Which is the Most Secure Web Browser?

Obviously, I have misunderstood you.
Please, do correct me by responding on that other thread where I asked you this, however when you said null SID is more severe I understood it as more restrictive than SBIE's anonymous user/untrusted integrity level.

 

I was asked, "So, what advantage do you get from adding in Sandboxie?"

Sandboxie takes care of those "user problems," that's an advantage of sandboxing Chrome. Some here paint Sandboxie as weak when the reality is that is the opposite. Same with Firefox, some here want us all to use Chrome. Last week, I even read some guy tell us that we have to like tab on top. I dont have to like tabs on top.

This same guys keep spreading the word that Chrome is the only safe browser around. Almighty Chrome. But in reality (as you said), "no browser is secure without other preventative measures in place". Thats where Sandboxie comes in. Plugin exploits? They might affectt Chrome users but not Chrome users who run their browser sandboxed, etc. Rmus, I am finish with this thread.

Bo

 

I admit there will be non consensus about def of the most secure. I personally prefer distinguish privacy from security, though there is no clear boundary btwn 2. It makes the discussion simpler, though as noone_particular suggested privacy is more hard to achieve. But I don't disagree taking other elements into account, such as addons or SBIE as long as those discussion keep along with the main title. Actually if Noscript or alternatives were not available in Fx, it could be reason to use other browser. Those addon/extension environment are nearly unique to each browser. Also compatibility with security products can be matter, just like Mayahana stated about Norton. Splitting those factor will make the discussion simpler, but at the same time also make it a bit meaningless as most people here won't use bareborn browser with no addon in an environment which has no other security software.

IMO what important is, make clear definition about what you think is the security, and state your thought. It can be referenced even people who don't share the def, while minimizes the risk of confusion and unneeded debate. Nobody should deny others def or view.

For me, security includes robustness in exploit, malware and scam protection, TLS implementation, web attack mitigation.
Chrome has the best RCE protection (thanks to its sandbox as well as strong JIT hardening) and good malware & phishing protection. When it comes to TLS, its controversial. While HSTS with cert pinning or those advanced attempts are interesting, I still believe removal of OCSP request is not good...their alternative seemed to have logical flaw at least in that time...but in some other aspects Google have been keeping a leader or pioneer, though not all improvements are about security (they focus more on performance). Chrome's XSS filter is said to be more accurate than others. And for me, the best is uMatrix.

But when it comes to configurability, Chrome is far behind the firefox, this renders Chrome behind Firefox in privacy aspect for me, even after as much configuration tweaked as well as privacy extensions, this is why I switch to SBIEd Firefox when privacy matters.

 

Sorry, but you have to explain what are short words like JIT, TLS and RCE, OCSP, HSTS?

 

Just google a bit.

 

I'm also sure that you fully agree with Safeguy's posts about Google Chrome and its sandbox as well.

 

Anyone concerned with security & privacy would most likely not run a bare-bones
browser and choose to remedy that by changing the default settings and installing additional
third-party software depending on which browser is used.

The OP linked article says how to secure your browser by updating the browser, but also
includes using anti-virus & anti-spyware. Also incorporating one or more of the browser add-ons listed.
This would be considered third-party software and add-ons you would need to install.
If were talking just about the browsers themselves and nothing else then what does this have
to do with the most secure browser?

My point being were not just talking about what is the most secure stand-alone browser.
If the intent of OP was to exclusively compare the most secure out-of-the-box browser
then any additional software/add-ons would IMO need to be excluded.

 

After rechecking the article I came to conclusion that Chrome could be considered as the most secure. It has fastest update release time and low percentage of unpatched users.
It did have a lot of disclosed vulnerabilities but AFAIK they were not used in the wild. We also can't tell how many vulnerabilities were patched in IE since it's not open source and Microsoft doesn't have to release all info.
When it comes to privacy - most things described in article can be achieved in Chrome by configuring settings and modifying some flags.
Adding to all this other security mechanisms it is IMHO most secure browser at the moment.

 

The safest browser is Opera 12. Because of it's market share of 4%, it's the least attacked browser. You can make it even more secure with ScriptKeeper, to block third party scripts. And as everyone already knows, for sandboxing you could use Sandboxie. No need for crappy Chrome.

 

Hello Yuki,

Years ago I experimented by running a Laptop for a few months with no security other than a Firewall (this was a real firewall in the original sense in those days, not one as part of a suite as we see today). The Browser was Opera, and I had Scripts and Plug-ins whitelisted. All I did with that computer was surf the internet. I ran a scanner each night, and never found anything amiss.

The reason I felt confident was that I had investigated the in-the-wild browser exploits, so-called, and discovered that they were not really exploits against the browser, rather, against plug-ins (PDF, JAVA, Flash). So, these are exploits that come through the browser, *if* they are granted permission *by the user.*

Here are a couple of examples I tested with my desktop computer at that time. The URLs were taken from Malware Domain Lists, and from sans.isc Diaries.

1) PDF

A typical attack was started by javascript



With Javascript disabled in Firefox, nothing happens when navigating to a booby-trapped site:



I enabled Javascript and unchecked the option to load PDF files into the browser window. When the exploit code ran, Firefox popped up an alert:



An "alert" user will realize that something is amiss, since she/he isn't looking for a PDF file on the web.

I re-visited the site with Plug-ins enabled, the PDF file opened in the background and my Firewall gave an alert:



Here is evidence that the exploit makes use of Adobe Acrobat to download the malware, as the Firewall reports the Acrobat Reader attempting to connect out. So, the attack exploits the Plug-in code, and not the Browser code. It is not the Browser's fault that the PDF file is permitted to run.

Note that no extra security programs protected me. Just proper configuration of the browser, and my firewall. In my view, the PDF exploits were some of the most sensationalized, unnecessarily successful, exploits ever to come along.

2) JAVA

With Java, most of the time some script is involved as with the PDF. Letting the code run, the firewall alert shows that the Java executable, not Firefox is attempting to connect to the internet:



Again, the exploit is easily prevented without any extra security programs.

The fact that there are people who do not configure their browser, or have a firewall to monitor outbound connections to prevent these attacks is irrelevant: the preventative measures are available.

Of course, I do not suggest that people not have additional security. There are other things to protect against.

I just want to point out that a distinction should be made between attacks against the browser itself, and those against some add-on feature. Both Browsers and Plug-in vendors have their own lists of vulnerabilities.

Regards,


----
rich

 

Nice post, Rich. Keeping unneeded plugins off the computer is something that I do. I have flash in XP and no plugins in W7. Doing that and using NoScript keeps me from seeing any prompts like the ones in your post.

Bo

 

That reminds me of programs opening browsers outside of SBIE, all the holes I had to make for convenience/compatibility, etc. Overall, I don't see the point of all that trouble for a virtually non-existent threat.

As for user problems, I don't see how double-sandboxing helps. Just teach them how to sandbox suspicious downloads (or all of them if they're naive), not use insecure plugins, and I'd bet there won't be a difference.

I'm still positive that using something like SBIE on something like Chrome only helps in cases of control, privacy, testing, and total lockdown. All valid reasons, but not applicable to myself.

 

Accuvant report (comprehensive, but over 3 years old):
https://www.wilderssecurity.com/thr...-browser-most-secured-against-attacks.313875/

NSS Labs reports:
https://www.nsslabs.com/reports/categories/test-reports/browser-security

Bromium Labs exploitation trends report:
https://www.wilderssecurity.com/threads/h1-2014-endpoint-exploitation-trends.366405/

Browserscope security tests:
http://browserscope2.org/?category=security&

Warning: Your Browser Extensions Are Spying On You (article)
Many Chrome browser extensions do sneaky things

 

Support by various browsers for various HTTP security headers
Support by various browsers for HTTP Strict Transport Security (HSTS)
Support by various browsers for Perfect Forward Secrecy

 

Rich, you keep reminding me of how many "outbound firewalls are useless" posts I've seen in these forums

BTW, I feel Chromium is the most secure browser.

 

Hi MrBrian,

Thanks for these! I've seen some NSSLabs stuff in past years; their testing seems to be thorough.

Here is what stood out to me in one of their papers:

Browser Security Comparative Analysis
Socially Engineered Malware Blocking [SEM]
https://www.nsslabs.com/sites/default/files/public-report/files/Browser Security Comparative Analysis - Socially Engineered Malware.pdf

For all of the concern for the remote code execution exploits (booby-trapped web sites, etc), the social engineering trickery is still the most dangerous, IMO.

I have this from a Prevx blog six years ago:

The goal of anti-malware products
http://www.prevx.com/blog/109/The-goal-of-antimalware-products.html
December 16th, 2008
Posted by: Marco Giuliani

The recent fileless malware exploit discussed last month used as its principal attack vector a booby-trapped Microsoft Document in an email attachment -- a social engineering trick.

The "reputation" technologies (give the OK to a file based on its presumed established reputation) discussed in the NSSLabs papers sound impressive. It is a rather convincing attempt to let the browser make the decision whether or not you download a file. But I'm not sure I would be completely comfortable with it as my primary means of checking.

Would it have prevented the fileless attack above?

Could a reputation be established for every MS Document created by businesses? Documents created and sent immediately to another company could not have a reputation established in so short a time.

The old tried and true methods of "establishing a reputation" are still rather effective:

• asking yourself, Am I really expecting this document?

• checking the source of email attachments before opening (Did you just send me...?)

Things to consider...

regards,

-rich

 

+1

I can not support your opinion about it anymore as Opera 12 was abandoned. It might not be attacked for RCE, but abandoned means it will never keep up with latest trends, that includes new attack vector introduced/will be introduced by HTML5, new web attack mitigation (I mean e.g. XSS, CSRF, clickjacking, HTTP header injection, etc.), latest improvements in TLS, and even mitigation against RCE which may block even plugin exploit that can be independent from browser.
Most addon devs were moved to Chromium extension development, so their addons are also abandoned, this can mean some addon would have security (or other) problems left.

 

Thanks for valuable experiment and your insightful input. I agree to your opinion about sensationalized, I'm somewhat tired of hearing exaggeration or overemphasis of those threats from security vendor. Nearly all exploit we come across ITW will be blocked by patching. Most of the rest of threats will be blocked by good practice. The problem is that most people don't follow those 2, but not that they don't use HIPS or anti-exploit or best security suite or so.

I didn't imply distinction shouldn't be made. That distinction can co-exist in my point of view, however, what I want to say is only talking about bare-born browser w/out addon in context that ignore other software will just make discussion rather meaningless for most people. Someone might say strawberry is the best for your health among other fruits as it contains more vitamin C than orange ,apple, or banana, but it can only be true to those who don't take much vitamin C and what if you have allergy to strawberry? And in some counrty, strawberry might not be available in cheap price. So actual contribution to health shouldn't be determined by solely on high content of vitamin C, but shuold be determined with actual context of your life.

For me, protection against RCE is just one part of browser security, but each browser seems to have different strategy to plugin vuln. Firefox have plugin update checker. Chrome recently sandbox all plugins, by default it prompts you when any plugin try to access your PC w/out sandboxed , but you can enforce plugin sandbox via GUI setting. Addon security is another thing, it is well-known that many popular extensions are bought and started to show dubious behavior.

I think as long as a poster clearly state his def of security and explain his reason to include addons or 3rd party program in the discussion, that won't be much matter unless the discussion gets to just a war btwn fanboy and offender.

 

Thanks for good links as always. But that browserscope's table seems to have some problems. As gorhill said in one of your link Chrome actually supports CSP, and while it marks Firefox 26 in sandbox category I don't want to count their plugin separation on sandbox in same meaning with others.

Most file rep system only apply to executables, so they don't calculate rep of documents. Of course web rep or mail rep might help though.

 

OK, but I still maintain that to describe a PDF or JAVA exploit as an attack against the Browser can be misleading. If you control your Plug-ins, it really doesn't matter which Browser you use -- a BIG IF, I know!

Are you aware of attacks in the wild specifically against a Browser vulnerability? If you were an attacker, would you create an attack against a Browser? Which one? Which version? XX.10, XX.11,etc?

If you are an attacker, where is the money? Currently, ransomeware, banking trojans, etc.. What is the easiest way to compromise the greatest number of people? I don't think it would be leveraging an attack against a vulnerability in Browser code. Don't you think JAVA and Flash vulnerabilities are better attack vectors? -- since experience shows many users just don't update their Plug-ins, and they are global, attached to all Browsers.

Oh well, lots to think about here.

-rich

 

This becomes a problem when the document is the executable.

Executables can be embedded, as with this RTF document exploit, where the malicious code was contained in a .scr file, launched by a trusted application, packager.exe.

The code attempts to Copy (Write) the .scr executable file to the user's Temp Directory.

The .scr executable, not being white listed, was easily prevented from Copying (Writing) to disk, and Windows pops up an error message that the file can not be found:



Since the reputation of Documents would be difficult to calculate, if this came through the Browser's Web Mail, or if the user is asked to download this from a web site and the user is tricked, do you blame the Browser? The Browser needs help in case of user error.

In this situation, it's valid as you said, to "explain his reason to include addons or 3rd party program in the discussion."

More things to think about.

-rich

 

Of course you're free to maintain your viewpoint, but saying "it doesn't matter which browser you use" is bit too much. What if you enforced plugin sandbox in Chrome? Also IIRC Firefox automatically disable outdated plugins.

I think when you say in the wild, it doesn't include targeted attack, right? If I can include targeted attack I can add more cases though it also requires more time, but so far:
http://blog.trendmicro.com/trendlabs-security-intelligence/whats-new-in-exploit-kits-in-2014/
This shows many exploit kit attack IE vuln.

http://www.scmagazine.com/infinity-...efox-opera-to-deliver-malware/article/347590/
This can attack IE, FX, Opera.

http://www.webroot.com/blog/2012/05...weet-orange-new-web-malware-exploitation-kit/
This also attacks Firefox.

I think most of them can work on other browser, but anyway those exploit kit have ability to attack browser itself.

The most cost-effective will be always social engineering, but given that constructed black market, if all attack are purely social engineering exploit writer loose job. Of course no worry (or should worry?) about that. Plugin is anyway good target as recently not a few people will change Windows Update setting, but it doesn't harm to combine browser exploit into exploit kit as you know most exploit kit can attack many known vuln and choose actual attack from info gathered by script or other. But as Trend's article suggests, popularity of java exploit seems to be decreasing, they correlates it with click-to-play but I think recently java loosing more and more popularity either common user or developer, except for Android dev.

Yup, there're not many thing browser can to prevent that vector, this is why some people want to wrap browsers by SBIE.
Surely, many things to think about, but I don't think such discussion is counter-productive.

 

Security through obscurity...I am wise to have stuck with an old version of Opera.

 

Thanks for this link . It corroborates what the Bromium report (post #89) states.

Also, I believe that for 2014 Internet Explorer was the only browser with known in-the-wild zero-day exploits.