New Research Says Chrome Browser "Most Secured" Against Attacks

New Research Says Chrome Browser "Most Secured" Against Attacks.

Download Report PDF link: Browser Security Comparison: A Quantitative Approach: Research Paper (3.4 MB).

-- Tom

 

Looks like a "must read".

The research has been commented on here and this quote is for those (Secunia fans?) who believe that the more the bugs/loopholes on record, the worse the software:

The study was commissioned by Google, FWIW.

 

I think oages 18 and 19 have some really interesting information.

Also odd that they found so little difference between the blacklists.

 

Yikes! You've already digested pages 1 through 17 ?

 

Not really, skimmed through the first 20 pages. No time to read it atm.
EDIT: Their results for the URL blacklisting are... interesting. Chrome and IE block virtually the same amount and neither block a very significant amount (10% per analysis about.) There are stipulations to the test, neither has access to their file blacklist for example. This may be where IE pulls ahead since application reputation may be a lot harder to fake whereas domain reputation has long been easily circumvented. Or perhaps the test is absolute BS.

 

Browser security ranking, firefox third and chrome first

PCMag

Sigh, i think i have to switch to chrome at some point then. firefox just cant seem able to keep up these days.i just wish opera had better addon support.

 

Google funded report says Chrome is most secure browser; Firefox least secure

Google funded report says Chrome is most secure browser; Firefox least secure

 

Re: Google funded report says Chrome is most secure browser; Firefox least secure

Source of funding already mentioned here.

 

Re: Google funded report says Chrome is most secure browser; Firefox least secure

The way I see it you should look at the points made as fact - they're simply true, Firefox doesn't have X feature Chrome has X feature etc. Those are undeniable.

Whether you consider X important or not is what's different. The conclusions based on the facts will vary user to user.

Of course, as is pointed out in the article NSS Labs used to take money from Microsoft.

This was heavily covered in the Accuvant study and I really disagree here.

I also have to disagree here, they used public malware domains.

I found the Accuvant paper to be a very interesting read with in-depth explanations. One of the better papers I've read and it has nothing to do with whichever browser one - I would have been happy to see IE beat Chrome and I was surprised at the results.

Accuvant not only provided data but an excellent explanation of the methodology behind each and every test. Their explanations on why patch response is no longer a great way to view security and other typical methods was great. Their results and conclusions on URL blacklisting was also very interesting.

 

Re: Google funded report says Chrome is most secure browser; Firefox least secure

I'm not buying this, the whole thing is FUD by Google. You'd have to be a complete wazzock not to believe that it isn't.

From FavBrowser ~ After such claims, Mozilla has decided to respond with the following statement:

“Firefox includes a broad array of technologies to eliminate or reduce security threats, from platform level features like address space randomization to internal systems like our layout frame poisoning system. Sandboxing is a useful addition to that toolbox that we are investigating, but no technology is a silver bullet. We invest in security throughout the development process with internal and external code reviews, constant testing and analysis of running code, and rapid response to security issues when they emerge. We’re proud of our reputation on security, and it remains a central priority for Firefox.”

So here you have it folks. Despite continuous IE bashing in various communities, it still managed to beat Firefox in a non-biased study.

What do you think? ~ FavBrowser

What do I think? I think that this is a load of Google FUD. To deny that it is just FUD is seriously living in denial (mega-denial syndrome?), or maybe a parallel universe of denial.

 

Interesting report (to a certain extend), I can agree on the questions put forward regarding the number and severity of vulnerabilities/patches.
The fact that Chrome is (ootb) called 'the most secured' by Ryan Smith, chief scientist of the Accuvant testing group is something most folks can agree with I guess, the sandboxing of processes within Chrome is still unmatched. That's where Chrome wins.
The data on URL blacklisting is a bit odd though when Chrome makes an incredible jump during the testing period where Firefox suddenly falls flat as pointed out by Phatak and Moy of NSS Labs.

The most funny aspect of the report though, is about extensions for the browsers.
"Firefox has a few (sic!) ways to customize or extend the functionality of the browser."
..."Firefox extensions are able to run arbitrary JavaScript code, but do not include native code.
From a security perspective, in the worst case, it is like enabling a cross-site scripting vulnerability on every page you visit. That is, the attacker could change arbitrary HTML, read cookies, see form data, etc."
Which is followed, of course, by a pic of Noscript. Danger, danger Will Robinson!

A whole report on which browser offers most secure browsing and then combining a worst case scenario with the most lauded browser security extension ever. An extension that offers protection unmatched by any other browser. That's where I start smelling something rotten.
Peculiar combination of useful info and hard boiled propaganda, this report.
Google should be proud of the way Chrome works and try to outcode FF and the whole FF ecosystem.
They shouldn't try to out BS the competition.

 

Re: Google funded report says Chrome is most secure browser; Firefox least secure

Did you read it? It's very simple yes or no type things.

Does Firefox support X? Does IE support X? Does Chrome support X?

In most of those cases, Chrome and IE support it and Firefox does not. What conclusions you draw from that are your own but there is absolutely no denying when a program does or does not support something. It's fact. You can't simply say "Oh Firefox supports JIT Hardening measures - Google is lying!" when it doesn't.



These are facts.

It's a shame you can't just read the article and take it for what it is. Whether the conclusions are bias or not doesn't detract from the information within it. Outside of the smartscreen tests there can be no bias or filter, the program either blocks or allows something; either passes or fails.

The consensus on /r/netsec is that it's entirely legitimate and they don't believe it's FUD. Not that they're somehow super credible but I think it's worth noting that there are people out there (lots of researchers on /netsec, I know a few though I rarely post) who are taking this test seriously.

 

Re: Google funded report says Chrome is most secure browser; Firefox least secure

I agree! I think that this may be due to the built in phishing heuristics that Chrome has implemented though I'm not sure. There is clearly something outside of the safebrowsing API at work or Google is intentionally holding back from Mozilla.

I had a bit of a laugh at that as well.

It would have been really interesting if they'd extended the scope of their paper to include specific extensions but I think that would get far too complex.

 

Re: Google funded report says Chrome is most secure browser; Firefox least secure

I probably wouldn't understand much of it as I'm not a software engineer. Although I have talked to some Mozilla fans, who are far more knowledgeable than me, who are not particularly impressed with the report & its bias. To simplify what they told me, this isn't much more than sophistry about running an infected plug-in & stating "we have a sandbox & Firefox doesn't".

If you can't see the disingenuousness & the real motivations behind this report, I can't explain it to you. I really can't.

Maybe in a parallel universe. It kinda reminds me about your interpretation of statistics. Nearly ten years ago I remember reading a statistic that if you take into account the number of Elvis impersonators that are increasing globally every year, you could extrapolate that by about 2010, nearly half of the world's population will actually be Elvis impersonators. I'd like to point out that no one in the street in the small village that I live in, as far as I know, actually are Elvis impersonators.

If you can't see this report for what it really is, I think that you have a warped sense of perspective.

After all, it's just business to Google. Of course they are going to try & rubbish the opposition. What better way than a sophistical disingenuous report on security & cyber-safety? Of course it's bloody FUD!

You're obviously a clever chap with computers Hungry, but you need to stand back & see the bigger picture. This really just is business to Google. It's not personal.

In fact, it's quite clever in a devious kind of way.

 

Re: Google funded report says Chrome is most secure browser; Firefox least secure

It is quite a lot more than that. They go in depth into what specifically one can do within the plugin and browser sandboxes and what each of those things means. There is a really really large area for each specific sandbox explaining the specifics. Definitely a lot more than "We have one, they don't."

You should try giving it a skim through, they do a good job of explaining things.

I can see possible motivations, Chrome is competing with Firefox and Google could absolutely have timed this report to coincide with some bad press.

I wouldn't put it past them, not at all.

But that doesn't detract from the research done. There are blatant facts in there.

Absolutely, and I think that the motivations and conclusions need to be questioned or even outright thrown away. Taking someone else's conclusions for fact is silly.

But you can look at the facts in it and the research and draw your own conclusions. Even if you skim through the pdf you can see that the research is sound.

The conclusions are bias but the actual content is a great read.

I think that taking this article at its word is silly. There is more to security than a sandbox and mitigation techniques such as ASLR but if you read the article it provides some great info. For example, I did not know that Chrome first randomizes information itself before further randomizing it using the OS randomization techniques. Whether that is significant or not is up to the user to decide but it's still a fact and it's one of many snippets of information that the article brings to light.

They also, and in my opinion quite fairly, point out that while IE does not further randomize they make great use of Guard Pages (a really cool technique IMO), which are very effective at preventing BO attacks and therefor IE does not need that further randomization - 64bit IE is beyond the scope of this article but it would also take advantage of significantly more random addresses.

This is just one point that the article brings up. Whether its motivations and conclusions are disingenuous is absolutely up for debate and I would not put it past any company to plan something like this. But the pdf itself provides wayyyy too much information to be dismissed.

 

Re: Google funded report says Chrome is most secure browser; Firefox least secure

I do think you should give it a read btw. Even if you don't know what ASLR is or DEP is they preface each portion with an explanation as to how these things work and what their significance is. It's for that reason that I think this report has real merit whether you take its conclusions seriously or not.

 

Re: Google funded report says Chrome is most secure browser; Firefox least secure

LOL @malware domains.

They should have tested the filters against malware samples as well.

Anyways, the study is overall good. It could, however, be more complete and take into account more aspects. In short, the methodology could be better.

 

Re: Google funded report says Chrome is most secure browser; Firefox least secure

I'm sure there is more LOL. Unfortunately, for me, it starts to read like white noise sounds after a bit. I'm an arts graduate ... after all.

Ermm ... I may give it another skim, but I was planning on reading some Dostoyevsky later. I think that the Russian bloke's going to win on this one.

I'm sure the facts are all quite blatant. The motivation is still FUD though.

I'm sure it's all great stuff, & probably quite useful & important. It doesn't matter how true any of it is either, it doesn't rule it out as a FUD exercise on behalf of Google. Google aren't stupid, if they are going to do a hatchet job they are going to make a good convincing job of it. That's what fear, uncertainty & doubt scenarios are. If they weren't plausible they wouldn't be effective.

At the end of the day, with my limited knowledge of computing, I ask myself "how does this affect me running SeaMonkey with NoScript, ABP, WOT & RequestPolicy as security features?"

My conclusion is; not a lot.

 

Re: Google funded report says Chrome is most secure browser; Firefox least secure

I'm going to view the dust bunnies under my bed in a whole new light. Maybe they're agents of Google?

 

Re: Google funded report says Chrome is most secure browser; Firefox least secure

You should just be glad you have dust bunnies.

 

I'm one of the very few people who don't use and don't like the "most lauded browser security extension". Another bunch of people who don't like it can be found over at the most popular Firefox browser extension's forum.

 

Propaganda! That's the word I was looking for.

 

IMO, IE should be left out of comparisons of browsers since it's virtually a part of the Windows OS.

Also, barebones, ootb, Chrome is more secure than Firefox. Saying that "Sandboxing is a useful addition to that toolbox that we are investigating, but no technology is a silver bullet" comes across poorly.

Despite all that, I take my chances, keeping Fx (without the most lauded security extension = silver bullet(?)) as primary and Chrome as secondary.

 

That's a moot point, but I think that it is a useful 'control' sample, as scientists would put it. Although that's probably a poor analogy.

I don't think that anyone is actually disputing that though.

It sounds better than "we gave up on electrolysis recently" & are concentrating on other things.

Hmmm ... what about RequestPolicy?