Recently Accuvant published a study on browser safety. As the study’s sponsor, Google won! This is in contrast to another browser comparison from NSS Labs from July 2011 whose results had IE 9.0 as the most secure browser.
What should consumers and IT professionals believe? Who has the manliest browser? Which browser is the girly-man, little-baby loser that landed in their own baby poo?
Browsers are very much like cars only in earlier stage of their life cycle. In the beginning, the competition was on who has the best basic features (e.g., driving from point A to point B or showing web content). After the basic functionality was achieved, Maslow’s law of hierarchal needs sets in. Namely, users focus moves to functionality and efficiency (e.g., fuel consumption or speed of rendering).
However, when comparing security features, some of the logical conundrums that plague cars similarly plague browsers:
- If one car has ABS system and the other one has air bags – who is safer?
- If one browser runs flash in sandbox and the other has anti-XSS filter – who is the safer?
The answer: depends on the criteria. Of course, any judgment depends on several factors such as driving/browsing habits and skills. The problem when evaluating browsers is this: what are your crash test criteria and how do you weigh the scoring?
Let’s look at the NSS results. They summarize:
Socially Engineered Malware remains the most common security threat facing Internet users today. Recent studies show that users are four times more likely to be tricked into downloading malware than be compromised by an exploit.
European users have found themselves particular targets of malware authors over the last 12 months. In 2010, threat researchers discovered new ZBOT variants specifically targeting banking systems in four European countries.
According to the EU’s statistics office, Eurostat, almost one third of internet users in the European Union were victims of malware infections in 2010 despite the majority having security software installed. Of the 27 EU countries surveyed (totaling over 200,000 users), those with the highest malware infections include Bulgaria (58%), Slovakia (47%), Hungary (46%), Italy (45%) and Estonia (43%.)
The NSS study focused solely on malware blocking. The conclusions:
- Very good results for IE – a clear leader with Chrome and others far behind.
- Reputation services are crucial for mitigating attacks – This is critical since all of the browsers are using URL reputation services. But even when everyone is using reputation services there are two main differences:
- Quality of data – obviously IE is using a more comprehensive and rapidly updating sources.
- Integrating several different sources of reputation service – IE9 demonstrates the combination of URL reputation services AND application reputation lead to 100% (!!!) detection rate:
The Accuvant study, by contrast, added and focused on other criteria. URL reputation and application reputation are barely considered. In fact, the category “URL Blacklisting” doesn't get a lot of attention:
What is the bottom line of all this?
- If you’re a geek, go for security through obscurity: The best way to minimize accidents' consequences to is to avoid it altogether. The way to avoid cyber accident is by using a platform which is less targeted by hackers due to its small market share. Such an example would have been Firefox with Linux when Windows and IE dominated the web. At the time, Firefox wasn't less vulnerable than IE but it was less exploited due to its marginal market share. This method is of course limited to tech geeks willing to invest in installing learning and dealing with exotic platforms in rapid manner. But this won’t work for the masses who may not have the time nor expertise to learn a new browser.
- For consumers, use newer browsers: We do know that while safer cars (up until now) did not dramatically reduce the number of accidents they do reduce dramatically the number of casualties. So, if randomly accessing an infected page is like having an accident you’d better be driving 2011 made browser (IE9, updated chrome, etc.) and not an AMC Pacer (IE6). The problem is that when we drive the road we assume that everyone else is trying to avoid accidents rather than plan for them to happen. This is clearly not the case with navigating cyberspace where someone is constantly plotting on getting us into accidents.