Which is the Most Secure Web Browser?

Discussion in 'other security issues & news' started by Rafales, Jan 11, 2015.

  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Thanks for the explanations.

    Good success to you in cleaning up that compromised system!


    ----
    rich
     
  2. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    @MisterB
    Good luck with that. Got too many memories of messes like you describe. After just so long, they wear you down, especially the repeat customers. Eventually, you get tired of the fight.
     
  3. 142395

    142395 Guest

    For common people who don't have time to read many articles or just don't have much interest in security, I always say "Just keep up-to-date and use a reputable security suite. Then learn at least some common sense, such as being extremely careful when you install software (especially freeware), download reputable software from a reputable source and search before you download, check SSL before you enter an online account, etc. and pay least attention to IT news". This eliminates nearly all malware and exploits. I know many people here don't trust AV/IS much, but the fact is they can protect you from more than 90% of ITW malware even on a vulnerable system. And if you keep up-to-date, nearly all ITW exploits die. Also so-called common sense security is good enough to eliminate most social engineering techniques, especially when combined with the latest news. So, yes, actually what browser they use is not important, much less important than those. All those discussions about what browser is the best in security, what security suite, what security approach etc. are more of a hobby or preference (of course provided you're not a professional who has to seriously consider those things. I guess you're one of the professionals, and those browser vendors are also professionals, but I think many of us are not.), though hobby doesn't mean it's useless.
    I meant security novice. I know IT savvy is not necessarily security savvy, yeah, my girlfriend is that!
    Nobody should assume "I'm safe as my OS is ****". It's not a matter of IT knowledge, but a matter of a kind of common sense. If one believes "I'm safe as I live in an auto-locked condominium", he should think again.
    I only help and have helped those who have a real relation to me, or anyone who asked me in any online forum or SNS, as I'm not any kind of IT professional. Usually I only set up auto-update + good IS + a bit of config which won't affect his/her daily use. I don't do more unless specifically asked. So far I haven't heard of any re-infection, but the number of people I helped was at most 5 or so.
    I vote for mechanical, but am not inclined to participate in the discussion. :D
     
  4. 142395

    142395 Guest

    I think you're mainly focused on Opera, but I'm speaking more generally. I have never been affected by XSS or click-jacking, but the same goes for malware or RCE. The only infection I got in my 6 years of PC history (sorry for being too short as a reference!) was a PUP that came from Softpedia's installer, which gave a great education for me, and I've never repeated the same mistake. I have always kept up-to-date from the beginning of my PC use (much before I started to learn security).
    So my point is, when fighting against RCE is pretty easy, it will be more reasonable to spend effort on other unprotected areas rather than RCE. Not a few people here employ almost overkill protection against RCE, but if they leave holes in other areas which can be protected, isn't it a false sense of security?
     
  5. 142395

    142395 Guest

    XSS can be blocked by any script blocker unless the site is whitelisted (mistakenly or when a trusted site is compromised), and it also mitigates some other threats I mentioned, but not perfectly. CSRF can be done even when script is disabled. Yes, it is stronger when it can use script as it makes a fully automated attack possible, but disabling script enforces just one obstacle which requires one click by the user. Often, simple social engineering is enough to make that click, so NoScript employs ABE, but by default it only protects your LAN. Same goes for clickjacking: as long as iframe and CSS are allowed, it is possible. And a script blocker has nothing to do with SSL threats such as a compromised cert; this is where cert-pinning or an addon like Perspectives shines.
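
Post 5's point that CSRF and clickjacking do not depend on client-side script means the deciding controls sit in the site's own response headers. The block below is an added example, not part of the original post or thread: it audits a response for anti-framing headers and SameSite cookies. Function names and sample headers are constructed, and a cookie without SameSite is assumed to be sent cross-site (true in browsers that do not default to Lax).

```javascript
// Added example (not from the thread). Header sets below are constructed;
// keys are lower-case and set-cookie is an array of header lines.

// Source list of the CSP frame-ancestors directive, or null if absent.
function frameAncestors(csp) {
  for (const directive of (csp || '').split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null;
}

// Clickjacking: may an arbitrary origin load this response in a frame?
function framableByAnySite(headers) {
  const fa = frameAncestors(headers['content-security-policy']);
  // When present, frame-ancestors supersedes X-Frame-Options.
  if (fa !== null) return fa.some(s => s === '*' || /^https?:$/i.test(s));
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  // ALLOW-FROM is obsolete, so only DENY and SAMEORIGIN count.
  return !(xfo === 'DENY' || xfo === 'SAMEORIGIN');
}

// CSRF needs no script: a plain cross-site form POST carries every cookie
// that is not marked SameSite=Lax or SameSite=Strict (assumption: a missing
// attribute is treated as "sent", the conservative reading).
function cookiesSentOnCrossSitePost(headers) {
  return (headers['set-cookie'] || [])
    .filter(line => {
      const m = /;\s*samesite\s*=\s*(\w+)/i.exec(line);
      const mode = m ? m[1].toLowerCase() : 'none';
      return mode !== 'lax' && mode !== 'strict';
    })
    .map(line => line.split('=')[0].trim());
}

function audit(headers) {
  return {
    clickjackable: framableByAnySite(headers),
    csrfCookies: cookiesSentOnCrossSitePost(headers),
  };
}

// Constructed sample responses: one with no protections, one hardened.
const weak = { 'set-cookie': ['sid=abc123; Path=/; HttpOnly'] };
const hardened = {
  'content-security-policy': "default-src 'self'; frame-ancestors 'none'",
  'set-cookie': ['sid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax'],
};
console.log(audit(weak), audit(hardened));
```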
     
  6. 142395

    142395 Guest

    Avast blocks XSS by script heuristics, Norton blocks Likejacking in its IPS, and some URL blacklists such as Netcraft block known XSS sites. CSFire, which I use, is the first attempt at heuristic CSRF prevention with a subscription whitelist, but it causes much more trouble than RequestPolicy. I had to make many whitelists manually to make some websites work and to make my other addons work properly. And as I said earlier, major browsers have already implemented an XSS filter.

    One of the problems is that they are the website's bugs, not bugs in client software. But as you suggested, if some security software starts to fight against those, it's a good start.

    [EDIT: added mention about Norton]
     
    Last edited by a moderator: Jan 19, 2015
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Very nice summary, Yuki.

    thanks.


    ----
    rich
     
  8. ArchiveX

    ArchiveX Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    1,501
    Location:
    .
  9. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I'm not sure that's possible. People either have some common sense to start with or they don't. I don't think it can be learned. IMO common sense is like any other ability or skill, use it or lose it. Any more, I think the majority of people are losing what little sense they started with. Unfortunately I think our modern world, especially the internet, are destroying what little sense there is left in this world.
     
  10. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    Common sense indeed. In any security setup, the first thing that needs to be looked at is the level of risk/danger and that determines the amount of security needed. That is no different in the real world. A private home doesn't get treated the same as a bank. If what you are doing with a computer is important, you should pay more attention to the details of its security. The browser is just one of those details. The most important thing in any security setup is the user. An ignorant or careless user is easily compromised no matter how good the technology used.
     
  11. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    @moderator: If it's ok with Rafales, IMHO this thread would be better to have in forum "other security issues & news."
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    OK thanks, didn't know about that.
     
  13. 142395

    142395 Guest

    I don't have much experience of helping people like you, so I admit my outlook will be quite limited, but I believe some kind of learning is needed to secure yourself. And "learning" is not limited to reading articles or so; it should be a wider concept and includes experience or tacit knowledge (so an actual example or precise how-to is always good).
    I myself have been getting security practice in this way, reading understandable articles and transferring them to practice.
    If a person just reads an article and completed in it, that doesn't make much sense, though better than nothing. He has to practice this until it becomes his custom.
    The biggest enemy is IMO arrogance or thinking "I'm okay"; in this regard I don't fully agree with MisterB's last comment. These things are never limited to novices. I believe everyone shouldn't assume "I'm very careful so I'm okay", "I'm not that fool", "I can tell good from bad", "I never got infected so won't be infected too", etc. That thinking will be the weakest point in that person regardless of his technical/security knowledge, so one of my mottos is "Assume you are noob!".
    Another enemy will be indifference, and if one doesn't have any interest nobody can help him. Maybe he won't awake until he gets serious damage.
     
  14. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    Security is always evolving because the threats it deals with are always evolving but there are certain things that really don't change. One is the human element. I just dealt with malware that got in the owner's computer by appealing to shoppers looking for a better deal. It consisted of a suite of applets with names like "pennywise". I noticed them when I checked what software was installed on the system and AVG deleted all of them when I installed it.

    Browserwise it looks like it came from Internet Explorer but I can't really be sure because Chrome and Firefox were also installed. What was obvious was that the bait that hooked the owner into clicking the bad link was getting some referral to a better price on something they wanted. Social engineering indeed. Technology changes but not human nature.
     
  15. Rafales

    Rafales Registered Member

    Joined:
    Feb 20, 2013
    Posts:
    62
    Location:
    Earth
    As said by 'MrBrian', Requesting Mods to move this thread to "other security issues & news"
     
  16. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,413
    Location:
    U.S.A.
    As Requested by OP, Thread Has Been Moved.
     
  17. 142395

    142395 Guest

    One important point is that you can avoid most of those non-malware threats even w/out 3rd party programs/addons if you know them well and get into best practices.
    This means those who develop products or technologies have to keep it always in mind. What IT and security professionals have to seriously think about is not protecting savvy people, but those click-happy people.

    Unfortunately, it seems that not many developers follow this. At the same time, sometimes when a dev follows this a bit, it causes complaints from savvy users. I think a point of compromise is to hide every advanced setting and make it hard to change so that a newbie can't easily do that; also the savvy should be more patient.
     
  18. roark37

    roark37 Registered Member

    Joined:
    May 23, 2006
    Posts:
    193
    I know I am replying to an older thread but I only saw this now but in the early posts of this thread there was a lot of discussion of merits/security/privacy of chrome versus other browsers with add/ons. My question is do the comments and recommendations for chrome remain the same whether chrome is used in windows or with a chromebook? Or are those very different things? I would have thought security likely even better using chrome on chrome os but privacy, particularly from Google itself, likely worse but I really don't know. Thanks.
     
  19. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    I can update a bit on the computer I was working on. It had a severe malware/adware infestation. There were both installed applets and corresponding browser extensions in both Chrome and Firefox. I just uninstalled them in Firefox and installed Adblock Plus. In Chrome they wouldn't uninstall and prevented Adblock Plus from working. I ended up having to completely uninstall Chrome and manually delete all of its user folder files. Then I had to do a clean install to be able to install Adblock Plus. I added the MVPS hosts file for extra ad blocking. Just got positive feedback from the computer's owner last week.

    So the conclusion is that Chrome might be more secure but if it does get infected, it was the hardest to clean up.
     
  20. Malwar

    Malwar Registered Member

    Joined:
    May 5, 2013
    Posts:
    297
    Location:
    USA
    Chrome is way more secure on Linux and even more secure on Chrome OS see: < http://www.insanitybit.com/2013/04/29/explaining-chromes-linux-sandbox/ >
     
  21. Malwar

    Malwar Registered Member

    Joined:
    May 5, 2013
    Posts:
    297
    Location:
    USA
    But Chrome was not infected through itself; it was infected from a user downloading a file and executing it, and it downloading third party software and adding it to Chrome.
     
  22. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    I'm not sure how it was infected, just that it was difficult to clean up. The malware might have automatically added the browser plugins once it got into the system. One thing it did was create a monstrous folder in IE's temporary internet files folder that was both big (around 7gb) and had numerous individual files, enough to stress the file system. This made any scan hang up for hours on that folder. Even deleting it took quite some time because there were so many individual files to delete. Once that was done, scanning and removal of the malware proceeded smoothly. IE didn't have any of the plugins but it was IE8 so they just might not have been compatible.
     
  23. Malwar

    Malwar Registered Member

    Joined:
    May 5, 2013
    Posts:
    297
    Location:
    USA
    Yes, I have dealt with malware like this, which most people would call PUPs, but I consider it malware. It does more damage than any rootkit or anything I've ever seen, and it automatically added it to Chrome. You can go to Chrome's settings, scroll down and go to reset Chrome, and it should remove things like that. :) :thumb:
     
  24. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    It was malware. To qualify as PUPs, it would have had to let me uninstall it with the Windows uninstaller. It took a lot more than that to get rid of it. AVG classified it as malware too and took care of the installed programs but not the browser extensions.
     
  25. 142395

    142395 Guest

    One great disappointment in Chrome is that its extensions are often sold to others and become adware.
     