Security: Firefox vs Chrome

Discussion in 'other software & services' started by falseflow, Oct 3, 2012.

Thread Status:
Not open for further replies.
  1. falseflow

    falseflow Registered Member

    Joined:
    Oct 3, 2012
    Posts:
    6
    Location:
    Washington State, USA
    When compared, does Chrome have more security measures in place to make it more secure than Firefox? My primary concern is JS; I use NoScript for Firefox and scriptno for Chrome. The reason for my post is that the scriptno dev has ceased development of the plugin and I do not have the sense of security I've enjoyed through that plugin. I know that NoScript is updated much more frequently; however, I do love the sandboxing that comes from Chrome.

    So which is more secure?
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I would not rely on ScriptNo. I can write more comparing the two browsers' security later.
     
  3. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    One cannot make a blanket statement that one is more secure than the other. It all depends on how the individual user implements it. Using Sandboxie, Firefox can be sandboxed just as Chrome can be. Using about:config tweaks, and the right add-ons, you can make FF a near fortress along with Sandboxie. But if you don't implement these measures, I'd say "out of the box" Chrome is more secure, specifically on Win7.

    The answer depends on so many different scenarios. But with granular control of JS being such a big criterion for you, I don't think there's a better option than FF w/NoScript.
     
  4. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,985
    Location:
    Canada
    Same here. I can't help but wonder which offers best security: Chrome at default with its renderer processes sandboxed or Firefox with the addition of the thus far inimitable NoScript plugin? Firefox also wins with Adblock+ as far as plugins go. Chrome is still at beta with the + version of AdBlock.

    I tend to lean toward this opinion as well.
     
  5. falseflow

    falseflow Registered Member

    Joined:
    Oct 3, 2012
    Posts:
    6
    Location:
    Washington State, USA
    Thanks for the reply. My current setup is Win7/x64 and I've used Sandboxie before, but from what I understand it does not work as well as the x86 variant of the software. If there are a few tips on how I can make FF solid through Sandboxie, that would be appreciated.

    Thanks, Yu
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Security when it comes to browsers is really complicated. It's not just about system compromise, it's also about XSS, CSRF, etc. There are a lot of factors and a lot of different ways to protect here.

    In terms of protecting against actual system compromise via exploitation I think Chrome is a clear winner. The sandbox prevents remote and local exploitation as well as mitigating the damage of a remote exploit.

    In terms of protecting against XSS both are pretty equal but NoScript pretty much stops everything - bypassing NoScript's XSS is not easy and I've only seen a paper on it once and it requires a very specific type of XSS.

    NoScript also provides a fine grained tool for allowing access to webpages unlike anything on Chrome. You can whitelist Javascript on Chrome but first and third party javascript is allowed on the entire whitelisted page.

    It depends on what you prioritize and consider a serious threat.

    I do not think Sandboxie provides the same level of security as Chrome's sandbox - Chrome sandboxes the renderer, tabs, etc and isolates them from each other well. Without changing the Firefox architecture you can't do this, Sandboxie or not. Chrome also uses stuff built into the kernel - likely heavily vetted code.
     
  7. falseflow

    falseflow Registered Member

    Joined:
    Oct 3, 2012
    Posts:
    6
    Location:
    Washington State, USA
    This was exactly my assumption; the irritating part is that scriptno does not give me the same sense of security as NoScript does. Since I only go to a limited number of sites (I'd say five to ten unique domains) I will keep using Chrome as my browser for those sites. And since scriptno is no longer being actively developed I will count more on the sandboxing feature of Chrome and the "limited" protection through scriptno and use Firefox with NoScript for my school websites.

    Thank you for your five cents Hungry Man, your post has helped me clear a few things that were brewing in my head.

    Thanks
    -Flow


    Update 1: Hungry Man, do you recommend Javascript whitelist by TLD?
     
  8. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    Agreed. And this is why if/when I switch to Win7, as much as I love Firefox, I have to give Chrome a good look.
     
  9. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,985
    Location:
    Canada
    Disregarding plugins for bolstered security, the mention of SandBoxie to augment Firefox means adding a 3rd party security application to bring it up to par with Chrome's built-in sandboxed renderers. The problem here is two applications are required to achieve the job that one on its own can already do. I'd prefer the one that can do it on its own. I'm convinced Chrome with a NoScript equivalent would be the clear winner. Too bad ScriptNo seems to have been neglected by its developer.
     
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I do. Most malicious websites are hosted by .ru or .cn or directly linked by IP. You can avoid problems by whitelisting to just TLDs you commonly go to.

    Same goes for plugins - set it to Click To Play.

    As I said, protecting against system compromise is Chrome's area. Separating everything into its own sandbox means that one compromised renderer process can't affect any other processes. It's very secure and that's why I use Chrome.

    But in terms of protecting against something like XSS Chrome falls short of NoScript - though I don't think the differences are all too significant, especially considering how often NoScript's XSS filter can get set off when there is no attack present.
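
An added example, not part of the original thread and not code from Chrome, NoScript or ScriptNo: a sketch of the TLD-based JavaScript whitelist discussed above, which also denies hosts given as raw IP addresses, and of the difference between a page-level whitelist and a per-script one. The allowlist contents, function names and sample URLs are assumptions constructed for illustration.

```javascript
// Added example, not code from any browser or extension discussed in the thread.
// ALLOWED_TLDS is a constructed sample allowlist.
const ALLOWED_TLDS = new Set(["com", "org", "edu"]);

// TLD of a parsed hostname, or null for IP literals and single-label hosts.
function tldOf(hostname) {
  if (hostname.startsWith("[")) return null;               // IPv6 literal
  if (/^\d+(\.\d+){3}$/.test(hostname)) return null;       // IPv4 literal
  const labels = hostname.replace(/\.$/, "").split(".");   // drop root dot
  return labels.length > 1 ? labels[labels.length - 1] : null;
}

// True only for http(s) URLs whose host ends in an allowlisted TLD.
// The WHATWG URL parser lowercases the host and rewrites integer or hex
// IPv4 forms (http://3405803781/) to dotted decimal, so they are caught too.
function hostAllowed(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return false; // unparsable input is denied
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  const tld = tldOf(url.hostname);
  return tld !== null && ALLOWED_TLDS.has(tld);
}

// Two simplified granularities (models for comparison, not real browser logic):
//   "page":   one decision on the page's host, inherited by every script on it
//   "script": each script is judged on its own host
function decide(pageUrl, scriptUrls, model) {
  const pageOk = hostAllowed(pageUrl);
  return scriptUrls.map((src) => ({
    src,
    run: model === "page" ? pageOk : hostAllowed(src),
  }));
}

// Constructed sample page that pulls one first-party and two third-party scripts.
const page = "https://news.example.org/story";
const scripts = [
  "https://news.example.org/app.js",
  "https://cdn.example.ru/widget.js",
  "http://198.51.100.7/t.js",
];
console.log(decide(page, scripts, "page"));   // all three run
console.log(decide(page, scripts, "script")); // only the first runs
```

Under the page-level model the whitelisted page carries its third-party scripts with it; under the per-script model the same TLD list filters each script source separately.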
     
  11. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,428
    I agree with HungryMan, Chrome is miles ahead of Firefox in security. Besides NoScript Firefox doesn't shape up security wise.
     
  12. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,388
    Location:
    Lancashire
    how would isolating each tab from another tab provide more security than a sandboxed browser isolated from the entire operating system?

    one more thing, are you saying a default chrome is generally more secure than a firefox running in sandboxie?
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    If all tabs shared one process/sandbox and one tab became compromised, every tab with all information would be compromised.

    I have www.evil.com and www.bank.com open in two tabs.

    On Chrome evil.com is isolated from bank.com. A compromise of the evil.com tab won't lead to a compromise of the information I've put into bank.com.

    On Firefox a compromise of evil.com is a compromise of the entire browser. My bank.com is compromised as well.

    Yes. Even if I considered Sandboxie to be on the same level as MIAC you only get a 'whole browser' sandbox. Not trying to knock sandboxie, it certainly can prevent a system from being compromised. It's more of a Firefox architecture problem.
     
  14. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,388
    Location:
    Lancashire
    thanks for clarifying, i see what you are saying now. you mean the above with regards to the compromisability and protection of the browser itself and not the computer via the browser in which case i agree with you and the main reason i don't use sandboxie.

    however sandboxie on firefox is much more secure than a default chrome install with regards to protection of the computer itself (browser as the infection vector) as there are many links where the chrome sandbox has been bypassed and virtually none for sandboxie.

    so to clarify;
    chrome is better than a sandboxie firefox when it comes to preventing (or lessening) private user data reaching the bad guys.
    a sandboxie firefox is better than a naked chrome when it comes to preventing an infection on the computer eg, exploits which run exe's on the users real system

    am i right in the above conclusion?
     
  15. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I would disagree with that conclusion. While there have been bypasses of the Chrome sandbox, that doesn't make the sandbox insecure.

    Programs like Chrome and Sandboxie are complex. Chrome's sandbox has millions of lines of code and it pulls in even more code through libraries. Combined with its constant change it is very fair to say that there will always be an inextinguishable number of vulnerabilities for Chrome.

    The same applies to Sandboxie.

    I'm not too sure how much I want to go into a Chrome vs Sandboxie type thing - whereas I'm fine with a Chrome v Firefox it's more due to a lack of features, when it comes to Sandboxie I don't want to sound as if I'm attacking a project that I actually think is great. What I'll say is that I think Chrome's sandbox is more secure for these reasons:

    The Chrome devs have worked specifically to get the sandbox working with their program - it's built for it.

    The sandbox is built on the capabilities of the Windows Kernel. That's highly security vetted code and vulnerabilities in the kernel are generally patched very quickly because of how critical they are. There is likely a team set by Microsoft purely with the task of keeping the code secure. That isn't to say that vulnerabilities aren't there, just that people are looking for them and patch turnover is quick.

    Being built into the kernel is generally better when it comes to security features - a lower level makes things harder to bypass.
     
  16. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,388
    Location:
    Lancashire
    always nice to see a different point of view HM :thumb:
     
  17. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Apples and oranges here gentlemen.

    Sandboxie uses a driver to control things. Its basic nature is to allow applications access anywhere, but keep modifications out of the real system. Secondary is the ability to restrict access of sandboxed processes.

    Running a browser in a sandbox does not keep the system from accessing the sandbox, and does not keep the sandbox from accessing the system. It only keeps the sandboxed processes from modifying the system.

    With some tweaking, the sandbox can be configured to restrict access of sandboxed processes from areas of the real system. When a lot of this is done, then Sandboxie can start to achieve a better level of security. But the real security of Sandboxie is that it protects the system from change, not the processes that are sandboxed from exploit.

    Chrome is a different beast. It utilizes two primary mechanisms - separation of internal processes (tabs) so that as HungryMan shows, one process does not exploit another, and it uses rights. Whether Chrome is the browser for any person is their choice, but it is a browser that limits itself on what it is able to do to both the system and itself. That is what sets it different from the rest IMO.

    Going further on the apples to oranges, any browser can be fortified against many threats. If we take JS as an example, it is possible to use browser settings to help, by creating a white/black list effect of who is allowed to run JS. It is hard to compare what is best when any and all are capable, but user preference is the swing vote. NoScript and company influence the swing vote, but don't define the election.

    I think choosing the right security comes down to the individual. Some things are universal - limited rights being an example. Others are case by case. If you only browse the web for news and watch YouTube, does XSS really scare you? Will you choose one browser over the other for security if you use the web like this?

    Only you can say. Understanding what you do, and what threats you are open to is not an easy task, but can greatly influence just how "hog wild" you want to go with security in general.

    Sul.
     
  18. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    3,872
    Wouldn't the use of sandboxie eliminate this A vs B discussion?
    If I run chrome and firefox within sandboxie then what's the difference?
    They are both isolated from the system and its contents removed upon closing. :blink:

    I think this should be turned into a web browsing poll rather than saying chrome is better than firefox etc.
    Why just those 2 browsers? Add internet explorer into the mix also.
    It's a debate that can go on for evermore and no real conclusion can come out of it.

    I've used firefox for years and never had any problems with it.
    I think computer users in general are just letting their own insecurity and paranoia ruin the whole computing experience.
    Best Wishes. :thumb:
     
  19. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Besides what Hungry Man mentioned, there are two key differences:

    * Users don't have to understand Chrome's sandbox, and also don't have to do a thing for it to be enabled. Sandboxie is a different kind of sandbox - the user must define him/herself what he/she wants to have sandboxed.

    * Chrome's sandbox will never be incompatible with Chrome. Sandboxie has a pretty good chance to have compatibility issues with web browsers and other programs. Just check Sandboxie's forum and you'll see plenty of them over the course. It's just how things are.

    Compatibility issues are what made me stop using Sandboxie to sandbox some programs; now, I just use it to install/run software I want to briefly test. I got tired of having to deal with issues - I simply want to enjoy my system. In a perfect world, Sandboxie wouldn't have these compatibility issues... but, that won't happen (like it won't happen with any other application).
     
  20. falseflow

    falseflow Registered Member

    Joined:
    Oct 3, 2012
    Posts:
    6
    Location:
    Washington State, USA
    Thank you! :D
     
  21. falseflow

    falseflow Registered Member

    Joined:
    Oct 3, 2012
    Posts:
    6
    Location:
    Washington State, USA
    Hi Beethoven1770,

    Thank you for the reply. I wasn't trying to start any needless debate over which browser is better. IMHO both browsers are great in their own way and I use both of them constantly (though I am using Chrome more often than FF). It was more of a burning question that I have wanted to ask to the ever knowledgeable wilderssecurity forums.

    Thanks for all the replies you guys, I love this forum!
    -Flow
     
  22. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    You should never worry about asking a question. There are plenty of users happy to answer any of them.

    Glad you got something out of the topic.
     
  23. Aventador

    Aventador Registered Member

    Joined:
    Sep 9, 2012
    Posts:
    420
    Well said Hungry Man. Hats off to ya. I always recommend Chrome to all my clients and customers. I have my entire family using it. But where the problem lies is getting people to change from IE. Most people only know IE.
     
  24. arsenaloyal

    arsenaloyal Registered Member

    Joined:
    Nov 1, 2009
    Posts:
    507
    I would have to actually agree with you here, i use sandboxie which removes the possibility of browser being an infection vector.
     
  25. Aventador

    Aventador Registered Member

    Joined:
    Sep 9, 2012
    Posts:
    420
    Has anyone ever noticed how well Chrome blocks malware? Either by blocking the page or download warnings. Heck, when I tried AVG Free 2013 I found Chrome blocking and detecting more malware than AVG. :eek:
     