Is Firefox still the safest web browser?

Discussion in 'other software & services' started by strongsword, Oct 19, 2011.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Er, what are you trying to say?
     
  2. guest

    guest Guest

    That latest IE is safer than latest Chrome thanks to SmartScreen.
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    And how does smartscreen protect you from Flash exploits?

    I think that depending on the user IE9 can be more secure than Chrome. But it's less clear cut than Chrome v Firefox or Chrome v Opera.
     
  4. guest

    guest Guest

    I am talking about out-of-the-box. IE doesn't come with Flash out-of-the-box... Anyways latest IE isolates all plugins and latest Flash updates itself automatically.
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Link to info on isolated flash?
     
  6. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    My "absolutist" statement is fact well backed up by plenty of information. So, no, there are no denials, just fanboys. Smartscreen does not isolate anything. It's nothing more than a built in scanner that can and has failed. You seriously think a scanner is more secure than a sandbox?
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Well, I think it depends on the scanner and the sandbox. Chrome's sandbox does not attempt to isolate files that the user downloads. IE9 does block/allow.

    Is that secure? I personally don't think so - anything that interacts with a user is inherently insecure. Is it effective? Not sure.

    The point is that they're both trying to accomplish two different things.

    Chrome and IE9 have very similar security policies, both run at Low Integrity with sandboxed tabs. I personally hold Flash exploits to be a bigger security hole over socially engineered malware. I also really hate blacklists and anything that bugs me with popups.
     
  8. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Isolating files downloaded won't matter really, so it's not a weakness of Chrome, in my opinion. Also, 9 times out of 10 a user clicks allow, so why bother? I know IE 9 isolates its tabs and the plugins running in the tab, but I don't think there is a true "sandbox". It's basically more crash protection than anything I think. Chrome, however, truly isolates the plugins (minus the glaring exception of Java). To me, that is far and away more secure. Either way it's ridiculous to use Smartscreen as an example of IE 9 being more secure than Chrome, considering what it actually is.
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I don't think Chrome isolates any plugins other than Flash.

    As for IE9 it uses Low Integrity, which is indeed a full and proper sandbox.

    I don't know that it runs Flash at low integrity though. If it does that's fairly powerful. Not as powerful as Chrome's but still.
     
  10. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    But how is running at low integrity, which is basically permissions, the same as a sandbox? My thinking of a sandbox is isolating whatever happens in it, whether it's high, medium or low integrity. I also thought that it was possible to sandbox Silverlight as well in Chrome? I thought there was just some weird quirk with Java that kept it from being sandboxed.

    Edit: I remember a thread here about adding lines to the Chrome executable that allowed more plugins to be isolated, including Java, but that Java tended to crash everything when it was tried, more often than not.
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    A sandbox is (or can be) just a restriction on permissions. If I restrict write access to only low integrity areas (which is what running at low integrity is) it's sandboxing.

    I don't believe there is a Silverlight sandbox. Chrome's specific sandbox is incompatible with Java or in reality Oracle was unwilling to change to work with the sandbox.

    Flash is the only sandboxed plugin except possibly the updater.
     
  12. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Oracle..lol, I won't even get started on that company. Well, okay, I had always thought of a sandbox as allowing things to happen, but never really affecting anything, much like Sandboxie. Integrity in my mind was about limiting damage, not keeping the damage from happening at all.
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Sandboxie uses virtualization, which is commonly utilized in sandboxes. It's a powerful technique but sandboxing itself just means restrictions in general on a file/application.

    The idea of a sandbox in general is to limit. In the case of sandboxie a file is limited from touching the file system, it's stuck in a virtualized area. Its limitations are broken by the user when the user assigns access to an area.

    Integrity is the same thing. If I run an application at low integrity it's stuck in a portion of the file system. The only difference is that the file system is legitimate and not virtualized.
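
Added example, not part of the original thread or any poster's words: a simplified Python model of the distinction drawn in posts 11 and 13, an integrity-level write check (no-write-up, applied to the real file system) beside a Sandboxie-style redirected write. The paths, labels and function names are constructed for illustration; this is not Windows or Sandboxie code.

```python
from enum import IntEnum

class Integrity(IntEnum):
    LOW = 0x1000     # RID in S-1-16-4096
    MEDIUM = 0x2000  # RID in S-1-16-8192
    HIGH = 0x3000    # RID in S-1-16-12288

# Constructed sample objects and labels; unlabelled objects count as Medium.
CACHE = r"C:\Users\alice\AppData\LocalLow\cache.dat"
NOTES = r"C:\Users\alice\Documents\notes.txt"
LABELS = {CACHE: Integrity.LOW, NOTES: Integrity.MEDIUM}

def new_fs():
    """Fresh model file system: every sample object starts unmodified."""
    return {path: "original" for path in LABELS}

def mic_write(level, path, fs):
    """Integrity check (no-write-up): deny if the object outranks the caller."""
    if LABELS.get(path, Integrity.MEDIUM) > level:
        return "denied"
    fs[path] = "modified"  # an allowed write changes the real file system
    return "written"

def virtual_write(path, sandbox):
    """Virtualization: the write always succeeds, but into a private copy."""
    sandbox[path] = "modified"
    return "redirected"

def virtual_read(path, fs, sandbox):
    """The sandboxed program sees its own copy first, then the real file."""
    return sandbox.get(path, fs.get(path))

def compare(level=Integrity.LOW):
    """Attempt the same writes under both models.

    Each row: (integrity result, virtualized result, real file after the
    integrity attempt, real file after the virtualized attempt, what the
    virtualized program reads back).
    """
    mic_fs, sbx_fs, sandbox = new_fs(), new_fs(), {}
    rows = {}
    for path in LABELS:
        rows[path] = (mic_write(level, path, mic_fs),
                      virtual_write(path, sandbox),
                      mic_fs[path], sbx_fs[path],
                      virtual_read(path, sbx_fs, sandbox))
    return rows

if __name__ == "__main__":
    for path, row in compare().items():
        print(path, row)
```
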
     
  14. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Gotcha. Okay, thanks for explaining it to me Hungry.
     
  15. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yep. Any time.
     
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    http://www.winrumors.com/mozilla-picks-holes-in-microsofts-browser-security-test-site/

    Make of it what you will.

    As I said before, some browsers are objectively more secure in some areas; it's how you subjectively weigh those areas that decides what you believe.

    I personally consider IE9 and Chrome to be the two most secure.
     
  17. guest

    guest Guest

    @dw

    Oh yeah, SmartScreen is totally useless. Who cares about phishing or malware? And only Chrome provides true sandbox... Oh wait. This plenty of information seems all wrong... But then again there is always the fanboy accusation. Which is funny because I don't even use IE as my default browser.
     
  18. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I think his point is that blacklists are often circumvented easily and ultimately aren't the best way to secure a system. Some might disagree with that. I would agree though in the case of smart screen I think it can be very helpful.
     
  19. CJsDad

    CJsDad Registered Member

    Joined:
    Jan 22, 2006
    Posts:
    618
    I'm not sure I understand this.
    Do you mean Sandboxie w/Chrome or Sandboxie w/Firefox?

    Also, since Chrome has its own sandbox feature would there be some type of conflict running the browser with Sandboxie?
     
  20. wat0114

    wat0114 Guest

    For a long time now I haven't liked the blacklist approach no matter what the application. That said, I keep smartscreen filter forced enabled, since it provides at least some additional security and it's part of the browser, as opposed to a separate program like antivirus, even if it's not as effective as Chrome's sandboxing technique. I use IE because:

    1. I can harden it somewhat through Group Policy

    2. It's far more secure than earlier versions, especially 7 and less.

    3. It supports my goal of achieving a secured system without 3rd-party additions.
     
  21. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    Interesting goal.
     
  22. tlu

    tlu Guest

    Can't this be done with other browsers, too? (I'm asking this because I moved to Linux so I'm no longer that familiar with these things ;) )

    I'm sure it is. Nevertheless, I wonder if the critique presented by Giorgio Maone in former times regarding the inferior protection of IE against XSS and ClickJacking is still valid (I'm just curious). See

    http://hackademix.net/2009/01/28/ie8s-clickjacking-protection-exposed/
    http://hackademix.net/2009/05/19/paypal-xss-an-ie-exclusive/
    http://hackademix.net/2009/11/21/ies-xss-filter-creates-xss-vulnerabilities/

    Has this critique become invalid in the meantime?

    (BTW: Is his remark here that Chrome ships with its XSS auditor disabled still true?)

    Understood, but not a valid goal by itself if at the price of reduced security, IMHO.
     
  23. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    Talking of Opera, it does have some security measures. There are also some security extensions like WOT, Ghostery, VirusTotal Extension, Flag Button & Swiss Knife.
     
  24. wat0114

    wat0114 Guest

    Right, although I'm pretty confident with what I've achieved through here and here.
     
  25. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    Quote:
    Originally Posted by dw426
    Chrome, however, there is no denying it is the safer option, IF you leave out alternatives like Sandboxie. With Sandboxie brought in, it really won't matter.


    he meant SBie + Firefox or Opera.
    i have used Chrome and SBie together in the past.
    i don't anymore because i feel that in my case, SBie is not needed with Chrome.

    keeping in mind of course that what works for me doesn't necessarily work for somebody else.
     