92

We received a message from the IT bods this week stating:

Summary of the issue: IT will be disabling and blocking the use of the browser Firefox next Thursday, 03.12.20, on all IT-managed devices. Due to certain vulnerabilities and security risks associated with the use of this browser, it will be blocked from use as of next Thursday.

Has a new exploit been found? I've checked https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/ but not seen anything that's currently open.

Does anyone know of a reason for this ban?

Criggie
Sam
  • There's almost certainly not a good reason for this and your IT department is just clueless. – Joseph Sible-Reinstate Monica Nov 29 '20 at 00:15
  • Have you asked them? You're asking us to guess their reasons. – schroeder Nov 29 '20 at 08:29
  • @JosephSible-ReinstateMonica Not necessarily clueless; they might simply want to reduce the amount of software to keep track of. It is a bit telling to single out Firefox of all the browsers (then again, its core features seem to have been a bit neglected for a while, and you kill lots of variants in one go if they also block derivative browsers). – Frank Hopkins Nov 29 '20 at 09:17
  • That's stupidity if they are allowing Google Chrome. Only Microsoft Edge is updated through Windows Update. The real reason is that Firefox uses its own certificate store, which prevents your employer from MITMing your traffic without getting detected. – defalt Nov 29 '20 at 12:52
  • @defalt Coming soon: Chrome has [its own cert store](https://www.zdnet.com/article/chrome-will-soon-have-its-own-dedicated-certificate-root-store/), too. – Michael Nov 29 '20 at 20:03
  • @schroeder I could, only I doubt I'd get any useful answer from them other than closing the ticket with a canned response. – Sam Nov 29 '20 at 21:40
  • @defalt: But Mozilla has addressed that use case (reported on in a recent [Security Now](https://en.wikipedia.org/wiki/Security_Now) episode, [Episode 794](https://pdst.fm/e/chtbl.com/track/E91833/cdn.twit.tv/audio/sn/sn0794/sn0794.mp3), from 26 min 23 secs, I believe). Perhaps the IT department [didn't get the memo](https://www.youtube.com/watch?v=0flsg4GMQxQ)? – Peter Mortensen Nov 30 '20 at 15:01
  • My question from 3 years ago, which I was never satisfied with, is very related: https://security.stackexchange.com/questions/165706/is-implementing-an-ssl-proxy-server-considered-a-good-practice – Nacht Nov 30 '20 at 22:46
  • @Michael While that's true, it looks like this won't force corporate proxies to change; they will still be able to use local, see the third paragraph: https://www.chromium.org/Home/chromium-security/root-ca-policy – Nacht Dec 01 '20 at 03:38

5 Answers

161

Assuming that you work in the banking industry, this is likely due to their inability to intercept Firefox's traffic.

Due to Firefox's support of DoH and eSNI, most banks and regulated industries are resorting to blocking Firefox because firewalls can't snoop on encrypted traffic easily.

On the other hand, if you use Chrome, IE or Edge, you can push changes through Active Directory without users' knowledge/consent. Actually, most hardware firewall vendors with DPI (deep packet inspection) have started recommending that enterprise customers get rid of Firefox because their edge firewalls aren't able to intercept Firefox's traffic any more.

Note: One can enforce policies on Firefox in the enterprise, but most privacy-conscious users will use Firefox Portable to flout them, hence blocking is easier.

  1. https://live.paloaltonetworks.com/t5/blogs/protecting-organizations-in-a-world-of-doh-and-dot/bc-p/319542
  2. https://www.venafi.com/blog/fight-over-dns-over-https
  3. https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk98025
schroeder
mjoao
  • Comments are not for extended discussion; this conversation has been [moved to chat](https://chat.stackexchange.com/rooms/116847/discussion-on-answer-by-mjoao-why-does-my-it-department-block-firefox). – Rory Alsop Dec 01 '20 at 12:32
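The policy enforcement this answer refers to, as an added example that is not part of the answer or of any vendor's documentation: a PowerShell script that writes a Firefox enterprise `policies.json` locking DoH off and trusting the Windows certificate store, then reports any portable copies that would sidestep it. It assumes the default 64-bit install path and an elevated session; the scan at the end only reports, it deletes nothing.

```powershell
# Added example: deploy a locked Firefox policies.json and look for portable copies.
# Assumptions: default install location below, script run elevated.
$installDir = 'C:\Program Files\Mozilla Firefox'      # assumed install location
$policyDir  = Join-Path $installDir 'distribution'
$policyFile = Join-Path $policyDir 'policies.json'

$policies = [ordered]@{
    policies = [ordered]@{
        # Lock DNS-over-HTTPS off so name resolution stays on the corporate
        # resolver the firewall can see; Locked stops users re-enabling it.
        DNSOverHTTPS  = [ordered]@{ Enabled = $false; Locked = $true }
        # Trust the Windows certificate store (where an inspection proxy's CA
        # is pushed by AD) in addition to Firefox's own built-in store.
        Certificates  = [ordered]@{ ImportEnterpriseRoots = $true }
        # Keep automatic updates on and locked so the browser stays patched.
        AppAutoUpdate = $true
    }
}

New-Item -ItemType Directory -Path $policyDir -Force | Out-Null
$policies | ConvertTo-Json -Depth 4 | Set-Content -Path $policyFile -Encoding UTF8

# Read the file back the way Firefox will parse it, as a sanity check.
$applied = (Get-Content -Path $policyFile -Raw | ConvertFrom-Json).policies
if ($applied.DNSOverHTTPS.Locked -ne $true) { throw 'policies.json did not round-trip' }

# policies.json only governs the installed copy. A portable Firefox unpacked under
# the user's profile ignores it entirely, which is the gap the answer's note describes.
$portable = Get-ChildItem -Path $env:USERPROFILE -Recurse -Filter 'firefox.exe' `
    -ErrorAction SilentlyContinue |
    Where-Object { $_.FullName -notlike "$installDir*" }
if ($portable) {
    $portable | ForEach-Object { Write-Warning "Unmanaged Firefox found: $($_.FullName)" }
} else {
    Write-Host 'No portable Firefox copies found under the user profile.'
}
```

Run it as a GPO startup script or through PowerShell remoting to apply the same policy fleet-wide; the warnings give you an inventory of unmanaged copies to follow up on.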
58

TLDR - It might not be even about security. This could just be due to your company's preference.

A friend of mine faced a similar issue. Firefox is blocked on his office laptop. When asked, they simply said it was for "security reasons". After filing a request stating that he needs to test websites on Firefox, he got a different answer. It stated that they had an extension installed on Google Chrome to monitor their web activity and determine "work time/productivity". The extension was made available on Google Chrome only, and all other browsers are banned citing "security reasons", while in reality it is just a preference of the extension development team.

Kolappan N
  • That is "security reasons", the problem being that Firefox is secure. – OrangeDog Nov 30 '20 at 13:03
  • I should note that this reasoning is rather sloppy as well. With Windows Administrator rights you can silently push monitoring software to employee machines that works at the OS level to monitor usage (i.e. it doesn't matter what browser you use). Plugins are fiddly things that don't always work the way you expect. – Machavity Nov 30 '20 at 13:13
  • @Machavity There was a Windows program that ran alongside the extension. The extension was collecting history from the browser. I suspect that it is used for some analytics, like what websites the employees spent their time on, etc., while the Windows program was collecting details about what program was being used. – Kolappan N Nov 30 '20 at 13:20
  • @KolappanN Ah, it was profiling via JavaScript. That would make sense. – Machavity Nov 30 '20 at 13:21
12

Most likely IT didn't want to be responsible for centralized updates.

Without concerted updates individual installations fall out of date and vulnerabilities, once found, may remain unpatched. So they banned it rather than taking on the extra work of making sure it got patched.

gowenfawr
  • What's sad is that it's not even any extra work. They just have to not disable the automatic updates that are enabled by default. – Joseph Sible-Reinstate Monica Nov 29 '20 at 02:50
  • @JosephSible-ReinstateMonica But people can install mods and somehow fuck the browser up, or use adblockers and JS blockers and then ask IT why this or that page doesn't work, etc. So if they are responsible for making sure stuff works and FF is an additional browser option, it might just be their way to reduce overall user support effort. – Frank Hopkins Nov 29 '20 at 09:30
  • @FrankHopkins It's easy to disable add-ons though. – Joseph Sible-Reinstate Monica Nov 29 '20 at 15:39
  • @JosephSible-ReinstateMonica Automated updates can be a serious issue for companies: if suddenly (badly-written, in-house) business-critical applications fail (in the newest browser version), the company could be dead in the water for days, not being able to execute. Sure, not the browser's fault, but reality. – Aganju Nov 29 '20 at 17:46
  • @Aganju But an automatic update breaking Firefox is the same as banning Firefox: in both cases, either you have another browser or you're out of luck. – Joseph Sible-Reinstate Monica Nov 29 '20 at 18:29
  • @JosephSible-ReinstateMonica No, it's not the same, and it doesn't matter whether it's easy from your perspective to work around some issues. They are issues the IT department needs to bother about. They need to keep the respective knowledge around and keep guidelines in their help rule books. Blocking the app means you don't need to worry, and it's the employees' problem to get used to another browser. It suddenly failing when it's supported is the IT department's problem, and they are expected to fix it ASAP. It's not a question of whether FF can work; it sure can. – Frank Hopkins Nov 29 '20 at 21:55
  • @JosephSible-ReinstateMonica Is it a big deal? Probably not, but it's something they need to deal with. Lots of little pieces matter. And if this is the underlying reason in OP's case, then perhaps someone from IT was just frustrated because something did not work for someone and they spent too much time, from their perspective, figuring it out for that "niche browser" they don't know. Would it be sad to drop FF for such reasons when it arguably can be *more* "secure" than other browsers exactly because it allows for customization, easy ad blocking and tracking protection? Sure. – Frank Hopkins Nov 29 '20 at 21:59
  • @Joseph, Firefox lacks the ability to self-update when it isn't in use, which is a problem in an enterprise environment. I'm not aware of any good way to keep it up to date across an entire fleet, even if you can afford the effort. My organization is considering partially dropping support for this reason. – Harry Johnston Nov 30 '20 at 02:49
  • @HarryJohnston Isn't that what the Mozilla Maintenance Service does? – Joseph Sible-Reinstate Monica Nov 30 '20 at 02:51
  • @Joseph, no, that allows Firefox to self-update without needing to ask for administrator credentials. (Which doesn't work entirely reliably either!) – Harry Johnston Nov 30 '20 at 02:52
  • Meh, centralized control of Firefox is pretty straightforward these days. – Craig Tullis Nov 30 '20 at 17:50
  • @Craig, can you be more specific? If you can point to a good solution to the problem of keeping Firefox up to date across a large fleet, I for one would be most appreciative. :-) – Harry Johnston Dec 01 '20 at 07:40
  • @Harry Johnston Well, presuming you're using Active Directory, you can download admx files (https://support.mozilla.org/en-US/kb/customizing-firefox-using-group-policy-windows). You can also use AD to run scripts that make sure Firefox's autoupdate service is installed and running, seek and delete instances of portable Firefox, and so on. Also, and I don't really mean this as a blatant product endorsement, but Heimdal Security is one good example of a cloud-based antimalware and patching system that keeps Firefox and a host of other non-Windows-Update software updated. No GPOs in Azure AD. :( – Craig Tullis Dec 01 '20 at 21:01
  • Other operating systems have hooks into multiple directory services for central authentication and control, and scripting environments of their own. – Craig Tullis Dec 01 '20 at 21:04
  • @Craig, I'm afraid that anything that would cost us money is going to be out of the question under current circumstances. :-) If Firefox's auto-update service were able to do completely background updates like Chrome's does, we wouldn't have a problem; we wouldn't even need to do the group policy thing. But when we run a software currency report on Firefox, the results don't look at all good. – Harry Johnston Dec 01 '20 at 21:55
  • (At a guess, we will wind up removing Firefox in our teaching labs, because they're too much of a problem, and stop installing it on staff machines by default but make it available on demand via Software Center. The self-update mostly works OK if the user is actually *using* Firefox regularly. And perhaps we can automate the process of uninstalling it if it isn't being used, or something.) – Harry Johnston Dec 01 '20 at 22:01
  • @Harry Johnston Heimdal is free for patch management, FWIW. If you're running on-premise Active Directory, the admx files for Group Policy are also free, as are any scripting solutions you put together. – Craig Tullis Dec 01 '20 at 22:40
  • @Craig, thanks, but I've just checked [the licence terms](https://heimdalsecurity.com/license-agreement-and-privacy-policy) and it is only free for personal use. (Nonetheless, I've bookmarked their web site and will suggest them as a possibility next time we're looking at security vendors.) – Harry Johnston Dec 01 '20 at 22:45
  • @HarryJohnston Yeah, I just checked too. I think that's a more or less recent change. I've implemented it as an enterprise solution fairly recently. It definitely isn't free, but it compares favorably to other solutions in the market. Good luck with whatever you come up with! – Craig Tullis Dec 01 '20 at 22:48
  • This is what such people typically say. It is just an excuse. – peterh Dec 06 '20 at 01:53
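The "software currency report" and Maintenance Service checks discussed in this answer's comments, as an added example that is not from the answer, the commenters or Mozilla: a PowerShell function that reports, per machine, the installed Firefox version, whether the Maintenance Service exists and is running, and whether an `AppAutoUpdate` policy is locked in. It assumes the default install path, the service name `MozillaMaintenance`, and a caller-supplied minimum acceptable version (the `83.0` default below is a constructed value, not a recommendation).

```powershell
# Added example: per-machine Firefox currency report for a fleet check.
# Assumptions: default install path; service name 'MozillaMaintenance';
# the minimum version is a constructed placeholder the caller should set.
function Get-FirefoxCurrencyReport {
    param(
        [string]$InstallDir = 'C:\Program Files\Mozilla Firefox',   # assumed path
        [version]$MinimumVersion = [version]'83.0'                  # constructed
    )
    $exe = Join-Path $InstallDir 'firefox.exe'
    if (-not (Test-Path $exe)) {
        return [pscustomobject]@{ Computer = $env:COMPUTERNAME; Installed = $false }
    }
    # ProductVersion looks like '83.0' or '78.5.0'; drop any suffix before casting.
    $raw     = (Get-Item $exe).VersionInfo.ProductVersion
    $version = [version](($raw -split '[^\d.]')[0])

    # The Maintenance Service is what lets Firefox update without prompting for
    # admin credentials; if it is missing, self-updates stall for standard users.
    $svc      = Get-Service -Name 'MozillaMaintenance' -ErrorAction SilentlyContinue
    $svcState = if ($svc) { $svc.Status.ToString() } else { 'missing' }

    # A locked AppAutoUpdate policy keeps users from switching updates off.
    $policyFile       = Join-Path $InstallDir 'distribution\policies.json'
    $autoUpdateLocked = $false
    if (Test-Path $policyFile) {
        $p = (Get-Content -Path $policyFile -Raw | ConvertFrom-Json).policies
        $autoUpdateLocked = ($p.AppAutoUpdate -eq $true)
    }

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        Installed          = $true
        Version            = $version
        OutOfDate          = ($version -lt $MinimumVersion)
        MaintenanceService = $svcState
        AutoUpdateLocked   = $autoUpdateLocked
        LastBinaryChange   = (Get-Item $exe).LastWriteTime
    }
}

# Run locally; across a fleet, invoke it via Invoke-Command and export the objects to CSV.
Get-FirefoxCurrencyReport | Format-List
```

Machines reporting `OutOfDate = True` together with `MaintenanceService = missing` are the ones where the self-update path the comments describe has broken, and are the first to follow up on.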
2

TLDR - It's remotely possible that Firefox's implementation of JavaScript is incompatible with some other part of the organization's infrastructure, or insecure in a very narrow way.

JavaScript implementation is my daily headache, in that I support a framework that is intended to work identically no matter how you access it. Problems arise infrequently around some third-party content pieces.

Off the top of my head, Firefox is probably the only remaining major browser that can still use pagehide or unload events to do anything that actually posts back data, or do anything more complicated than confirm navigation away. Chrome and every version of IE or Edge I support don't allow a post during those events (to prevent the JS from hijacking a zombie tab). When Firefox encounters that event, there is no issue at all with the data post. In my case, my code actually owns what's in that post, but the content could write basically whatever it wants into a pagehide event and, with Firefox, it'll probably go through if it's fast enough.

Another thing I just thought of is string templating in JS. IE in no way supports it, and some of my clients mandate browser usage around that. I don't use JS string templating because I must support IE back to IE9, but it stands as an example of how browser bans may not be security-related. There's this narrow chance that an inbound piece of infrastructure might simply not be compatible in some way they haven't been inclined to mention.

-2

They maintain company sites and/or tools which work with browsers, don't want to support Firefox, and don't want to deal with support requests from unaware Firefox users.

They may be unaware of any damage beyond aesthetic preference. Or not care.

schroeder