One Browser to Rule them All?
A reader emailed in with the question, in short, which is currently the most secure browser and how to stay up to date on the different browsers. In the interest of Chrome having an update today it seems fitting to post the answer as a Diary.
Before the browser war ignites, let me be the first to say in my opinion "It Depends." Chrome [1] is regarded as a very safe and secure browser but when you get to the number of lines of code in any browser architecture it is hard to say [3]. There has been some great research on lines of code in different systems [4] and when you get to that level of complexity errors are bound to occur. There are several different thoughts and many books on this subject but what I am getting at here is complexity and trust. At some point you have to trust the development team that wrote the code for the browser, what operating system you are running and how you have deployed your browser.
Second, the browser, or the technology is only part of the matter. You still have Phishing and the human factor. Even on the most secure platform the user can be tricked. [4]
Another commonly accepted deployment strategy is Firefox with add on components of No-Script and Adblock. Research into your specific deployment scenario and resources is the key to identifying what works in your environment. Infoworld had a great article on securing different browser types [5], it is a little old but still relevant.
The pwn2Own contests held at some of the CanSec conferences can lead to some good reading on this subject. [2]
In the end, a huge browser war will ignite over which is the most secure but as organic as feature and code has become it is arguable that the best way to secure your environment is layers of defense but finally check out the SANS reading room for papers on the subject. Specifically refer to a paper written by one of SANS GIAC Students [6].
And to our Reader who wrote in, stand by for the heavy opinions on the subject. To our readers, please comment on your experiences or how you stay current.
[1] http://www.google.com/chrome/
[2] http://en.wikipedia.org/wiki/Pwn2Own
[3] http://www.ohloh.net/p/chrome/analyses/latest
[4] http://www.securingthehuman.org/
[5] http://www.infoworld.com/d/security-central/test-center-how-secure-firefox-282
[6] http://www.sans.org/reading_room/whitepapers/bestprac/preventing-incidents-hardened-web-browser_33244
Richard Porter
--- ISC Handler on Duty
Twitter: Packetalien
Email richard at isc dot sans dot edu
Comments
Matt W
Jun 9th 2011
1 decade ago
jwhitlow
Jun 9th 2011
1 decade ago
Josh More
Jun 9th 2011
1 decade ago
Moriah
Jun 10th 2011
1 decade ago
Unfortunately, I don't have any great answers, but I would like to throw a couple more questions into the mix.
1. Which browswer offers the best balance of functionality, manageability and security for an enterprise environment?
2. How much of a difference is there between the desktop/laptop version and the smartphone version of the same browser, both in design and usage?
We turn off some browswer functions, such as java script, on our corporate smart phones, which are enabled in the browsers on our PC clients. Of course we are hearing more and more user complaints about this, and are currently reviewing our configuration policy. Some of our stakeholders are pushing for equivalent configurations in mobile and desktop browsers, while others see a higher risk profile and lower business need on the smartphones, and therefore are advocating keeping java script and some other functionality turned off.
Any thoughts on these questions from the ISC community?
John
Jun 10th 2011
1 decade ago
Run on the Chrome O/S for maximum self pwnage. It's like, all clouds and rainbows man, my data's in the sky with diamonds.
How much do you trust Google? They'd sell their own mother's geolocation to a hitman for the right price.
Steve
Jun 10th 2011
1 decade ago
fsck100
Jun 10th 2011
1 decade ago
Note this is a home setup, and probably wouldn't scale well in a business environment, without a lot of modification.
I run a Win7 x64 VM in non-persistent mode. Inside this VM I typically run Firefox with NoScript, and if I install Java I disable the plugin. I also run MS Security Essentials in there, but overall I try to keep things light.
When I have to update anything, I turn off persistence, update, then turn it back on. Yes, it's a bit of work, but I use the same basic setup for my lab environments anyway, so it doesn't seem like much of a hassle anymore.
There are a couple problems:
1. Setup time: it takes a bit to install the OS and get all my programs that I want on there. Updating as well.
2. Non-persistent mode is actually depreciated. It still works with the latest VMWare Player if you modify the file manually, but at some point it will stop working.
Snapshots would work just as well. Snapshots would be a better idea, but VMWare Player doesn't have that feature.
3. It requires another OS liscence puchase (legally).
It works for me!
Also, on the general browser note, IHMO Chrome is the "most" secure, as we have seen so far from the pwn2Own contests. However, I find Firefox with NoScript to be my preferred setup (I'm going to enjoy using my browser).
gaten
Jun 10th 2011
1 decade ago
Note: The Chrome plugin "notscript" is garbage and has not been updated since 2010.. I would not use it..
konstructa
Jun 12th 2011
1 decade ago