New Research Says Chrome Browser "Most Secured" Against Attacks

Discussion in 'other security issues & news' started by lotuseclat79, Dec 9, 2011.

Thread Status:
Not open for further replies.
  1. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    Sorry JR, I was using an analogy. You're right, it's best not to mention the 'R' & the 'P' word. Most English pubs have rules about this LOL! :D
     
  2. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr

    We're going to have to agree to disagree about this one. ;)
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I suppose so =p
     
  4. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    My understanding of FUD is that it involves spreading untruths.
    If all information presented is true, then FUD is, in my opinion, in the eye of the beholder, and probably says more about that individual's own set of prejudices than it does about the intent of the presenter of facts.
    A fine definition of FUD can be found online.
    It says:
    Another source defines FUD this way:
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    That's how I understood FUD as well but I suppose you could use facts to scare people? I just usually think of FUD as being lies.

    Either way, whether it's FUD or not doesn't detract from it being full of great and true information.
     
  6. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    It's all just bollocks semiotics. To even consider that this 'report' isn't a thinly veiled attack on Firefox would be just patently dishonest.
     
  7. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    Or, as Dan Goodwin notes in the article that vasa1 linked in post#2...
     
  8. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    It all looks so innocuous doesn't it? I'm not fooled for one minute. As I said earlier, it's just business to Google.

    "So what if we're evil: We're going full steam ahead, no matter what happens with the settlement." ~

    Dan Clancy, Google Books executive (& possibly stroking Mr Bigglesworth at the time) about accusations on copyright infringements by Google.
     
  9. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    Uncertainty and doubt is obviously the goal in the paragraph of possible FF extension vulnerability implications and the pic of a Noscript install.

    It's like describing the possible hazards of having consumed alcohol before driving a car, listing possible injuries and worse and then posting a pic (of a random WSF member, taken when he had one beer) accompanied by the text 'This person only had one beer'.
    It doesn't mean squat that he only had one beer and a picture was taken in his garden before he walked into his house, off to bed.
    Due to the combination of text and pic, he'd be associated with drunk driving, death and mayhem.
    Even if just 'facts' have been used.
    Imo, I'd be creating fear and doubt about a person instead of presenting two separate 'facts'.
     
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    :eek: :eek:

    I downloaded the paper yesterday, but only a few seconds ago I started reading it. I'm on page 12 by now. So far, I found no FUD and lies, at all.

    The first pages mention the sandboxing protection or lack of. It's all valid information and accurate. They didn't make the mistake of saying Google Chrome is invulnerable; they mentioned it's the most secure, and if we understand its sandboxing mechanism, well... it is the most secure. That doesn't mean it's bulletproof, it simply means it will be harder for it to be attacked.

    I can't comment more, as I haven't gone that far in the paper. But, so far it's all very much valid information. No FUD.
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    It's a good read.

    You won't be finding any lies in there - I read the whole thing and I've gone back to different parts.

    It goes very far in depth. I had no idea how significant the differences between IE9 and Chrome's sandboxes are.
     
  12. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    There's one thing that wasn't mentioned about Google/Google Chrome, and that's the fact that there's no vetting, in what comes to extensions in Google Chrome Web Store.

    They did mention that Mozilla vets them.

    In what comes to this, it's :thumb: for Mozilla and :thumbd: for Google. This is something Google cannot neglect, any longer.

    (Yes, I did search the pdf for the extensions. lol But, I'm still on page 17. I'm going to read more tomorrow.)
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yeah, I agree m00n. It's also important to keep in mind that extensions in Chrome are given less freedom (more limiting APIs) and I think that they should have mention both of these things.

    Chrome does do a "Verified Author" though, it's just not a strong way to vet.
     
  14. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    http://www.nsslabs.com/assets/noreg-reports/2011/The Browser Wars Just Got Ugly.pdf

    NSS response.

    They bring up that Google now implements application reputation heuristics and that's why their socially engineered malware scores are skyrocketing up.

    They criticize this move because they aren't sharing it with their usual Safebrowsing API.


    I'd love for NSS labs to release a comprehensive study like Accuvant has.

    NSS's report lost a lot of respect when they said this:
    This is idiotic.

    It's very evident in this quote how they feel about the raw information:

     
    Last edited: Dec 16, 2011
  15. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    Perhaps but read the following from the Accuvant report, page 17.
    "The chart depicts the total number of vulnerabilities patched within the period of the dataset....However, what this could indicate is that Firefox has the most vulnerabilities because researchers have an easy time exploiting the vulnerabilities and thus pay more attention to Firefox.
    Chrome may have the second most because they offer a bounty program so researchers pay more attention.
    ...The point is, any conclusion drawn from the data is speculation and the data does not aid in discovering which browser is most secure.
    "


    Ok, that's really funny, the data gives no solid reason for any conclusions because that would be just plain speculation. According to Accuvant, that is.

    Still, there is reason enough for Accuvant to speculate that 'what this could indicate is that Firefox has the most vulnerabilities because researchers have an easy time exploiting the vulnerabilities...' and Chrome just hasn't got such issues because they've got money-driven bug hunters which means something completely else than easy exploitable vulnerabilities.
    Two times speculation doesn't equal logic in my book also.
    Yes, NSS Labs gives praise where praise is due but they and others point out also what is plain old propaganda, FUD and gross and imo insincere speculation.
    One can wrap a turd with quality data but it still remains a turd.
     
  16. guest

    guest Guest

    Explains a lot of things. Especially:

     
    Last edited by a moderator: Dec 17, 2011
  17. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    This is hardly an argument. So, the malware sites are of public knowledge. The issue here is that Mozilla on its own gathers no data to protect their users. Their malicious domains protection data comes from Google's Safe Browsing.

    lol
     
  18. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I agree that calling them out for using public lists is a nonargument. They took malware samples from public verifiable sources and tested the browsers against them.
     
  19. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    They throw those out as possible wrong conclusions, conclusions that may typically be drawn by data like that when the data itself is inherently faulty. They point out right away that all of these conclusions make no sense.
     
  20. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    Perhaps you've downloaded/read a different PDF version. Mine clearly states;

    "The chart depicts the total number of vulnerabilities patched within the period of the dataset. A naïve interpretation would be that Firefox is the least secure, Chrome is in the middle and Internet Explorer is the most secure.
    However, what this could indicate is that Firefox has the most vulnerabilities because researchers have an easy time exploiting the vulnerabilities and thus pay more attention to Firefox.
    Chrome may have the second most because they offer a bounty program so researchers pay more attention.
    Internet Explorer may have the least because they require more quality assurance overhead before creating a patch.
    The point is, any conclusion drawn from the data is speculation and the data does not aid in discovering which browser is most secure."


    Only the bold part is discarded as 'naïve'.
    Did you notice the following word 'However'?
    That's where they start the 'let's go wild speculation' tour until the last sentence, when all of a sudden any conclusion drawn is silly speculation.
    But smartly put, only silly if it's based on the data.
    Their gut feeling or hunch or guesstimate or whatever was reason enough though to write down the possible reasons for the different scores.

    Just face it Hungryman, I know you're tenacious but you just can't make this turd smell like perfume. It's a turd. And it smells really bad.
     
  21. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Their conclusions, hypothetical and (as they pointed out) purely speculative as they are are seemingly bias.

    I've said that right from the beginning.

    It really doesn't belittle the research in my opinion. I haven't seen a paper this comprehensive before dedicated to browser security.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.