Is Firefox still the safest web browser?

Discussion in 'other software & services' started by strongsword, Oct 19, 2011.

Thread Status:
Not open for further replies.
  1. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076

    HSTS isn't an official spec by any means. IE9 didn't implement WebSockets because at the time it was an unstable and unofficial spec, yet now that's changed and IE10 implements it, the same will probably happen with HSTS if it becomes official.

    I also wouldn't class HSTS as "securing your browser". It just reinforces SSL/TLS connections, but it's not going to stop you from the next exploit or malware attack.
     
  2. tlu

    tlu Guest

    Pretty impressive :thumb: Although these measures wouldn't help against the mentioned XSS and ClearClicking issues (providing that they still exist in IE).
     
  3. tlu

    tlu Guest

    No, but Content Security Policy (CSP) does that. Lastpass, e.g. is using that.
     
  4. wat0114

    wat0114 Guest

    Thanks tlu! From an IE 8 SCM Toolkit document:

    From IE8 it looks as though there is at least some level of protection against XSS & clickjacking. Of course I have no idea how effective it is but it seems to be there and I know I've enabled it in the GP editor.

    My apologies for taking this thread OT :oops:
     
  5. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    If it sounds like a fanboy statement, it is one. Regardless, I'm not going to bicker. I never once said Smartscreen is "useless"...here we have another case of someone not reading again. All I said was that I believed Chrome to be the more secure option due to what I considered a "true sandbox". I also stated that comparing Smartscreen to sandboxing was ridiculous, and I still mean that. Smartscreen is nothing more than a scanner at heart, that's it. It relies on a list, and lists do very little in today's world.

    @Cjs Dad: Yes I meant Sandboxie with another browser. There aren't any conflicts between Sandboxie and Chrome that I am aware of at the moment.
     
  6. CJsDad

    CJsDad Registered Member

    Joined:
    Jan 22, 2006
    Posts:
    618
    @ dw426 Thanks :thumb:

    @ moontan thanks, but now I have another question. Can you please further explain why you feel there is no need to run Chrome along with Sandboxie? Thanks.

    Amazing how this thread has turned out in helping me learn more about the functions of browsers, good job people, keep it coming :thumb:
     
    Last edited: Oct 21, 2011
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Here's the thing about clickjacking/ malicious js/ whatever. How does it affect me as a Chrome user?

    I haven't seen a single drive-by exploit** for Chrome. So... who cares what I click?


    **Exploit that initiates the download and executes the file without user interaction.

    Some things I'm worried about and some things I'm not. I still recognize them as valid dangers - clickjacking is an issue - but I don't worry about it nearly as much as a flash exploit, which I can do much less to control.
     
  8. atomomega

    atomomega Registered Member

    Joined:
    Jul 27, 2010
    Posts:
    1,292
    IME, I decided to test it by myself so I decided to install FF and GC on the same machine... truth be told... extensions (in case of GC) and add-ons (in case of FF) make me feel both can achieve a great level of security... enough for me. ;)
     
  9. wat0114

    wat0114 Guest

    A couple of interesting clickjacking-related links, the second one in particular is of interest because it applies to 3rd party browsers as well.

    -http://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx

    -http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx
     
  10. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    because Chrome is sandboxed already.

    Chrome's sandbox might be as good as SBie or not, i'm no expert.
    but for me it is quite sufficient.
    and the less of these bloody security apps i have to install and babysit the better.

    i am not overly concerned about social engineering, only exploits.
    and Chrome is very well protected against exploits.
     
    Last edited: Oct 21, 2011
  11. tlu

    tlu Guest

    Okay, but that means that a website must use the X-FRAME-HEADER to have the browser use that security feature. I don't know how many sites do that (and with which tokens). The Clickjacking protection in Noscript works without that, though - regardless if a website uses that http header or not.
     
  12. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I personally would not run Chrome in Sandboxie. It offers no further protection (except for Java) and increases the browser's attack surface.

    Chrome has no need for Sandboxie. It already has protection from exploits and it's got a great track record - a single undisclosed exploit on the flash player after three years.

    You can get the same level of security simply sandboxing your downloads folder. In fact I'd say you can get even better security having a downloads-folder-specific sandbox because you won't have to give it access to places you'd give Chrome access to and definitely no internet access.
     
  13. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    Exactly. The same with Chrome.
    From the Google Browser Security Handbook;
    'So far, the only freely available product that offers a reasonable degree of protection against the possibility is NoScript (with the recently introduced ClearClick extension). To a much lesser extent, an opt-in defense is available in Microsoft Internet Explorer 8, Safari 4, and Chrome 2, through a X-Frame-Options header (reference), enabling pages to refuse being rendered in any frames at all (DENY), or in non-same-origin ones only (SAMEORIGIN).' link

    Noscript offers this functionality without having to rely on the goodwill/expedience of every single webmaster/website dept. on earth.
    Whatever opinions some folks seem to have about Giorgio Maone as a dev or the functionalities of lesser imitations as ScriptNot, Noscript indeed offers browser protection against ClickJacking (and more) like no other add-on.
    As f.i. listed in a previous post, about MS stating that IE8/IE9 offers protection against ClickJacking, if only every single website on earth will adapt, seems somewhat laughable in comparison.
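
The opt-in X-Frame-Options behaviour from the handbook quote above (DENY, SAMEORIGIN, or no header at all), as an added example that is not part of any post in this thread. It is a simplified model of the framing decision; the function names, the `.example` hosts and the sample responses are constructed, and treating conflicting tokens as the strictest one is an assumption of the model.

```javascript
// Added example (not from the thread). Simplified model of the opt-in
// X-Frame-Options check; names and sample responses are constructed.

// Collapse the X-Frame-Options values of one response into a policy.
function parseXfo(headerValues) {
  const tokens = headerValues
    .flatMap((v) => v.split(','))          // repeated headers may arrive comma-joined
    .map((t) => t.trim().toUpperCase())    // tokens are case-insensitive
    .filter((t) => t !== '');
  if (tokens.length === 0) return 'NONE';  // the site did not opt in
  if (tokens.some((t) => t !== 'DENY' && t !== 'SAMEORIGIN')) return 'INVALID';
  // Assumption of this model: conflicting valid tokens resolve to the strictest.
  return tokens.includes('DENY') ? 'DENY' : 'SAMEORIGIN';
}

// Decide whether a page may render inside the given chain of framing pages.
function mayRenderInFrame(pageUrl, ancestorUrls, headerValues) {
  const policy = parseXfo(headerValues);
  const pageOrigin = new URL(pageUrl).origin;  // scheme + host + port
  const sameOrigin = ancestorUrls.every((a) => new URL(a).origin === pageOrigin);
  switch (policy) {
    case 'DENY':
      return { policy, render: false, reason: 'page refuses all framing' };
    case 'SAMEORIGIN':
      return { policy, render: sameOrigin,
               reason: sameOrigin ? 'all ancestors same-origin' : 'cross-origin ancestor' };
    case 'INVALID':
      // Reported as unprotected: an unrecognised token gives no guarantee.
      return { policy, render: true, reason: 'unrecognised token, no protection' };
    default:
      return { policy, render: true, reason: 'no header, framing unrestricted' };
  }
}

// Constructed sample responses: [framed page, ancestor chain, header values].
const samples = [
  ['https://bank.example/login', ['https://other.example/'], ['DENY']],
  ['https://bank.example/widget', ['https://bank.example/home'], ['sameorigin']],
  ['https://bank.example/widget', ['https://bank.example:8443/'], ['SAMEORIGIN']],
  ['https://blog.example/post', ['https://other.example/'], []],
  ['https://shop.example/cart', ['https://other.example/'], ['SAMEORGIN']],
];

function auditSamples() {
  return samples.map(([page, ancestors, xfo]) => mayRenderInFrame(page, ancestors, xfo));
}

for (const r of auditSamples()) console.log(r.policy, r.render, r.reason);
```

The last two samples are the cases the posts above turn on: a site that sends no header, or a misspelled token, is framed exactly as if the feature did not exist.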
     
  14. CJsDad

    CJsDad Registered Member

    Joined:
    Jan 22, 2006
    Posts:
    618
    Would it be worth it to run NoScript and Sandboxie together w/ Firefox?
     
  15. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    If you can handle white-listing websites, then yes it would. Sandboxie will do a LOT of the protection work for you, but NoScript will speed up page loading and handle extras like cross-script attacks and such.
     
  16. CJsDad

    CJsDad Registered Member

    Joined:
    Jan 22, 2006
    Posts:
    618
    Much thanks dw426 :thumb:
     
  17. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Might even beat Chrome lol, very little run on there.
     
  18. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Lynx is secure in that you can't access 99% of a webpage.

    It's insecure in that it does nothing to stop the 1% from hurting a user.
     
  19. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    What is the 1%? Other than downloads.
     
  20. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Exploits in the browser still exist. It's a reasonably complex program, which means we can be fairly certain that an exploit exists.

    It does have security through obscurity though but I personally don't consider that security.
     
  21. wat0114

    wat0114 Guest

    Lynx is a text only browser. Fine for those who want to surf uneventfully in the stone age.
     
  22. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    Provided the figures are correct and correctly interpreted.
     
  23. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    I suppose it all depends on if those figures are from Microsoft or from an independent source. Sometimes figures can be massaged somewhat. Sometimes there are pork pies.
     
  24. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Second that when you run Windows7. Just read this thread (where I showed that FF was making up ground) :p https://www.wilderssecurity.com/showthread.php?t=272374

    IMO FF had an advantage up to IE6 and possibly on IE7 because the FF community took real pride in fixing bugs way earlier than Microsoft.

    The launch of Chrome was considered a knife in the back (Google sponsors Mozilla development substantially).
    http://www.zdnet.com/blog/btl/mozil...-on-google-for-revenue-can-it-diversify/27670

    Because Chrome outpaced development of any browser with 6 weeks releases, the FF developers community is now entangled in a release-to-market race. This focus on new functionality has dropped bug fixing considerably and way too many bugs are open for too long.

    Big names in the FF community are disappointed in the release-race and the bug-legacy. Some of them decided to stop with FF/Mozilla. http://news.slashdot.org/story/11/0...mmunity-contributor-departs-over-bug-handling

    Just my 2 cents
     
    Last edited: Oct 22, 2011
  25. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    2 cents, exactly.
     