Most Secure Internet Browser

Post

Hey guys,

I know this is discussed a bit in the Security thread but I thought maybe I could make another thread for it which internet browser do you use? Why?


More specifically I am looking for the most secure internet browser. I currently use Mozilla Firefox.


Opinions?

SmokeStacks

I use Opera, because it's fast, stable, and doesn't eat RAM the way Firefox does. It also has an integrated adblocking ability, is extremely customizable, and it has speed dial (which is awesome if you're too lazy to actually type in a URL that you visit frequently).

I haven't had a single issue with the security of my computer with Opera.

The best way to safeguard your computer is to pay attention to where you're browsing though.

Doc

I use firefox because I don't care about memory usage, and I love a bunch of the add-ons.

lynx is probably up there with "the most secure."

GrimReaper

Well, I use Firefox because it is the best overall browser. However, the most secure browser is Googles Chrome. To my knowledge that hasn't yet been felled in pwn2own so far.

Scrublet

I use Chrome due to its security and its much lighter footprint versus firefox.

rndmhero

Gizmodo had a couple of interesting pieces on browser security following this year's Pwn2Own annual hacker competition. This quick summary showed how Firefox, IE8, and Safari all went down without too much trouble. This piece makes for an interesting read, pointing out that individual browsers and OS's become less important as more and more exploits come through software like Flash. For what it's worth, the several-time winner of these hacking contests, when interviewing with an IT security firm, states that the most secure browser right now is "Chrome or IE8 on Windows 7 with no Flash installed," and from my limited experience, I'd be inclined to agree with him.

The single most important thing you can do, rather than worry about this browser vs. that browser, is to make sure every single program is up to date, even the ones you normally wouldn't think are associated with your web browsing.

Visti

Well, according to that guy that won all those prices cracking browsers, Chrome with no flash is the hardest to run code and stuff on because it functions in its own little sandbox. I guess he would know. I still use Firefox, though.


edit: I skipped the post right above mine. Carry on!

Bionic Monkey

SmokeStacks wrote: »

I use Opera, because it's fast, stable, and doesn't eat RAM the way Firefox does. It also has an integrated adblocking ability, is extremely customizable, and it has speed dial (which is awesome if you're too lazy to actually type in a URL that you visit frequently).

I haven't had a single issue with the security of my computer with Opera.

The best way to safeguard your computer is to pay attention to where you're browsing though.

Pretty much this for me. I've been using Opera for about 10 years now, and the only virus issues I've ever had to deal with were not from normal browsing. And 10.5 seems to be working much, much better with Win7 now.

TychoCelchuuu

Opera is the perfect combination of absolutely stellar security, fantastic patch speed, and incredibly small userbase, which means naughty stuff can't get you, if it can it can't for long, and none of it exists anyways.

Blake T

The thing about security as well is that most exploits are designed to exploit what everyone has.

I would suspect that IE is actually a very secure browser. But because everyone uses everyone also targets it because you can reach a larger footprint of users it means that most exploits are built around IE.

Dhalphir

its the Mac theory.

Not many people use Macs (compared to PCs) so viruses don't get designed for them very often, so Mac users often tout their machines as being more secure, when in fact at least part of their virus-free reputation comes from security through obscurity.

Aren't a significant percentage of browser exploits based around Flash anyway, thus rendering which browser you use irrelevant?

Regardless, I use Firefox for its addons, primarily the Internet Usage addon, which is really very useful.

Apothe0sis

Doc wrote: »

I use firefox because I don't care about memory usage, and I love a bunch of the add-ons.

lynx is probably up there with "the most secure."

Clearly telnet is the more secure browser.

General_Win

Apothe0sis wrote: »

Doc wrote: »

I use firefox because I don't care about memory usage, and I love a bunch of the add-ons.

lynx is probably up there with "the most secure."

Clearly telnet is the more secure browser.

Telnet on a linux or sun system.

Dedian

General_Win wrote: »

Apothe0sis wrote: »

Doc wrote: »

I use firefox because I don't care about memory usage, and I love a bunch of the add-ons.

lynx is probably up there with "the most secure."

Clearly telnet is the more secure browser.

Telnet on a linux or sun system.

I'm in your interwebs, listening to your cleartexts

Stormwatcher

Probably Gopher or Mosaic 1 on Win 3.11. They're probably actually pretty awful at security, but so old and feature-less that no one knows who to fuck with them anymore.

But seriously, your own browsing habits are possibly more important than browser or OS.

GrimReaper

Blaket wrote: »

The thing about security as well is that most exploits are designed to exploit what everyone has.

I would suspect that IE is actually a very secure browser. But because everyone uses everyone also targets it because you can reach a larger footprint of users it means that most exploits are built around IE.

IE 8 on Vista/win7 is pretty secure but it's let down by a couple of things. Firstly after more than 3 tabs it goes back to a shared memory model for the tabs whereas Chrome it's a process for every single tab.

The second problem and this is the big one, the time between an exploit being found and being patched is still ridiculously long. MS seem to have their fingers in their ears on this one, it takes MS so long to release fixes to exploits that all the security they've built into IE8 is essentially nullified.

Mozilla and Google supposedly have the fastest turnaround of fixed within a week iirc.

Apple apparently is also pretty bad for releasing fixes too.

birru

GrimReaper wrote: »

The second problem and this is the big one, the time between an exploit being found and being patched is still ridiculously long. MS seem to have their fingers in their ears on this one, it takes MS so long to release fixes to exploits that all the security they've built into IE8 is essentially nullified.

Mozilla and Google supposedly have the fastest turnaround of fixed within a week iirc.

Apple apparently is also pretty bad for releasing fixes too.

Apple would do well to take a more proactive approach regarding security and patches. From a practical, real-world standpoint Mac OS computers don't get exploited, but that can't possibly last forever. It would be horrible for public perception if Apple waited until significant numbers of systems were compromised in the wild before taking a strong security stance.

Dark Shroud

GrimReaper wrote: »

Blaket wrote: »

The thing about security as well is that most exploits are designed to exploit what everyone has.

I would suspect that IE is actually a very secure browser. But because everyone uses everyone also targets it because you can reach a larger footprint of users it means that most exploits are built around IE.

IE 8 on Vista/win7 is pretty secure but it's let down by a couple of things. Firstly after more than 3 tabs it goes back to a shared memory model for the tabs whereas Chrome it's a process for every single tab.

The second problem and this is the big one, the time between an exploit being found and being patched is still ridiculously long. MS seem to have their fingers in their ears on this one, it takes MS so long to release fixes to exploits that all the security they've built into IE8 is essentially nullified.

Mozilla and Google supposedly have the fastest turnaround of fixed within a week iirc.

Apple apparently is also pretty bad for releasing fixes too.

Opera is usually very fast at fixing flaws. Chrome is pretty quick too. Firefox is iffy, on critical things they seems to do a good job at the same times they've let other things go the normal length MS usually does.

If it's critical MS will issue out of cycle patches for items. Otherwise the monthly update works well enough. We'd all be better off if more companies update on schedule as MS does.

Apple is the slowest to the point that it's inexcusable. Most of the time they spend a week or two denying security issues let alone the time it takes to get things patched. Apple is the worst at Security, they'll only be able to piggy back off Unix for so long.

Jasconius

The most secure internet browser is the one that is not used by a moron.

Alternatively, Chrome is probably the most secure right now thanks to fancy pants sandboxing.

Dark Shroud

Jasconius wrote: »

Alternatively, Chrome is probably the most secure right now thanks to fancy pants sandboxing.

IE had sand boxing first with IE7.

There are two differences, the fist is that Chrome blocks read only access while IE does not. The second difference is a technical trade from the first, IE is able to sandbox add-ons like Flash while Chrome does not.

Cyvros

Dark Shroud wrote: »

Jasconius wrote: »

Alternatively, Chrome is probably the most secure right now thanks to fancy pants sandboxing.

IE had sand boxing first with IE7.

There are two differences, the fist is that Chrome blocks read only access while IE does not. The second difference is a technical trade from the first, IE is able to sandbox add-ons like Flash while Chrome does not.

But soon will, if I understand things correctly. Google's working with Adobe on bundling Flash with Chrome. In the dev channel now, Flash is being isolated as a process, I presume so that it might be sandboxed in the future. Another reason for the bundling is so that users have the latest version of Flash (security updates and whatnot).

Impersonator

Uh, Flash was always a separate process under Chrome.

Cyvros

As I understand it, one thing they're doing is, if Flash goes down, the tab doesn't go down. Just the Flash bit. Flash as a separate process like a tab as a separate process.

Azio

Scrublet wrote: »

I use Chrome due to its security and its much lighter footprint versus firefox.

Chrome isn't really lighter than firefox in terms of resource usage. If you have a lot of RAM it will gleefully devour as much as it cares to.

It just uses those resources much more effectively than firefox.

GrimReaper

Dark Shroud wrote: »

GrimReaper wrote: »

Blaket wrote: »

The thing about security as well is that most exploits are designed to exploit what everyone has.

I would suspect that IE is actually a very secure browser. But because everyone uses everyone also targets it because you can reach a larger footprint of users it means that most exploits are built around IE.

IE 8 on Vista/win7 is pretty secure but it's let down by a couple of things. Firstly after more than 3 tabs it goes back to a shared memory model for the tabs whereas Chrome it's a process for every single tab.

The second problem and this is the big one, the time between an exploit being found and being patched is still ridiculously long. MS seem to have their fingers in their ears on this one, it takes MS so long to release fixes to exploits that all the security they've built into IE8 is essentially nullified.

Mozilla and Google supposedly have the fastest turnaround of fixed within a week iirc.

Apple apparently is also pretty bad for releasing fixes too.

Opera is usually very fast at fixing flaws. Chrome is pretty quick too. Firefox is iffy, on critical things they seems to do a good job at the same times they've let other things go the normal length MS usually does.

If it's critical MS will issue out of cycle patches for items. Otherwise the monthly update works well enough. We'd all be better off if more companies update on schedule as MS does.

Apple is the slowest to the point that it's inexcusable. Most of the time they spend a week or two denying security issues let alone the time it takes to get things patched. Apple is the worst at Security, they'll only be able to piggy back off Unix for so long.

Right now, a break down of unpatched security holes in browsers:

Firefox 3.6 - 0
IE 8 - 4
Opera 10.x - 0
Chrome 4.x - 0
Safari 4.x - 1

Just a note on the MS Tuesday update, the only good thing about that is that it's good for sysadmins (like myself) who can then plan out performing the update to all machines and also doing tests to make sure it doesn't affect anything.

However, for security it's the worst possible thing to do. The reason is because all the blackhats wait until patch tuesday and release their exploits immediately after so they can maximise the time the exploit is in the wild.

End

You can actually run plugins under the sandbox in Chrome, but it's not the default, and has to be enabled using a command line switch.

(Of course, plugins might or might not work properly, due to their expectations about what they can access.)

pdxaaron

On the mobile front, I would strongly warn against using Opera mini if you want any kind of Security. They are breaking SSL certs and proxying all traffic through their servers for some bizarre reason.

Personally, I think Chrome has the best security setup as the browser is completely sandboxed. I think IE8 is the other browser that is sandboxed, but I have less faith in Microsoft doing it right.

EliteLamer

Orca Orca Orca Orca No one loves Orca

Scrublet

pdxaaron wrote: »

On the mobile front, I would strongly warn against using Opera mini if you want any kind of Security. They are breaking SSL certs and proxying all traffic through their servers for some bizarre reason.

Personally, I think Chrome has the best security setup as the browser is completely sandboxed. I think IE8 is the other browser that is sandboxed, but I have less faith in Microsoft doing it right.

This is completely anecdotal, but IE8 crashing began to get out of control on my recently formatted Win 7 system and I finally said fuck off and installed Chrome.

GrimReaper

pdxaaron wrote: »

On the mobile front, I would strongly warn against using Opera mini if you want any kind of Security. They are breaking SSL certs and proxying all traffic through their servers for some bizarre reason.

Personally, I think Chrome has the best security setup as the browser is completely sandboxed. I think IE8 is the other browser that is sandboxed, but I have less faith in Microsoft doing it right.

Opera Mini isn't a browser as such as you know it. What happens is that the page rendering is actually done on a server at opera, which then sends it to opera mini as a pre-processed simple text/page. Essentially think of opera mini as a thin client, all its really doing is rendering the image that it has been sent from opera.

It's how Opera has gotten around the rules of the app store.

EDIT: It has its advantages, like low resource usage (hence speed).. however because it all goes through opera any real pretence of personal privacy is a bit of a joke and quite often the search results on google etc are totally shit.

Google typically detects what region you are in (from your ip address) and delivers what it believes are the most relevant results, however.. because it sees the opera ip (for europe this is a german range i believe) it delivers content more tailored to germany. So, if I search on Google for "BBC" the first result is the least relevant for me. (It delivers some german site even though i'm in the UK)

EDIT2:

SmokeStacks

Standard Opera does the same thing with Opera Turbo.

It's nice if you're in an area with an iffy connection, but the security is a complete joke.

TetraNitroCubane

Any browser is going to be as secure as you make it. Opera with Javascript globally enabled is going to be less secure than Firefox with Adblock and NoScript. But Opera with a whitelist approach to Javascript and plugins is arguably as secure (if not more) than a decked-out Firefox.

There's no right answer 'out of the box', because just about every browser is vulnerable 'out of the box'. Why? Because the browser isn't so much the main vector anymore. A completely patched browser with no 'in the wild' security holes is still extremely vulnerable if you're letting Flash and Javascript run unchecked. And if you're letting PDFs open automatically and/or using an in-browser plugin for them? You may as well be inviting the bad guys inside.

So in the end, your choice of browser isn't nearly so critical as the way you configure it and harden it.

Except IE. Because, seriously, nuts to IE.

Scrublet

You know what I really don't get, is that Microsoft believe it or not does not hire only stupid people. The inability to turn IE into anything other than a running internet joke is beyond me.

Bionic Monkey

I would presume it's laziness caused by market complacency. Even with their lowered market share, IE still holds what? 80% of the browser market? As long as IE remains the "default" browser for everybody, MS doesn't have to do a whole lot of work to make it better than the other options, just good enough to keep most people from actively seeking out an alternative.

Michael H

Here's the market share from March 2010, 62% for the lump sum of the various versions of IE floating around:

http://arstechnica.com/microsoft/news/2010/03/firefox-may-never-hit-25-percent-market-share.ars

TetraNitroCubane

Bionic Monkey wrote: »

I would presume it's laziness caused by market complacency. Even with their lowered market share, IE still holds what? 80% of the browser market? As long as IE remains the "default" browser for everybody, MS doesn't have to do a whole lot of work to make it better than the other options, just good enough to keep most people from actively seeking out an alternative.

The weird thing is that they are trying to make IE better. The lousy reputation that IE has damages the Microsoft brand, and because of that IE 8 is a big step forward compared to previous versions. The built-in sandboxing mode and security features are actually pretty nice... on paper.

In practice, somehow, IE 8 has been consistently showing it's swiss cheese nature. Security flaws that cut to the heart beyond all other measures have cropped up repeatedly. Despite the attempts on Microsoft's part to make a better browser, they haven't really tightened things up.

Scrublet

Really my feeling is that they need to stop competing with Firefox for a moment and imitate Chrome. Forget about all this plugin bullshit that's contributing to Firefox's ever-increasing footprint. Chrome is extremely barebones...they should rip IE apart and try to do that. Once they get that without being as bad as they are now, they can think about adding in extra stuff.

GrimReaper

Scrublet wrote: »

Really my feeling is that they need to stop competing with Firefox for a moment and imitate Chrome. Forget about all this plugin bullshit that's contributing to Firefox's ever-increasing footprint. Chrome is extremely barebones...they should rip IE apart and try to do that. Once they get that without being as bad as they are now, they can think about adding in extra stuff.

Honestly, MS needs to restart from scratch if they want to match Chrome. There is loads of legacy cruft in IE. (as well as in windows itself)

A prime example from a while back was the windows metafile exploit which dated back all the way to the windows 3.x days.

Essentially with a simple wmf file you could execute anything you liked as system privilege simply by using a wmf image, great eh?

For example, have a website with a WMF image on it, get a person using IE to visit it.. bam, owned.

DigDug2000

GrimReaper wrote: »

Scrublet wrote: »

Really my feeling is that they need to stop competing with Firefox for a moment and imitate Chrome. Forget about all this plugin bullshit that's contributing to Firefox's ever-increasing footprint. Chrome is extremely barebones...they should rip IE apart and try to do that. Once they get that without being as bad as they are now, they can think about adding in extra stuff.

Honestly, MS needs to restart from scratch if they want to match Chrome. There is loads of legacy cruft in IE. (as well as in windows itself)

A prime example from a while back was the windows metafile exploit which dated back all the way to the windows 3.x days.

Essentially with a simple wmf file you could execute anything you liked as system privilege simply by using a wmf image, great eh?

For example, have a website with a WMF image on it, get a person using IE to visit it.. bam, owned.

Strange. I looked this up on Wikipedia just for fun. They claim it basically doesn't affect any systems below WinXP (Vista didn't exist). Then they go on and talk about how the older systems weren't patched, as they weren't supported anyway. To be honest, its crazy that a flaw like that, basically a flaw in the WMF spec, could exist for so long (15 years) without someone thinking to use it for this.

I'd say, from a completely anecdotal point of view, that MS has come a long LONG LONG way with IE8, and IE9 looks even better. Rewriting would probably be the dumbest thing they could ever do. Heck, even the Chrome and Webkit teams weren't dumb enough to start from scratch. And they'd get ripped 1000 new assholes from every developer on the planet if they release yet another version of IE that's more fixing shit and still doesn't implement canvas tags or more CSS3 proposals.

GrimReaper

DigDug2000 wrote: »

GrimReaper wrote: »

Scrublet wrote: »

Really my feeling is that they need to stop competing with Firefox for a moment and imitate Chrome. Forget about all this plugin bullshit that's contributing to Firefox's ever-increasing footprint. Chrome is extremely barebones...they should rip IE apart and try to do that. Once they get that without being as bad as they are now, they can think about adding in extra stuff.

Honestly, MS needs to restart from scratch if they want to match Chrome. There is loads of legacy cruft in IE. (as well as in windows itself)

A prime example from a while back was the windows metafile exploit which dated back all the way to the windows 3.x days.

Essentially with a simple wmf file you could execute anything you liked as system privilege simply by using a wmf image, great eh?

For example, have a website with a WMF image on it, get a person using IE to visit it.. bam, owned.

Strange. I looked this up on Wikipedia just for fun. They claim it basically doesn't affect any systems below WinXP (Vista didn't exist). Then they go on and talk about how the older systems weren't patched, as they weren't supported anyway. To be honest, its crazy that a flaw like that, basically a flaw in the WMF spec, could exist for so long (15 years) without someone thinking to use it for this.

I'd say, from a completely anecdotal point of view, that MS has come a long LONG LONG way with IE8, and IE9 looks even better. Rewriting would probably be the dumbest thing they could ever do. Heck, even the Chrome and Webkit teams weren't dumb enough to start from scratch. And they'd get ripped 1000 new assholes from every developer on the planet if they release yet another version of IE that's more fixing shit and still doesn't implement canvas tags or more CSS3 proposals.

Rewriting IE from scratch would be the best possible thing MS could do, making it independent of the OS would actually be beneficial too instead of being hooked into the OS all over the place.

MS when doing updates/patches to IE have to do a shit load of testing to make sure it doesn't break anything in the OS and with a multitude of IE legacy specific stuff. It's one of the reasons why it takes MS so long to patch flaws.

The reason why Chrome and Safari weren't totally built from scratch is because Google and Apple don't have a "not invented here" syndrome that MS does. They saw a relatively clean code base in KHTML and developed it into webkit from which Safari arose and from webkit Chrome also arose.

There have been many valid arguments made that MS should dump the IE code base and actually base a brand new IE on webkit. However, it'll never happen because of the institutional NIH at MS.

Apothe0sis

Knowing when to scrap a codebase and start anew is one of the signs of a well managed project.

See how that works out?