Versions
I didn't spot any mention of browser versions in the article and I don't want to read 20Mb of data. Can anyone more motivated help out?
Google Chrome offers more protection against online attacks than any other mainstream browser, according to an evaluation that compares exploit mitigations, malicious link detection, and other safety features offered in Chrome, Internet Explorer, and Firefox. The 102-page report, prepared by researchers from security firm …
Chrome 12 (12.0.724.122)
Chrome 13 (13.0.782.218)
Internet Explorer 9 (9.0.8112.16421).
Firefox 5 (5.0.1)
Also interesting to note:
"As of July, 2011 a combination of Google Chrome, Microsoft Internet Explorer and Mozilla Firefox represent 93.4% of all users accessing the Internet [W3_Schools_Market_Penetration]. While other browsers would have been interesting to compare, in the interest of time they were excluded from this study."
So, test two versions of Chrome, but skip Safari and Opera, because they would take too long.
Opera may only have a tiny sliver of users, but leaving it out proves to me that this study wasn't really meant to test which browser is more secure, just which browsers make Chrome look better. Only mentioning FF and IE, and leaving out Safari and Opera, is just not a good study for "best". Even if those browsers didn't do as well, I'd still like to see the results...
Then again, in my recent study involving myself, my son, and two college guys, I've determined I'm the oldest man in the world!
If I was a security researcher I'd be very happy getting to 93.4% coverage.
Any rational study has to do cost-benefit analysis. Two versions of Chrome may seem excessive, but they seem to be taking the perfectly rational approach of getting the largest shares in first. This produces the most cost effective measurement of the market.
Why bother with around 1% of the UK market (go see Opera's market share) when there's nothing wrong with the rest? From a business perspective it's simply not worth it.
Hummmm..... comparing mainstream browsers with more secure browsers might mean people use more secure browsers, which in turn would mean the more secure browsers become mainstream because they are more secure.
Simply comparing the top 3 popular browsers doesn't really do much for benchmarking in a report comparing security of browsers. It would be sensible to include browsers with claimed security credentials along with the usual top browsers to give balance of what is possible.
They left out Opera, which has historically had the best security track record of them all... Seems like an intentionally nobbled set of results.
How can they claim that when Google sponsored it, and they excluded a browser that sits of the tree for security, that it's impartial? Here are some results based on the real world...
Google Chrome 159 - http://secunia.com/factsheets/Chrome-2011Q2.pdf
Firefox 72 - http://secunia.com/factsheets/Firefox-2011Q3.pdf
Internet Explorer 25 - http://secunia.com/factsheets/IE-2011Q3.pdf
Opera 36 - http://secunia.com/factsheets/Opera-2011Q3.pdf
I hope they've managed to program the sandbox to a higher quality than the browser itself which has over twice as many known security holes as Firefox, six times as many as IE, and four times as many as Opera.
Maybe Safari's not there in this sponsored test because if the other mainstream WebKit-based browser has fewer holes then questions start to be asked.
If a sandbox for Firefox or Opera is that important, it can be run with user privileges instead of admin privileges (which is what I do incidentally).
Can we avoid the inevitable "You didn't mention Opera!" "Only losers use Opera" flame war and stick to actually figuring out if there's any merit to this study? I mean they didn't test the browsers' Linux versions either (believe it or not there are people who actually run IE on Wine. No, I can't figure it out either unless you're a developer and then a VM would probably be easier) but hey, let's deal with what we have, OK?
The one disappointment for me was that Safari was not on the list. I believe the point was to show the most commonly used browsers. Safari IS on that list. I agree that if the point of the study was to showcase security then it would not have hurt the researchers if they added Opera. There are some pretty rabid Opera fans out there who insist that it is the most secure. Which is fine and great but it is one of those things where if no one tests it how can it be proven? Too bad Opera didn't join in the party and have their browser tested.
Round 2...Fight?
My opinion of Chrome would have increased if MS had sponsored this survey and Chrome was shown to be clearly superior to IE and Firefox.
As Google sponsored the survey and the survey showed Google's Chrome was the best, I'll stick to treating this as there might possibly be security issues with other browsers but I will wait for an independent source to verify them before changing to Chrome.
I read that process creation was allowed by IE and Firefox. So, why don't we see loads of DOS attacks based on maliciously launching a command prompt with FORMAT C:?
There is presumably more to that comparison table than meets the eye, so presumably Chrome's long list of green ticks isn't quite as impressive as it looks.
So you invest the 10 minutes or so it takes to figure out how to script it, and then send it to all your friends running XP. XP still has an appreciable fraction of the market, so it would still work.
Moreover, if *today's* browsers are still open to this attack, presumably in the years before Win7 turned up, you could have used the same attack on just about all Windows users. (Vista's market share has always been insignificant.)
History suggests that this didn't happen, so presumably Firefox and IE aren't as open to attack as this report suggests.
I use Chromium for my grad school email since the university has been assimilated by Google anyway-- and it's nice and fast though I dislike the UI-- but until I have NoScript/AdBlock/BetterPrivacy/RequestPolicy on Chromium... they can have my Firefox when they pry my cold, dead, fingers away from it.
Tried out Chrome when FF was having some issues with sites, ended up removing and reinstalling. What I liked about FF was when I quit the program it did not stay in memory just in case I wanted to use it.
Chrome's adblock and other mods are all separate processes that are memory resident.
No surprise that Google won a Google-sponsored comparison that missed out Opera and Safari.
Why is that relevant? I'll bet a lot less than 10% of FF users have that setup. Most browser users have the default install and only geeky little nerds have anything else.
But the point is that this is a test on the default install. You can make any browser more secure without installing extensions or plugins, just by changing your settings.
...plus Sandboxie. Then you'd be getting somewhere. Remember that one of your trusted sites can become compromised, and there goes your NoScript protection. Statistically, more than half the malicious websites out there are legit sites that got compromised.
Firefox's lack of sandboxing or Low-integrity operation is hard to excuse.