Which is the Most Secure Web Browser?

Microsoft data on relative empirical risk of various Internet Explorer versions

 

There is some data on which vulnerabilities are exploited by recent exploit kits in Exploit kits discussion thread.

 

Yes, but I was talking about protection against exploit-kits. I'm also not sure how real the threat is from the things that you described. Of course, Opera can still be exploited by Flash and Silverlight holes, so anti-exploit and/or sandboxing is still needed.

 

The reason I like to distinguish between attacks on the Browser, and those on applications that use the Browser to launch something, is that it helps me to understand the exploit better. I'm not interested in what the exploit does after it infects; rather, I want to see what triggers the exploit at the perimeter and how it can be prevented from infecting.

Thus, with the much-feared PDF exploits I used as my example, they were often referred to as "Browser Exploits" in the general media, when the focus should have been on the Plug-in itself. Controlling the plug-in action made the brand of Browser used irrelevant, IMO, since I was able to see the exploit dead in the water using several Browsers where the default action was to save the file, rather than open it automatically in the Browser window.

Now, you make a good point that some Browsers control Plug-in action without user help, but that doesn't refute my original contention.

Yes, I was thinking also of targeted attacks, since I mentioned earlier the RTF file which in some cases, was downloaded by trickery. The emails I saw were targeted to specific companies.

Internet Explorer is an unusual case, since it is so integrated with the Operating System. Often, attacks make use of a trusted file as the trigger. Early examples were the .ani (Animated Cursor file) exploit from 2005, and the .chm (Microsoft Help File) exploit, also from 2005. The latest IE exploit in 2014 uses extra help:

A Technical Analysis of CVE-2014-1776
http://blog.fortinet.com/post/a-technical-analysis-of-cve-2014-1776

Aren't the descriptions almost comical! Heap Spray -- I can imagine someone walking around with a spray can, "spraying the heap."

• Note that it makes use of JavaScript. Assuming the HTML page is a landing page and not a trusted page, wouldn't JavaScript whitelisted prevent this exploit from finishing?

I've had difficulty in the past in identifying which version of a Browser is being exploited. The CVE database for Opera lists one exploit in the wild for 2014, version 12.xx (I forget which) and an update from Opera ensued shortly after.

Another amusing label - Sandbox. I can envision a box of sand for the malware to play in, later discarded, as one would remove dog poop from a playground!

There are so many effective solutions these days to help the Browser prevent malware infections from occurring...

I agree!

By the way, "Which is the best, most secure, etc, is not limited to Browsers and computer security products. Even Pencils have their fan clubs. But you knew that, didn't you? Well, if not, see here!

http://forums.welltrainedmind.com/topic/502914-so-ticonderoga-question/


regards,

-rich

 

Chrome is not my default browser, I use it as a secondary. For about a month I have noticed that it has been loading initially rather slow, about 18 seconds. I've had it on my computer since it first came out. After trying to speed it up the usual ways, I thought I might uninstall it and re-install it from Google. I noticed a few seconds off the time after that. Then later I loaded it and got hit by a drive by which my AV blocked. Now every time I load it initially I get hit with the same drive by. The drive by is o24x7.com which is from Godaddy.com. Then today I clicked on a favorite website and got a porno AD which I deleted. What the heck is up with my Chrome? I never got any crap like this since day one. I have an AD blocker, Malwarebytes, and Emsisoft, and this is supposed to be a secure browser. I made scans which found nothing. Any comments?

 

It seems one could debate this subject on & on and not come to any agreeable conclusion.
Not everyone uses the same OS platform and browser(s) to begin with.
Not everyone configures their browser(s) the exact same way.
Not everyone seems to agree what the definition of "the most secure browser" means.

To many variables, but common ground could still be found to run whatever browser you decide
to use and make it as secure as possible on your system.

Do some configuring of the default browser options settings.

Also checkout advanced configuration settings:
http://www.askvg.com/how-to-access-...firefox-google-chrome-and-opera-web-browsers/

Browser security & privacy:

Just-In-Time hardening (JIT)
Plug-In Security
Popup blocking
Add-on install notify
Private browsing mode or similar feature name
Proxy settings
Control of cookies
Content blocking
JavaScript control
Sandboxing
Availability of security & privacy extensions
How often & for what browser "phones home".
Certificate validation
Security tls
File download control
Password manager
Cross-site-scripting filtering (XSS)

 

I wonder what other methods other than sandboxing are successful to prevent malware infections?
K-9 Web protection for example, or you meant something else, Rmus?

 

I've always felt that methods of preventing malware infections start at the perimeter, the entry points.

Entry points other than the Browser include:

• Firewall. Remember Conficker? The first version entered via open Port 445. Prevention: Secure open ports.

• USB. Subsequent versions of Conficker used autorun.inf trickery to install the malware. Prevention: Disable Autorun.

• Email. Social Engineering trickery to install malware from attachments. Prevention: Confirm the source of the email w/attachment.

For exploits using the Browser as the entry point, my suggestions are:

• White list JavaScript. This has not been a popular recommendation because so many sites won't work without JavaScript enabled. So, the user has to enable JavaScript, then refresh the page. Nonetheless, it is protection for when a user is redirected to a landing site which uses JavaScript to trigger the malware code. The recent Internet Explorer exploit uses JavaScript.

• White list or enable on demand, Plug-ins. The Plug-in that auto-loads a PDF file into the Browser window is a very convenient feature, especially for those who read many PDF files daily in their work. Nonetheless, the Plug-in action can be controlled to prevent loading of unauthorized PDFs.

• Other techniques ___________

Note that none of the preventative measures above require the addition of a security program.

If the malware payload somehow gets through the perimeter and attempts to intrude into the system, then security programs will be necessary.

• Blocking the payload: malware writing to disk -- anti-execution protection, either stand-alone products or incorporated into a HIPS, other suite, or in the Operating System.

• Blocking the payload: malware residing in memory -- there are discussions in the Other Anti-malware Software Forum of anti-exploit protection which monitors memory and behaviors.

• Other Blocking techniques _________

If the malware succeeds in getting into the system:

• Firewall: Outbound monitoring will alert to malware that uses an application (PDF Reader, Java, etc.) to connect out to download stuff. (see my Post #86 above)

• Containment: A Sandbox program.

• Reboot and Restore: these programs discard anything written to disk that has not been authorized by the user.

• Windows User Account Control (UAC) - various opinions on the effectiveness of this.

• Detection: See MrBrian's very informative thread on malware detection programs and techniques:

What non-signature-based malware detection programs and techniques do you use? I'm interested only in programs/techniques that can indicate the presence of malware
https://www.wilderssecurity.com/thre...on-programs-and-techniques-do-you-use.372052/

• Other techniques __________

(Feel free to suggest some Other techniques_______ in the above categories.)

I've avoided listing specific products because there are so many! I read about them in the other sub-forums here, but can not speak with authority on most of them, so I leave it up to the user to choose which product suits her/his needs and computing habits.

A discussion of specific products might be better served in the Other Anti-malware Software Forum.

regards,

-rich

 

Those threats are real. While top major browser employ XSS filter, it might not be the case in minor browser (I don't count Opera in minor though). Though XSS is website's problem, it can be prevented from client side and can cause serious consequence such as session hijack (BTW Opera 12.14 or before had XSS vuln which matters in certain condition). CSRF is another common website bug, it potentially can change your router setting or can abuse your online accont e.g. change your Facebook settings to disclose your privacy, post a comment which is not by you and include malicious url to trick your friends, etc. There's already some cases where CSRF is used in real criminal. DNS rebinding can also be used in similar way but a bit weaker (it can't pass logon process by itself). Click jacking is another widely seen attack, originally it is used to make user unknowingly click invisible "yes" button which, say, download malicious contents so it's a kind of social engineering. Now at least Adobe Flash already took measure for it, but recently more common is like-jacking which tricks user to click Facebook (or other service) "Like" button, and there's case this exposed user's privacy.
TLS attack is another thing. There're attack against crypt such as POODLE, and attack against authentication like MITM. While there's no reported case of the former, POODLE (and maybe BEAST, CRIME, Lucky13, etc. too?), there're already cases of the latter and Google said if their browser didn't employ cert pinning those attack would be identified much more later.

Some addons like Noscript, Request Policy, Policeman, uMatrix, Kiss Privacy,
etc. and best practice based on correct knowledge and latest info can prevent most of them.
And same goes RCE. As noone_particular suggested, I also think blocking RCE or malware is relatively easy (unless you're targeted). So it will be reasonable to spend more effort in other threats than RCE.

 

I can understand you, it has a certain value but at the same time I have to say it is one point of view and won't be necessarily shared with other member. In fact some member have interest about what exploit does after it infects. For me, protection against RCE is just a part of browser security which is the topic here (it's not "What browser provides the best perimeter defense against RCE w/ any extras?").

I agree, confusing plugin exploit with browser one is not good, can well make confusion. Hoever, IMHO it's not much fair saying brand of browser is irrelevant cuz many plugin exploit can be prevented by natural user decision regardless what browser you use. We know novice user sometimes make unbelievable decision. If old plugins are off by default, it puts a obstacle for such user (he have to manually enable them). Plugin sandbox too. I think more and more exploit targets plugins, it's more and more important how each browser counter-attack them. It's not intended to refute your opinion. As I said in #78, many opinion w/out exact consensus still can well make sense. I'll only resist argument that such discussion is meaningless and we have to establish the same viewpoint with the same basis exclusively.

Yup, disabling Javascript blocks many use-after-free, heap spraying, and others. Also agree to your last comment.

Wow, I didn't know that! And actually I've been thinking I'm one of strange man who spend dezens of minuites to finally decide what mechanical pencil or ball-point pen I buy, what a coincidence! lol.

 

The reason I emphasize the perimeter is that for the average home user, most of the exploits seen in the Exploit Kits they are likely to encounter can be blocked at this point.

I didn't neglect other situations, for I followed this with some other preventative techniques, suggesting that people can add to this.

What is a secure browser, anyway? The question has many answers, as has been seen in this thread. There doesn't seem to be a consensus as to what should be considered. Some want to include privacy. This makes it difficult to define what the Browser should do. People usually choose security measures that make them feel comfortable that they have good protective measures in place based on their own risk assessment. This will vary from person to person. On any day, just take a look at the thread, "What is your security setup these days?"

Doesn't this apply to people's approach to security in their lives? Recently I took a survey in a 2 square block area of my neighborhood. Of 59 houses I found 2 that had bars installed on the windows. Evidently the other 57 didn't consider the threat of break in through a window to be very high risk. Or perhaps they had intrusion monitoring protection in place. The 2 might worry a bit if they knew that there were several instances in our city where thieves used a torch to cut through bars on a window.

So, when one considers a browser from a security standpoint, do you want one with "bars on the windows?" Do you want one with a Sandbox? Do you want it to protect against ______? (fill in the blank). How can one know what each browser can protect against without doing extensive reading on browser vulnerabilities, attacks, etc? Is it worth it to attempt to cover all bases? How should one determine what else to add to help with securing the Browser? Is is useful to consider what the likelihood is that a particular attack could occur in your browsing experiences?

Many things to think about.

It's not only novice users! Years ago B.M.A (Before Mac Attacks) knowlegeable Macintosh users in other forums used to argue that they were immune to attacks, such as those against Windows users. Well, guess what. A few came along and an early one was rather humorous for me. It involved a DNS changer trojan coded to work on a Mac system, and it used trickery to get installed. In his analysis at isc.sans.edu, Bojan wrote:

DNS changer Trojan for Mac (!) in the wild
2007-11-01
https://isc.sans.edu/diary/DNS changer Trojan for Mac (!) in the wild/3595

Well, the rest is history, as hackers began to turn their sights towards Mac systems.

Another comment about novice users: it is not uncommon, during a discussion of security measures, to have someone write, "Yes, but the average user won't...." To me this is irrelevant. Preventative measures exist, whether or not people put them into practice.

On the other hand, I've often suggested that Wilders members help someone in their sphere of influence; most recently here, with a comment by Pete:

https://www.wilderssecurity.com/thre...executable-options.371603/page-2#post-2442084

[regarding pencils]

Very amusing are the discussions as to which pencil is better: mechanical or regular.

regards,

-rich

 

Don't get me wrong, of course I agree that the more security the better. But I've surfed the web for almost 20 years now, and I don't think I have ever been affected by XSS or click-jacking attacks. So I don't believe that I'm at great risk by using Opera 12. Plus I also use a script-blocker, but I'm not sure if it will offer protection against most of these attacks.

 

If it was only that easy. I spent quite a few years cleaning, tuning, and securing PCs for a lot of people. Tried to match the security package to what I perceived as the ability and willingness of the user to learn and understand it. In all that time, I managed to get through to one individual who has remained clean. The rest were just repeating customers with the same problems over and over. It's been frustrating enough that I've stopped servicing PCs for most people. Using a different browser would have made no difference with most of them.

 

It will. HTML can just present and format type, place images, and create links and forms. To do more than that requires scripting. By blocking scripting in a browser, any browser, most web threats are neutered, as are a lot of annoyances.

Opera Presto is pretty safe. It can be made safer by changing a few options of which it has more than any browser I know of. The only one that comes close is Seamonkey.

I'm cleaning up an infected system at the moment. It had more than 7gbs of data in "Temporary Internet Files" and a lot of malware was in that folder. I have presto set up so all caching is in memory and an exploit that got through would more than likely just crash Opera which would wipe anything that was cached.

 

To clarify, I'm only blocking third party scripts, so I'm not sure if that would mitigate risks from XSS and click-jacking. I did notice that NoScript offers dedicated protection against this kinda stuff.

I also wonder why security tools have never been focused on blocking these kind of attacks, the only one I could find is Comitari Web Protector, but the project seems to be pretty dead. It probably also makes more sense to let the browser itself take care of this.

http://www.comitari.com/
http://www.comitari.com/White_Paperse977.html?cp=558&artPage=1&art=3&da=True&dt=False

 

Tell me about it! I know it is not easy...

You deserve a medal! One more person not part of a botnet.


----
rich

 

Hello MisterB,

By "pretty safe" I assume you feel it is not "completely safe." In what way?

Will you please elaborate?

How do you do this?

Thanks!

-rich

 

Many tools don't address click-jacking by name but do address the mechanism that makes it possible. Click-jacking relies heavily on frames and layers. These are often used in conjunction with javascript to place the cursor inside of that visible or invisible frame or layer. Tools that control how these frames and layers are presented can prevent click-jacking. The default filters for Proxomitron for example include some that convert frames, iframes, ilayers to links. The javascript filters can remove the script that places the cursor in that frame. Any tool that changes how frames, iframes, and ilayers work can address the click-jacking issue.

 

Pretty safe in the sense that nothing is completely safe and a lot depends on how it is used and what for. I wouldn't use it for banking or any kind of financial transactions but I didn't do that when it was supported either. I use Opera for forums and casual research. If I ever got exploited, it would more than likely just crash Opera and not go any further. That is due to the way my systems are set up as much to Opera. I have a layered security approach and if the script blocked Opera presto layer is breached, there are more layers of OS security that would have to be overcome for an exploit to get anywhere. For someone who was careless and used Opera to surf questionable sites with no java script blocking protection and logged on with an administrator account, it would be less safe but probably no worse than any other browser used that way.

 

That is in the advanced options under history. You can completely disable disk caching if you like and specify how much memory is devoted to caching. It is the only browser I know of that gives you that option. Disabling disk caching increases performance and insures that nothing from the browsing session is left on the disk after the browser is closed.

 

Noscript can block frames and Iframes. It is not the default option and has to be manually set. So can the Scriptkeeper extension for Opera Presto. Its default is to only allow "inherited" frames but frames can be disabled completely.

 

The Sidki filterset for Proxomitron has fairly extensive options for frames and iFrames.

 

Do you know of any reported instances where a person using Opera was compromised while banking online, and what the actual exploit was? I would be interested in checking it out.

Thanks,

-rich

 

Ok, thanks, I was thinking of something else.

In the past when I compared, I couldn't see any difference. What specifically do you notice?

I assumed checking "Empty on Exit" took care of that. Not so?

Thanks,

-rich

 

I don't know of any instances of anyone being compromised by Opera in anyway. I'm dealing with a system that was definitely compromised by Internet Explorer right now. 7+ gbs of cached data with lots of malicious scripts and urls.

It takes a lot more time to access a disk than memory. Opera presto has to take some time to delete its cache when it closes and this won't happen if there is a crash. Even at the modest bandwidth I have, there is no real need to have much of a disk cache. I definitely noticed a speed up when I switched caching to memory but I often have multiple windows with multiple tabs open which results in a large amount of cached data.