New Research Says Chrome Browser "Most Secured" Against Attacks

Discussion in 'other security issues & news' started by lotuseclat79, Dec 9, 2011.

Thread Status:
Not open for further replies.
  1. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
  2. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    Looks like a "must read".

    The research has been commented on here and this quote is for those (Secunia fans?) who believe that the more the bugs/loopholes on record, the worse the software:
    The study was commissioned by Google, FWIW.
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I think oages 18 and 19 have some really interesting information.

    Also odd that they found so little difference between the blacklists.
     
  4. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    Yikes! You've already digested pages 1 through 17 ?
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Not really, skimmed through the first 20 pages. No time to read it atm.
    EDIT: Their results for the URL blacklisting are... interesting. Chrome and IE block virtually the same amount and neither block a very significant amount (10% per analysis about.) There are stipulations to the test, neither has access to their file blacklist for example. This may be where IE pulls ahead since application reputation may be a lot harder to fake whereas domain reputation has long been easily circumvented. Or perhaps the test is absolute BS.

     
    Last edited: Dec 10, 2011
  6. woomera

    woomera Registered Member

    Joined:
    May 21, 2004
    Posts:
    212
    Browser security ranking, firefox third and chrome first

    PCMag

    Sigh, i think i have to switch to chrome at some point then. firefox just cant seem able to keep up these days.i just wish opera had better addon support.
     
  7. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
  8. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    Re: Google funded report says Chrome is most secure browser; Firefox least secure

    Source of funding already mentioned here.
     
  9. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    103,254
    Location:
    U.S.A.
    Re: Google funded report says Chrome is most secure browser; Firefox least secure

     
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Re: Google funded report says Chrome is most secure browser; Firefox least secure

    The way I see it you should look at the points made as fact - they're simply true, Firefox doesn't have X feature Chrome has X feature etc. Those are undeniable.

    Whether you consider X important or not is what's different. The conclusions based on the facts will vary user to user.

    Of course, as is pointed out in the article NSS Labs used to take money from Microsoft.

    This was heavily covered in the Accuvant study and I really disagree here.

    I also have to disagree here, they used public malware domains.

    I found the Accuvant paper to be a very interesting read with in-depth explanations. One of the better papers I've read and it has nothing to do with whichever browser one - I would have been happy to see IE beat Chrome and I was surprised at the results.

    Accuvant not only provided data but an excellent explanation of the methodology behind each and every test. Their explanations on why patch response is no longer a great way to view security and other typical methods was great. Their results and conclusions on URL blacklisting was also very interesting.

     
  11. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    Re: Google funded report says Chrome is most secure browser; Firefox least secure

    I'm not buying this, the whole thing is FUD by Google. You'd have to be a complete wazzock not to believe that it isn't.

    From FavBrowser ~ After such claims, Mozilla has decided to respond with the following statement:

    “Firefox includes a broad array of technologies to eliminate or reduce security threats, from platform level features like address space randomization to internal systems like our layout frame poisoning system. Sandboxing is a useful addition to that toolbox that we are investigating, but no technology is a silver bullet. We invest in security throughout the development process with internal and external code reviews, constant testing and analysis of running code, and rapid response to security issues when they emerge. We’re proud of our reputation on security, and it remains a central priority for Firefox.”

    So here you have it folks. Despite continuous IE bashing in various communities, it still managed to beat Firefox in a non-biased study.

    What do you think? ~ FavBrowser

    What do I think? I think that this is a load of Google FUD. To deny that it is just FUD is seriously living in denial (mega-denial syndrome?), or maybe a parallel universe of denial. ;)
     
  12. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    Interesting report (to a certain extend), I can agree on the questions put forward regarding the number and severity of vulnerabilities/patches.
    The fact that Chrome is (ootb) called 'the most secured' by Ryan Smith, chief scientist of the Accuvant testing group is something most folks can agree with I guess, the sandboxing of processes within Chrome is still unmatched. That's where Chrome wins.
    The data on URL blacklisting is a bit odd though when Chrome makes an incredible jump during the testing period where Firefox suddenly falls flat as pointed out by Phatak and Moy of NSS Labs.

    The most funny aspect of the report though, is about extensions for the browsers.
    "Firefox has a few (sic!) ways to customize or extend the functionality of the browser."
    ..."Firefox extensions are able to run arbitrary JavaScript code, but do not include native code.
    From a security perspective, in the worst case, it is like enabling a cross-site scripting vulnerability on every page you visit. That is, the attacker could change arbitrary HTML, read cookies, see form data, etc."

    Which is followed, of course, by a pic of Noscript. Danger, danger Will Robinson!

    A whole report on which browser offers most secure browsing and then combining a worst case scenario with the most lauded browser security extension ever. An extension that offers protection unmatched by any other browser. That's where I start smelling something rotten.
    Peculiar combination of useful info and hard boiled propaganda, this report.
    Google should be proud of the way Chrome works and try to outcode FF and the whole FF ecosystem.
    They shouldn't try to out BS the competition.
     
    Last edited: Dec 14, 2011
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Re: Google funded report says Chrome is most secure browser; Firefox least secure

    Did you read it? It's very simple yes or no type things.

    Does Firefox support X? Does IE support X? Does Chrome support X?

    In most of those cases, Chrome and IE support it and Firefox does not. What conclusions you draw from that are your own but there is absolutely no denying when a program does or does not support something. It's fact. You can't simply say "Oh Firefox supports JIT Hardening measures - Google is lying!" when it doesn't.

    Capture.PNG

    These are facts.

    It's a shame you can't just read the article and take it for what it is. Whether the conclusions are bias or not doesn't detract from the information within it. Outside of the smartscreen tests there can be no bias or filter, the program either blocks or allows something; either passes or fails.

    The consensus on /r/netsec is that it's entirely legitimate and they don't believe it's FUD. Not that they're somehow super credible but I think it's worth noting that there are people out there (lots of researchers on /netsec, I know a few though I rarely post) who are taking this test seriously.
     
  14. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Re: Google funded report says Chrome is most secure browser; Firefox least secure

    I agree! I think that this may be due to the built in phishing heuristics that Chrome has implemented though I'm not sure. There is clearly something outside of the safebrowsing API at work or Google is intentionally holding back from Mozilla.

    I had a bit of a laugh at that as well.

    It would have been really interesting if they'd extended the scope of their paper to include specific extensions but I think that would get far too complex.
     
  15. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    Re: Google funded report says Chrome is most secure browser; Firefox least secure

    I probably wouldn't understand much of it as I'm not a software engineer. Although I have talked to some Mozilla fans, who are far more knowledgeable than me, who are not particularly impressed with the report & its bias. To simplify what they told me, this isn't much more than sophistry about running an infected plug-in & stating "we have a sandbox & Firefox doesn't".

    If you can't see the disingenuousness & the real motivations behind this report, I can't explain it to you. I really can't.

    Maybe in a parallel universe. It kinda reminds me about your interpretation of statistics. Nearly ten years ago I remember reading a statistic that if you take into account the number of Elvis impersonators that are increasing globally every year, you could extrapolate that by about 2010, nearly half of the world's population will actually be Elvis impersonators. I'd like to point out that no one in the street in the small village that I live in, as far as I know, actually are Elvis impersonators.

    If you can't see this report for what it really is, I think that you have a warped sense of perspective.

    After all, it's just business to Google. Of course they are going to try & rubbish the opposition. What better way than a sophistical disingenuous report on security & cyber-safety? Of course it's bloody FUD!

    You're obviously a clever chap with computers Hungry, but you need to stand back & see the bigger picture. This really just is business to Google. It's not personal.

    In fact, it's quite clever in a devious kind of way.
     
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Re: Google funded report says Chrome is most secure browser; Firefox least secure

    It is quite a lot more than that. They go in depth into what specifically one can do within the plugin and browser sandboxes and what each of those things means. There is a really really large area for each specific sandbox explaining the specifics. Definitely a lot more than "We have one, they don't."

    You should try giving it a skim through, they do a good job of explaining things.

    I can see possible motivations, Chrome is competing with Firefox and Google could absolutely have timed this report to coincide with some bad press.

    I wouldn't put it past them, not at all.

    But that doesn't detract from the research done. There are blatant facts in there.

    Absolutely, and I think that the motivations and conclusions need to be questioned or even outright thrown away. Taking someone else's conclusions for fact is silly.

    But you can look at the facts in it and the research and draw your own conclusions. Even if you skim through the pdf you can see that the research is sound.

    The conclusions are bias but the actual content is a great read.

    I think that taking this article at its word is silly. There is more to security than a sandbox and mitigation techniques such as ASLR but if you read the article it provides some great info. For example, I did not know that Chrome first randomizes information itself before further randomizing it using the OS randomization techniques. Whether that is significant or not is up to the user to decide but it's still a fact and it's one of many snippets of information that the article brings to light.

    They also, and in my opinion quite fairly, point out that while IE does not further randomize they make great use of Guard Pages (a really cool technique IMO), which are very effective at preventing BO attacks and therefor IE does not need that further randomization - 64bit IE is beyond the scope of this article but it would also take advantage of significantly more random addresses.

    This is just one point that the article brings up. Whether its motivations and conclusions are disingenuous is absolutely up for debate and I would not put it past any company to plan something like this. But the pdf itself provides wayyyy too much information to be dismissed.
     
  17. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Re: Google funded report says Chrome is most secure browser; Firefox least secure

    I do think you should give it a read btw. Even if you don't know what ASLR is or DEP is they preface each portion with an explanation as to how these things work and what their significance is. It's for that reason that I think this report has real merit whether you take its conclusions seriously or not.
     
  18. guest

    guest Guest

    Re: Google funded report says Chrome is most secure browser; Firefox least secure

    LOL @malware domains.

    They should have tested the filters against malware samples as well.

    Anyways, the study is overall good. It could, however, be more complete and take into account more aspects. In short, the methodology could be better.
     
  19. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    Re: Google funded report says Chrome is most secure browser; Firefox least secure

    I'm sure there is more LOL. Unfortunately, for me, it starts to read like white noise sounds after a bit. I'm an arts graduate ... after all.

    Ermm ... I may give it another skim, but I was planning on reading some Dostoyevsky later. I think that the Russian bloke's going to win on this one. ;)

    I'm sure the facts are all quite blatant. The motivation is still FUD though.


    I'm sure it's all great stuff, & probably quite useful & important. It doesn't matter how true any of it is either, it doesn't rule it out as a FUD exercise on behalf of Google. Google aren't stupid, if they are going to do a hatchet job they are going to make a good convincing job of it. That's what fear, uncertainty & doubt scenarios are. If they weren't plausible they wouldn't be effective.

    At the end of the day, with my limited knowledge of computing, I ask myself "how does this affect me running SeaMonkey with NoScript, ABP, WOT & RequestPolicy as security features?"

    My conclusion is; not a lot. :cool:
     
    Last edited: Dec 14, 2011
  20. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    Re: Google funded report says Chrome is most secure browser; Firefox least secure

    I'm going to view the dust bunnies under my bed in a whole new light. Maybe they're agents of Google?
     
  21. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    Re: Google funded report says Chrome is most secure browser; Firefox least secure

    You should just be glad you have dust bunnies.
     
  22. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    I'm one of the very few people who don't use and don't like the "most lauded browser security extension". Another bunch of people who don't like it can be found over at the most popular Firefox browser extension's forum.
     
    Last edited: Dec 14, 2011
  23. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    Propaganda! That's the word I was looking for. ;)
     
  24. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    IMO, IE should be left out of comparisons of browsers since it's virtually a part of the Windows OS.

    Also, barebones, ootb, Chrome is more secure than Firefox. Saying that "Sandboxing is a useful addition to that toolbox that we are investigating, but no technology is a silver bullet" comes across poorly.

    Despite all that, I take my chances, keeping Fx (without the most lauded security extension = silver bullet(?)) as primary and Chrome as secondary.
     
  25. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    That's a moot point, but I think that it is a useful 'control' sample, as scientists would put it. Although that's probably a poor analogy.

    I don't think that anyone is actually disputing that though.

    It sounds better than "we gave up on electrolysis recently" & are concentrating on other things.

    Hmmm ... what about RequestPolicy?
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.