Wilders Security Forums  

  #126  
October 21st, 2011, 11:14 AM
funkydude
Incredibly Massive Poster
Join Date: Apr 2004
Posts: 6,017
Re: Is Firefox still the safest web browser?

Quote:
Originally Posted by Hungry Man
http://www.winrumors.com/mozilla-pic...ity-test-site/

Make of it what you will.

As I said before, some browsers are objectively more secure in some areas; it's how you subjectively weigh those areas that decides what you believe.

I personally consider IE9 and Chrome to be the two most secure.


HSTS isn't an official spec by any means. IE9 didn't implement WebSockets because at the time it was an unstable and unofficial spec, yet now that's changed and IE10 implements it; the same will probably happen with HSTS if it becomes official.

I also wouldn't class HSTS as "securing your browser". It just reinforces SSL/TLS connections, but it's not going to stop you from the next exploit or malware attack.
__________________
OpenDNS with DNSCrypt

SSD: Windows 8 Pro x64 | IE10 (Enhanced Protected Mode) & Fanboy's TPLs
HDD: Xubuntu 12.04 LTS (x64) | Firefox: ABP(Fanboy's list) & HTTPS Everywhere
  #127  
October 21st, 2011, 11:15 AM
tlu
Very Frequent Poster
Join Date: Sep 2004
Posts: 2,076
Re: Is Firefox still the safest web browser?

Quote:
Originally Posted by wat0114
Right, although I'm pretty confident with what I've achieved through here and here.

Pretty impressive. Although these measures wouldn't help against the mentioned XSS and ClearClicking issues (providing that they still exist in IE).
  #128  
October 21st, 2011, 11:22 AM
tlu
Very Frequent Poster
Join Date: Sep 2004
Posts: 2,076
Re: Is Firefox still the safest web browser?

Quote:
Originally Posted by funkydude
I also wouldn't class HSTS as "securing your browser". It just reinforces SSL/TLS connections, but it's not going to stop you from the next exploit or malware attack.

No, but Content Security Policy (CSP) does that. LastPass, e.g., is using that.
  #129  
October 21st, 2011, 11:33 AM
wat0114
Posts: n/a
Re: Is Firefox still the safest web browser?

Quote:
Originally Posted by tlu
Pretty impressive. Although these measures wouldn't help against the mentioned XSS and ClearClicking issues (providing that they still exist in IE).

Thanks tlu! From an IE 8 SCM Toolkit document:

Quote:
Security and Privacy Features in Internet Explorer 8
User safety, choice, and control are key themes in Internet Explorer 8, which includes many innovations that contribute to a more trustworthy Web browsing experience. This section introduces some of the security and privacy features and technologies offered in Internet Explorer 8 including:
• SmartScreen Filter
• Phishing and Malware Protection
• ClickJacking
• Cross-Site Scripting (XSS) Filter
• Domain Highlighting
• Internet Explorer Protected Mode
• ActiveX Opt-In
• InPrivate Browsing
• InPrivate Filtering

From IE8 it looks as though there is at least some level of protection against XSS & clickjacking. Of course I have no idea how effective it is, but it seems to be there and I know I've enabled it in the GP editor.

My apologies for taking this thread OT.
  #130  
October 21st, 2011, 12:03 PM
dw426
Massive Poster
Join Date: Jan 2007
Posts: 5,543
Re: Is Firefox still the safest web browser?

Quote:
Originally Posted by guest
@dw

Oh yeah, SmartScreen is totally useless. Who cares about phishing or malware? And only Chrome provides true sandbox... Oh wait. This plenty of information seems all wrong... But then again there is always the fanboy accusation. Which is funny because I don't even use IE as my default browser.

If it sounds like a fanboy statement, it is one. Regardless, I'm not going to bicker. I never once said SmartScreen is "useless"... here we have another case of someone not reading again. All I said was that I believed Chrome to be the more secure option due to what I considered a "true sandbox". I also stated that comparing SmartScreen to sandboxing was ridiculous, and I still mean that. SmartScreen is nothing more than a scanner at heart, that's it. It relies on a list, and lists do very little in today's world.

@CJsDad: Yes, I meant Sandboxie with another browser. There aren't any conflicts between Sandboxie and Chrome that I am aware of at the moment.
  #131  
October 21st, 2011, 12:14 PM
CJsDad
Frequent Poster
Join Date: Jan 2006
Posts: 614
Re: Is Firefox still the safest web browser?

@ dw426 Thanks

@ moontan thanks, but now I have another question. Can you please further explain why you feel there is no need to run Chrome along with Sandboxie? Thanks.

Amazing how this thread has turned out in helping me learn more about the functions of browsers, good job people, keep it coming

Last edited by CJsDad : October 21st, 2011 at 12:20 PM.
  #132  
October 21st, 2011, 12:16 PM
Hungry Man
Incredibly Massive Poster
Join Date: May 2011
Posts: 8,519
Re: Is Firefox still the safest web browser?

Here's the thing about clickjacking / malicious JS / whatever. How does it affect me as a Chrome user?

I haven't seen a single drive-by exploit** for Chrome. So... who cares what I click?


**Exploit that initiates the download and executes the file without user interaction.

Some things I'm worried about and some things I'm not. I still recognize them as valid dangers - clickjacking is an issue - but I don't worry about it nearly as much as a Flash exploit, which I can do much less to control.
__________________
  #133  
October 21st, 2011, 12:32 PM
atomomega
Very Frequent Poster
Join Date: Jul 2010
Posts: 1,147
Re: Is Firefox still the safest web browser?

Quote:
Originally Posted by strongsword
Re: Is Firefox still the safest web browser?

IME, I decided to test it by myself so I decided to install FF and GC on the same machine... truth be told... extensions (in case of GC) and add-ons (in case of FF) make me feel both can achieve a great level of security... enough for me.
  #134  
October 21st, 2011, 12:57 PM
wat0114
Posts: n/a
Re: Is Firefox still the safest web browser?

A couple of interesting clickjacking-related links; the second one in particular is of interest because it applies to 3rd party browsers as well.

-http://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx

-http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx
  #135  
October 21st, 2011, 01:14 PM
moontan
Massive Poster
Join Date: Sep 2010
Location: Québec
Posts: 3,180
Re: Is Firefox still the safest web browser?

Quote:
Originally Posted by CJsDad

@ moontan thanks, but now I have another question. Can you please further explain why you feel there is no need to run Chrome along with Sandboxie? Thanks.

because Chrome is sandboxed already.

Chrome's sandbox might be as good as SBie or not, i'm no expert.
but for me it is quite sufficient.
and the less of these bloody security apps i have to install and babysit the better.

i am not overly concerned about social engineering, only exploits.
and Chrome is very well protected against exploits.
__________________
| Xubuntu || NoScript || Image for Linux + BootIt Bare Metal |

Last edited by moontan : October 21st, 2011 at 01:21 PM.
  #136  
October 21st, 2011, 01:15 PM
tlu
Very Frequent Poster
Join Date: Sep 2004
Posts: 2,076
Re: Is Firefox still the safest web browser?

Quote:
Originally Posted by wat0114
A couple of interesting clickjacking-related links; the second one in particular is of interest because it applies to 3rd party browsers as well.

-http://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx

-http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

Okay, but that means that a website must use the X-FRAME-HEADER to have the browser use that security feature. I don't know how many sites do that (and with which tokens). The Clickjacking protection in NoScript works without that, though - regardless if a website uses that HTTP header or not.
  #137  
October 21st, 2011, 01:22 PM
Hungry Man
Incredibly Massive Poster
Join Date: May 2011
Posts: 8,519
Re: Is Firefox still the safest web browser?

I personally would not run Chrome in Sandboxie. It offers no further protection (except for Java) and increases the browser's attack surface.

Chrome has no need for Sandboxie. It already has protection from exploits and it's got a great track record - a single undisclosed exploit on the Flash Player after three years.

You can get the same level of security simply sandboxing your downloads folder. In fact I'd say you can get even better security having a downloads-folder-specific sandbox because you won't have to give it access to places you'd give Chrome access to and definitely no internet access.
__________________
  #138  
October 21st, 2011, 02:59 PM
Baserk
Frequent Poster
Join Date: Apr 2008
Location: Amstelodamum
Posts: 975
Re: Is Firefox still the safest web browser?

Quote:
Originally Posted by tlu
Okay, but that means that a website must use the X-FRAME-HEADER to have the browser use that security feature. I don't know how many sites do that (and with which tokens). The Clickjacking protection in NoScript works without that, though - regardless if a website uses that HTTP header or not.

Exactly. The same with Chrome.
From the Google Browser Security Handbook:
'So far, the only freely available product that offers a reasonable degree of protection against the possibility is NoScript (with the recently introduced ClearClick extension). To a much lesser extent, an opt-in defense is available in Microsoft Internet Explorer 8, Safari 4, and Chrome 2, through a X-Frame-Options header (reference), enabling pages to refuse being rendered in any frames at all (DENY), or in non-same-origin ones only (SAMEORIGIN).' link

NoScript offers this functionality without having to rely on the goodwill/expedience of every single webmaster/website dept. on earth.
Whatever opinions some folks seem to have about Giorgio Maone as a dev or the functionalities of lesser imitations as ScriptNot, NoScript indeed offers browser protection against ClickJacking (and more) like no other add-on.
As f.i. listed in a previous post, about MS stating that IE8/IE9 offers protection against ClickJacking, if only every single website on earth will adapt, seems somewhat laughable in comparison.
__________________
ROMANES EUNT DOMUS
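
The opt-in X-Frame-Options behaviour discussed in the posts above (DENY, SAMEORIGIN, or no header at all), as an added JavaScript example that is not part of any post in this thread. The header sets, hosts and function names are constructed for illustration, and treating an unrecognised value as no protection is an assumption of the example.

```javascript
// Added example, not from the thread. Sample responses are constructed.

// Return the X-Frame-Options token of a response (upper-cased), or null.
function frameOptionsToken(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === 'x-frame-options') {
      return String(value).trim().toUpperCase();
    }
  }
  return null;
}

// Would a browser that honours the header render pageUrl inside a frame
// on parentUrl? Without the header the site has not opted in.
function mayBeFramed(headers, pageUrl, parentUrl) {
  const token = frameOptionsToken(headers);
  if (token === null) return { allowed: true, reason: 'no header (site did not opt in)' };
  if (token === 'DENY') return { allowed: false, reason: 'DENY' };
  if (token === 'SAMEORIGIN') {
    const same = new URL(pageUrl).origin === new URL(parentUrl).origin;
    return { allowed: same, reason: same ? 'SAMEORIGIN: same origin' : 'SAMEORIGIN: cross origin' };
  }
  // Assumption of this example: an unrecognised value gives no protection.
  return { allowed: true, reason: 'unrecognised value: ' + token };
}

// Count which tokens a set of responses uses ("how many sites, which tokens").
function auditTokens(responses) {
  const counts = {};
  for (const r of responses) {
    const token = frameOptionsToken(r.headers) ?? 'NONE';
    counts[token] = (counts[token] || 0) + 1;
  }
  return counts;
}

// Constructed sample responses (hypothetical hosts under example.test).
const SAMPLES = [
  { url: 'https://bank.example.test/transfer', headers: { 'X-Frame-Options': 'DENY' } },
  { url: 'https://mail.example.test/inbox', headers: { 'x-frame-options': ' sameorigin ' } },
  { url: 'https://shop.example.test/cart', headers: { 'Content-Type': 'text/html' } },
  { url: 'https://blog.example.test/', headers: { 'X-Frame-Options': 'NEVER' } },
];

const FRAMING_PAGE = 'https://other.example.test/page.html';
for (const s of SAMPLES) {
  const verdict = mayBeFramed(s.headers, s.url, FRAMING_PAGE);
  console.log(s.url, '->', verdict.allowed ? 'framable' : 'blocked', '(' + verdict.reason + ')');
}
console.log(auditTokens(SAMPLES));
```

Only the first two sample sites are protected when framed from another origin; the third never sent the header, which is the gap the posts above point out for header-based defenses.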
  #139  
October 21st, 2011, 03:47 PM
CJsDad
Frequent Poster
Join Date: Jan 2006
Posts: 614
Re: Is Firefox still the safest web browser?

Would it be worth it to run NoScript and Sandboxie together w/ Firefox?
  #140  
October 21st, 2011, 03:49 PM
dw426
Massive Poster
Join Date: Jan 2007
Posts: 5,543
Re: Is Firefox still the safest web browser?

Quote:
Originally Posted by CJsDad
Would it be worth it to run NoScript and Sandboxie together w/ Firefox?

If you can handle white-listing websites, then yes it would. Sandboxie will do a LOT of the protection work for you, but NoScript will speed up page loading and handle extras like cross-script attacks and such.
  #141  
October 21st, 2011, 04:05 PM
CJsDad
Frequent Poster
Join Date: Jan 2006
Posts: 614
Re: Is Firefox still the safest web browser?

Much thanks dw426
  #142  
October 21st, 2011, 06:08 PM
J_L
Massive Poster
Join Date: Nov 2009
Posts: 4,867
Re: Is Firefox still the safest web browser?

Quote:
Originally Posted by strongsword
Apparently Lynx Browser is also a choice

Might even beat Chrome lol, very little run on there.
__________________
  #143  
October 21st, 2011, 07:44 PM
Hungry Man
Incredibly Massive Poster
Join Date: May 2011
Posts: 8,519
Re: Is Firefox still the safest web browser?

Lynx is secure in that you can't access 99% of a webpage.

It's insecure in that it does nothing to stop the 1% from hurting a user.
__________________
  #144  
October 21st, 2011, 09:20 PM
J_L
Massive Poster
Join Date: Nov 2009
Posts: 4,867
Re: Is Firefox still the safest web browser?

What is the 1%? Other than downloads.
__________________
  #145  
October 21st, 2011, 09:27 PM
Hungry Man
Incredibly Massive Poster
Join Date: May 2011
Posts: 8,519
Re: Is Firefox still the safest web browser?

Exploits in the browser still exist. It's a reasonably complex program, which means we can be fairly certain that an exploit exists.

It does have security through obscurity though but I personally don't consider that security.
__________________
  #146  
October 21st, 2011, 09:31 PM
wat0114
Posts: n/a
Re: Is Firefox still the safest web browser?

Lynx is a text only browser. Fine for those who want to surf uneventfully in the stone age.
  #147  
October 21st, 2011, 10:54 PM
vasa1
Massive Poster
Join Date: May 2010
Posts: 3,989
Re: Is Firefox still the safest web browser?

Quote:
Originally Posted by guest
That latest IE is safer than latest Chrome thanks to SmartScreen.

Provided the figures are correct and correctly interpreted.
  #148  
October 22nd, 2011, 01:15 AM
Daveski17
Massive Poster
Join Date: Nov 2008
Location: Lloegyr
Posts: 5,404
Re: Is Firefox still the safest web browser?

Quote:
Originally Posted by vasa1
Provided the figures are correct and correctly interpreted.

I suppose it all depends on if those figures are from Microsoft or from an independent source. Sometimes figures can be massaged somewhat. Sometimes there are pork pies.
__________________
Quis custodiet ipsos custodes?
  #149  
October 22nd, 2011, 04:57 AM
Kees1958
Massive Poster
Join Date: Jul 2006
Posts: 5,857
Re: Is Firefox still the safest web browser?

Quote:
Originally Posted by moontan
you're late to the party, Firefox hasn't been the safest browser for a few years.

Firefox and Opera don't have any type of 'sandboxing'.

which leaves IE9 and Chrome for the top spot, as far as security goes.
IE9 is better for 'social engineering' type of malware.
Chrome is better vs exploits.

of course, any browser can be made as secure as you want with extra security added in.
but 'out of the box'; definitely Chrome and IE9 are the safest.

Second that when you run Windows 7. Just read this thread (where I showed that FF was making up ground) http://www.wilderssecurity.com/showthread.php?t=272374

IMO FF had an advantage up to IE6 and possibly on IE7 because the FF community took real pride in fixing bugs way earlier than Microsoft.

The launch of Chrome was considered a knife in the back (Google sponsors Mozilla development substantially).
http://www.zdnet.com/blog/btl/mozill...iversify/27670

Because Chrome outpaced development of any browser with 6 weeks releases, the FF developers community is now entangled in a release-to-market race. This focus on new functionality has dropped bug fixing considerably and way too many bugs are open for too long.

Big names in the FF community are disappointed in the release-race and the bug-legacy. Some of them decided to stop with FF/Mozilla. http://news.slashdot.org/story/11/08...r-bug-handling

Just my 2 cents

Last edited by Kees1958 : October 22nd, 2011 at 10:58 AM.
  #150  
October 22nd, 2011, 07:47 AM
vasa1
Massive Poster
Join Date: May 2010
Posts: 3,989
Re: Is Firefox still the safest web browser?

Quote:
Originally Posted by Kees1958
...
The launch of Chrome was considered a knife in the back (Google sponsors Mozilla development substantially).
http://www.zdnet.com/blog/btl/mozill...iversify/27670

Because Chrome outpaced development of any browser with 6 weeks releases, the FF developers community is now entangled in a release-to-market race. This focus on new functionality has dropped bug fixing considerably and way too many bugs are open for too long.

Big names in the FF community are disappointed in the release-race and the bug-legacy. Some of them decided to stop with FF/Mozilla.

Just my 2 cents

2 cents, exactly.
 

All times are GMT -4.