94

We received a message from the IT bods this week stating:

Summary of the issue: IT will be disabling and blocking the use of the browser Firefox next Thursday, the 03.12.20, on all IT-managed devices. Due to certain vulnerabilities and security risks associated with the use of this browser, it will be blocked from use as of next Thursday.

Has a new exploit been found? I've checked https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/ but not seen anything that's currently open.

Does anyone know of a reason for this ban?

9
  • 101
    There's almost certainly not a good reason for this and your IT department is just clueless. Commented Nov 29, 2020 at 0:15
  • 49
    Have you asked them? You're asking to guess their reasons.
    – schroeder
    Commented Nov 29, 2020 at 8:29
  • 6
    @JosephSible-ReinstateMonica not necessarily clueless they might simply want to reduce the software to keep track of. It is a bit telling to single out Firefox of all the browsers (then again, its core features seem to have been a bit neglected for a bit and you kill lots of variants with one go if they also block derivative browsers). Commented Nov 29, 2020 at 9:17
  • 68
That's stupidity if they are allowing Google Chrome. Only Microsoft Edge is updated through Windows Update. The real reason is that Firefox uses its own certificate store, which prevents your employer from MITM-ing your traffic without getting detected.
    – defalt
    Commented Nov 29, 2020 at 12:52
  • 9
    @defalt Coming soon: Chrome has its own cert store, too. Commented Nov 29, 2020 at 20:03

5 Answers

164

Assuming that you work in the banking industry, this is likely due to their inability to intercept Firefox's traffic.

Due to Firefox's support of DoH and eSNI, most banks and regulated industries are resorting to blocking Firefox because firewalls can't snoop encrypted traffic easily.

On the other hand, if you use Chrome, IE or Edge, you can push changes through Active Directory without users' knowledge/consent. Actually, most hardware firewall vendors with DPI (deep packet inspection) have started to recommend that enterprise customers get rid of Firefox because their edge firewall isn't able to intercept Firefox's traffic any more.

Note: One can enforce policies on Firefox enterprise, but most privacy-conscious users will use Firefox portable to flout it, hence blocking is easier.

  1. https://live.paloaltonetworks.com/t5/blogs/protecting-organizations-in-a-world-of-doh-and-dot/bc-p/319542
  2. https://www.venafi.com/blog/fight-over-dns-over-https
  3. https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk98025
1
  • Comments are not for extended discussion; this conversation has been moved to chat.
    – Rory Alsop
    Commented Dec 1, 2020 at 12:32
59

TLDR - It might not be even about security. This could just be due to your company's preference.

A friend of mine faced a similar issue. Firefox is blocked on his office laptop. When asked, they simply said it was for "security reasons". After filing a request that he needs to test the websites on Firefox, he got a different answer. It stated that they had an extension installed on Google Chrome to monitor their web activity and determine "work time/productivity". The extension was made available on Google Chrome only, and all other browsers are banned citing "security reasons", while in reality it is just a preference of the extension development team.

4
  • 24
    That is "security reasons", the problem being that Firefox is secure.
    – OrangeDog
    Commented Nov 30, 2020 at 13:03
  • I should note that this reasoning is rather sloppy as well. With Windows Administrator rights you can silently push monitoring software to employee machines that work at the OS level to monitor usage (i.e. it doesn't matter what browser you use). Plugins are fiddly things that don't always work the way you expect.
    – Machavity
    Commented Nov 30, 2020 at 13:13
@Machavity There was a Windows program that ran alongside the extension. The extension was collecting history from the browser. I suspect that it is used for some analytics, like what websites the employees spent their time on, etc., while the Windows program was collecting details about what program was being used.
    – Kolappan N
    Commented Nov 30, 2020 at 13:20
  • @KolappanN Ah, it was profiling via JavaScript. That would make sense
    – Machavity
    Commented Nov 30, 2020 at 13:21
13

Most likely IT didn't want to be responsible for centralized updates.

Without concerted updates individual installations fall out of date and vulnerabilities, once found, may remain unpatched. So they banned it rather than taking on the extra work of making sure it got patched.

20
  • 10
    What's sad is that it's not even any extra work. They just have to not disable the automatic updates that are enabled by default. Commented Nov 29, 2020 at 2:50
  • 1
@JosephSible-ReinstateMonica but people can install mods and somehow fuck the browser up, or use adblockers and JS blockers and then ask IT why this or that page doesn't work, etc. So if they are responsible for stuff working and FF is an additional browser option, it might just be their way to reduce overall user support effort. Commented Nov 29, 2020 at 9:30
  • 4
    @JosephSible-ReinstateMonica , automated updates can be a serious issue for companies - if suddenly (badly-written own) business critical applications fail (in the newest browser version), the company could be dead in the water for days, not being able to execute. Sure, not the browser's fault, but reality.
    – Aganju
    Commented Nov 29, 2020 at 17:46
  • 4
    @Joseph, Firefox lacks the ability to self-update when it isn't in use, which is a problem in an enterprise environment. I'm not aware of any good way to keep it up to date across an entire fleet, even if you can afford the effort. My organization is considering partially dropping support for this reason. Commented Nov 30, 2020 at 2:49
  • 2
    Meh, centralized control of Firefox is pretty straightforward these days. Commented Nov 30, 2020 at 17:50
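The top answer says the practical problem is Firefox's separate trust store and its built-in DNS-over-HTTPS, and this answer's thread turns on whether centralized control of Firefox is extra work. Both come down to the same artefact: the enterprise policies.json that a managed Firefox reads at startup. The following audit script is an added example, not code from anyone in this thread or from Mozilla. It checks a policy document for the three settings those answers discuss: DNSOverHTTPS (Enabled/Locked), Certificates.ImportEnterpriseRoots, and DisableAppUpdate, all of which are real Firefox policy names; the expectations it enforces (DoH off and locked, enterprise roots imported, updates not disabled) are this example's assumptions about what a managed fleet wants, and the two sample policy objects are constructed. It only tells you about installs that actually read the policy file; a portable copy, as the note in the top answer points out, never sees it.

```javascript
// Added example: audit a Firefox enterprise policies.json for the settings
// discussed in this thread. Runs under Node.js with no dependencies.
// Expectations below are assumptions for a managed fleet, not Mozilla guidance.

function auditFirefoxPolicies(doc) {
  const findings = [];
  const p = (doc && doc.policies) || {};

  // DoH: Firefox's built-in resolver bypasses the corporate resolver and any
  // DNS-based filtering, so it must be disabled and the setting locked;
  // an unlocked setting can be switched back on in about:preferences.
  const doh = p.DNSOverHTTPS;
  if (!doh || doh.Enabled !== false) {
    findings.push('DNSOverHTTPS is not disabled (Enabled must be false)');
  } else if (doh.Locked !== true) {
    findings.push('DNSOverHTTPS is disabled but not Locked; users can re-enable it');
  }

  // Trust store: Firefox ignores the OS certificate store unless this policy
  // is set, so an inspection CA pushed via AD is not trusted without it.
  const certs = p.Certificates;
  if (!certs || certs.ImportEnterpriseRoots !== true) {
    findings.push('Certificates.ImportEnterpriseRoots is not true; OS-installed enterprise CAs are ignored');
  }

  // Updates: a policy that disables application updates leaves installs
  // unpatched, which is the concern raised in this answer.
  if (p.DisableAppUpdate === true) {
    findings.push('DisableAppUpdate is true; installations will fall out of date');
  }

  return findings;
}

// Convenience wrapper for the raw file contents of policies.json.
function auditPolicyJson(text) {
  return auditFirefoxPolicies(JSON.parse(text));
}

// Constructed sample: DoH left enabled, no enterprise roots, updates disabled.
const weakPolicy = {
  policies: {
    DNSOverHTTPS: { Enabled: true },
    DisableAppUpdate: true,
  },
};

// Constructed sample: the corrected policies.json.
const hardenedPolicy = {
  policies: {
    DNSOverHTTPS: { Enabled: false, Locked: true },
    Certificates: { ImportEnterpriseRoots: true },
    DisableAppUpdate: false,
  },
};

for (const [name, doc] of [['weak', weakPolicy], ['hardened', hardenedPolicy]]) {
  const findings = auditFirefoxPolicies(doc);
  console.log(`${name}: ${findings.length === 0 ? 'OK' : findings.join('; ')}`);
}
```

To run it against a real install, read the file Firefox actually loads (the distribution folder next to the Firefox binary on Windows and macOS, or /etc/firefox/policies/policies.json on Linux) and pass its contents to auditPolicyJson. The output for the weak sample lists all three findings; the hardened sample produces none, which is the configuration state in which blocking Firefox buys nothing that policy does not already give you.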
2

TLDR - It's remotely possible that Firefox's implementation of JavaScript is incompatible with some other part of the organization's infrastructure, or insecure in a very narrow way.

JavaScript implementation is my daily headache, in that I support a framework that is intended to work identically no matter how you access it. Problems arise infrequently around some third-party content pieces.

Off the top of my head, Firefox is probably the only remaining major browser that can still use pagehide or unload events to do anything that actually posts back data, or do anything more complicated than confirm navigation away. Chrome and every version of IE or Edge I support don't allow a post during those events (to prevent the JS from hijacking a zombie tab). When Firefox encounters that event, there is no issue at all with the data post. In my case, my code actually owns what's in that post, but the content could write basically whatever it wants into a pagehide event and, with Firefox, it'll probably go through if it's fast enough.

Another thing I just thought of is string templating in JS. IE in no way supports it, and some of my clients mandate browser usage around that. I don't use JS string templating because I must support IE back to IE9, but it stands as an example of how browser bans may not be security related. There's this narrow chance that an inbound piece of infrastructure might simply not be compatible in some way they haven't been inclined to mention.

-2

They maintain company sites and/or tools which work with browsers, don't want to support Firefox, and don't want to deal with support requests from unaware Firefox users.

They may be unaware of any damage beyond aesthetic preference. Or not care.

1
  • 6
    That's not a "security reason" or "vulnerability"
    – schroeder
    Commented Nov 30, 2020 at 18:13
