Browser Security

Believe it.

IE8 is considered the most secure when used in Protected Mode and running in a Standard Account.

True as that is, that report only seems to compare the browsers on the percentage of malware sites they blocked, which is a lot different to testing the browsers' overall security.

The report says that they chose 562 malware URLs from a list of 12,000. Which URLs were chosen would have a crucial effect upon which browser came out best. You could happen to choose 562 that were all blocked in one browser, even if it didn't block the other 11,438. So by what means were they selected? NSS Labs don't tell you.

And guess what? Microsoft certainly funded the first of the NSS reports. I don't know if they still do. It doesn't necessarily mean that the results are biased, but they don't provide enough methodology information to exonerate them from suspicion.
 
If these tests were based purely on browsers' URL block lists, then I don't really consider that a firm basis (or a worthwhile one) for a meaningful security evaluation.

That kind of measure is something right at the highest level of the chain. A check that reads something akin to IF URL IS-IN BLOCK_LIST -> DONT_LOAD_PAGE() is hardly a security focal point. And it wouldn't in any way affect my choice of browser.

A good survey would analyse things across the board on an OS-neutral level, covering topics such as code isolation, arbitrary code protection mechanisms, etc. in addition to malware URL blocking. And then cover additional OS protections if relevant, e.g. IE's close coupling with Windows security mechanisms.

EDIT: my bad, the OP is just a summary report, full report is here: http://nsslabs.com/test-reports/NSSLabs_Q12010_GTRBrowserSEM_FINAL.pdf

It is still just URL blacklist examinations, so a poor test with limited use IMO.

From an initial list of 12,000 new suspicious sites, 1,756 potentially-malicious URLs were pre-screened for inclusion in the test and were available at the time of entry into the test. These were successfully accessed by the browsers in at least one run. We removed samples that did not pass our validation criteria, including those tainted by exploits or that contained invalid samples. Of the initial 1,756 URLs, ultimately 562 URLs passed our post-validation process and are included in the final results,

Not sure why they chose not to use all malicious URLs with random selection, fair enough though I suppose.
 
I've not read the full report, but I'm assuming this is the SmartScreen Filter which is also useful against phishing attacks. It's not really a test of the browser as an exploitable vector but if it keeps malware off some PCs then it's all good. The report doesn't surprise me really as there have been some nice stats for SmartScreen out for a while.
 
In virtually every other way, apart from this report's results, Firefox and Opera are far better.

The web browser debate certainly is an interesting one. I wish people would take more of a neutral stance though as opposed to stating things as if they were fact when it really comes down to the users needs and what they like and dislike as well as their own personal experience, which differs among everyone.

In regards to security, it really shouldn't come as any surprise that Internet Explorer 8 is one of the securer web browsers. If we take a look at what it has going for it: Data Execution Prevention, Address Space Layout Randomization, Protected Mode, SmartScreen Filter, as well as other low level security enhancements. Taking this into account, it's no surprise Internet Explorer 8 is a pretty secure web browser. Whilst it may be possible to bypass these defences, it undoubtedly makes it much harder for attackers to exploit vulnerabilities and cause any significant damage to the user's system.

It's a bit of a shame to see other web browsers, excluding Google Chrome's rather impressive sandbox capability, aren't taking advantage of the Windows Integrity Mechanism / User Interface Privilege Isolation, despite the fact it was introduced into Windows Vista which was released over 3 years ago. I'm not a software developer so I'm not quite sure of the specifics but considering you can implement similar functionality like Protected Mode for web browsers which don't take advantage of the Windows Integrity Mechanism / User Interface Privilege Isolation yourself, it's a little disappointing to see there are only two web browsers which take advantage of this by default; Internet Explorer and Google Chrome.

There are of course other things we may take into consideration when deciding on which web browser to use:
  • Speed
  • Features
  • User Interface
Whilst one individual may prefer using Mozilla Firefox due to its very large extension database, another person may be fully content with the out-of-the-box configuration of Opera, for example. The best thing you can do is to try each of the most popular web browsers (Mozilla Firefox 3.6, Opera 10.50, Internet Explorer 8, Safari 5 and Google Chrome 5) and see which one you prefer. :)
 
It's a bit sad to see other web browsers, excluding Google Chrome's rather impressive sandbox capability, aren't yet taking advantage of the new security features which are available in Windows Vista and Windows 7, namely the Windows Integrity Mechanism (User Account Control). This security feature has been available for over 3 years since it was first introduced into Windows Vista and yet there are only two web browsers which take advantage of this. I'm not a software developer so I'm not quite sure of the specifics, but considering you can get Protected Mode-like functionality by setting the appropriate directories to low integrity yourself, which only takes a couple of minutes, it's a little disappointing to see there are only two web browsers out of the well-known five which take advantage of the Windows Integrity Mechanism.
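The "set the appropriate directories to low integrity yourself" step mentioned above, as an added example that is not from any poster in this thread: it labels one directory Low integrity with icacls so that a Low-IL (Protected Mode style) browser process can write there while the rest of the profile stays at the default Medium, then reads the labels back to verify. The directory path is an assumed placeholder; run it in an elevated PowerShell on Vista/7 or later.

```powershell
# Added example, not from the thread. Assumed placeholder path for the
# Low-integrity download/profile area that a Low-IL browser may write to.
$LowDir = Join-Path $env:USERPROFILE 'LowIL-Downloads'
New-Item -ItemType Directory -Path $LowDir -Force | Out-Null

# (OI)(CI): inherit the label to files and subfolders. The mandatory label
# carries No-Write-Up (NW), so a Low-IL process can write only to objects
# labelled Low; unlabelled objects are treated as Medium and stay off limits.
icacls $LowDir /setintegritylevel '(OI)(CI)Low' | Out-Null

function Get-IntegrityLabel {
    # Parse the "Mandatory Label\<Level> Mandatory Level" line icacls prints;
    # an object with no explicit label is implicitly Medium.
    param([string]$Path)
    $out = (icacls $Path 2>$null) -join "`n"
    $m = [regex]::Match($out, 'Mandatory Label\\(\w+) Mandatory Level')
    if ($m.Success) { return $m.Groups[1].Value }
    return 'Medium (implicit)'
}

Write-Host "$LowDir         -> $(Get-IntegrityLabel $LowDir)"
Write-Host "$env:USERPROFILE -> $(Get-IntegrityLabel $env:USERPROFILE)"
```

Only the explicitly labelled directory should report Low; every other profile directory should still report the implicit Medium, which is the separation Protected Mode relies on.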

I think the key reason for this is that it would be a development nightmare due to the other browsers being cross-platform. They would have to have a separate code branch of Windows only security code, and obviously it's good to keep security implementations as simple as possible. I agree it's a shame they aren't utilized more though.

But Google Chrome is cross platform :confused:

True, a fair majority of their security code is all portable though, or they have implemented equivalents for each supported OS. For example their sandboxing uses significantly different code on Windows than Linux, but the end result is fairly similar. This is a lot of work from a dev point of view though.

I think Chrome sandboxing utilizes Windows access tokens to help with its sandboxing? I suppose they have put the extra work in to develop some platform specific code, maybe Mozilla developers are just lazy :p
 
But Google Chrome is cross platform :confused:

More to the point, (speaking from experience) Firefox has a tonne of platform-specific code which gets switched on or off depending on build flags or what you're compiling on. It's just non-trivial to do in a sensible timescale; just breaking plugins into a separate process has taken a while and Chrom{ium,e} came from essentially nothing.
 