Which is the Most Secure Web Browser?

Okay, you can make Chrome private by
Turn off = Use a web service to help resolve navigation errors
Turn off = Use a prediction service to help complete searches and URLs typed in the address bar
Turn off = Automatically send usage statistics and crash reports to Google
Turn off = Predict network actions to improve page load performance
Turn off = Enable Autofill to fill out forms in a single click
Turn off = Offer to save passwords I enter on the web and select in the advanced section go to the privacy setting and select allow local data to be set until I close my browser and block third party cookies and site data and go into about:flags and enable disable sending hyperlink auditing pings and use Gorhill's extension ublock with dynamic filtering and install EFF's extension HTTPS everywhere. I would also recommend you have enable "click to play" plugins in chrome's settings and disable "Allow some identifiers to be set" and disable "allow sites to see my real location" and disable "allow a site to access my webcam" before I did that I tested it with this program( http://www.telerik.com/fiddler )like 3 years ago and it sent everything you typed to Google when you used Chrome but after you disable the first 4 things I got listed it sends nothing and is private test it with that program.

 

Must read: http://www.insanitybit.com/2012/06/02/the-definitive-guide-for-securing-chrome/ and http://www.insanitybit.com/2012/06/23/srware-iron-browser-a-real-private-alternative-to-chrome-21/ Iron browser is not an alternative at all to any browser it should be banned read the above article.

 

Google Chrome is by faaar the most secure web-browser-everyone knows this, its sandbox is by faaar the toughest you can get.

 

Did it installed fine for you?

I tried it on Win 7 64 but the install gave error about aviatorupdate file in appdata couldn't be accessed. I manually accessed that file & tried running it & got the same error. I checked AV, nothing was blocked. I tried disabling AV & also tried running the installer as admin but same error.

Any info?

 

@Malwar i have the exact same configuration, but since you run ublock with all the Chrome switches, you may as well TURN OFF - "Sending Do Not Track Request". Its just another unnecessary communication.

regards.

 

On the PRO site: it is only a tiny text field see http://en.wikipedia.org/wiki/Do_Not_Track so impact is near zero.
On the CON site: it is supposed to be self regulatory, so a very weak "please do not track me "

 

firefox less secure then internet explorer?

 

Is anyone aware of exploits in the wild last year against a browser, other than those involving Plug-ins (PDF, Flash, Java, etc)?

The only one I know of is CVE-2014-1776 (Internet Explorer Memory Corruption Vulnerability):

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1776

https://cve.mitre.org/news/

From my point of view, exploits against browser plug-ins don't count, because the problem is not the browser, but what the user plugs into the browser.


----
rich

 

I don't use Iron anymore but it isn't scamware. I believe it is even offered in some Linux distros. It can be a tad buggy however, hence why I ceased using it. It was fast though, some tests put it ahead of Chrome. I think that the obsession with browser speed and the results it got prompted some to attack SRWare for a variety of reasons. I'll admit its author was originally pandering to fears about Google's data mining policies in his native Germany. The German government was one of the first EU member states to take Google to task over this issue. Ever since, the faithful devotees of the big 'G' have regarded this browser with suspicion and there is a certain amount of FUD regularly circulated about it. I'll say one thing for Iron, when you uninstall it from Windows, it really does completely go. That's more than can be said for Chrome.

 

It is a shame that it cannot be strictly enforced attentively. To be honest and i doubt many web sites will respect this request, so i figure might as well disable it. As you said very weak.

Sarah Downey, an attorney and privacy advocate who works for the online-privacy firm Abine asserts that, and makes for an interesting read..

"Two big associations, the Interactive Advertising Bureau and the Digital Advertising Alliance, represent 90% of advertisers. Downey says those big groups have devised their own interpretation of Do Not Track. When the servers controlled by those big companies encounter a DNT=1 header, says Downey, "They have said they will stop serving targeted ads but will still collect and store and monetize data.”

www.zdnet.com/article/why-do-not-track-is-worse-than-a-miserable-failure/

regards.

 

Hi,
Yes Aviator installed OK, (Win 7 64 bit) but I don't run an AV - just Voodooshield which I ran in 'install' mode. I used Aviator for a little while but found it a little buggy - for example it never started maximised, and even after changing it to 'start maximised' it still tried to start minimised. Considering it is supposed to be designed for security and safety I was surprised to see that Javascript was enabled by default. I must admit I didn't care for it, but I don't like Chrome either, so uninstalled it and carried on using my trusted Palemoon with Noscript.

Regards

 

Someone earlier asked for the definition of "most secure". I'm not sure that we have an agreed upon definition. So, I'm not sure that you can say "everyone knows this". Furthermore, just to say that Chrome is the most secure doesn't make it so. IMHO, it doesn't really matter which browser you use for "secureness" if you run every browser under Sandboxie. At that point, they all pretty much would have the same degree of "secureness". (Again, depending upon your definition of "secure".)

 

Tried Aviator. Buggy. Uninstalled it a few minutes later. Sticking with Chrome.

 

To me, the most secure web browser is Firefox with NoScript running under Sandboxie. After 6 years of using this combo, I have never seen anything that looks, acts or sounds like malware. Not once. And the best part of it all is that since all sites that I visit function well and I never experience issues between the mentioned programs or slowdowns, etc, I have no need to install another browser. For me, browsing cant get any better.

Bo

 

"Do Not Track" in its current form is a joke, as is anything that requires voluntary cooperation. It's actually more useful to identify those who are concerned about being tracked, being that users need to opt in to it. The only effective anti-tracking measures are those that can be enforced by the user, like those made possible by Request Policy, NoScript, Proxomitron, etc. Defeating all forms of tracking, profiling, and data mining is nearly impossible. Protecting yourself from malicious code is easy by comparison.

I doubt that we could agree on a definition or even what that definition should include. Some consider privacy issues like tracking, data mining and storage, etc as a separate issue. Some feel that they're one and the same. Still others feel that they're separate but completely intertwined. Trying to reach a consensus is pointless. A definition that supports one groups position won't be accepted by the others.

This has been a recurring issue with all security products from the beginning. The issue is the comparing of dissimilar products and vendors exploiting those differences in order to make their products appear superior. This is almost exactly the same issue we've seen with firewalls. Firewalls with HIPS are compared to those that don't have them, then touted as superior. They're never compared to a package that uses a separate firewall and HIPS. Why does a sandbox have to be part of the browser? How about a script filtering browser extension or a filtering proxy?

If you go back 10-15 years, the issue was what should an AV detect? We had anti-virus, anti-trojan, anti-spyware, anti-adware, etc. Each vendor had their own definitions, definitions that were written more for the purpose of promoting their product than protecting the user. This separation resulted in little more than confusion and often missed detections with each saying that the other should have caught it.

For all purposes, this is a variation of the firewall vs security suite marketing which is completely misleading once vendor marketers gets involved. The real issue is combined package (Chrome) vs separate components (browser + SandBoxie for instance). You can't compare dissimilar products and get meaningful results.

 

Mozilla is in the process of implementing Chrome's opensource sandbox code into Firefox. That speaks volumes about how the developers themselves feel.

There is a question here also whether most private also means most secure.

 

IMO, the sandbox should be separate and freestanding, just like firewalls, HIPS, and web content filtering. A sandbox integrated with a browser is only useful to that browser. A freestanding sandbox can be used with any attack surface application. It's the same with content filtering. NoScript only protects the browser that it's installed on. A filtering proxy protects any browser whose traffic is routed through it. Integration also complicates the update process. With an integrated package, you have to update/reinstall the entire package. To fix a browser flaw or a sandbox weakness, you have to replace them both and hope that any custom settings you've made are kept. It's the same for NoScript. If the browser design is altered, NoScript may have to be altered to work on it. Will the new version properly import all of your settings? Will the changes to the browser break some of those settings? With a freestanding filtering proxy, they can update the browser all they want without affecting your filtering. The vendors of extensions like NoScript, Request Policy, etc have better things to do than keeping their work compatible with a moving target.

The developers are obsessed with imitating Chrome. They're not even considering the concept of a freestanding sandbox. By imitating Chrome, they're promoting Chrome. Mozilla has completely lost the ability to think and innovate for themselves.

 

Every time Firefox updates, the developers of add ons have to adapt to browser changes.

You want Mozilla to start a separate development process for a free standing sandbox that will work on Windows, Linux and OsX?

 

There's no reason that a freestanding sandbox has to be theirs. It could be SandBoxie or a separate Open Source project. On non-MS operating systems, it could be part of the OS. They don't have to imitate Chrome. Since Mozilla stopped being themselves, started adopting a corporate mentality, and became more concerned with imitation and market share, their work has steadily gone downhill.

 

Again, Google Chrome, if you count its sandbox, is actually more secure than if you put it under Sandboxie (because, as Yuki said, Google Chrome's sandbox is more restrictive than Sandboxie's untrusted integrity level, plus unlike Sandboxie, Google Chrome and its sandbox do not have access to entire Windows system (while Sandboxie has), while with Sandboxie with internet access restrictions and start/run restrictions you simply can't block drivers and several other crucial components-with Google Chrome you don't have access to drivers or anything else on entire Windows system-so yes Google Chrome is, by faaar, the most secure web-browser of all, when it comes to pure sandboxing technology, implementation and security and protection.

However, if we talk about social engineering, downloading, running and opening files on the net (like pdf readers, Microsoft Office documents and etc.) and similar than Google Chrome is not the most secure this is where Sandboxie comes to the rescue.
Actually in that category, I think so far the most secure web-browser is Internet Explorer 11, while Google Chrome is second.

 

Palemoon here as well with NoScript and Adblock Latitude (EasyPrivacy +EasyList) within the secure walls of Sandboxie. Been using this combo, Palemoon and Sandboxie for about 3 years now since migrating from FF and had nary a problem so far.

 

There was a time when Mozilla was innovative and thought for themselves.
When they came out with a browser to compete against Internet Explorer I jumped
on board and road that train a long time until Mozilla IMO started de-railing the browser.
User imput seemed to take a back seat or ignored when complaints came rolling in.

Sadly I feel those days are gone and devs now seem more interested in chasing after Chrome.


I also setup content filtering that is able to work on different browsers. I do however keep an
older version of Request Policy that works so far even when updating the browser.

Sandboxie still remains my choice of sandboxing a browser and other apps as well.

 

Behind the scenes, Firefox is still very different from Chrome and has a number of unique implementations that are quite equivalent, if not better, than what Chrome is doing. They lost the plot only on the UX front, the rest all is fine. I still think Firefox is reasonably secure as a browser tbh, with the proper extensions and something like Sandboxie.

 

If Sandboxie was only for running browsers, the sandbox could be as restricted as Chromes. But Sandboxie is not a browser in a sandbox. Sandboxie is a sandbox program where you run all kind of programs. This programs have to have access to all kind of files in the system, etc, otherwise they wouldnt run.

And we want all kind of programs to run in the sandbox, Dont we? the way that it is now is how Sandboxie has to be. And that is, programs that run sandboxed can not modify files outside the sandbox, sandboxed programs have Read only access to files outside the sandbox, if files are modified, the changes are redirected to the sandbox. The end result, you can run all type of programs in the sandbox and no matter what they do while running under SBIE, the sytem remains intact.

Keep in mind, if you run Chrome without SBIE and you get hit by malware and click install, Guess what happens? Or if you open your webmail and run an attachment that's trying to fool you into thinking that is a PDF when actually is Cryptolocker, Guess what happens? Or if you execute an infected Java applet, Guess what happens? In this three examples, if you run Chrome without SBIE, you get infected. The Chrome sandbox wont do nothing. But if you ran Chrome under Sandboxie, the infection is gone when you delete the sandbox.

Bo

 

With SandBoxie you also have the ability to create multiple sandboxes, each with its own permissions. One can easily make a sandbox specific for browsers using only the specific permissions it requires.

All of this is getting farther off topic. A sandbox, whether integrated or separate isn't the beginning or end of browser security. It's one of several possible methods for improving that security, a security that can't even be defined to everyone's satisfaction. All this proves is that there is no single best option. The best (and most secure) option is the one that best fits the users needs and best matches their criteria for what constitutes security.