Browser Security

Discussion in 'other software & services' started by trinsic, Oct 7, 2010.

Thread Status:
Not open for further replies.
  1. trinsic

    trinsic Registered Member

    Joined:
    Jul 24, 2007
    Posts:
    10
    Hey guys, I'm working on a Radio Broadcast show for my business that deals with browser security (among other things) and I'm looking for information regarding what the best browser is from a security standpoint, but also has a good amount of features. Maybe I am coming at this the wrong way, but my idea is to report to the general public about what the best browser and plug-in combinations there are to protect people that don't have a clue from malware and click-jacking. Any help would be appreciated and I will be listing this website and anyone that responds to this thread in the list of credits for the digital file archive of the broadcast itself. I'm almost done and should be broadcasting it live in the next couple of weeks.

    For reference my website is http://www.scottlarsonconsulting.com
     
    Last edited: Oct 7, 2010
  2. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,948
    Location:
    USA
    Opera is secure, but it lacks plugins. Chrome is very secure from a security standpoint in the fact that it has not been very susceptible to malware in the past year, and it has a decent amount of plugins. The only thing about Chrome is trusting that Google is not going to invade your privacy by collecting user data, and sharing it with a third party. Firefox is secure, and has tons of plugins. Firefox can be made very secure by using NoScript, Adblock Plus, WOT, and other security plugins. I use Firefox because of the # of plugins available that I can't use with other browsers. If you really want to be secure then you can use Sandboxie to run any of the above browsers.

    I don't use Chrome that often so some of the other users on this forum could tell you much more about Chrome than I. Here is an interesting article that might be of interest to you. http://www.linux-magazine.com/Online/News/Insecure-Candidates-Chrome-Wins-Hacking-Contest
     
  3. guest

    guest Guest

  4. ALookingInView

    ALookingInView Registered Member

    Joined:
    Sep 14, 2009
    Posts:
    365
    I'm no expert on the matter, but I'd guess Chrome.
    Out of the box it's good and you can make it better by changing a couple settings.
    The extensions are a bit generic sounding to the FF guys out there, but you can find what you need.
    And wasn't Chrome the only browser left standing the past couple years at (I believe) Pwn2Own?
     
  5. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    Enough literature has been published on what Chrome collects and sends that perhaps the only viable reason left for someone to wonder about it would be deliberate ignorance on their part by refusing to read. Don't trust Google's documentation and third-party findings? Feel free to inspect the source code yourself - it's quite well-documented - or run a packet sniffer and inspect Chrome's traffic.

    That said, I suspect the OP is wasting his time by trying to answer the question of "most secure browser". Security breaches caused by the browser vulnerabilities themselves are pretty much negligible when compared to breaches caused by user error and out-of-date software. Use a bit of common sense and update your software, and any one of them will serve you well from a security standpoint.
     
  6. Doritoes

    Doritoes Registered Member

    Joined:
    Jul 2, 2010
    Posts:
    56
    Out of the box with default settings, Google Chrome is actually vulnerable to any security vulnerabilities in its bundled Adobe Flash plugin since plugins are *not* sandboxed by default right now. You have to add the --safe-plugins flag to the Google Chrome start up path to force plugins into sandboxes.

    Running Google Chrome without the --safe-plugins flag is, IMHO, only mildly better than running Firefox from a security point of view. With it on, I rate Google Chrome as currently the best browser for the security-minded due to the sandboxing.
     
  7. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    This comparison is nonsense. By just looking through the comparison I already found two false statements: even my current Firefox 3.6.10 has already the option to re-open accidentally closed tabs, and Firefox 4 beta does provide click-jacking protection. Also of course, any feature that other browsers do have but IE9 beta not, isn't shown in the comparison. Plus, the first rule is, a comparison must always come from an unbiased party not involved.
     
  8. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I think you should focus more on how to use a browser rather than which one is the "mostest and bestest safest" one.

    Any browser has the capability to be secure if you want to stop being a noobian and take the time to find out how to use one. It is true it is not as "easy as 1 2 3" to do. Mom and pop could not just "click and go". But the internet is way way way past "click and go" anyway. It is a playground for those looking to take advantage of others. If one spends time locking the doors of their house, perhaps they should also lock the door to their computer if they have something to lose.

    I would educate your users on per site allowances to scripting and flash for starters. Change how they look at the landscape. Your philosophy of "use this browser, it is the most secure" is a flawed outlook. Any browser can be compromised. What noobians need is some education. The problem is that they don't want to and usually it isn't as "easy as 1 2 3".

    I guess the Geek Squad will stay in business though. That must mean the recession is over :argh:

    Sul.
     
  9. trinsic

    trinsic Registered Member

    Joined:
    Jul 24, 2007
    Posts:
    10
    Sorry, should have been more clear: my goal is to educate people how to secure the browser they already use with the best plug-ins and software, instead of telling them what browser is the most secure. And also what to look out for when browsing the net. I learned a long time ago that people don't like being told to have to change something that they already use.
     
    Last edited: Oct 8, 2010
  10. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    That is very true, sadly. But it really is beyond that now. The majority of the people I support are either using a LUA approach or Sandboxie. I told them if you don't learn something, you can pay someone to fix your stuff rather than me doing it for free. I am not going to fix a problem, spend 15 minutes educating them, then turn around a month or two later and repeat the process. Even those that pay me, I am done with doing that.

    The internet is not as scary as AV and Firewall companies would have you believe. But it is "dirty" enough that you cannot go out without knowing what you might be up against. Noobians may not like that, but that is how it is.

    The hard part is how to teach them. If they don't express an interest like those who come here do, your approach is limited. IMO either they want to learn or they don't. I think the tide is slowly turning, but it sure is a slow process.

    Sul.
     
  11. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Very true.
    And, they don't even want to bother to do simple things to keep them safer. I'm familiar with that.

    A safer web browser always depends, also, on the user, but also on the O.S. For example, in Windows Vista and Windows 7, both Internet Explorer and Chrome run in what is called Low Integrity Level. You may be familiar with Internet Explorer Protected Mode. That means it runs in a Low Integrity Level. Unfortunately, it is enforced by UAC, and some people dislike it.

    According to user Sully, a bug exists in Chrome which, at some point, Chrome may actually be running with a Medium Integrity Level.

    Not sure if you're familiar with Integrity Levels, but basically a Low one cannot create/modify to higher integrity level areas and objects.

    So, in case of an infection through any of these browsers, the damage would be quite contained. A Low IL object cannot write/modify pretty much anything.

    But, there are things that people can use to make their browsers safer, without changing browser.

    I always install AVG Linkscanner alongside whatever browser they make use of. It's an extra security measure. Internet Explorer 8/9 has SmartScreen which also is a great source of protection.

    There's also SpywareBlaster, which can protect them against malicious websites, ActiveX, and tracking cookies. Spybot - Search & Destroy immunizations are also a great addition. (These two, especially if they're using Windows XP.)

    If they're running Windows XP, they may run the browser with lower rights, by making use of DropMyRights.

    These are simple things that are easy to handle.

    Nowadays there are also plenty of third-party DNS services that provide extra protection like ClearCloud DNS, Norton DNS, Open DNS, Dyn DNS.

    I've actually found a simple solution. For most of the time, they browse with Internet Explorer, protected by the means mentioned above. To access Youtube, I have a special Chromium profile, only allowing access to the Youtube domain. I'll be doing the same for Facebook. It will decrease infection vectors a lot.

    The solutions are out there. It's just a matter of finding the right ones to each person. Each person is a different individual, and we cannot think of them as being all the same.

    At least, in my opinion.
     
  12. guest

    guest Guest

    It was talking about Automatic recovery of crashed tabs, not the option to reopen closed tabs.
    Clickjacking protection is not present in Firefox 4 Beta3, which was the latest Firefox beta by the time IE9 Beta 1 was released.

    The comparison is reasonable; it could be more complete, but nonetheless it is still better than most others I saw, which are even more biased in other ways.
     
  13. trinsic

    trinsic Registered Member

    Joined:
    Jul 24, 2007
    Posts:
    10
    Great points. I have been using Web of Trust as an alternative to that, wondering what people think of that as opposed to a commercial solution. I tend to like community driven projects like this. My goal is to work with what people have already without requiring them to change their OS, Browser setup unless they have a computer that is dated 5+ years and then I would recommend an upgrade. XP is still a good operating system but it just needs a few things to tighten up the security. I like Vista and 7 as well.

    I was going to suggest this and I was thinking about hostsman as well. I have had some slight problems with hostsman getting in the way of legitimate sites (by fault of their own). It seems like the Immunizations of Spybot Search and Destroy are less intrusive.

    I'm looking at SuRun as a possibility but dropmyrights looks like a great idea, I'm reading about it now. Thank you for the recommendation.

    The third-party DNS approach is a great idea, didn't even think about that. I'll look into it.
     
    Last edited: Oct 8, 2010
  14. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Lately, I've been comparing the ratings between AVG Linkscanner, PC Tools Browser Defender, Norton SafeWeb Lite and WOT. By the way, Norton Safe Web Lite and Browser Defender ratings are exactly the same, with one difference, and that is that Browser Defender will prevent access to web sites hosting exploits, while Symantec's tool (the Lite version) will only rate a link.

    WOT seems to be practically always on top of it. Quite surprising for a database-like service. Wouldn't hurt to use WOT with Linkscanner. A service like www.urlvoid.com would also give a better idea whether or not a website may be safe to visit. But, recently, I've found that www.urlvoid.com would mention that WOT, Browser Defender or Norton SafeWeb would rate with green, but going to their official sites (www.browserdefender.com and safeweb.norton.com), they would rate red. I'm not sure how accurate www.urlvoid.com ratings are.

    AVG Linkscanner works as follows https://www.wilderssecurity.com/showpost.php?p=1758646&postcount=9

    Hostsman won't block sites by itself. It only adds entries to the HOSTS file, and only from sources users pick or choose to add. Most likely, some web site could be added at a given moment because it was hosting malware, etc., and at another no longer, but HOSTS files are not updated so often. Some are, though.

    It would be a great idea, for example, to have, say, two shortcuts for each program, if it is necessary. Windows XP updates via Internet Explorer, and Internet Explorer needs Administrator rights to update the system. So, it is a great idea to have one shortcut to reduce rights, and then a normal IE shortcut to only update Windows. Same, for example, for an e-mail client program. One to reduce rights when sending and receiving e-mail, and a normal shortcut to update the e-mail client, if the client has an option to update it within itself.

    I think the same approach for media players would be welcome. But, I guess only one shortcut to reduce the rights would be OK.

    Obviously, I was talking about DropMyRights.

    I know SuRun, and I was once going to install it for a family member, and it is a great idea, because it will allow one to use a limited user account, and elevate rights when needed. Not sure if it would be something most people would be comfortable working with. I never actually tested it that much. I'm sure other people will give you their opinions, and perhaps tricks for a smoother experience with it.

    If picking, say, Norton DNS, then there would be no need either for Norton SafeWeb or Browser Defender, as Norton DNS would already block access to malicious websites.

    If the intent is to block malicious websites, then I think the best ones would be either Norton DNS or ClearCloud DNS, by Sunbelt. If a user wishes to also block content, then either Open DNS or Dyn DNS would be a great choice. I believe they also offer malware protection to some extent.
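
The HOSTS-file behaviour described in the post above, as an added example (not part of the original thread and not Hostsman's code): it parses a blocklist-style HOSTS file and shows that only exact names mapped to a sink address are blocked, so subdomains and stale entries need their own review. The sample entries, the function names and the first-mapping-wins rule are assumptions made for illustration.

```python
# Added example: how a HOSTS-file blocklist decides what is "blocked".
# Sample entries and hostnames below are constructed for illustration.
import ipaddress

SAMPLE_HOSTS = """\
# constructed sample, in the usual HOSTS file format
127.0.0.1       localhost
0.0.0.0         ads.example.test   tracker.example.test  # two names, one line
127.0.0.1       Malware.Example.TEST
192.0.2.10      intranet.example.test
not-an-ip       broken.example.test
"""

# Addresses blocklists point unwanted names at so the connection goes nowhere.
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Return {hostname: address}; assumes the first mapping for a name wins."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        address, *names = line.split()
        try:
            ipaddress.ip_address(address)        # skip malformed lines
        except ValueError:
            continue
        for name in names:
            mapping.setdefault(name.lower().rstrip("."), address)
    return mapping


def is_blocked(hostname, mapping):
    """True only if this exact name is mapped to a sink address."""
    name = hostname.lower().rstrip(".")
    if name in LOCAL_NAMES:
        return False
    return mapping.get(name) in SINK_ADDRESSES


def blocked_names(mapping):
    """All names the file sinks, e.g. to review entries that may be stale."""
    return sorted(n for n in mapping if is_blocked(n, mapping))


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for host in ("ads.example.test", "cdn.ads.example.test",
                 "malware.example.test", "intranet.example.test"):
        print(f"{host:28} blocked={is_blocked(host, hosts)}")
```

The HOSTS file has no wildcard syntax, which is why `cdn.ads.example.test` is reported as not blocked even though its parent name is.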
     
  15. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    Re-opening of closed tabs is also in the comparison: "Reopen accidentally closed tabs."
    Plus, it seems Click-jacking protection was even already introduced in 3.6.9:
    http://hackademix.net/2010/08/31/x-frame-options-finally-on-vanilla-firefox/
     
  16. trinsic

    trinsic Registered Member

    Joined:
    Jul 24, 2007
    Posts:
    10
    The more I read about dropmyrights, the more I think it's not going to work simply because it doesn't work with SSL specific sites correctly yet, but it could be an option in the future... I wonder if it would be better to run in a limited user account with surun instead. I'm going to do some testing and see how it works later on next week and see what I come up with. Part of my focus is trying to find any relatively easy way to secure someone from making mistakes from accidentally visiting a malicious site or clicking on a malicious link. Right now I'm reading Sully's work on Securing your PC and Data.
     
    Last edited: Oct 8, 2010
  17. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,215
  18. guest

    guest Guest

    Sorry, I was looking only at the security part. But as for the re-opening of closed tabs in Firefox 4 Beta 3, there was a bug with the display of the feature in Firefox 4 Beta 3. Look:

    http://support.mozilla.com/oc/questions/747906?s=tabs&as=s

    Microsoft, when testing, probably came to the conclusion that the feature was removed, as it was not accessible. This bug was fixed only in the Firefox 4 Beta versions that came after the tested Beta 3.

    As for the other point:

    - Firefox 3.6.9 was released on September, 8;
    - Firefox 4 Beta 4 was released on September, 7;
    - Firefox 4 Beta 3 was released on August, 11;
    - The Microsoft comparative was probably made sometime in the beginning of September or even in August, as IE 9 Beta 1 was announced a month before the date it was released to public testing: September, 15 "Beauty of the Web event".

    So, it's not for the "bias" that they used Firefox 4 Beta 3 in the comparative, which, like Firefox previous versions, still didn't have clickjacking protection. It's just a question of dates.

    I'm sure the comparative will be updated again when IE 9 Beta 2 comes out. Until then, it's still a good source of information regarding the browser versions tested.

    + I read somewhere that the IE9 release is contributing to make Mozilla rush its development cycle. Hope they don't release a (very) buggy final Firefox 4. We know that Opera, for example, rushed Opera 10.0 and Opera 10.0 proved to be a very buggy release.
     
  19. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Do you have a source for that?

    thanks,

    rich
     
  20. guest

    guest Guest

    I don't have any official source. What I have is evidence shared by pretty much any long time Opera beta tester, evidence that you can see by doing a good research on the Opera Desktop Team blog.

    The 10.0 Opera release reached the final stage earlier than most of us expected (and wanted), all because of the marketing strategy behind making Opera 10.0 the first final version of a desktop browser to get 100/100 and pixel-perfect on the Acid3 test.
     
  21. trinsic

    trinsic Registered Member

    Joined:
    Jul 24, 2007
    Posts:
    10
    Looking at this new immunizer system called blade, they have a youtube video up describing how it works but no download as of yet.
    http://www.blade-defender.org/
     
  22. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,028
    Location:
    Lloegyr
    I'm no expert, but out of the box I would go for SRWare Iron as the safest browser.

    Secunia
     
  23. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  24. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,115
  25. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Just because Secunia hasn't documented all the exploits in Iron doesn't mean they don't exist. Anything Chrome has it has.
     