Slashdot Mirror


Google-Funded Study Knocks Firefox Security

Sparrowvsrevolution writes "Researchers at the security firm Accuvant released a study Friday that gauges the security features of the top three web browsers. Accuvant admits the study was funded by Google, and naturally, Chrome came out on top. More surprising is that Internet Explorer was rated nearly as secure as Chrome, while Firefox is described as lacking many modern security safeguards. Though the study seems to have been performed objectively, it won't help Google's fraying partnership with Mozilla." The full research document is available here (PDF), and it goes into much greater detail than the Forbes article. Accuvant also published the tools and data they used in the study, which should help to evaluate their objectivity.

225 comments

  1. Chrome and IE are the most secure browsers by InsightIn140Bytes · · Score: 4, Informative

    More surprising is that Internet Explorer was rated nearly as secure as Chrome, while Firefox is described as lacking many modern security safeguards.

    How is this surprising? Apart from some ignorant cases on Slashdot who believe Microsoft is the devil and should die, it's not a new fact that IE has been a really secure browser for a long time. Both IE and Chrome offer sandboxing, JIT hardening and ways to make vulnerable plug-ins less easy to exploit and gain access to system. Firefox offers none of these.

    Currently, it's not even often that you find a vulnerability directly in the browser. Most of the attacks target either plug-ins like Flash or PDF reader, and if someone does find an exploit in the browser, the extra security layer makes it much harder to exploit. Yes, you can use something like NoScript in Firefox (and other browsers), but majority of people don't. In fact even I don't because frankly, it's pain in the ass to use. This is the reason why extra security layers provide so much better overall security.

    Anyone who still says that IE is insecure browser just doesn't know what he is talking about. On top of that, this study doesn't really bring anything new to table (but it is really well done with comprehensive disassemblies and exploit testing), it just confirms what has been known for a long time now - both Chrome and IE are really secure browsers, followed by Opera. The one that is lagging behind is Firefox. I don't know what happened to them, but they seem to copy the aspects of Chrome that no one actually cares about (UI and version number scheme) while completely forgetting what Chrome and IE do underneath and what actually counts - sandboxing, JIT hardening, auto-updating browser and plug-ins and separating different tabs to different processes.

    1. Re:Chrome and IE are the most secure browsers by bunratty · · Score: 3, Informative

      I think the folks at SecurityFocus disagree. Although IE 9 is more secure than previous releases, IE still has plenty of vulnerabilities

      --
      What a fool believes, he sees, no wise man has the power to reason away.
    2. Re:Chrome and IE are the most secure browsers by calibre-not-output · · Score: 1, Troll

      Anyone who still says that IE is insecure browser just doesn't know what he is talking about.

      I beg to differ. IE comes tied-in with Windows and is the most widely used web browser in the world. That also means that it is the most targeted web browser by people bent on exploiting its vulnerabilities in order to gain unlawful access to someone else's computer. Even though it might have less security flaws than Opera or Firefox, you can bet your gonads that the proportion of security flaws that actually get exploited on IE is a lot bigger than in either of these two browsers. It comes with the turf. Of course, this doesn't mean that IE is inherently less secure than Firefox. You're right to say it isn't. Still, if I had to choose between IE and FF based only on security, I'd go for FF simply because it's probably a lot less targeted. I have no data to back up my claim, though, and could be completely wrong. Does anyone have any numbers on this?

      --
      Nothing lasts forever but the certainty of change.
    3. Re:Chrome and IE are the most secure browsers by hey! · · Score: 4, Insightful

      Well, let's wait and see.

      Software products are products of corporate cultures. That's not just how people in a corporation tend to think, it's what they tend to value. There is no doubt that Microsoft is capable of producing a secure browser when faced with public criticism and strong competition. The question is whether they will continue to do so if public attention flags or the competition declines, or whether security will be sacrificed to some other business goal.

      Of course you can ask that of *any* browser produced by *any* organization, but the point is that it is a bad idea to accord any one browser product a privileged position. Developers should develop to standards then test against multiple products, and users should not be shy about changing browsers. The problem is that IE inherently has a privileged position, and Microsoft has a history of using interlocking, non-proprietary product stacks to drive sales across product categories. That means Microsoft has unusual temptations when it comes to security, because of IE.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    4. Re:Chrome and IE are the most secure browsers by InsightIn140Bytes · · Score: 5, Interesting

      You would only gain additional security if the exploits actually targeted the browsers. They don't - most of them target plug-ins and work in every browser. Now, both Chrome and IE sandbox them and have extra security layers for plug-ins just so that even if plug-in is vulnerable, you can't actually gain access to system. Since Firefox doesn't offer any of these options, you gain access directly after compromising the plug-in.

    5. Re:Chrome and IE are the most secure browsers by InsightIn140Bytes · · Score: 5, Informative

      If you browse the same site for Chrome, you'd notice that the list is about same length for the latest version. And the total vulnerability count is huge for Firefox compared to Chrome and IE.

    6. Re:Chrome and IE are the most secure browsers by hedwards · · Score: 3, Insightful

      The study itself appears to be bunk. They assume that the browser is going to be exploited which doesn't give any credit to how difficult that might be. It is valid to look at that, but it's incredibly misleading for them to suggest that all browsers are equally likely to be broken. Ultimately, by the time those technologies come into play you're more or less screwed. They can somewhat limit the damage, but if somebody's broken into the browser they probably know where one of the exploits is to get out of the browser.

      It also doesn't take into account common security extensions that people are likely to have or the types of people that use the browsers. Ultimately, it doesn't matter how secure your browser is if you just go around clicking random links and downloading questionable software.

    7. Re:Chrome and IE are the most secure browsers by calibre-not-output · · Score: 1

      I see. But doesn't that mean that if I don't use any of these plug-ins, the differences in browser security become irrelevant? I'd lose the ability to view flash videos or read PDF files in-browser, but Youtube already has an HTML-5 mode anyway, and I usually download my PDFs and read them locally later.

      --
      Nothing lasts forever but the certainty of change.
    8. Re:Chrome and IE are the most secure browsers by bunratty · · Score: 1, Informative

      Here are the lists for: Chrome which shows zero vulnerabilities, and Firefox, which shows two. Ah, good old cognitive dissonance -- making people ignore evidence that doesn't match their conclusions since the dawn of man.

      --
      What a fool believes, he sees, no wise man has the power to reason away.
    9. Re:Chrome and IE are the most secure browsers by InsightIn140Bytes · · Score: 3, Insightful

      Yes. But 99% of people are going to keep their Flash and PDF readers. But if you download PDFs and read them locally later, you can still be exploited if you use vulnerable reader. All of them have had exploits too, but Adobe's is the most targeted one.

      And yes, these exploits work for Linux too, if someone just remakes their payload to target them. In many cases you don't even need root access to most malware, so Linux security doesn't really offer much. However, in that case it actually needs the malware author to create separate payload for Linux.

    10. Re:Chrome and IE are the most secure browsers by InsightIn140Bytes · · Score: 4, Informative

      The links you showed lists new vulnerabilities for:

      Chrome 15.0.874.121 (really minor version number)
      Firefox 8.0 (FF 11.0 is in the works already!)
      IE 9.0 (now we suddenly have a major version number)

      Both Chrome and Firefox use insane version number schemes which really doesn't make that comparison valid. Because of that you have to compare the vulnerabilities within some time frame, for example one year or two years. But I suspect you knew that.

    11. Re:Chrome and IE are the most secure browsers by dln385 · · Score: 2

      Yes, you can use something like NoScript in Firefox (and other browsers), but majority of people don't. In fact even I don't because frankly, it's pain in the ass to use.

      Install NoScript and enable scripts globally in its options. I do this and it's like it's not even there, but once in a while when I'm on a shady website, it'll pop up and say that it blocked a suspected malicious script or XSS attack. Better than nothing.

    12. Re:Chrome and IE are the most secure browsers by Ucklak · · Score: 1, Informative

      Don't care how secure IE is now, it renders differently between versions 7, 8, and 9 and is incredibly slow.

      --
      if you steal from one source, that is plagiarism, if you steal from many, well, that's just research.
    13. Re:Chrome and IE are the most secure browsers by Billly+Gates · · Score: 1, Informative

      Keeping flash and Java up to date helps. With Java these days it is best to disable it in your browsers if you have to use it for things like eclipse on the desktop. That's what I do as Java 7 is a pile of dung even if it is much more secure. I haven't used a Java applet since 2002 seriously. So I can still use Java 6 and not worry about being hacked when I browse.

      With Windows Vista and Windows 7 it is very difficult as hell to target a browser with the exception of Firefox because it does not support sandboxing. The reason why is because ASLR is a ram address randomization technique so if you overflow a buffer you can't say "use server.exe by its ram address and inject your dll into it". DEP is something XP only partially supports that Vista and 7 do fully where you can't plant data execution code in regular data like a picture file. In XP with IE 6 you simply render the pic on the page and you have instant data execution as the CPU/Kernel are too dumb to know which is data and which is executable. That is another common browser exploit.

      But today these are rare and hard to do so a plugin is a great way to do it. IE 9 even has a special compiler option which the engineers even control exception handling so the program will never go into an area out of bounds.

      Flash and Adobe Air are the way to go. Keep them updated or use adblock if you can. The first thing I always do when I get a new computer is uninstall PDF reader and flash and then go to file hippo and download only the latest.

    14. Re:Chrome and IE are the most secure browsers by Anonymous Coward · · Score: 0

      Flash and Adobe Air are the way to go.

      Go mad with rage because Flash is a pile of fucking shit?

    15. Re:Chrome and IE are the most secure browsers by Anonymous Coward · · Score: 4, Interesting

      You don't even need to read them, if you happen to ever have had adobe's reader installed, the shell extension remains lingering around, which means merely hovering over the file icon will open you to exploits.

    16. Re:Chrome and IE are the most secure browsers by Zamphatta · · Score: 1, Informative

      But a flaw in IE can root your system, since IE is tied in so deep. So, even if the insecurity is in Java or Flash or some other plugin, it can have much nastier effects than the same problem via Chrome since Chrome isn't tied into the system. (assuming we're talking about Windows comp's and not Chrome OS or Linux/WINE). In this way, IE is still a bigger insecurity than any other Windows browser even when the insecurity isn't specifically an IE flaw, because IE's "tied in" design is flawed.

    17. Re:Chrome and IE are the most secure browsers by Runaway1956 · · Score: 1

      Off on a slight tangent here - but if you don't install Adobe flash, you can still watch flash movies in your browser. And, it does happen to be Adobe's version of flash that has grown infamous for vulnerabilities. Likewise, Adobe's PDF reader is the vector for PDF vulnerabilities. So, if I install some other PDF reader, and some other version of flash, I might (probably will) be secure from most vulnerabilities. Right?

      Microsoft has lost their standing as the most common attack vector, giving way to Adobe, the last I read.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    18. Re:Chrome and IE are the most secure browsers by Vellmont · · Score: 1


      They don't - most of them target plug-ins and work in every browser. Now, both Chrome and IE sandbox them and have extra security layers for plug-ins just so that even if plug-in is vulnerable, you can't actually gain access to system.

      I'd be far more interested in actual results, from actual attacks (by white or blackhats) rather than undemonstrated theories on how to protect the plugin from the OS. How many times has one party made a "super great security layer that's unbreakable", only to be thwarted very quickly by something they never thought of?

      --
      AccountKiller
    19. Re:Chrome and IE are the most secure browsers by Anonymous Coward · · Score: 1

      I don't think you understand how debate works. You don't have to provide support of your own if your goal isn't to prove a given side. All you have to do is prove that your opponent's support is invalid, as he does. Try making valid, sustainable points, and maybe you'll get some credit.

    20. Re:Chrome and IE are the most secure browsers by Anonymous Coward · · Score: 0

      Not this shit again.

    21. Re:Chrome and IE are the most secure browsers by Noughmad · · Score: 1

      Off on a slight tangent here - but if you don't install Adobe flash, you can still watch flash movies in your browser.

      Which do you recommend? I tried both gnash and lightspark, albeit some time ago, and most flash sites wouldn't play, or wouldn't play correctly. Also, neither improved the power consumption, which is my main complaint about flash.

      --
      PlusFive Slashdot reader for Android. Can post comments.
    22. Re:Chrome and IE are the most secure browsers by Vellmont · · Score: 3, Interesting


      Anyone who still says that IE is insecure browser just doesn't know what he is talking about.

      Care to point to any actual data on breakins, rather than theoretical security models to demonstrate this point?

      You might want to look at the pwn2Own contest results from this year:
      http://en.wikipedia.org/wiki/Pwn2Own

      Teaser:
      The second and last browser to fall for the day was a 32-bit Internet Explorer 8 installed on 64-bit Windows 7 Service Pack 1.[23] Security researcher Stephen Fewer of Harmony Security was successful in exploiting IE. Just as with Safari, this was demonstrated by running Windows' calculator program and writing a file to the hard disk.

      Day 3
      No teams showed up for day three. Chrome and Firefox were not hacked.

      Only IE8 was in the competition since IE9 wasn't even released until shortly afterward. We'll see how the new batch of browsers does next year.

      So I have to ask: Why does "anyone who thinks IE is an insecure browser doesn't know what he is talking about"?

      --
      AccountKiller
    23. Re:Chrome and IE are the most secure browsers by Vellmont · · Score: 1


      Ultimately, it doesn't matter how secure your browser is if you just go around clicking random links

      WTF? This is the entire experience of the World Wide Web! Are you really suggesting that we're all supposed to "just know" which are the "good" links to click on, and which ones are the "bad" ones? Do you really think an attacker isn't clever enough to trick you into clicking on his malicious site? And no, I'm not talking about the "punch the monkey", or "take this IQ test" crap.

      --
      AccountKiller
    24. Re:Chrome and IE are the most secure browsers by Runaway1956 · · Score: 2

      I've had pretty good luck with gnash, myself. To be perfectly honest, though, I most often right click the video, and save it to disk, then view it locally, in VLC.

      Lightspark, I just looked at, and never did try it. Maybe I'll test it out soon.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    25. Re:Chrome and IE are the most secure browsers by LordThyGod · · Score: 2

      Windows is also Operating System for Dummies, Desktop for Dummies and Internet for Dummies all in one convenient package. Malware authors know they have a much better chance of such people not updating their software and doing other dummy kinds of things. It's a natural fit.

    26. Re:Chrome and IE are the most secure browsers by iserlohn · · Score: 0, Offtopic

      Way to go, lose an argument and use an alt to reply.

    27. Re:Chrome and IE are the most secure browsers by metacell · · Score: 1

      I assume the TFS meant it was surprising considering who funded the research...

    28. Re:Chrome and IE are the most secure browsers by tycoex · · Score: 2

      My browser tells me which looks are 'good' links and which are 'bad.'

      http://www.mywot.com/

    29. Re:Chrome and IE are the most secure browsers by cryptoluddite · · Score: 4, Interesting

      Both IE and Chrome offer sandboxing, JIT hardening and ways to make vulnerable plug-ins less easy to exploit and gain access to system. Firefox offers none of these.

      On the other hand only Firefox is checked with static analysis tools before released, meaning that there are very, very few actual flaws in the browser (IE might be, Chrome certainly isn't). For instance when Chrome added a very basic memory checker to their test servers they caught dozens of bugs -- and that's just from the most basic of runtime checks. When people have run their commercial static analyzers on Chrome they've found several hundreds of potential flaws.

      What does this mean in practice? The inner sandboxed code in Chrome is wide open to attack. They aren't even using serious methods to try to protect that code and are instead relying completely on the sandbox. This is the reason why you'll get random crashes in Chrome, and why they purposely try to keep you from using too many tabs (if a process is rendering more than one tab then when it crashes more of your tabs have to reload). On the flip side, this is the reason why in a years of running Firefox nightly it has never crashed once. Yes, there are errors in Firefox, but they are complex ones not the simple mistakes that crash Chrome left and right.

      Personally I've never had a malware in dozens of years, so browser stability matters a whole lot more to me than security. A sandbox would be nice, but one that is relied on and causes random page crashes is worse than not having one but having far fewer crashes.

    30. Re:Chrome and IE are the most secure browsers by Anonymous Coward · · Score: 0

      Yes, you can use something like NoScript in Firefox (and other browsers), but majority of people don't. In fact even I don't because frankly, it's pain in the ass to use.

      I really don't understand what people find so very difficult about NoScript. It takes literally two clicks to use and will proactively protect you from a lot of trouble.

      auto-updating browser and plug-ins

      If you think Firefox doesn't, you're not very informed. Thanks for the pro M$ fud though.

    31. Re:Chrome and IE are the most secure browsers by InsightIn140Bytes · · Score: 2

      Yes, because that AC obviously was me.

      He made the initial argument that IE has somehow had way more vulnerabilities than Chrome and Firefox, and then backed that argument with invalid data. I just pointed out that.

    32. Re:Chrome and IE are the most secure browsers by RobbieThe1st · · Score: 3, Informative

      I've found the same thing. FF seems to be extremely stable, does what I want, and is configurable enough that I can make it look /how/ I want(unlike Chrome and, I suspect, IE), which is something like the UI of FF3.
      Also, aside from a couple of glitches I've seen in nightly versions(locking up if reloading over 30 tabs at once being a problem I saw for a year), It's been pretty fast and stable.

    33. Re:Chrome and IE are the most secure browsers by Anonymous Coward · · Score: 0

      I think Microsoft is the Devil, and should die. However, I'm not the one who's ignorant. I happen to be both old enough to have seen what they are made of, and I also happen have the capability to learn from history. A trait far too rare these days. Or maybe you're not really that ignorant, but rather just astroturfing? Let's not forget it's a traditional thing for Microsoft to do.

    34. Re:Chrome and IE are the most secure browsers by InsightIn140Bytes · · Score: 1

      No one said it's difficult. It's just pain in the ass because it breaks lots of sites by default and you have to activate those scripts if you want functional sites. The worst thing is that if some site uses JavaScript as part of some form. At best the form doesn't function after filling all the details, in worst case scenario you write some large text and lose the whole reply.

    35. Re:Chrome and IE are the most secure browsers by Nihilomnis · · Score: 1

      WOT may filter out most malware sites, but unfortunately top users use mass rating tools and sometimes rate sites as poor or unsafe just because someone had a differing viewpoint. Sometimes even down-rating sites affiliated with mal-rated sites.

    36. Re:Chrome and IE are the most secure browsers by Anonymous Coward · · Score: 0

      No one said it's difficult. It's just pain in the ass because it breaks lots of sites by default and you have to activate those scripts if you want functional sites.

      Stupid places need to stop putting so much goddamn external javascript on their fucking sites. Simply amazing how many fucking places some sites pull javascript in from.

    37. Re:Chrome and IE are the most secure browsers by hedwards · · Score: 1

      All sites aren't equal in terms of their risk factors. Yes every once in a while a major site will get hit, but in general there's a substantial difference between frequenting a random warez site and a random hobby related forum.

    38. Re:Chrome and IE are the most secure browsers by Billly+Gates · · Score: 1

      Reference?

      IE 9 is the fastest browser around as it is the only one that supports 100% GPU html rendering. True some Google optimized javascript benchmarks show Chrome ahead but multimedia heavy sites work better in IE 9.

      IE 9 renders standards just like every other browser and IE 8 does most of the time. Seriously you are living in 2001 with IE 6 just like those who say IE is insecure. MS got its game back starting with IE 8.

      I saw a link recently which had a Javascript acid test and IE 10 is the only browser that had a perfect score! FF had 33 errors and Chrome had over 420!

      IE 9 still has issues like the lack of adblock which is why I use Chrome occasionally but it is a usable browser for work that is modern

    39. Re:Chrome and IE are the most secure browsers by Billly+Gates · · Score: 1

      You do not have to do that anymore. All major browsers have XSS protection including even old IE 8. If you are really paranoid or work in a large office which can't leave older versions of IE go install OpenDNS which actively removes malware domains. Sweet idea and can eliminate any nasty scripts or exploits for things like PDF files, unless they have a hard coded IP Address.

      This will solve the same issue with XSS in another layer of protection

    40. Re:Chrome and IE are the most secure browsers by bonch · · Score: 4, Insightful

      He didn't blindly dismiss your evidence. He directly refuted it by pointing out there are in fact vulnerabilities for Chrome, contrary to your claim that there are zero, and that you have to compare vulnerabilities within the same timeframe, which is entirely logical or else you could cite vulnerabilities from years ago in comparison to browsers today.

    41. Re:Chrome and IE are the most secure browsers by Anonymous Coward · · Score: 0

      As a web programmer I know that CSS renders differently in IE9 than in Chrome or FF, and has a different box model in some cases. It also does play well with jquery yet, which is a "standard" library, even if not standards compliant.

    42. Re:Chrome and IE are the most secure browsers by Anonymous Coward · · Score: 3, Informative

      Not according to the national vulnerability database. Here is the score for the last three months:

      We can argue that it makes more sense to look at holes over the last year instead of over the last three months, but the evidence indicates that Chrome is the least secure and IE is the most secure. (Security holes by version doesn't make sense for Chrome, since it changes its version number so quickly. Ditto with Firefox).

    43. Re:Chrome and IE are the most secure browsers by Anonymous Coward · · Score: 0

      Kudos to Google and MS for trying to counteract attacks that are actually used in the wild by real attackers. Boo on Firefox for ignoring it. Evolve or die.

    44. Re:Chrome and IE are the most secure browsers by jo_ham · · Score: 1

      Yawn.

      "Any opinion that is contrary to mine is a paid shill".

    45. Re:Chrome and IE are the most secure browsers by smash · · Score: 1

      Pretty much agree with this. Whilst in theory maybe firefox code is more reviewed or whatever (I'm willing to play devil's advocate on that one) the simple fact is that the industry has moved on from attempting to write secure code and ensure that all code in the browser is written securely, to sandboxing. Sandboxing makes the assumption that all this code is insecure - which with 20/20 hindsight is probably the way browsers (or anything connected to a network) should have been written in the first place.

      Firefox needs to catch up. If some badly written patch or plug-in can be exploited within the browser to own your machine, that's a problem. Yes, it will still happen if the sandbox can be exploited, but that's a far smaller subset of code to review. If you can get a secure sandbox environment, then an overlooked problem in the rest of the code has far less impact.

      IE has been reasonably secure for years if you bother to go to the effort to lock it down sufficiently with security zones (why should my corp browser be running unknown active-x or plugins from the internet??), but no home user bothers.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    46. Re:Chrome and IE are the most secure browsers by shutdown+-p+now · · Score: 4, Insightful

      As the other guy who replied to you has noted, you're comparing apples and oranges (or rather cherries and watermelons) here - you're picking a specific release of Chrome (a browser that updates version number several times a month), a specific version of Firefox (a browser that updates version number several times per year), and a specific version of IE (a browser that updates version number once in two years). To make a meaningful comparison, you need to compare similar time periods, no matter how many versions were released in that period for the browser.

      So, IE9 was released in March 2011 - let's look at the time period from that point until today. Looking at release history in Wikipedia, this means Chrome from 10.0.648 to 17.0.963, and at Firefox from 4.0 to 8.0 (note that IE9 also had numerous updates in that time frame, it just doesn't count them as releases).

      Now I won't even bother counting, because even just looking at the earliest versions of both Chrome and Firefox as listed above both produce two pages worth of vulnerabilities, versus one page for IE. It's obviously a very rough metric because this doesn't account for severity of those vulnerabilities, but it already goes to show that your original numbers (zero and two) are bullshit. I hope someone who's more patient than me will go through those lists and make a nice summary.

      Also, specifically with respect to Chrome, a good half of vulnerabilities are ones from Flash. This is technically correct, because Chrome ships bundled with Flash. However, in practice, vast majority of browser users on the desktop have Flash installed in any browser that they're using; so, to get a meaningful security comparison for a typical desktop, you need to either subtract those Flash vulnerability numbers from Chrome, or add them to other browsers. This would make Chrome the most secure by far, and Firefox the least - exactly as TFA says.

      It's also basic common sense. You're comparing two browsers who have sandboxed-process-per-tab with a browser that does everything in a single process with no security boundary. Of course the latter is going to be more vulnerable!

    47. Re:Chrome and IE are the most secure browsers by shutdown+-p+now · · Score: 2

      Keep in mind that Chrome holes include Flash holes, because Chrome ships with Flash. IE and Firefox stats don't count Flash, because it's technically a separate product. But, in practice, 99% of desktop PCs have it installed, so you might as well count it against all three browsers.

    48. Re:Chrome and IE are the most secure browsers by smash · · Score: 1

      The study itself appears to be bunk. They assume that the browser is going to be exploited which doesn't give any credit to how difficult that might be

      Hate to break it to you, but it doesn't matter how difficult it was to exploit when there are scripts available for free to do it. If an exploit is feasible, it will be exploited eventually. Running an application that runs any sort of un-trusted code from the internet without a sandbox in 2011 is playing with fire. Eventually you'll get burned.

      You don't run your daemons on your servers without TCP wrappers, and/or Jails now do you?

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    49. Re:Chrome and IE are the most secure browsers by shutdown+-p+now · · Score: 2

      As a web programmer I know that CSS renders differently in IE9 than in Chrome or FF, and has a different box model in some cases. It also does play well with jquery yet, which is a "standard" library, even if not standards compliant.

      IE only has a different box model in quirks mode. If you use a proper DOCTYPE, you get the standard one - and this has been the case for a long time.

      With respect to "CSS renders differently", can you give an example? I'm sure there are some, but IE8+ declares support for pretty much all of CSS2. CSS3 is a much wilder area, and IE (even v9) lags behind other browsers in that regard, but then it is still a draft standard.

      The part about jQuery is certainly false, at least unless you're talking about IE6. jQuery actually ships in the box with Visual Studio these days, and if you create a .NET web application project in VS, it'll add jQuery to it automatically. Do you think anyone would do that if jQuery didn't work with IE?

    50. Re:Chrome and IE are the most secure browsers by shutdown+-p+now · · Score: 2

      No, a flaw in IE cannot root your system, unless there is a different elevation exploit in the OS itself (in which case it would apply also to any other browser). IE is not "deep in the system" - it's just a bunch of DLLs that contain the rendering and scripting engines, and an executable that provides chrome for it. It's precisely why people have been able to make unofficial "mods" of Windows with IE stripped out.

    51. Re:Chrome and IE are the most secure browsers by Raenex · · Score: 1

      "Ah, good old cognitive dissonance -- making people ignore evidence that doesn't match their conclusions since the dawn of man."

      +1 for cognitive dissonance and hypocrisy

    52. Re:Chrome and IE are the most secure browsers by hairyfeet · · Score: 1

      While I agree IE has gotten loads better, thanks to MSFT fragmenting the living fuck out of IE trying to upsell Windows, frankly I wouldn't take it on a bet. There are currently three and soon to be four Windows versions out there. Quick, tell me this: which version of IE can XP run? How about Vista? 7? MSFT has made it a damned mess by not backporting shit, which makes IE a nightmare to support. That is why I remove it, toss the links, as far as my systems I sell are concerned IE don't exist. I give them Comodo Dragon and then if they manage to somehow bork that they can use the FF I have on there as a backup, but NO IE. BTW you ought to see how few patches you need for Windows 7 if IE isn't on the machine, I'd say probably a good 70% of the Win 7 patches are IE patches.

      But I would take Dragon, QTWeb, Safari, Opera, Chrome, hell even FF over IE as long as I have ABP installed. Trying to keep up with which version is for which OS and what features are for which version is too much of a PITA. My customers are certainly not gonna go out and buy new machines or a shitload of Windows CALs just because MSFT won't backport their own software. Funny how Google and all those browsers based on Chromium like Dragon have NO problem supporting XP and Vista?

      --
      ACs don't waste your time replying, your posts are never seen by me.
    53. Re:Chrome and IE are the most secure browsers by Anonymous Coward · · Score: 0

      Firefox is checked with static analysis tools before released, meaning that there are very, very few actual flaws in the browser

      lulz.

      reminds me of the poster earlier who claimed that DEP prevents non-code data from injecting payloads. static analysis techniques do not provide total code/exploit coverage.

    54. Re:Chrome and IE are the most secure browsers by hairyfeet · · Score: 0

      I don't see how you can call this "super great security layer" when most of what both Chromium (as in Chromium, Chrome, Comodo Dragon, and others) and IE do is as old as Unix, since they are using low rights mode, which is simply a level of permissions below that of even users, which severely limits what the browser (and thus code inside it) can and can't do. Combine that with sandboxing, ASLR, and DEP and you make a pretty damned hard nut to crack.

      I think the problems with Firefox, the lousy memory usage, CPU spiking, bad security, it all comes down to Gecko. Gecko simply wasn't built for today or for multithreading or isolation, and trying to bolt more and more onto Gecko is making it shittier. I just hope it'll turn out that Mozilla has been secretly having a rewrite of the underlying engine done and they'll spring it on us, because while I really miss Firefox it is just too easy to pwn.

      Hell, if you have friends or clients that use Yahoo Mail and FF I'm sure you've seen the spam from their accounts, that's an iFrame bug that will load a hidden iFrame and log into their Yahoo account while they are looking at free porn videos and then spam their address books. After seeing a couple of customers complaining about spamming even though all scans showed a clean machine I checked their history and tried it myself with a box I planned on wiping and with a Yahoo account I use as a spam dump and yep, Chromium and IE didn't get bit, FF did. Sorry I didn't write down the exact address, but since it seemed to be a hit and miss thing I think it's malware hidden in some of the ads. But if you want to try it yourself just go to some of the sites like Redtube and youporn and start clicking on random links, but you'll have to have a fake Yahoo account with the pword saved in FF and a couple of addresses for it to send spam to.

      But after that I moved all my customers away from FF, it's just too risky. Not a single other browser I tried did that, not any of the Chromiums or IE, not Opera or Safari or QTWeb, ONLY FF got bit by that bug, again because Gecko I think is too long in the tooth and needs to be replaced.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    55. Re:Chrome and IE are the most secure browsers by Anonymous Coward · · Score: 0

      I'm not stupid enough to try doing this. But I would dare you to try. First disable all third-party IE9 plugins (Adobe Flash primarily) because that's historically the largest vector for IE vulnerabilities.

    56. Re:Chrome and IE are the most secure browsers by Anonymous Coward · · Score: 0

      Only one of the holes -- CVE-2011-2444 -- is a hole in Flash. All of the other holes are things like use-after-free and what not in Chrome's code base.

    57. Re:Chrome and IE are the most secure browsers by Anonymous Coward · · Score: 0

      Hmmm, in over a decade of browsing the Web, I've never, even once, got infected by any virus or malware, even when I used to use MS Windows (up to 2006 IIRC). Now I don't consider myself a particularly smart cookie; I'm not even an IT or CS person. I just don't download and run any random software off the Net. I use only well-reviewed programs downloaded from the author's own site. I also keep systems updated, and most importantly, the continuous use of NoScript + Adblock ensures no JavaScript/Flash cruft is executed. These are pretty simple, elementary steps to take. I don't understand why so many millions of computer users don't realise this much. It's not as if anyone told me a list of 'best practices,' or guided me. It's all been completely self-taught, and it's trivially easy too. You just need a little bit of simple curiosity about how your machine works and browse around on sites like Wikipedia or the USENET, and you'll pretty soon get to know of most of the issues and how to deal with them.

    58. Re:Chrome and IE are the most secure browsers by Anonymous Coward · · Score: 0

      > they seem to copy the aspects of Chrome that no one actually cares about (UI and version number scheme) while completely forgetting what Chrome and IE do underneath and what actually counts - sandboxing, JIT hardening, auto-updating browser and plug-ins and separating different tabs to different processes

      Auto updating browser is available for Windows IMO, in linux that doesn't make sense when it is on default install location but works if it is running from a user location (like ~/bin/ or so).

      Also, FYI, addons auto update and they also do without restarting the browser which is good IMO.

      Also, firefox has a compartment model (per tab) now for security, better OCSP model for certs, better protection from WebGL related vuln and so on.

      I would like to see how firefox + NoScript fares in that study. NoScript is clearly much more than an ordinary addon, it adds a great deal of security to ffox.

      I have used latest IE, even though it may be more secure now, it is heavy as shit, nearly unusable and nearly every software (including Microsoft's many own) tend to add plugins/addons and what not to it to blow its footprint up. It has no protection against that whereas for firefox they have realized it now and are adding measures (or added) for it.

      Last but not the least, when people compare browsers like that, they seem to be good at knowing only 1 or 2 (like you), so they tend to forget aspects/details of the others, and their own bias adds to it.

    59. Re:Chrome and IE are the most secure browsers by GameboyRMH · · Score: 1

      Look at the guy's post history smartey man.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    60. Re:Chrome and IE are the most secure browsers by Anonymous Coward · · Score: 0

      Microsoft is the devil and should die [...] IE has been a really secure browser for a long time.

      Should the second part prove true, those 2 statements would still be far from mutually exclusive.

      Anyway, one of the things that bug me with sponsored studies, or any other ad campaigns masquerading as scientific data, is the double standard with "out-of-the-box" configuration. It's either used for the competitor's offer or forgone for the sponsor's own, depending on what puts the latter in a better light.

    61. Re:Chrome and IE are the most secure browsers by Anonymous Coward · · Score: 0

      There is a comment about how to disable that here.

    62. Re:Chrome and IE are the most secure browsers by BZ · · Score: 2

      Firefox offers various security mitigation strategies (in terms of properly dealing with various memory-safety issues, say) that Chrome does not. As far as I can tell, this study just started off with a subset of the list of techniques that Chrome implements and then "studied" which other browsers also implement them, instead of studying what browsers actually do to ensure security and how difficult they are to actually exploit.

      Your larger point that modern IE is a fairly secure browser (like any modern browser) is correct, of course.

    63. Re:Chrome and IE are the most secure browsers by jo_ham · · Score: 1

      And?

      It's no different to a Linux/Android/GNU/EFF/End Software Patenttttzz! fanboi....

      Are they paid shills too? Or is it ok when the shill is spouting something you agree with?

    64. Re:Chrome and IE are the most secure browsers by GameboyRMH · · Score: 1

      Even the biggest fanboy doesn't post with such regularity on what they're a fan of, and rarely gets in a big propaganda piece as a first post which is quickly modded to +5. Or you can stick your head in the sand and assume they're all just very dedicated fanboys with very recent accounts...

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    65. Re:Chrome and IE are the most secure browsers by Anonymous Coward · · Score: 0

      Firefox is already using a plugin-container for Flash, Silverlight, Java, etc. As far as I can tell from their article (http://support.mozilla.com/en-US/kb/What%20is%20plugin-container) it does not actually sandbox the plugin.

      Correct me if I'm wrong, but wouldn't it be easy to extend the functionality of this component to include that extra security measure? I don't really care for a multi-process browser, but separating the plugins from the browser does seem like a good idea, and I'm glad Mozilla has already done this, but maybe they should consider taking the plugin-container a bit further.

    66. Re:Chrome and IE are the most secure browsers by Anonymous Coward · · Score: 0

      I unfortunately have firsthand experience with Firefox's vulnerability. In early October they released a version, I think it was 7.0, that told you it was turning off McAfee to make the browser more stable. I stupidly let it do this and my PC was compromised within two days. It initially showed up as a browser redirect (search for this in the Firefox forums, all of those people are screwed). The MS safety scanner 1.0.3001.0 identified "Exploit: Java/CVE-2010-0842.P" and "TrojanDropper:Win32/Sirefef.B". There is still a root kit installed. If I try to run AdAware I get "access denied". Also my restore points are now corrupted and the backups on my Seagate backup drive have disappeared (although the drive still shows 300 GB used).

      So no, Firefox isn't secure, regardless of what their PR flacks tell you about static analysis or magic beans or whatever.

      I "fixed" this problem by buying an iMac.

    67. Re:Chrome and IE are the most secure browsers by Anonymous Coward · · Score: 0

      Except that unlike you hedwards appears to have actually read the study. There's nothing in this study about browser exploits. The entire study is about what you can do with a custom plugin installed at the OS level. If you are downloading and installing programs and plugins from random places this is what you get.

    68. Re:Chrome and IE are the most secure browsers by renoX · · Score: 1

      > On the other hand only Firefox is checked with static analysis tools before released, meaning that there are very, very few actual flaws in the browser

      ROFL: given that FF "strength" is extensions your claim is very, very funny.

  2. Here it comes by masternerdguy · · Score: 4, Insightful

    Nobody is going to RTA. This is going to be a good flamewar though.

    --
    To offset political mods, replace Flamebait with Insightful.
    1. Re:Here it comes by Aerorae · · Score: 1

      The problem is that, though I agree whole-heartedly with the results of the study, it was funded by Google. Even if it wasn't we'd have controversy, but since it does, it's gunna be more than a flamewar!

    2. Re:Here it comes by betterunixthanunix · · Score: 1

      IE sucks!

      Just playing my part...

      --
      Palm trees and 8
    3. Re:Here it comes by InsightIn140Bytes · · Score: 1

      The PDF contains all the things they tested, and goes to very technical details. I also doubt Google would want to make Microsoft look better than Mozilla.

    4. Re:Here it comes by Anonymous Coward · · Score: 0

      Aye, this study is about exploit mitigation. Basically reducing damages from bugs/exploits that do happen. This is only a subset of security and not a full look at security, which includes number of bugs/exploits including ease and severity of them, how often they appear, and patch time. Of course Firefox is last as it focuses on normal more traditional security but does nothing like sandboxing to reduce exploit damage. Doesn't mean that Firefox is more insecure, but is an aspect that should be taken into consideration.

      Basically, if exploit takes away 2 points from security, sandboxing like stuff would reduce it to 1 point (reduces severity). This doesn't mean anything if IE gets 100 exploits and firefox gets only 10 (-50 vs -20). Note: This is just an example to explain my reasoning.

    5. Re:Here it comes by Trepidity · · Score: 1

      That's true, and a good instinct to have, but I apply it less in this case than usual, because the study appears to actually include substantial technical detail, and Accuvant is a well-respected security firm. At the very least it looks like a more serious commissioned study than the stuff you get from the usual "independent" shill consultants that write most commissioned tech whitepapers.

    6. Re:Here it comes by Anonymous Coward · · Score: 0

      The problem I have is this study is absolutely nothing like the browsers I have deployed out in the field.
      I don't use any of the browsers in this test.
      The browsers I use are always customized.
      The study must assume the browser / box is connected directly to the web?!
      The study testers don't block frame, iframe, and xframe. (nothing but Ads and Worms come from here - Webmasters please don't use frames!)
      The study testers do not maintain their own custom blacklist.
      Was this test actually trying to compare popular blacklists and tell me the detection rate google vs URS!?
      No Squid? Hosts files? Proxies? Tunnels? All of these change the game

      My opinion is this isn't a security strategy, it has facts, it has asm code, statistics, but it's not a security plan in itself.
      Security has to be full spectrum, has to be planned, it has to be vigilant, it doesn't just end with the install of 3 browsers, or choice of 2 blacklists.
      The paper is being leveraged as a hit piece to people who don't know this shit, every browser I have has to get patched nearly every week, Secunia goes nuts on them.
      They are all vulnerable all the time!

      Knowing this, now design your security plan.

      Do you use EMET on vulnerable plugins or addons?
      Do you store a local start page, example: "c:\start.html", to avoid having to search (using any search engine) for your URLs?
      e.g. Click, DNS lookup and page load

      On to JAVA Javascript flash quicktime silverlight.

      My current rules here are
      JAVA - uninstalled - really didn't need it, when it is needed, I can download it.
      Javascript - open game
      Quicktime - disable the plugin, unless needed on well loved website
      Silverlight - disable the plugin, unless needed on well hated website (yes that was a joke, lighten up)
      Flash - open game

      But hey if you get your shit smacked while in a "saved VM image state", who gives a fuck?
      restart and it's like new. One for Banks, One for Ebay, One for Virus shopping.
      In this light all browsers are equal, and no url is evil
      Now excuse me while I load rootmeagainandagainandagainandagain.dot.org in my Netscape Gold 3.04g

  3. Popcorn by Xaemyl · · Score: 0

    I haz it. *queue fanboi flamewar*

    1. Re:Popcorn by Anonymous Coward · · Score: 1

      cue

    2. Re:Popcorn by pipatron · · Score: 1

      cue

      "You must be new here".

      --
      c++; /* this makes c bigger but returns the old value */
  4. Opera by jaak · · Score: 5, Interesting

    The researchers did not evaluate Opera in their study. I wonder how that would have compared...

    1. Re:Opera by kangsterizer · · Score: 5, Interesting

      They don't care about opera. It's not a technical study. It's a marketing study.
      Opera has no market share. Chrome's easiest target is Firefox.
      IE's easiest target is Firefox too, and they made a similar advertising study, where IE is on top of security, way ahead of Chrome - but not too much.
      Both put Firefox down.

      All of them fail to mention other security features of Firefox. All of them fail to mention noscript and the like.
      (and before you ask a list, take a look at Firefox's separated memory management per tab, or frame poisoning protection, etc.)
      Also, no mention of CVE count of course, aka the actual discovered vulnerabilities.

      That's just making a checklist where you put names of technologies that the opponent doesn't have, but don't put names of the ones you do not have.
      Then put a mark in front of them to make you appear better.

      In the past they've been (as in all corporations) doing that for ages, Microsoft certainly did a lot of it. The difference here is that they now buy out companies to do it for them.

    2. Re:Opera by InsightIn140Bytes · · Score: 4, Informative

      Opera is the most used browser in many CIS countries, having almost 50% market share in some and beating all IE, Chrome and Firefox. Maybe you wanted to say that Opera has no market share in the US.

    3. Re:Opera by Anonymous Coward · · Score: 0

      Extensions don't count. They aren't default behavior, nor installed by most of the userbase.

      If Mozilla were smart, they would hire the NoScript guy and work to improve it even more, particularly making it easier to filter or unfilter.
      Even as a power user, I still find it pretty obtuse sometimes.

      Of course, Mozilla aren't smart and they continue to bewilder even their most diehard fans with all of the recent nonsense.
      How far they have fallen since the early days of Firefox.
      Just like Notch of Mojang, they let the fame get to them too much and thought they could get away with anything, and it backfired. Horribly.

    4. Re:Opera by allo · · Score: 0

      > Opera has a market share of 30 000 person worldwide.
      troll.
      more like 30 million.

    5. Re:Opera by Anonymous Coward · · Score: 1

      Globally Opera has around 1.8% market share (http://gs.statcounter.com/ others show similar). There are around 2.1 billion internet users WW (http://www.internetworldstats.com/stats.htm). That would peg Opera at close to 38 million. So you are right. But it is still very small. Even Safari has more than 3x the user base. I've tried Opera several times, but never liked it myself. But it does seem to have a very strong and vocal supporter base for its minuscule size.

    6. Re:Opera by Noughmad · · Score: 1

      Just like Notch of Mojang, they let the fame get to them too much and thought they could get away with anything, and it backfired. Horribly.

      How exactly did it backfire for him?

      --
      PlusFive Slashdot reader for Android. Can post comments.
    7. Re:Opera by kangsterizer · · Score: 1

      Funny.
      You're using the same tactic I pointed out Google is using.

      September 2011, median of all worldwide browser usage statistics:
      Opera 2.7% = Yay for CIS 10 users! 2.7% woohoo!

      Chrome was at 20%, Firefox 25 and IE 38%. See the difference?

      That doesn't mean Opera is a bad browser. In fact, Opera mobile is very, very good. But that doesn't mean one should write FUD now should it?

    8. Re:Opera by Anonymous Coward · · Score: 0

      Opera can fake UA out-of-the-box, and it's *still* necessary to get some sites to work; do the stats counters look for that?

    9. Re:Opera by Anonymous Coward · · Score: 0

      They don't care about opera. It's not a technical study. It's a marketing study.
      Opera has no market share. Chrome's easiest target is Firefox.
      IE's easiest target is Firefox too, and they made a similar advertising study, where IE is on top of security, way ahead of Chrome - but not too much.
      Both put Firefox down.

      All of them fail to mention other security features of Firefox. All of them fail to mention noscript and the like.
      (and before you ask a list, take a look at Firefox's separated memory management per tab, or frame poisoning protection, etc.)
      Also, no mention of CVE count of course, aka the actual discovered vulnerabilities.

      That's just making a checklist where you put names of technologies that the opponent doesn't have, but don't put names of the ones you do not have.
      Then put a mark in front of them to make you appear better.

      In the past they've been (as in all corporations) doing that for ages, Microsoft certainly did a lot of it. The difference here is that they now buy out companies to do it for them.

      Opera, is a far secure browser. It's a European browser popular in Asia especially China. The study is about a U.S. browsers funded by a U.S. company. I know that Chrome, is spyware sponsored by a company run by advertisers. The European U.S. thing is not bad it creates competition U.S. inferiority complex and naive users. If naive users did not exist in such large numbers how would we earn a living.

  5. Secretly Funded? by Anonymous Coward · · Score: 0

    What if it were secretly funded by Microsoft as well?

  6. Good for Firefox by Anonymous Coward · · Score: 0

    Firefox needs kicks in the balls like this.

    Marketing People have started writing the code at Mozilla.

    Marketing People are writing the code for GNOME3 and Unity.

    Marketing People are picking and troll- or flamebait-tuning the stories here at Slashdot.

    Looks like even people who switched to Linux are still not smart enough to know what they want without the marketing people.

    Ah well... escalation comes before restoration...

  7. Who woulda thunk it. by RandomAvatar · · Score: 1

    Who would have thought that a company that makes a browser, then does a comparison, would end up having their browser come out on top? This is why I never trust studies or comparisons done by a company that has had any funding or is related in any way to the market, company, or product they are doing the study on.

  8. NoScript! by Kaz+Kylheku · · Score: 0

    Did they install NoScript? Evaluating Firefox security without this script blocker is like evaluating a compiler without using its optimization options.

    1. Re:NoScript! by calibre-not-output · · Score: 4, Insightful

      They tested the vanilla browsers, as they should. Most people don't install NoScript, and many who do get annoyed with it and switch it off.

      --
      Nothing lasts forever but the certainty of change.
    2. Re:NoScript! by Kaz+Kylheku · · Score: 1

      So, since most people won't use Firefox, so we shouldn't test it at all.

    3. Re:NoScript! by calibre-not-output · · Score: 4, Insightful

      Yes, that's exactly what I didn't mean. The test was a test of Firefox (and IE and Chrome), not a test of "Firefox with some add-ons installed". Chrome has optional third-party security plugins too, and they also weren't enabled for the test. NoScript isn't a part of Firefox, doesn't come bundled with the browser, and isn't developed by Mozilla. Why should it be included in the test?

      --
      Nothing lasts forever but the certainty of change.
    4. Re:NoScript! by TheGratefulNet · · Score: 1, Interesting

      NoScript isn't a part of Firefox

      every install I build has NS and adblock installed, at the very min.

      the value of FF is its plugins. why is that not obvious?

      it would be like reviewing an SLR and not using its raw mode. its a slanted test, its not fair, really. or a fast car that is not taken out to a racetrack for a proper test run.

      FF by itself is not what people MEAN by firefox. not really. its value is its plugins and to test it 'bare' is ignorant and has a bit of market-speak to it that I find distasteful.

      --
      "It is now safe to switch off your computer."
    5. Re:NoScript! by Anonymous Coward · · Score: 1

      It's not slanted, it's realistic.

      Running it with all the best security enabled and all the best practices and extensions, that is taking the fast car to a race track with expensive tires and a professional driver. That analogy fits really well - taking the base model that 90% of users will have and run, adding stuff to make it better that most people won't, and putting it in the hands of someone far more capable than 90% of the users.

      I mean, seriously. Look at your post. You're actually arguing that Firefox is better because you can make it do what you want with extensions. Security? We don't need that by default. The user should have to opt in to it. Because.... choice, or something. Freedom to get exploited! Yay!

    6. Re:NoScript! by calibre-not-output · · Score: 3, Insightful

      it would be like reviewing an SLR and not using its raw mode

      No, it'd be like reviewing an SLR without an external flash bulb. Raw mode is built-in to the camera, NoScript is not built-in to Firefox. NoScript, like the external flash bulb, is an optional feature that the browser/camera is made to accept, but also made to work without. Most Firefox users don't use NoScript, even though almost every power user does. Likewise, most people who buy SLRs are overspoiled teens who will never leave the safety of "Auto" mode and probably don't even know that you can swap lenses at all - but every serious photographer has a bag full of peripherals for each specific kind of photo they want to make. I've never read a side-by-side comparison of, say, a Nikon and a Canon camera where the reviewer concludes that despite being all-around worse than model B, you should still buy model A because it fits more different kinds of peripherals. It's the same thing with web browsers.

      --
      Nothing lasts forever but the certainty of change.
    7. Re:NoScript! by InsightIn140Bytes · · Score: 2

      Most people don't use AdBlock or NoScript. That's what matters. You can disable scripting and plug-ins in other browsers too, and get practically the same results. But it's not a real world scenario, not how 99.9% users use their browsers.

    8. Re:NoScript! by Anonymous Coward · · Score: 1

      If you take away noscript and adblock, there is no point in using FF. I think it's safe to assume that at least a significant portion of the FF user-base have these installed.

    9. Re:NoScript! by Anonymous Coward · · Score: 0

      They tested the vanilla browsers, as they should. Most people don't install NoScript, and many who do get annoyed with it and switch it off.

      Particularly when they update the browser's major version number for no reason, AND YOU HAVE TO FIND AND INSTALL A NEW VERSION OF EVERY FUCKING PLUGIN.

    10. Re:NoScript! by Nihilomnis · · Score: 1

      http://browserfame.com/38/firefox-addon-usage-stats
      85% Firefox users have at least one add-on installed

      http://blog.chromium.org/2010/12/year-of-extensions.html
      one-third Chrome users use extensions

      I can't find any data about IE "add-on/extension" usage nor could I locate a place on their site to look for plugins, and as I do not run Windows nor IE I do not know if it is in some menu somewhere, though I can get to Chrome's and Firefox's add-ons from any browser. I know some exist and I have found a few sites with lists of them, but due to the lack of ease finding them I figure most users wouldn't use them. (not that my guesses are worth much)

      It would more accurately represent the browsers if Firefox and Chrome were tested with popular extensions installed, as they could cause more security threats or, in the case of NoScript or Adblock Plus, lessen them (though NoScript only has around a million users and Adblock Plus only eleven million).

      Yes if it was a test between the vanilla browsers to see those differences then add ons and extension should of course not be included, but as it was a test of security their data is possibly skewed in favor of firefox and/or chrome/chromium/iron.

    11. Re:NoScript! by bonch · · Score: 1

      Are you dense? The study is comparing vanilla browsers in the default configuration that the majority of users will be running. It doesn't matter if every installation you use has NoScript and AdBlock installed. It's your personal opinion that Firefox by itself is not what people mean by Firefox. If you have to install plug-ins to secure your browser, that's a mark against your browser.

      Claiming that comparing Firefox without plug-ins is a "slanted study" is like claiming Windows XP was never insecure because you could always install antivirus and antispyware software. Firefox should be secure by default.

    12. Re:NoScript! by TheGratefulNet · · Score: 1

      raw PROCESSING is often overlooked and only 'out of cam jpegs' are used to compare cams. and its just as dumb as comparing a browser whose main bene is that it has a rich plugin arch.

      the OOC jpgs on this thing sucks. yeah, well, you buying a $1k cam for jpg use? really?

      you 'buy' ff because it supports plugins. shipped or not with them is not at all the issue and you know it.

      --
      "It is now safe to switch off your computer."
    13. Re:NoScript! by TheGratefulNet · · Score: 2

      agreed. those are the 2 killer apps for safe browsing.

      to talk about safe browsing and then ignore the rich plugins that are, for all practical purposes, very standard - is just intellectually dishonest.

      I don't trust google and so I refuse to consider chrome. their goals are not consistent with my goals (google vs me) and I'll never trust things they push. if they are for it, I'm usually against it. so chrome is, by definition, NOT a safe and secure browser for me.

      FF is slow and bloated but I've not lost any work in the last 5 years or so; about as long as it's been since they added journaling so that your data is checkpointed and you can resume after a possible crash (for me it's usually running out of swap). I might get a FF crash a few times a year. it's not that bad and again, it does not ever lose state or data.

      finally, no corporation is behind mozilla. that reassures me. google is just too close to some things and I refuse to trust them any farther than I can throw them.

      --
      "It is now safe to switch off your computer."
    14. Re:NoScript! by calibre-not-output · · Score: 1

      Shipped or not with them is exactly the issue. It'd be a murky point if NoScript were developed by Mozilla, but not even that - if you want to keep your Raw Processing analogy, you'd have to assume that Raw Processing is only available if you root your camera and install a third-party firmware.

      What good is a browser safety test that assumes every user is both very knowledgeable about Internet security and very diligent in protecting his/her own data, when in truth the average user is completely clueless and doesn't even care that much? Yet that's a built-in assumption in a test that pretends that an optional third-party security plugin used by a minority of the overall users of that particular browser is in fact part of the browser itself. Besides, if you want to add NoScript to Firefox when testing, it's only consistent that you also add every other extension that's at least as popular as NoScript, right? But why should you stop at that particular level of popularity? Why not install every single extension you can get your hands on? It'd be a miracle if you could get the browser to launch, and even then it wouldn't beat IE 4 on a security test with all those added vulnerabilities.

      --
      Nothing lasts forever but the certainty of change.
    15. Re:NoScript! by Anonymous Coward · · Score: 0

      every install I build has NS and adblock installed, at the very min.

      Ah, the never-ending hubris of nerd-dom. Just how many distinct machines have you installed FF on? And how do you think that your singular experience in any way matters to the group discussion?

      Every pancake I make has chocolate chips in it, at the very min. It's unreasonable to compare IHOP's pancakes to Denny's pancakes without preparing them the same way I do.

      Idiot...

    16. Re:NoScript! by Anonymous Coward · · Score: 0

      if they are for it, I'm usually against it.

      Google has been "pushing" the Mozilla Foundation for quite a while.

    17. Re:NoScript! by RandomFactor · · Score: 1

      Sadly true, however that's the configuration I would care to see evaluated as well.

      If there is a more secure browser configuration than this...while still remaining reasonably usable...I'd like to hear it. (I have played with various Chrome, IE, and Opera versions and configs over time, this one remains my preference to date.)

      --
      --- Mercutio was right.
    18. Re:NoScript! by Rich0 · · Score: 1

      Perhaps a significant portion of the FF user-base that browses slashdot does.

      After you remove that 0.1% of the Firefox userbase, I imagine the percentage that runs noscript is pretty low. I imagine that the adblock userbase is larger, since it has an effect noticeable to the average user.

      Firefox has something like a third of the browser market. If most of those users were running noscript web authors would be doing things a LOT differently.

    19. Re:NoScript! by calibre-not-output · · Score: 1

      From a technical standpoint, the ideal solution would be to include both plain Firefox and Firefox with the most popular security extensions, like NoScript and AdBlock(Plus). But this was a marketing study, so I think they were justified in their approach.

      --
      Nothing lasts forever but the certainty of change.
    20. Re:NoScript! by Kalriath · · Score: 1

      IE's extension site is http://www.ieaddons.com/en/

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    21. Re:NoScript! by Anonymous Coward · · Score: 0

      Other browsers do not have a convenient UI to manage a white-list of sites from which scripts are accepted. Turning off scripts globally is a nonstarter.

  9. missing "bug" from web browsers ! by cosmas_c · · Score: 0

    Kosmas Karavopoulos i think all browsers are missing an about:cra(ppy) page :-)
    (1st posted or flux ed , if you like , on facebook)

  10. Very "common practice" by Anonymous Coward · · Score: 0

    I read the article. I do not agree with some elements. For example, the first element, the process model, dictates there's a better process model than another. So by splitting processes and allowing a browser to run multiple independent processes instead of using threads or a flat model, they say it's automatically better. ... which isn't necessarily true. In order to make the multiple processes work, you must have a marshall process, and you can literally spam your computer with multiple processes, rendering it inoperable, instead of working with one single sandbox, where the system knows how to manage the complexity.

    I do not say it's right or not, I simply say the research was made with a set of security elements that are more relevant to design consideration than actual security problems.

    But it's still a very interesting read nonetheless.

    Full story: I never directly participated in any browser coding, I use Mac Safari @ home (with Firefox backup for the odd site that doesn't work with Safari, like my bank's password reset page, oddly!), Firefox @ work (with IEx64 for the odd stupid site that only supports IE, yes they still exist!)

  11. Won't hurt either by hal2814 · · Score: 3, Interesting

    It won't hurt Google's fraying partnership with Mozilla. Their "partnership" is Google writes a check and Mozilla cashes it. I'm pretty sure Google can say or do whatever they want. It's not like Mozilla will stop cashing any checks that Google writes.

    1. Re:Won't hurt either by Anonymous Coward · · Score: 0

      I wonder if there's talk in Redmond about picking up Mozilla sponsorship so that the default FF home page is bing.

      That is a big deal. Google's sponsorship was not charity.

    2. Re:Won't hurt either by catbutt · · Score: 1

      I think the implication is, the more the two trash-talk one another, the sooner Google stops writing the checks.

    3. Re:Won't hurt either by catbutt · · Score: 1

      Microsoft probably knows that would be a waste of money. The people who are likely to put a non-IE browser on their PCs are pretty likely to know how to, and be inclined to, switch the default search engine.

    4. Re:Won't hurt either by Anonymous Coward · · Score: 0

      I think the implication is, the more the two trash-talk one another, the sooner Google stops writing the checks.

      Companies are not 15 year olds. If you think this is "trash-talk", you didn't read the source. If you are new here, you may not know that the summary often says the opposite of TFA.

      Browsers are given away for free, so getting more market share doesn't (directly) make any company money. The idea that google wants to hurt mozilla is silly. If Mozilla made a browser better than chrome, I am sure google would be happy to have the chrome engineers do something else.

    5. Re:Won't hurt either by Anonymous Coward · · Score: 0

      Not necessarily .... a lot of people are still only using firefox because the techie in the family told them it's better than IE.

  12. Switching to Chrome on Linux? by yuna49 · · Score: 2

    I've read the first few pages of the report and intend to read the details about the three areas where the authors think Firefox is lacking -- sandboxing, plug-in security, and JIT hardening.

    However I will point out the comparison applies only to versions of these browsers running on Windows 7. For Linux users, the comparisons might not be so important, though I'd obviously prefer a browser that employs technologies like sandboxing and enforces security on plug-ins.

    If I switched to Chrome, how much privacy would I sacrifice to gain these security enhancements? I already use Google dozens of times a day, sometimes with a Google account. I use Ghostery to block most tracking cookies except for Google Analytics. I have some clients' sites subscribed to Analytics so I figure I should support the service myself. Would switching to Chrome provide Google additional information about me that it doesn't get now?

    What about the state of plug-ins for Chrome? Along with Ghostery I use AdBlock Plus, ForecastFox and some download helpers. I won't switch browsers if it means abandoning the functionality available in Ghostery and AdBlock.

    I could just use Konqueror or rekonq, but I've never preferred either of KDE's browsers to Firefox.

    1. Re:Switching to Chrome on Linux? by FoolishOwl · · Score: 2

      You could use Chromium instead, as it's the open source basis of Chrome, and pretty much the same in functionality, but without the Google branding, and I don't think it sends usage data to Google by default.

    2. Re:Switching to Chrome on Linux? by calibre-not-output · · Score: 1

      Even better, use SRWare Iron Browser. Also based on Chromium, but with a bunch of privacy- and security-oriented tweaks. AFAIK, it's nothing you couldn't do yourself while compiling chromium, but it's a lot more convenient like this.

      --
      Nothing lasts forever but the certainty of change.
    3. Re:Switching to Chrome on Linux? by Bacon+Bits · · Score: 1

      Ghostery looks to be available on all major browsers including Chrome.

      There's an extension Adblock which is similar to AdBlock Plus. It isn't identical, but other than issues with video-embedded ads (which I remember having with Adblock Plus occasionally) it works just as well as far as I'm concerned.

      As other posters have mentioned Chromium. Here are the major differences. "User metrics" and "crash reporting" are the only two differences with potential privacy issues, AFAIK.

      --
      The road to tyranny has always been paved with claims of necessity.
    4. Re:Switching to Chrome on Linux? by Anonymous Coward · · Score: 3, Insightful
    5. Re:Switching to Chrome on Linux? by Anonymous Coward · · Score: 1

      Iron runs an out-of-date build with known vulnerabilities, hasn't posted their source changes in a long time, and is widely accepted to be a scam. By all means make your own decisions on browsers, but I think you're doing more harm than good with Iron. And if all you want is to run Chrome disconnected entirely from Google, the instructions are here.

    6. Re:Switching to Chrome on Linux? by calibre-not-output · · Score: 2

      That's good to know. Thanks for the link.

      --
      Nothing lasts forever but the certainty of change.
    7. Re:Switching to Chrome on Linux? by Anonymous Coward · · Score: 0

      I prolly watch half of a dozen YouTube videos every day, and I cannot remember ever seeing an ad.

    8. Re:Switching to Chrome on Linux? by Anonymous Coward · · Score: 0

      It is a security study, not a privacy study. That study is in the works and is being funded by Facebook.

    9. Re:Switching to Chrome on Linux? by aeoo · · Score: 2

      Now there's a web page written by a douchebag full of hot air. Chromium is open source and distributing your version of the same software with a few changes is not a "rip-off", it's part of the freedom that the open source programmers enjoy. And for this exercise of freedom he decided to sic patent trolls on the Iron's dev? I hope that's not for real.

    10. Re:Switching to Chrome on Linux? by Calos · · Score: 1

      He was a douche about it, but that doesn't mean he's wrong about Iron. I don't agree with his actions either, but that doesn't invalidate his point.

      Chromium is open source and distributing your version of the same software with a few changes is not a "rip-off", it's part of the freedom that the open source programmers enjoy.

      I think you and the guy who wrote that page are talking about fundamentally different things. SRware touts Iron as "the browser of the future," "based on the free Sourcecode 'Chromium' - without any problems at privacy and security." It's pretty clear they're overselling themselves, and being dishonest. Most of the things they claim make them special compared to Chrome, well, most of those things aren't in vanilla Chromium to begin with, but they don't acknowledge that. It's not even clear to me if all of the offenses of Chrome they list are relevant anymore.

      But after some consideration, what's lost in all this is that Chromium, as far as I can tell, is not very approachable from the Windows side of things. After some brief searching, I find instructions to build Chromium for Windows - not okay for most users - and a place to download what appear to roughly be nightlies - again, not okay for most users. The Chromium website is totally unhelpful. Googling for Chromium or 'Chromium for Windows' mostly gets you threads about people asking how to install Chromium for Windows because they don't understand the build instructions. Read through enough of them, and you'll find that there are releases posted to sites like Softpedia and Tucows, but these didn't appear in any initial searches. 'download chromium browser for windows' finally brings up something useful. This is terrible work by the Chromium folks. Meanwhile, I put 'iron' into Google, and second link is for the browser, and that page has a big 'Download' button.

      There's also the question of age. The link that the AC posted is talking about Chromium 4 and 5. Yes, the version numbers rise quickly with Chromium, but that still dates the link back what, a couple of years? Maybe Iron has extended itself since then. Maybe not, as the AC below claims they've stopped releasing source code, which is a red flag for an open source derivative that claims to be better for security and privacy.

      --
      I vote based on politicians' actions, unless contrary to my preconceptions. Often wrong, never uncertain. #iamthe99%
    11. Re:Switching to Chrome on Linux? by Anonymous Coward · · Score: 0

      Now there's a web page written by a douchebag full of hot air. Chromium is open source and distributing your version of the same software with a few changes is not a "rip-off", it's part of the freedom that the open source programmers enjoy. And for this exercise of freedom he decided to sic patent trolls on the Iron's dev? I hope that's not for real.

      The author does come off as an idiot, but there is a valid point buried in his screed: Making Chromium not send data to google is a matter of not enabling three preferences that are off by default, and all iron does is not let a user enable these preferences.

      Suppose I forked firefox, and claimed that my version was just like Firefox, but would not report the times you use the bathroom to the CIA. The licence says I am within my rights to do this, but I am implying something false about Firefox, and people have every right to point this out.

    12. Re:Switching to Chrome on Linux? by Anonymous Coward · · Score: 0

      WTF is this shit? In the article the guy analyzed Iron's code and that shows it does everything the Iron website claims. Yet the author calls Iron a scam because most of the features are options in Chromium?

      That guy's a toolbox. If Iron were doing something malicious behind the scenes - yeah call em out. But he did source analysis and proved they do exactly what they claim and then calls them scammers for what? Doing exactly what they promise and turning off downloading of a few things from Google that aren't disableable in Chromium.

      Then he snickers about "sic"ing a patent troll on them for these horrible crimes. What a fucking douchebag. Free software and open source is about the freedom to make changes to programs and distribute them. The only "problem" he draws out is they only made minor changes that do exactly what they promised and he calls that a scam? Give me a fucking break.

    13. Re:Switching to Chrome on Linux? by Dr.Dubious+DDQ · · Score: 1

      "However I will point out the comparison applies only to versions of these browsers running on Windows 7"

      I noticed that - and that some of the "Security Features" they were testing appeared to be specifically whether or not the browser prevented access to a couple of Windows-specific things.

      I did skim through the paper and it's actually not too bad - they mention in several places that you can't definitively conflate their analysis with whether or not the browser is really and truly "secure". From skimming, I got the impression (someone who read it in more depth please correct me here) that many of their complaints really amount to Firefox being (arguably) more capable (i.e. you can make it do more things) and their underlying assumption is that "capability=risk".

      I would swear that at least some of the security "features" they're talking about actually are already or are in development for Firefox - note that the report is for Firefox 5, which (by the new actually-get-features-out-in-a-timely-fashion development schedule that Mozilla is on) is quite old now, or at least I certainly notice a substantial improvement in responsiveness and stability since then for Firefox on Linux. Firefox 9 is scheduled to switch from "Beta" to "Stable" in the next week or so, I think...

      Personally, I'm still sticking with Firefox for now. I keep a copy of Chromium on my system and I use it from time to time, but so far I find myself going back to Firefox for the functionality (not because I hate Chrom(e|ium) or anything). I still suspect they'll drop back down to a "couple of major releases per year" sort of schedule sometime after they've got silent updates working (which I think is scheduled to hit "stable" in January or February of next year if I remember correctly).

      To answer your question about Chrome plugins, the one major plugin that I installed was Adblock Plus, which supposedly now can actually prevent downloading of ad "content" rather than merely hiding it after downloading as it used to do. I haven't used it enough to determine if it works as well as Adblock Plus for Firefox, but it seemed to at least be functional.

    14. Re:Switching to Chrome on Linux? by Kalriath · · Score: 1

      Perhaps you should follow the links on his page, specifically this one: http://neugierig.org/software/chromium/notes/2009/12/iron.html

      Not so gung-ho on supporting Iron after reading that, huh?

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  13. lemme guess... by Anonymous Coward · · Score: 0

    google not only funded this study that says they rock, but they also advertise on/in forbes...

    isn't that right out of microsoft's playbook?

  14. chrome installs in insecure place by Billly+Gates · · Score: 2

    The folder has default write privileges. This is how a standard user can install it. It also means privilege escalations, DLL injections and other nasties. Worse on XP the default user is a full admin without ASLR or DEP fully implemented.

    1. Re:chrome installs in insecure place by Anonymous Coward · · Score: 0

      And no surprise that this isn't even mentioned in the article. Any admin who has dealt with installs knows that FF is a PITA to update, and complaining to Mozilla goes nowhere because they throw this very security issue right back in your face. I wonder if it has to do with Chrome's increase in market share as there are probably a lot of corporate users that are installing it.

    2. Re:chrome installs in insecure place by shutdown+-p+now · · Score: 1

      The folder has default write privileges. This is how a standard user can install it. It also means privilege escalations

      What kind of privilege escalation are you planning to get by modifying code of an application that runs under standard user account, anyway?

    3. Re:chrome installs in insecure place by Billly+Gates · · Score: 1

      If write permission is possible you can insert a DLL into another executable with the same permissions. That file can interact with another dll or file at a higher privilege and can execute that way.

    4. Re:chrome installs in insecure place by shutdown+-p+now · · Score: 1

      That file can interact with another dll or file at a higher privilege

      This is not any clearer than before. Chrome does not use any permission level higher than user's own account, anywhere. If you can substitute one of its binaries, or inject the DLL, you will still be running code under that user's account. This is completely meaningless, because you might as well just place that same binary anywhere in %HOME% and run it directly, instead of waiting for user to launch Chrome.

    5. Re:chrome installs in insecure place by Anonymous Coward · · Score: 0

      Are you arguing that a non-admin user in Windows cannot be exploited?

    6. Re:chrome installs in insecure place by shutdown+-p+now · · Score: 1

      Exploited for what? To elevate to admin? No, unless you know of some new zero-day.

    7. Re:chrome installs in insecure place by Anonymous Coward · · Score: 0

      You have more faith in Windows... than anyone I've ever met.
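
The disagreement in this sub-thread turns on whether code in a user-writable install directory is ever executed by an account other than the one that can write to it. The PowerShell audit below is an added example, not code from the thread or from the Accuvant study: it lists running processes whose image directory grants write-type access to unprivileged principals and marks the ones owned by another account. The function name `Test-UnprivilegedWrite`, the set of SIDs treated as unprivileged and the rights mask are assumptions of this example.

```powershell
# Added example: read-only audit, changes nothing on the system.
# Run it from a standard (non-elevated) user account so that "current user"
# really is an unprivileged principal.

$identity    = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$CurrentSid  = $identity.User.Value
$CurrentName = $identity.Name              # DOMAIN\user

# Principals treated as unprivileged (assumption of this example).
$UnprivilegedSids = @(
    'S-1-1-0',        # Everyone
    'S-1-5-11',       # Authenticated Users
    'S-1-5-32-545',   # BUILTIN\Users
    $CurrentSid
)

# Rights that let a principal add, replace or remove files in a directory.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# ACEs can also carry raw generic bits that the enum does not name.
$GenericMask = 0x50000000   # GENERIC_WRITE (0x40000000) | GENERIC_ALL (0x10000000)

function Test-UnprivilegedWrite {
    # Returns $true if an Allow ACE gives write-type access on $Path to one of
    # $UnprivilegedSids. Deny ACEs are ignored, so this can over-report.
    param([Parameter(Mandatory)][string]$Path)

    $acl   = Get-Acl -LiteralPath $Path -ErrorAction Stop
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs apply to children, not to this directory itself.
        if ($rule.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        if ($UnprivilegedSids -notcontains $rule.IdentityReference.Value) { continue }

        $rights = [int]$rule.FileSystemRights
        if (($rights -band $WriteMask) -or ($rights -band $GenericMask)) { return $true }
    }
    return $false
}

$cache  = @{}   # directory -> result, so each ACL is read once
$report = foreach ($proc in Get-CimInstance -ClassName Win32_Process) {
    # Protected and system processes expose no path to a standard user.
    if (-not $proc.ExecutablePath) { continue }
    $dir = [System.IO.Path]::GetDirectoryName($proc.ExecutablePath)
    if (-not $dir) { continue }

    if (-not $cache.ContainsKey($dir)) {
        try   { $cache[$dir] = Test-UnprivilegedWrite -Path $dir }
        catch { $cache[$dir] = $false }   # ACL unreadable from this account: skipped
    }
    if (-not $cache[$dir]) { continue }

    # GetOwner fails for most processes of other accounts when not elevated;
    # those rows are reported as '<unavailable>' and still count as "other".
    $owner   = Invoke-CimMethod -InputObject $proc -MethodName GetOwner -ErrorAction SilentlyContinue
    $account = if ($owner -and $owner.ReturnValue -eq 0) {
        "$($owner.Domain)\$($owner.User)"
    } else {
        '<unavailable>'
    }

    [pscustomobject]@{
        Process        = $proc.Name
        ProcessId      = $proc.ProcessId
        RunsAs         = $account
        OtherAccount   = ($account -ne $CurrentName)
        ImageDirectory = $dir
    }
}

$report | Sort-Object OtherAccount -Descending | Format-Table -AutoSize -Wrap
```

Rows with `OtherAccount` set to `True` are the case where a user-writable directory holds code that a different account executes; rows with `False` are the case argued in the replies above, where the account that can write the files is the same one that runs them.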

  15. In fact ... by Kaz+Kylheku · · Score: 3, Informative

    The PDF paper trashes NoScript. That is to say, it is mentioned in a paragraph that basically states that Firefox has add-ons, and add-ons are a security threat. Nothing is mentioned about the security benefits that add-ons can provide.

    1. Re:In fact ... by makomk · · Score: 2, Insightful

      Chrome of course is "secure" because it protects against malicious extensions by restricting them to the point they can't actually do a lot of things people want them to do. Talk about spin...

  16. no queue is quite right by RotateLeftByte · · Score: 1

    After all they will all be 'queueing up' to vent their spleen won't they?

    --
    I'd rather be riding my '63 Triumph T120.
  17. Mozilla needs to stop drinking the Chrome-aid. by Anonymous Coward · · Score: 0, Insightful

    This is basically the core of Firefox's issues. Up until version 3.6, Firefox was a respectable browser and it was enough for Microsoft to improve from IE6. But ever since version 4.0 and the rapid release "versions" that inflate the number Firefox has been crippled by breaking extensions, disruptive UI changes and over idiocy by the Chrome-aid drinking Firefox developers.

    If Firefox is to be a good browser again, it needs to be forked away from Mozilla and taken over by good developers just like Xfree86 had to be forked into X.org.

  18. Firefox still a single-process browser by Animats · · Score: 5, Informative

    Many of the security issues mentioned in the paper for Firefox come from the fact that Firefox is, for historical reasons, a single-process browser. It's the last of the single-process browsers.

    This is both a performance problem and a security problem. Even add-ons aren't yet running in separate processes. The Mozilla project to make Firefox multiprocess is behind schedule and in trouble.

    "Fennec", the Mozilla browser for mobile devices, is already multiprocess. But getting that machinery into the main line of Firefox has run into problems, and, after two years of effort, multiprocess Firefox is now on hold. "Converting an established product, like Firefox, from a single- to multi-process architecture requires the involvement and coordination of many teams. ... Electrolysis requires a large investment of resources and time and has a long timeline for completion. How long? At this point we do not have a definitive answer...."

    1. Re:Firefox still a single-process browser by TheLink · · Score: 1

      You can run firefox using different user accounts, and set up the user account privileges accordingly. You can have one for banking, one for slashdot and one for youtube or whatever. That way the main desktop user and its data doesn't easily get pwned just because the browser does. You can't do the same thing easily for Chrome or IE anymore.

      Where multiprocess really helps is with memory use. Right now if some page or plugin or add-on leaks, with firefox you have to close the entire browser - all tabs, all pages everything, in order to return the memory to the operating system.

      With chrome, you just close the offending tab, or at most the browser window, and the memory is freed. You don't even lose the session info - you can actually reopen the page again without having to re-login.

      So even though firefox may actually use less memory and leak less, in practice because of its architecture the leaks cause more problems.

    2. Re:Firefox still a single-process browser by makomk · · Score: 1

      This is both a performance problem and a security problem. Even add-ons aren't yet running in separate processes.

      On the other hand, plugins like Flash are run in a separate process and have been for quite a while. It does wonders for browser stability.

    3. Re:Firefox still a single-process browser by Anonymous Coward · · Score: 0

      It's the last of the single-process browsers.

      This is both a performance problem and a security problem. Even add-ons aren't yet running in separate processes.

      Opera is a single process browser as well. A single process architecture is fundamentally faster than a multi-process architecture without a very fast IPC and light process model. Add-ons, or more specifically plugins are running in a separate process in Firefox and even in Thunderbird.

    4. Re:Firefox still a single-process browser by shutdown+-p+now · · Score: 1

      You can't do the same thing easily for Chrome or IE anymore.

      How so? Last I checked, Linux still has su, and Windows still has runas.

    5. Re:Firefox still a single-process browser by TheLink · · Score: 1

      The last I checked on Windows some years ago, chrome gets confused, so stuff doesn't work properly.

      Maybe they've changed things already. I might try again one day. Meanwhile you can give it a shot if you want and let me know :).

  19. Yes.... by Anonymous Coward · · Score: 0

    ...we all know it's more important to fix things that aren't broken (https://bugzilla.mozilla.org/show_bug.cgi?id=435013) instead of really doing something for bloatfox...

    1. Re:Yes.... by lennier1 · · Score: 1

      At least that one's actually technical, instead of the idiot move to remove the protocol substring from the address bar.

  20. Firefox has a fucked up "architecture". by Anonymous Coward · · Score: 2, Insightful

    Of all of the major browsers, Firefox has by far the most fucked up architecture. When you examine it, it's no wonder why Firefox suffers from so many performance problems, excessive memory usage, and various other problems.

    The core parts of it are written in C++, which isn't a bad idea, by any means. However, they've decided to use a stuck-in-the-1990s variant of C++ that's extremely handicapped and limited. This might make it portable, but it also encourages the creation of obtuse, low-quality C++ code.

    It's the crap they've layered on top of this core that really makes any good software developer ask, "What the fuck ?" XPCOM is braindead. It's a pile of crap beyond belief. It makes MS COM a pleasure to work with, if you can even imagine that.

    Then they implement the UI in a horrid mix of JavaScript and XML (they call it XUL). If you've done any serious UI development using real toolkits like Motif, MFC, wxWidgets, Swing, SWT, WinForms, and even Gtk+, you'll immediately see how stupid this JavaScript/XUL approach is. It's everything that's bad about JavaScript (and that's just about everything about it), combined with everything that's bad with XML, combined with everything that's bad about HTML and web development.

    The use of JavaScript and XUL to build desktop applications is, to me, a sign of ignorance. When all you know is web development, you'll try to use the same techniques for application development, and it'll be a disaster. See Firefox.

    It should be clear to any good software developer why Firefox has such poor performance, and why it uses so much memory. Its architecture is complete rubbish. It's as if every bad idea possible was chosen, from the use of a poor subset of C++ to the extensive use of JavaScript and XML where neither is appropriate for use.

    It also becomes clear why it was relatively easy for Chrome to crush Firefox so easily. It's apparently developed by proper C++ developers, who are smart enough to know to not use web development techniques for desktop application development.

    1. Re:Firefox has a fucked up "architecture". by improfane · · Score: 1

      This is probably the first post posting as AC.

      Get a real job!

      --
      Slashdot needs Geekcode | Can anyone recommend any good SCIFI? My tastes: Foundation, Startide Rising, CITY, Ringworld,
    2. Re:Firefox has a fucked up "architecture". by iserlohn · · Score: 1

      Firefox is built on Javascript, just like the rest of the web. That's the standard architecture now, live with it.

    3. Re:Firefox has a fucked up "architecture". by Anonymous Coward · · Score: 0

      Uh? XPCOM and XUL are what is good and easy-to-use approaches.
      Using a stable C++ subset for a non-experimental application is also a sound engineering decision.

    4. Re:Firefox has a fucked up "architecture". by bonch · · Score: 1

      I just wanted to note that, even though your post is modded +4 Insightful, none of your performance claims have any citations or other evidence proving that XUL is the cause of performance issues, excessive memory usage, and "various other problems."

    5. Re:Firefox has a fucked up "architecture". by Kjella · · Score: 1

      If you've done any serious UI development using real toolkits like Motif, MFC, wxWidgets, Swing, SWT, WinForms, and even Gtk+, you'll immediately see how stupid this JavaScript/XUL approach is.

      Sorry, but my stupid-o-meter doesn't have the resolution in the "utterly dumb crappy cluster fuck" range, which is where several of these toolkits are. Never used XUL, but as far as real toolkits go you certainly missed Qt.

      --
      Live today, because you never know what tomorrow brings
    6. Re:Firefox has a fucked up "architecture". by shutdown+-p+now · · Score: 1

      The mention of Motif also kinda raises a flag.

    7. Re:Firefox has a fucked up "architecture". by smash · · Score: 1

      I think he meant "real toolkits" as in examples from the real world, both good and BAD, that demonstrate both some of the brain damage in firefox, and how to not do it. Only having used a good toolkit, you have perhaps not been exposed to the brain damage that firefox has, and seen that it is a horrible idea.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    8. Re:Firefox has a fucked up "architecture". by Rich0 · · Score: 1

      That would make sense if you were building a web browser that could run inside a web browser...

  21. What about Opera! by stanlyb · · Score: 1

    Is Opera not considered a web browser? What is the point of missing one of the best and fastest web browsers!

    1. Re:What about Opera! by calibre-not-output · · Score: 2

      This was a market-oriented study and Opera has a negligible market share when compared to IE, Firefox and Chrome. It's a pity. I really like Opera, but from a market standpoint it's irrelevant.

      --
      Nothing lasts forever but the certainty of change.
    2. Re:What about Opera! by Tyrannosaur · · Score: 1

      I even did a word search through the document- it's not even mentioned :'( Google just doesn't want to deal with a browser better than chrome ;)

  22. Sounds impressive, doesn't look it though by Anonymous Coward · · Score: 1

    This study sounds impressive about all these complicated things that are beyond my area of expertise. However, one thing that is not is that they claimed to run this on Windows 7 32-bit; however, the images make it quite clear they are actually running the 64-bit version (most especially the "Program Files (x86)" directory does not exist in the 32 bit version of Windows 7). If they cannot get a simple fact like that right, how can I trust the rest of the analysis?

  23. Potential shill: First post & instant Score 5? by improfane · · Score: 0, Flamebait

    You may have a valid point but circumstance leads me to presume you are paid for your post. Especially since you are spreading FUD about NoScript.

    Please note the first post combined with high ID and instant score 5. Shills do have cooperating accounts. There is a network that infiltrates communities like Slashdot...

    --
    Slashdot needs Geekcode | Can anyone recommend any good SCIFI? My tastes: Foundation, Startide Rising, CITY, Ringworld,
  24. Firefox is still more secure. by Khyber · · Score: 1

    See, with ABP and NoScript, nothing touches my computer without explicit permission.

    It's that simple. These 'vulnerabilities' are mostly due to third-party shit (Adobe, JS)

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    1. Re:Firefox is still more secure. by Anonymous Coward · · Score: 0

      Unless you are running something like CookieSafe, then tracking cookies are touching your browser. Unless you are running something like BetterPrivacy, then flash cookies are touching your browser.

    2. Re:Firefox is still more secure. by Anonymous Coward · · Score: 0

      See, with ABP and NoScript, nothing touches my computer without explicit permission.

      It's that simple. These 'vulnerabilities' are mostly due to third-party shit (Adobe, JS)

      I don't think you understand what is and what isn't third party shit. If you mean JavaScript by JS, then that is not a third party feature. That's like saying HTML is a third party feature.

      NoScript is an example of how Firefox is insecure. How can that be? NoScript is "third party shit" as well.
      Firefox does not choose to include the security features implemented in NoScript. IE has implemented many of these features since IE version 8 as the author of NoScript mentions here: http://www.zdnet.com/blog/security/noscript-vs-internet-explorer-8-filters/1421 . At the end of the article, he complains that Firefox does not include these features. Chrome also has extensions similar to NoScript that can be used to get similar functionality. So, NoScript is something that puts Firefox behind Internet Explorer and on equal footing with Chrome.

      Ad Block Plus is also third party shit. There are similar third party extensions for both Chrome and Internet Explorer. https://chrome.google.com/webstore/detail/cfhdojbkjhnklbpkdaibdccddilifddb
      http://simple-adblock.com/

         

    3. Re:Firefox is still more secure. by Anonymous Coward · · Score: 0

      Good God, was this posted by a Google or Microsoft employee? FF and Chrome are completely 'third party'. Terrible argument you have there.

      IE has poorly implemented ONE feature (XSS filter) that NoScript offers, and at the end of the article the author states, "This brings up an interesting question... why is NoScript not just a part of the Firefox browser, not simply a plugin?" IE still doesn't offer the blocking and whitelisting of javascripts.

      The Chrome versions of NoScript are poor replicas of the real thing. It is still not clear if they even block javascripts as it may allow the script to launch but then shut it down, giving an opportunity for the script to do its damage.

      Chrome is installed in the USER directory, which leaves it vulnerable to dll injections and all that other fun stuff that can't happen with FF, something not even mentioned in the article.

    4. Re:Firefox is still more secure. by Anonymous Coward · · Score: 0

      These 'vulnerabilities' are mostly due to third-party shit (Adobe, JS)

      You know that Brendan Eich, Mr Javascript Inventor, is one of the longest term developers on Firefox, right? He was originally an employee at Netscape and followed the flow into Mozilla and is still around.

      JS is "third-party shit" ^ in every browser EXCEPT Firefox.

      ^ (I agree that JS is a turd, Netscape should have just used Smalltalk instead, just as slow but less than half as ugly).

  25. Competitor-funded "studies" by EmagGeek · · Score: 1

    Competitor-funded "studies" automatically lack credibility. Nobody expects a study by google to come to any other conclusion than "firefox sucks, use Chrome."

  26. No privacy considerations? by Anonymous Coward · · Score: 0

    Interesting that the full-text of the study does not mention "privacy."

    The focus on malware is well and good as far as it goes. But privacy seems not to be a concern of these researchers. Such as, oh for example, Chrome's integration of URL bar with search bar... meaning every URL you enter gets sent to Google just-in-case it's a search term.

    1. Re:No privacy considerations? by melikamp · · Score: 1

      It also ignores the security implications of the closed-source nature of Google Chrome. It is completely insecure from the end user's point of view (and so are IE and Opera), but Google, of course, funded the evaluation of the vendor's security, of which the user's security is just a small part.

  27. Yeah? And? by Anonymous Coward · · Score: 0

    Still waiting on a working noscript for chrome...

  28. don't be evil, but massive conflict of interest by decora · · Score: 1

    is a-OK! because, after all, we are the 'don't be evil people'. therefore, conflict-of-interest doesn't apply to us

  29. Welcome To Software Politics by Anonymous Coward · · Score: 0

    If we can destroy everything else, nothing will be left but the app stores.

  30. We've heard this before, haven't we? by DragonHawk · · Score: 1

    Converting an established product, like Firefox, from a single- to multi-process architecture requires the involvement and coordination of many teams...

    As I recall, with Mozilla 5.0, they scrapped a large part of the classic Netscape code base because it had become too unwieldy to maintain. Any significant change impacted many teams and subsystems. In technical terms, the code suffered from "low cohesion and high coupling". It sounds like we're there again.

    (This happens to a lot of software projects, and has since the start. The field of software development is interesting in its frequent inability to learn from history.)

    --

    dragonhawk@iname.microsoft.com
    I do not like Microsoft. Remove them from my email address.
  31. Re:Potential shill: First post & instant Score by InsightIn140Bytes · · Score: 2

    Doesn't this "omg he must be a paid shill!" stuff ever get old on Slashdot? It's even more telling that you get modded up for that instead of coming up with any arguments about the actual topic.

  32. Bloat by a factor of ten by tepples · · Score: 1

    Youtube already has an HTML-5 mode anyway

    Are videos with ads available in YouTube's HTML5 mode yet? And there are still a lot of animators on Newgrounds who have stated that they don't want their animations copied onto YouTube. And even if so, why bloat a vector animated SWF by a factor of ten and risk hitting viewers' monthly caps by converting it to MP4 or WebM?

    1. Re:Bloat by a factor of ten by Billly+Gates · · Score: 1

      No ads with HTML 5 with youtube? Damn I will switch then

    2. Re:Bloat by a factor of ten by tepples · · Score: 1

      If you get to a monetized video, it'll just be blocked if you don't have Flash.

  33. Disable scripting with a whitelist? by tepples · · Score: 1

    You can disable scripting and plug-ins in other browsers too

    With the sort of whitelisting that NoScript allows, or does the user have to manually turn on scripting when using a script-heavy web application and then remember to turn it back off, again manually, before visiting document-style web sites?

    1. Re:Disable scripting with a whitelist? by Nihilomnis · · Score: 1

      Yes NoScript uses a whitelist. I have as many things disabled as possible for sites not on the whitelist, but the ones on function as if I did not have NoScript.

    2. Re:Disable scripting with a whitelist? by tepples · · Score: 1

      I understand that. Perhaps my question was unclear: do the counterparts to NoScript for browsers other than Firefox support such whitelists too?

    3. Re:Disable scripting with a whitelist? by InsightIn140Bytes · · Score: 1

      Yes, at least Opera does. And it's built-in.

    4. Re:Disable scripting with a whitelist? by Anonymous Coward · · Score: 0

      Yes. 15 seconds in Google would tell you that.

  34. Secunia Gives Different Results by DERoss · · Score: 2

    Rather than rely on a biased study by Google that damns its competitors, look at what Secunia -- an independent source -- says.

    At http://secunia.com/advisories/product/38734/?task=statistics_2011, we see that Firefox 8 has 1 minor vulnerability (unpatched).

    At http://secunia.com/advisories/product/38537/?task=statistics_2011, we see that Chrome 15 has 3 vulnerabilities, with 2 considered "highly critical". Those two have patches; the minor vulnerability is not yet patched.

    It seems that security for Chrome and Firefox are currently equal but not perfect.

  35. what to hyperlink by Onymous+Coward · · Score: 1

    Could we link better?

    Researchers at the security firm Accuvant released a study Friday that gauges the security features of the top three web browsers. Accuvant admits the study was funded by Google, and naturally, Chrome came out on top.

    "Chrome came out on top" is the link to a blog article? What about

    Researchers at the security firm Accuvant released a study Friday that gauges the security features of the top three web browsers. Accuvant admits the study was funded by Google, and naturally, Chrome came out on top. (Forbes reviews the study.)

    The text of the link indicates the thing being linked to.

    And, Soulskill:

    The full research document is available here (PDF), and it goes into much greater detail than the Forbes article. Accuvant also published the tools and data they used in the study, which should help to evaluate their objectivity.

    Not so bad. Could be a wee better, but I won't harp on the matter.

    Anyway, less deciphering of what links mean lets us have a more enjoyable news reading experience.

  36. Re:Potential shill: First post & instant Score by Anonymous Coward · · Score: 0

    You're not a paid shill, it's just your day job.

    Nobody gets that many posts modded up, learn to astroturf more stealthily

  37. Nose biting to spite face by RyuuzakiTetsuya · · Score: 1

    What does google have to gain? Unless chrome is spying on you and they're reselling that data... Seems like a giant waste of effort and money.

    --
    Non impediti ratione cogitationus.
    1. Re:Nose biting to spite face by Anonymous Coward · · Score: 0

      By merging the search bar and address bar, Chrome automatically searches for every URL you type into the browser, so Google is tracking every URL you visit. ABP is incredibly effective, and although the Chrome version is now decent, it's not nearly as good as ABP, particularly on videos. There is not currently any way to implement NoScript as effectively in Chrome, so Google-Analytics can track users across the Internet with impunity.

  38. Dear Google by Anonymous Coward · · Score: 0

    Take that proprietary piece of shit Chrome thing and shove it up your ass!

    --
    I'm an arrogant asshole, so I work for Google now.

  39. Re:Potential shill: First post & instant Score by Dhalka226 · · Score: 3, Interesting

    Okay, I have noted those things. Now can you explain to me why I should care?

    The vast majority of his post was statements of fact that can be proven true or false. If you have something to say about the information he provides, by all means, enlighten us.

    If your complaint is that he might be paid to post it, I honestly can not be bothered to give a shit. This is not a review site where he is posting fake opinions to make a product seem better or more well-liked than it is. His motives mean nothing; whether or not the information he gives is accurate does, and that is independent of whether or not he is a shill. (Getting facts out about a product is also called "marketing," if one is not instantly out to make it be a nasty thing.)

  40. Re:Potential shill: First post & instant Score by bonch · · Score: 1

    First of all, subscribers get early access to stories. Second of all, it isn't the high ID or the +5 score that makes you want to believe it's a paid account. It's the fact that it praises a Microsoft product. You even acknowledge that he has a valid point, but apparently, the sight of Microsoft praise is so shocking and unbelievable to you that you immediately accuse anyone posting it of being a paid shill. You come off like a stereotypical Slashdot poster, the kind that other tech communities are referring to when they tell a biased poster to "go back to Slashdot."

  41. Re:Potential shill: First post & instant Score by Anonymous Coward · · Score: 0

    Time for a new handle, shill

  42. Re:Potential shill: First post & instant Score by Anonymous Coward · · Score: 0

    Yeah, sure, you're not a shill. It's just a coincidence that you post comments to any google-related articles immediately as they are published and fill those comments with verifiable FUD. Learn to be subtle, shill-boy.

  43. "No plugins" as in "no antivirus/firewall"? by UBfusion · · Score: 1

    I really can't grasp the scope of such "marketing studies". Who are they and what is their supposed customer base and usage scenario? Are they comparing browsers with no plugins in the same way OS wars love to compare the "native security" of operating systems with no antivirus/firewall installed, because this is what the "average Joe" will do?

    Or are they the kind of reductionist scientists that kill plants in order to study their roots? Finally, are they the kind of purist "security experts" who, when (and if) Microsoft releases its next OS with Microsoft Security Essentials preinstalled they'll remove it, in order to assess the security of the plain vanilla OS?

    As for myself, in 2011 I cannot conceive setting up a computer for a friend or client without having him BUY my preferred non-free internet security suite and insisting on using Firefox with full plugin defensive and privacy armor. Initially they may protest at the extra clicks required to burn in the safety engines, but eventually they will be convinced that the Internet is a Dangerous Place and they need as hell be fully protected. By the way, I install Firefox Portable, so he can duplicate the full setup in his other boxes without fuss.

    My ethics golden rule is what I configure for my friends and clients is what I consider optimal for myself, irrespectively of what their experience level, because "he who knows has the obligation to teach". Would the Accuvant gurus kindly please come forward and tell us what is the browser they use at work and at home and whether they use plugins or not?

  44. Correction by UBfusion · · Score: 1

    In the last paragraph I meant to say "irrespectively of what their experience level is"

  45. Look people by cshark · · Score: 3, Informative

    I love Slashdot, always have. But as a community, we seriously need to stop applying the term "study" to every observation, or web page with pretty charts on it. This last thing wasn't a study. Not in the formal sense. It was a feature comparison. Biased, maybe. But who cares? It's not a study. And it's not the first time this has happened here.

    --

    This signature has Super Cow Powers

  46. Privacy settings in Chrome are lacking. by OakWind · · Score: 1

    I am still waiting for Google to add an option that allows me to have the History and other data delete on exit. The option to delete data on exit, excludes the history file. I think they use it to track users and market.
    This does not sound very secure to me. How about you?
    I am a big Google fan and love Android, but when I realised the limited functionality when it comes to the privacy settings in the browser, I went back to Firefox.
    I run Linux so I.E. is not an option, but I would try it if they would open it up.

    --
    The purpose of all arguments, is to change reality.
    1. Re:Privacy settings in Chrome are lacking. by Kalriath · · Score: 1

      It's called Incognito mode. Every browser has one now (even IE)

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    2. Re:Privacy settings in Chrome are lacking. by OakWind · · Score: 1

      What if I want to have a history file and allow cookies for the session, but want them all removed when I close the browser each time. Many sites require you to allow cookies.
      I don't see why the browser can not have an option to dump everything on exit.

      --
      The purpose of all arguments, is to change reality.
    3. Re:Privacy settings in Chrome are lacking. by Kalriath · · Score: 1

      That's what incognito mode does. It doesn't dump cookies and all that, it just nukes them all when all the Incognito windows are closed. See https://support.google.com/chrome/bin/answer.py?hl=en-GB&answer=95464

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    4. Re:Privacy settings in Chrome are lacking. by OakWind · · Score: 1

      You're right, thanks for the tip.
      I have downloaded Chrome for my Debian box to test it out and I like it so far.
      I wish I could set the cache to 0kb though, so that it does not even bother to create a cache.

      Also I learned something new:

      If you edit the launcher (Linux) or shortcut (Windows) and add -incognito at the end of command, it will launch chrome in that mode on start.

      You learn something new every day.

      --
      The purpose of all arguments, is to change reality.
  47. We found your real handle by Anonymous Coward · · Score: 0

    Looks like we found another real handle. Why should someone care? Are you that fucking naive? Because we don't want PR agents shaping the discussion with cherry picked stories and facts. This stuff has had a very distinct pattern and purpose. If you're too stupid to just believe it's about whether or not one post has some validity you're either in on it, or one of the idiots he's here to dupe. Now go drink your Ovaltine. After all it has water in it, and water is good for you. See it's true.

  48. Bonch is one of the real accounts behind the shill by Anonymous Coward · · Score: 0

    Bonch is one of the real accounts behind the shill.

  49. Re:Potential shill: First post & instant Score by improfane · · Score: 1

    I use Microsoft products on a day to day basis. There is something fishy going on Slashdot, see my journal.

    --
    Slashdot needs Geekcode | Can anyone recommend any good SCIFI? My tastes: Foundation, Startide Rising, CITY, Ringworld,
  50. Funding for Firefox by xipcloud · · Score: 0

    Step 1: Cut funding & Discredit security
    Step 2: ?
    Step 3: Profit & more spying on users

  51. Sounds Right by Gyorg_Lavode · · Score: 1

    This seems about consistent with everything I've heard. Chrome and IE9 are at the top for security, FF lags and Safari isn't even playing. The question is why moderators allowed a flame-bait headline. The fact that google sponsored it is not the news.

    --
    I do security
  52. Re:Potential shill: First post & instant Score by Xest · · Score: 1

    "There is a network that infiltrates communities like Slashdot..."

    Well that's pretty cool, seeing as the content of his posts is infinitely more useful and intelligent than the usual fanboy tosh that gets posted here nowadays.

    If Slashdot is being infiltrated by a network of people who actually know what the fuck they're on about then that's pretty awesome.