Wilders Security Forums  

  #1  
Old October 15th, 2012, 12:24 PM
Mrkvonic Mrkvonic is offline
Linux Systems Expert
 
Join Date: May 2005
Posts: 7,465
Default The Browser State

For most people, the choice of the Web browser is a funny formula of I-used-it-first, whatever is installed by default, followed by look and feel, speed, perceived security, and finally, last but not the least, actual functionality. On top of that, users tend to be quite loyal, or rather quite habitual, to their browsers, and they rarely venture about exploring new options and possibilities, even if they might be technologically superior. And now, you click the link to read more, that's how it works.

http://netrunner-mag.com/?p=1990


Cheers,
Mrk
__________________
http://www.dedoimedo.com

All your base are belong to us

Linux Systems Expert / Systems Programmer, Linux System Administrator, LPIC-1, LPIC-2 (WIP), GSEC, CCHD, CCHA
  #2  
Old October 15th, 2012, 12:49 PM
chronomatic chronomatic is offline
Very Frequent Poster
 
Join Date: Apr 2009
Posts: 1,324
Default Re: The Browser State

Quote:
Security wise, from a pragmatic standpoint, Firefox is just as secure as the rest of them, especially on Linux.

I don't think so. Chrome wins the security battle hands down, even on Linux.
  #3  
Old October 15th, 2012, 01:21 PM
Mman79 Mman79 is offline
Very Frequent Poster
 
Join Date: Sep 2012
Location: North America
Posts: 1,713
Default Re: The Browser State

Quote:
Originally Posted by chronomatic
I don't think so. Chrome wins the security battle hands down, even on Linux.

I agree with that. I certainly wouldn't call Firefox insecure, but there's no doubt whatsoever that Chrome was designed with security in mind and has much stronger default security. Firefox can be locked down via extensions which is great of course, but out of the box Chrome beats it by a pretty good amount.

As to Flash, I would want to reassess my browser situation far sooner than 4-5 years down the road. That doesn't seem to be very good advice, especially for a new user. I want my new users to have to do as little as possible, whether through repository searching or manually tweaking/updating software choices. Yes, you need to leave the "safety" of the repositories for Chrome. However, what you get in return is a lot more safety in your everyday browsing and the ability to not have to deal with insecure and outdated plugins and updating.
  #4  
Old October 15th, 2012, 02:16 PM
Mrkvonic Mrkvonic is offline
Linux Systems Expert
 
Join Date: May 2005
Posts: 7,465
Default Re: The Browser State

Well, security being discussed on a security forum, how quaint.

How exactly, apart from personal feeling, is Firefox any less secure than the rest? Not scare articles by security companies, not pseudo-scenarios, not the list of how many vulnerabilities being counted and patches as any measure of security. Real life examples please.

And the focus is NOT just security - other things come into mind, try to address those too dear fellas.

Mrk
__________________
http://www.dedoimedo.com

All your base are belong to us

Linux Systems Expert / Systems Programmer, Linux System Administrator, LPIC-1, LPIC-2 (WIP), GSEC, CCHD, CCHA
  #5  
Old October 15th, 2012, 09:48 PM
Hungry Man Hungry Man is offline
Incredibly Massive Poster
 
Join Date: May 2011
Posts: 8,519
Default Re: The Browser State

You consider everything a scare article/ pseudo-scenario Mrkvonic.

If we take the assumption that least privilege makes a difference in security, and I think that most people would agree on this, it's clear to see which browser implements that least privilege better.

Yes, this is "theory". It's not based on someone being attacked in the wild (although obviously there have been Firefox attacks in the wild, there are Metasploit modules for it, and there aren't for Chrome) it's based on what we know makes a program secure.
  #6  
Old October 15th, 2012, 11:50 PM
Wild Hunter Wild Hunter is offline
Former Poster
 
Join Date: Oct 2012
Posts: 1,375
Default Re: The Browser State

I'm in a tiny minority then. I don't have any kind of "faith" in web browsers, I change my favs very often and I don't hesitate to test and use non-mainstream browsers.

BTW, Midori now has a gold version for Windows: http://twotoasts.de/?/pages/midori_summary.html
  #7  
Old October 16th, 2012, 12:10 AM
Mman79 Mman79 is offline
Very Frequent Poster
 
Join Date: Sep 2012
Location: North America
Posts: 1,713
Default Re: The Browser State

Quote:
Originally Posted by Mrkvonic
Well, security being discussed on a security forum, how quaint.

How exactly, apart from personal feeling, is Firefox any less secure than the rest? Not scare articles by security companies, not pseudo-scenarios, not the list of how many vulnerabilities being counted and patches as any measure of security. Real life examples please.

And the focus is NOT just security - other things come into mind, try to address those too dear fellas.

Mrk

One thing alone makes Chrome more secure... its sandbox. We can also talk about separation of tabs in which if two tabs are open and something bad happens to one tab, the other is safe. Firefox doesn't do that. Personal feeling has nothing to do with it, and I'm not sure why a member who has so many great articles on his website and is usually right on would even bother to argue over the security merits of Chrome vs Firefox. I would think they would be crystal clear to you.
  #8  
Old October 16th, 2012, 01:18 AM
ComputerSaysNo ComputerSaysNo is offline
Very Frequent Poster
 
Join Date: Aug 2012
Posts: 1,086
Default Re: The Browser State

I have more faith in Chrome than I do Firefox. But that's just me. Honestly Chrome getting popped is rare at the moment, sure once every pwnium it gets owned but that's pretty rare.

I'm also turned off at the direction Mozilla has taken with these monthly updates, really get your stuff in order and bring in an auto update like Chrome.
  #9  
Old October 16th, 2012, 01:22 AM
Mman79 Mman79 is offline
Very Frequent Poster
 
Join Date: Sep 2012
Location: North America
Posts: 1,713
Default Re: The Browser State

Quote:
Originally Posted by ComputerSaysNo
I have more faith in Chrome than I do Firefox. But that's just me. Honestly Chrome getting popped is rare, sure once every pwnium it gets owned but that's pretty rare.

That won't last, I mean its rare attacks. Eventually it will become easier to break, but Chrome is extremely fast in getting patched. If Google doesn't start taking more responsibility for its Chrome store and paying more attention, attacks will come more frequently. You simply just cannot half-butt it like Google seems content to do.
  #10  
Old October 16th, 2012, 01:33 AM
ComputerSaysNo ComputerSaysNo is offline
Very Frequent Poster
 
Join Date: Aug 2012
Posts: 1,086
Default Re: The Browser State

Quote:
Originally Posted by Mman79
That won't last, I mean its rare attacks. Eventually it will become easier to break, but Chrome is extremely fast in getting patched. If Google doesn't start taking more responsibility for its Chrome store and paying more attention, attacks will come more frequently. You simply just cannot half-butt it like Google seems content to do.

I think it's getting harder to attack Chrome, not easier. They are very serious about bugs hence the $2 Million bug bounty they have put out.
  #11  
Old October 16th, 2012, 01:36 AM
Mman79 Mman79 is offline
Very Frequent Poster
 
Join Date: Sep 2012
Location: North America
Posts: 1,713
Default Re: The Browser State

Quote:
Originally Posted by ComputerSaysNo
I think it's getting harder to attack Chrome, not easier. They are very serious about bugs hence the $2 Million bug bounty they have put out.


That's very true. But the one rule in security you should never forget is that the bad guys are always ahead of the good guys. Neither Google nor any other security vendor can stay ahead of or even keep up with threats. It will always be cat and mouse and, if you've ever watched Tom and Jerry cartoons, the mouse is one smart, determined creature.
  #12  
Old October 18th, 2012, 11:36 PM
BrandiCandi
 
Posts: n/a
Default Re: The Browser State

I have found it impossible to get Flash working properly in Firefox on one distro. Chrome comes with Flash installed already, so I prefer it for web apps that require Flash (Nessus for example). And of course we all deal with the Windows apps that only run in IE.

So my conclusion is that the best browser is the one that gets the job done, depending on whatever the job is at any given time.
  #13  
Old October 19th, 2012, 03:11 AM
SpikeyB SpikeyB is offline
Frequent Poster
 
Join Date: Mar 2005
Posts: 464
Default Re: The Browser State

Quote:
Originally Posted by Hungry Man
You consider everything a scare article/ pseudo-scenario Mrkvonic.

That is probably because he is a scientist and wants facts and evidence rather than anecdote and speculation.
  #14  
Old October 19th, 2012, 03:29 AM
Hungry Man Hungry Man is offline
Incredibly Massive Poster
 
Join Date: May 2011
Posts: 8,519
Default Re: The Browser State

There's nothing wrong with it. I know plenty of people who I respect who also follow that same line of reasoning.

There are a lot of different views when it comes to security. Some people need the exploit out in the wild and running on systems to feel that a vulnerability is a security threat and others feel that just the idea of that vulnerability existing is a security threat.
  #15  
Old October 19th, 2012, 05:40 PM
chronomatic chronomatic is offline
Very Frequent Poster
 
Join Date: Apr 2009
Posts: 1,324
Default Re: The Browser State

Quote:
Originally Posted by SpikeyB
That is probably because he is a scientist and wants facts and evidence rather than anecdote and speculation.

There's no speculation. Chrome is more secure by default than Firefox mostly because of its sandboxing technology which Firefox doesn't have.
  #16  
Old October 21st, 2012, 04:13 AM
SpikeyB SpikeyB is offline
Frequent Poster
 
Join Date: Mar 2005
Posts: 464
Default Re: The Browser State

Quote:
Originally Posted by chronomatic
There's no speculation. Chrome is more secure by default than Firefox mostly because of its sandboxing technology which Firefox doesn't have.

Thank you, you have just demonstrated my point exactly.
  #17  
Old October 21st, 2012, 12:45 PM
noone_particular noone_particular is offline
Very Frequent Poster
 
Join Date: Aug 2008
Posts: 1,891
Default Re: The Browser State

One factor I didn't see mentioned is trust. I have to trust what I use, or at the very least be able to mitigate those aspects of the application, OS, etc that I don't trust. For me, Chrome is a no go because I don't trust the company behind it. AFAIC, any gain in security provided by Chrome is offset by the privacy implications. IMO, its built in sandbox is overrated. It's already part of the same old penetrate, patch, repeat game. Another instance of the same old story. Given a choice, I'll take a separate sandbox from a company with no ties to user applications such as browsers.
__________________
Sitting in a bunker, here behind my wall, waiting for the worms to come.
  #18  
Old October 21st, 2012, 01:28 PM
tlu tlu is offline
Very Frequent Poster
 
Join Date: Sep 2004
Posts: 2,076
Default Re: The Browser State

Just my 2 or 3 cents:

1. There is no doubt that the Chrome sandbox(es) is (are) great, and I wish that Mozilla will implement the planned Firefox sandbox, which has a high priority in their Security Roadmap, better sooner than later.

2. However, there are threats where a sandbox doesn't really help. XSS is rather widespread, and so is Clickjacking. While Chrome does protect against XSS via their XSS Auditor, and it obviously also has some protection against Clickjacking (although I couldn't find any details), the question remains if it is on par with Firefox in combination with Noscript in those areas. I haven't seen any related detailed research.

3. Brian Krebs recently compared the leading browsers and wrote:
Quote:
If we count just the critical zero-days, there were at least 89 non-overlapping days (about three months) between the beginning of 2011 and Sept. 2012 in which IE zero-day vulnerabilities were actively being exploited....
For that same time period, I couldn’t find any evidence that malicious hackers had exploited publicly-disclosed vulnerabilities in Chrome or Firefox before those flaws were fixed.

Thus, from a practical, real-world point of view, the threat situation for Firefox users isn't really worse compared to Chrome users.

To sum up: While Chrome undoubtedly offers technological advantages, Firefox is still a good choice if it comes to security - particularly if it's apparmored
  #19  
Old October 21st, 2012, 02:30 PM
Mman79 Mman79 is offline
Very Frequent Poster
 
Join Date: Sep 2012
Location: North America
Posts: 1,713
Default Re: The Browser State

Quote:
Originally Posted by noone_particular
One factor I didn't see mentioned is trust. I have to trust what I use, or at the very least be able to mitigate those aspects of the application, OS, etc that I don't trust. For me, Chrome is a no go because I don't trust the company behind it. AFAIC, any gain in security provided by Chrome is offset by the privacy implications. IMO, its built in sandbox is overrated. It's already part of the same old penetrate, patch, repeat game. Another instance of the same old story. Given a choice, I'll take a separate sandbox from a company with no ties to user applications such as browsers.

I don't agree that the sandbox in Chrome is overrated. It has proved itself in the time it has existed. Certainly it's a part of the patch and repeat game, anyone who thought it wouldn't be was fooling themselves. I agree with you in regards to privacy and trust however. I do not trust Google, and I will not trust Google. I'm not the paranoid, everybody is watching me type of person. I am however the type of person who pays attention, and everything I've seen from Google in the last few years has not given me warm, fuzzy feelings.

Of course, everything involving the Internet itself these last few years has not comforted me. But that would be an entirely different topic
  #20  
Old October 21st, 2012, 02:39 PM
wat0114 wat0114 is offline
Frequent Poster
 
Join Date: Aug 2012
Location: Canada
Posts: 753
Default Re: The Browser State

Nothing I do on the Internet is going to interest Google anyway, other than my surfing habits might provide them a minuscule and typical sample of the overall Chrome user base, so I've no privacy concern. I like the Chrome browser, especially in its default state, in terms of usability and security, so I use it.
__________________
Win 7x64 Ultimate

SUA | UAC @ Max | AppLocker w/DLL enforcement | Win fw w/advanced security| EMET 3.5 | Chrome w/AdBlock+ | GPO restrictions | Bitlocker and Truecrypt | ShadowProtect images | IFW data backups + dual boot to XP Pro: GPO, SRP, Jetico firewall w/Process Attack filter
  #21  
Old October 21st, 2012, 02:42 PM
Mman79 Mman79 is offline
Very Frequent Poster
 
Join Date: Sep 2012
Location: North America
Posts: 1,713
Default Re: The Browser State

Quote:
Originally Posted by tlu
Just my 2 or 3 cents:

1. There is no doubt that the Chrome sandbox(es) is (are) great, and I wish that Mozilla will implement the planned Firefox sandbox, which has a high priority in their Security Roadmap, better sooner than later.

2. However, there are threats where a sandbox doesn't really help. XSS is rather widespread, and so is Clickjacking. While Chrome does protect against XSS via their XSS Auditor, and it obviously also has some protection against Clickjacking (although I couldn't find any details), the question remains if it is on par with Firefox in combination with Noscript in those areas. I haven't seen any related detailed research.

3. Brian Krebs recently compared the leading browsers and wrote:

Thus, from a practical, real-world point of view, the threat situation for Firefox users isn't really worse compared to Chrome users.

To sum up: While Chrome undoubtedly offers technological advantages, Firefox is still a good choice if it comes to security - particularly if it's apparmored

In my own opinion, NoScript has no equal. There should be no argument that Chrome security measures are strong and effective. But Chrome security is based on mitigating damage for the most part, where NoScript doesn't do any damage control, it simply doesn't let any damage happen. On the other hand, Chrome security is a hands-off approach for users and NoScript needs some babysitting. Both work very well, they simply operate differently.

If I absolutely was forced to pick one option, and felt like dealing with a hands-on approach (I'm not lazy per se, I'm just not the "babysitting" type.), I would pick Firefox with NoScript and Sandboxie without even making an attempt to think it over. Firefox can really be that strong if you just take the time to handcraft your setup.

As to the Firefox sandbox, that has been a long time coming and I too hope they'll settle down some with some of the less needed bloat like social implementation and work on seemingly left behind projects like the sandbox. As a developer, I personally would work on my weaknesses before I ever thought about the "cool toys".
  #22  
Old October 21st, 2012, 10:17 PM
ComputerSaysNo ComputerSaysNo is offline
Very Frequent Poster
 
Join Date: Aug 2012
Posts: 1,086
Default Re: The Browser State

Yes NoScript is the business, but Firefox is lagging behind Chrome in security these days.
  #23  
Old October 21st, 2012, 10:23 PM
Mman79 Mman79 is offline
Very Frequent Poster
 
Join Date: Sep 2012
Location: North America
Posts: 1,713
Default Re: The Browser State

Quote:
Originally Posted by ComputerSaysNo
Yes NoScript is the business, but Firefox is lagging behind Chrome in security these days.

So are the other vendors. No one, not even IE has the mechanisms in place Chrome does. It's a bit humorous that everyone has copied every other aspect of Chrome almost except security. With NoScript however, I'd argue that those mechanisms aren't needed as much. Again, it's about lack of damage period rather than damage control. That's not taking anything away from what Chrome has done though. Google raised the bar high.
  #24  
Old October 22nd, 2012, 08:48 PM
BrandiCandi
 
Posts: n/a
Default Re: The Browser State

Just to stir the pot...

I was able to perform a cross-site scripting attack on Chrome much easier than on Firefox.

It was a confined test on my own closed system. But I had standard out-of-the-box Chrome & Firefox browsers running, no alterations.
  #25  
Old October 22nd, 2012, 09:20 PM
Mman79 Mman79 is offline
Very Frequent Poster
 
Join Date: Sep 2012
Location: North America
Posts: 1,713
Default Re: The Browser State

Quote:
Originally Posted by BrandiCandi
Just to stir the pot...

I was able to perform a cross-site scripting attack on Chrome much easier than on Firefox.

It was a confined test on my own closed system. But I had standard out-of-the-box Chrome & Firefox browsers running, no alterations.

An XSS attack made easier through a "naked" Chrome was easier than through a naked Firefox? I'm genuinely surprised and curious. I understood Chrome to have weaknesses in that area, but I would have placed my bets on Chrome being more difficult to work against than Firefox, especially right out of the box.
 

All times are GMT -4.