to use a browser other than Microsoft's Internet Explorer (IE). Many people have followed that advice: The Mozilla Foundation estimates that more than 23 million people downloaded its free Firefox browser in its first four months of release. According to the Gartner Group, its share at some sites went from zero to 25 percent over the same time period.

Security is just a part of what the open-source browser has to offer. Users are also attracted by its surfer-friendly features, from tabbed browsing to bookmarks that can update themselves based on RSS feeds. Best of all, Firefox aims to wrestle control of the browsing experience back from Web sites, and avoiding spyware is just the first step. For example, Firefox users can turn off the most frequently abused JavaScript commands--not just pop-ups, but other annoyances such as resizing windows or disabling the right mouse button.

While individual users have flocked to Firefox, enterprises have been more cautious. Part of this is just corporate conservatism, but there are also legitimate concerns. Firefox currently lacks centralized installation and management features, and many enterprises rely on in-house or third-party intranet applications that require IE. The first problem will be solved within months, but the second is more difficult to overcome.

SPREADING LIKE FIRE

Firefox has become the Web's most popular open-source project, attracting the support of volunteers and big companies alike. This has enabled it to progress very rapidly: The Foundation already has three new releases of Firefox planned for later this year.

The exact feature set of Firefox 2.0, due by the end of 2005, is still under discussion. (Likely improvements include simplified management of cookies, passwords, and other personal information.) In the meantime, two "point" releases aim to make the browser as popular among IT managers as end users by simplifying large-scale installation.

The first of these, Firefox 1.1, will be released as a "preview" (beta) next month, with the finished form due by June. Version 1.1 will allow more customization at install time and be available as a Microsoft Installer (MSI) package, making it compatible with Microsoft's Systems Management Server (SMS). Firefox 1.5, due later in 2005, will add further centralized management features, such as the ability to preinstall extensions or download patches from an internal server instead of mozilla.org. While these options are currently available, they need to be configured manually on each machine.

BEAR OR RACCOON?

Although Firefox itself only shipped last November, it can trace its ancestry back much further. It shares much of its code--including the all-important Gecko layout engine, the part that actually renders Web pages on the screen--with the Mozilla suite, a set of applications based on Netscape Communicator. Firefox is a deliberate decoupling of the browser from the other applications. The principle is that a browser is simpler, faster, and more secure if it isn't integrated with an e-mail client, contact database, or calendar, let alone an OS.

Firefox isn't the only standalone browser, of course. Much of its functionality was pioneered by Opera Software. However, Firefox does have one huge advantage: It's free. Opera's main selling point is that it can run on almost any platform, from OS/2 to a cell phone.

The division between browser and layout engine isn't unique to Mozilla. In IE, the layout engine is the part that's truly inseparable from Windows. (It's also used for help files and some folder views.) Because Gecko is free and IE is always present in Windows, both are also used by many other browsers. The two most famous are both from AOL: The client for its ISP service uses IE's layout engine, while Netscape uses Mozilla's Gecko.

In theory, this should make it easier for Web sites to ensure that they display properly on a wide variety of browsers because pages only need to be tested with each layout engine, not each individual browser. Firefox's growing popularity is forcing many IE-only sites to adapt, but a few still depend on its quirks.

Incompatible plug-ins and extensions are much harder to fix. All modern browsers can support Java and JavaScript, and Mozilla has teamed up with Apple and Opera to improve the original Netscape Plug-in API (NPAPI), a cross-platform method of adding functionality to Web browsers. But Microsoft isn't part of this effort, and its ActiveX controls require IE on Windows.

OUTSIDE THE BOX

On the public Internet, many Firefox users see incompatibility with ActiveX as a plus. Unlike Java and JavaScript, whose operations are confined to a sandbox, ActiveX controls can do almost anything, including install spyware and Trojans. The browser is supposed to ask users for permission first, but many people are in the habit of clicking "Yes" to everything, and some IE security holes allow malicious ActiveX controls to get past even the most vigilant users.

On the intranet, it's a different story. Many applications require ActiveX, but because their servers are behind the firewall, its functionality isn't such a security risk. Individual users who install Firefox on a work PC often find that they need to keep IE around for these sites, and enterprises may find the same thing.

Some analysts have questioned whether Firefox extensions will themselves be used to install spyware. This is unlikely. Like Web pages themselves, extensions are written in a combination of XML and JavaScript, so their functionality is limited. Furthermore, Web sites must be on a whitelist before they can even give users the option of installing an extension. By default, the only site on the list is mozilla.org itself.

Even sticking with IE won't avoid all intranet incompatibilities. This is because many IE-only applications don't rely on ActiveX or the browser's own quirks, but Microsoft's version of Java. As part of the settlement of its lawsuit with Sun Microsystems, Microsoft has agreed not to ship this anymore--something that may be good for the industry in the long term, but bad in the short term. That's because Microsoft has embraced and extended the technology in ways that aren't compatible with Sun's implementation.

To run any Java application, users need a Java Virtual Machine (JVM) installed, usually from either Sun or Microsoft. Sun's JVM works with most browsers and is included with Opera and Apple's Safari. (Firefox and IE users must download it from Sun.) Microsoft's JVM requires IE, but customers must get it elsewhere--usually from the vendor of the intranet application that requires it. The only way to ensure compatibility is to run both JVMs, which in turn means running two browsers--usually IE with Microsoft's and Firefox with Sun's.

IT managers may bristle at the thought of supporting two browsers. But until either Microsoft fixes IE or vendors of Web-based applications adapt their products, it could be the best strategy. From a security perspective, using one browser for the intranet and another for the Internet is helpful because it forces users to recognize the difference between accessing a trusted internal application and surfing the Web.

Chief Technology Editor Andy Dornan can be reached at adornan@cmp.com.

Comment  | 
Print  | 
More Insights
The Business of Going Digital
The Business of Going Digital
Digital business isn't about changing code; it's about changing what legacy sales, distribution, customer service, and product groups do in the new digital age. It's about bringing big data analytics, mobile, social, marketing automation, cloud computing, and the app economy together to launch new products and services. We're seeing new titles in this digital revolution, new responsibilities, new business models, and major shifts in technology spending.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - August 27, 2014
Who wins in cloud price wars? Short answer: not IT. Enterprises don't want bare-bones IaaS. Providers must focus on support, not undercutting rivals.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.