Chrome second year in a row strongest browser
Kees1958
March 27th, 2010, 04:05 AM
At the Pwn2Own contest all browsers went down on the first day, except Chrome.
It clearly states the benefits of the Policy Sandboxing (reducing attack surface), while the others, Firefox, Safari and IE8, fell within minutes http://www.computerworld.com/s/article/9174078/iPhone_Safari_IE8_Firefox_all_fall_on_day_one_of_Pwn2Own
:thumb:
linuxforall
March 27th, 2010, 04:08 AM
Opera wasn't even tested so can't say all browsers but good show by chrome nonetheless. FF's hype of being a secure browser went up the sky. Sad part was that my favorite line of defense, DEP, was bypassed, which makes it quite risky in a sense.
Kees1958
March 27th, 2010, 04:24 AM
-{ Quote: "Opera wasn't even tested so can't say all browsers but good show by chrome nonetheless. FF's hype of being a secure browser went up the sky. Sad part was that my favorite line of defense, DEP, was bypassed, which makes it quite risky in a sense." }-
Okay, I stand corrected.
FF security is overrated: it runs by default with medium level integrity (Chrome tabs and IE8 run with Low integrity), it offers several ways of creating plug-ins (from low level programming to high level scripting) which do not have a signing mechanism like Active X with IE (as far as I know), it stores its plug-ins in the admin space.
FF should have taken an example from Opera when they redesigned/overhauled their browser from version two to three.
Regards Kees
linuxforall
March 27th, 2010, 05:54 AM
-{ Quote: "Okay, I stand corrected.
FF security is overrated: it runs by default with medium level integrity (Chrome tabs and IE8 run with Low integrity), it offers several ways of creating plug-ins (from low level programming to high level scripting) which do not have a signing mechanism like Active X with IE (as far as I know), it stores its plug-ins in the admin space.
FF should have taken an example from Opera when they redesigned/overhauled their browser from version two to three.
Regards Kees" }-
That's why, even at the cost of user base, Opera is so resilient to the idea of plugins; the Widget is far safer in that sense but limited nonetheless.
dw426
March 27th, 2010, 09:29 AM
-{ Quote: "Opera wasn't even tested so can't say all browsers but good show by chrome nonetheless. FF's hype of being a secure browser went up the sky. Sad part was that my favorite line of defense, DEP, was bypassed, which makes it quite risky in a sense." }-
I just wish Opera was capable of providing at least CLOSE to the functionality of Noscript and AdBlockPlus. I might be willing to finally break down and use Opera for more than a day and ignore my other mostly cosmetic issues with it. FF is really starting to lose quality, however, I am very curious to know if NoScript was installed during this attack. It COULD make a difference. DEP and ASLR being circumvented is rough news. When the supposed toughest measures out there fail, and, now, with a 64bit rootkit rumor going around, things aren't looking pleasant whether you believe, as one person put it "the malware card is overplayed".
Kees1958
March 27th, 2010, 10:12 AM
New Chrome lets you control content: cookies, pop-ups, images, javascript and plug-ins, so why stay with FF? (see pic)
Instead of crippling your FAT browser use the LEANEST browser in the world Lynx (a text browser), no need to control content, there is only text :;D
With NOscript it is impossible for you to :-[ me :argh:
dw426
March 27th, 2010, 10:17 AM
-{ Quote: "New Chrome lets you control content: cookies, pop-ups, images, javascript and plug-ins, so why stay with FF?
Instead of crippling your FAT browser use the LEANEST browser in the world Lynx (a text browser), no need to control content, there is only text :;D
With NOscript it is impossible to :-[ me :argh:" }-
I'm too much into the internet for a text only browser I'm afraid ;D
I can't say I still trust Google very much, in fact, I have a lot of issues with their business. But, the fact can't be ignored that, at least so far, they have the better security model out of all the well-known browsers. *twitches as he visits the Chrome download page....can he do it? Will he finally take the splash? Stay tuned!*
CogitoTesting
March 27th, 2010, 10:31 AM
-{ Quote: "New Chrome lets you control content: cookies, pop-ups, images, javascript and plug-ins, so why stay with FF? (see pic)
Instead of crippling your FAT browser use the LEANEST browser in the world Lynx (a text browser), no need to control content, there is only text :;D
With NOscript it is impossible for you to :-[ me :argh:" }-
For the security paranoid, Lynx could be the perfect browser since it is text based. However, the Internet has evolved from a text based environment. Lynx could have been quite popular in the 90s and given Netscape and IE a good run for their money ;D. In the 21st century web interaction rules and there is no way that Lynx could have a concrete foothold in the browser market.
Thanks.
Kees1958
March 27th, 2010, 10:34 AM
So why does "cripple FF Noscript" have so many fans? Why not go for the real thing, text based security? Or . . . go for a fully functioning web browser with a decent well designed software architecture like Chrome or Opera.
The eggheads from Berkeley, Washington and Stanford predicted in 2008 that the well designed architecture of Chrome would make it 60 to 70 more secure than monoliths like IE8 and FF (see http://seclab.stanford.edu/websec/chromium/chromium-security-architecture.pdf). Guess what: the Pwn2Own competition indicates it was an accurate guesstimate. Two years in a row is not bad luck, which makes the difference: it is good design.
linuxforall
March 27th, 2010, 10:55 AM
-{ Quote: "I just wish Opera was capable of providing at least CLOSE to the functionality of Noscript and AdBlockPlus. I might be willing to finally break down and use Opera for more than a day and ignore my other mostly cosmetic issues with it. FF is really starting to lose quality, however, I am very curious to know if NoScript was installed during this attack. It COULD make a difference. DEP and ASLR being circumvented is rough news. When the supposed toughest measures out there fail, and, now, with a 64bit rootkit rumor going around, things aren't looking pleasant whether you believe, as one person put it "the malware card is overplayed"." }-
Actually fanboyz adblock filters do a great job of blocking ads, as for noscript, Opera lets you turn off javascript selectively for particular site or you can turn off javascript totally as I do. As for noscript equivalent, take a look here http://my.opera.com/community/forums/topic.dml?id=241208
SafetyFirst
March 27th, 2010, 11:01 AM
Does SRWare Iron have all the good sides of Chrome without the bad ones?
If I go Iron, will I have the same functionality as with regular Chrome?
Cutting_Edgetech
March 27th, 2010, 11:07 AM
Does Chrome still collect user data for Google from its users?
linuxforall
March 27th, 2010, 11:13 AM
-{ Quote: "Does SRWare Iron have all the good sides of Chrome without the bad ones?
If I go Iron, will I have the same functionality as with regular Chrome?" }-
Maybe this will fit your bill better but I hear that Google has done away with the unique id.
http://www.comodo.com/home/internet-security/browser.php
dw426
March 27th, 2010, 11:14 AM
-{ Quote: "Actually fanboyz adblock filters do a great job of blocking ads, as for noscript, Opera lets you turn off javascript selectively for particular site or you can turn off javascript totally as I do. As for noscript equivalent, take a look here http://my.opera.com/community/forums/topic.dml?id=241208" }-
Fanboy looks just fine, so thanks for that. As far as that Noscript replacement, I see a few issues. There's no cross-site or XSS protection? No click-jacking either? Also, it seems as if he has begun to incorporate Unite into his scripting program. Call me silly, but by personal preference I can't really get behind that.
mvario
March 27th, 2010, 11:15 AM
Not to take anything away from Chrome, but no one tried.
http://lifehacker.com/5502835/day-two-no-one-even-attempts-hacking-chrome-at-pwn2own-competition
acr1965
March 27th, 2010, 02:26 PM
Thanks for the info. I have java script disabled by default and am currently creating a white list. You can select per site which to add to the white list, then just hit refresh and you are good to go. The site will show up automatically in the exceptions list.
bellgamin
March 27th, 2010, 03:40 PM
-{ Quote: "FF security is overrated" }-
FF may be overrated on integral security, but I believe it is nonpareil as to *securability*.
Perhaps FF standing alone can be crashed, but it readily lends itself to being configured/augmented so as to present major obstacles to malware. IMO, the ability to crash a browser does NOT necessarily connote its securability against admitting malware.
With NoScript & DropMyRights & HIPS in place, FF is very well shielded against admission of malware.
Actually I like Chrome (but I prefer Chrome+ for those rare occasions when I want to go chroming around the internet).
By the way -- does Chrome offer anything equivalent to the full-spectrum of defenses provided by Noscript? (Honest question - not a challenge.) Here are a few examples of the MANY possible configs/coverages by NS over & above merely blocking JS. . .
+Turn cross-site POST requests into data-less GET requests
+Enable Application Boundaries Enforcer
+Block JAR remote resources being loaded as documents
lodore
March 27th, 2010, 05:22 PM
the problem with iron is that it's not as up to date as chrome.
are there any others that are as up to date as chrome?
i do try the daily builds but want a stable version of chrome that is regularly updated.
codylucas16
March 27th, 2010, 06:03 PM
Chrome may be more secure than the rest but out of every time I've tried to use it, I've had nothing but stability issues. I think I'll stick to my Firefox.
Noob
March 27th, 2010, 06:08 PM
Nice Google :D
Kees1958
March 27th, 2010, 07:17 PM
Yep Google has an issue with privacy matters, but then again the DNS server I use also knows where I loom around on the internet.
For the Google tracking, just run Chrome Privacy Protector, make the Local State file read only and privacy issue is gone.
Add Trusteer Rapport Free or Free Facebook PrevX safe online to Chrome and you really have a strong worry/hassle free browser. With the free facebook PrevX you get extra phishing protection to deal with social engineering. For people using Trusteer I recommend adding the Site Advisor Free extension for chrome. The combo PrevX, Google search, Open DNS or (with Trusteer) SiteAdvisor, Google Search and Open DNS are nearly as effective as IE's smartscreen (only differs 2 to 3 percent maximum).
@lodore, try the chrome portable versions
funkydude
March 27th, 2010, 08:22 PM
-{ Quote: "the problem with iron is that it's not as up to date as chrome.
are there any others that are as up to date as chrome?
i do try the daily builds but want a stable version of chrome that is regularly updated." }-
http://www.srware.net/forum/viewtopic.php?f=18&t=1280&sid=86d6f42de724c5e2ae11fd18f8191a7f
If I were to use a chromium port, it would be Iron. I wouldn't touch Chrome itself, nor one made by Comodo.
firzen771
March 27th, 2010, 09:13 PM
all this aside, the customization of FF is what keeps me hooked and no browser is even close to matching it. (even Chrome's attempt at addons is half assed IMO and doesn't allow the customization and control i want)
acuariano
March 27th, 2010, 10:18 PM
-{ Quote: "Does Chrome still collect user data for Google from its users?" }-
i have the same question, even gmail had to add more security lately...
Sputnik
March 28th, 2010, 10:09 AM
-{ Quote: "the problem with iron is that it's not as up to date as chrome.
are there any others that are as up to date as chrome?
i do try the daily builds but want a stable version of chrome that is regularly updated." }-
Agreed. As I pointed out some months ago Iron really lags behind in terms of security updates. With the unique-/user-id removed since Chrome 4.1 I don't see any reason to use Iron any longer.
Daveski17
March 28th, 2010, 10:38 AM
-{ Quote: "Agreed. As I pointed out some months ago Iron really lags behind in terms of security updates. With the unique-/user-id removed since Chrome 4.1 I don't see any reason to use Iron any longer." }-
I raised this very point on the SRWare forums & the admin got back to me & claimed that Iron (4.0.280) uses a different branch to Chrome so doesn't need the same updates. Secunia (http://secunia.com/advisories/product/28729/?task=advisories) seems to think that it is very safe.
funkydude
March 28th, 2010, 10:56 AM
-{ Quote: "Agreed. As I pointed out some months ago Iron really lags behind in terms of security updates. With the unique-/user-id removed since Chrome 4.1 I don't see any reason to use Iron any longer." }-
Let's not forget all the other reasons not to use Chrome. http://www.srware.net/en/software_srware_iron_chrome_vs_iron.php
Sputnik
March 28th, 2010, 02:17 PM
@Daveski17
The fact Secunia has not a single vulnerability reported for Iron makes me wonder how actively they watch it. When talking about browser security patches I'd better be safe than sorry.
@funkydude
I'm aware of the list posted by SRWare, however most of those 'problems' can be disabled in Chrome as well. The biggest problem was the Client-ID which got removed.
Reimer
March 28th, 2010, 02:56 PM
or you could just use a build of Chromium itself then. You don't deal with the lack of updates that Iron does since it's a dev build and there's literally a new build almost every other hour.
and it doesn't have the Google privacy problems that Chrome does.
I'd say the only real issue with Chromium vs Chrome is that Chromium doesn't have h264 HTML5 support. That's probably a non-issue for most people though.
Sputnik
March 28th, 2010, 03:39 PM
Why not use Google Chrome and replace the default search engine with Ixquick (http://www.ixquick.com/)? Instructions to add Ixquick to your browser are here (http://eu.ixquick.com/eng/download-ixquick-plugin.html).