Google-Funded Study Knocks Firefox Security
Sparrowvsrevolution writes "Researchers at the security firm Accuvant released a study Friday that gauges the security features of the top three web browsers. Accuvant admits the study was funded by Google, and naturally, Chrome came out on top. More surprising is that Internet Explorer was rated nearly as secure as Chrome, while Firefox is described as lacking many modern security safeguards. Though the study seems to have been performed objectively, it won't help Google's fraying partnership with Mozilla."
The full research document is available here (PDF), and it goes into much greater detail than the Forbes article. Accuvant also published the tools and data they used in the study, which should help to evaluate their objectivity.
More surprising is that Internet Explorer was rated nearly as secure as Chrome, while Firefox is described as lacking many modern security safeguards.
How is this surprising? Apart from some ignorant cases on Slashdot who believe Microsoft is the devil and should die, it's not a new fact that IE has been a really secure browser for a long time. Both IE and Chrome offer sandboxing, JIT hardening and ways to make vulnerable plug-ins less easy to exploit and gain access to the system. Firefox offers none of these.
Currently, it's not even often that you find a vulnerability directly in the browser. Most of the attacks target either plug-ins like Flash or PDF reader, and if someone does find an exploit in the browser, the extra security layer makes it much harder to exploit. Yes, you can use something like NoScript in Firefox (and other browsers), but the majority of people don't. In fact even I don't because frankly, it's a pain in the ass to use. This is the reason why extra security layers provide so much better overall security.
Anyone who still says that IE is an insecure browser just doesn't know what he is talking about. On top of that, this study doesn't really bring anything new to the table (but it is really well done with comprehensive disassemblies and exploit testing), it just confirms what has been known for a long time now - both Chrome and IE are really secure browsers, followed by Opera. The one that is lagging behind is Firefox. I don't know what happened to them, but they seem to copy the aspects of Chrome that no one actually cares about (UI and version number scheme) while completely forgetting what Chrome and IE do underneath and what actually counts - sandboxing, JIT hardening, auto-updating browser and plug-ins and separating different tabs to different processes.
Nobody is going to RTA. This is going to be a good flamewar though.
To offset political mods, replace Flamebait with Insightful.
The researchers did not evaluate Opera in their study. I wonder how that would have compared...
Who would have thought that a company that makes a browser, then does a comparison, would end up having their browser come out on top? This is why I never trust studies or comparisons done by a company that has had any funding or is related in any way to the market, company, or product they are doing the study on.
They tested the vanilla browsers, as they should. Most people don't install NoScript, and many who do get annoyed with it and switch it off.
Nothing lasts forever but the certainty of change.
It won't hurt Google's fraying partnership with Mozilla. Their "partnership" is Google writes a check and Mozilla cashes it. I'm pretty sure Google can say or do whatever they want. It's not like Mozilla will stop cashing any checks that Google writes.
cue
I've read the first few pages of the report and intend to read the details about the three areas where the authors think Firefox is lacking -- sandboxing, plug-in security, and JIT hardening.
However, I will point out the comparison applies only to versions of these browsers running on Windows 7. For Linux users, the comparisons might not be so important, though I'd obviously prefer a browser that employs technologies like sandboxing and enforces security on plug-ins.
If I switched to Chrome, how much privacy would I sacrifice to gain these security enhancements? I already use Google dozens of times a day, sometimes with a Google account. I use Ghostery to block most tracking cookies except for Google Analytics. I have some clients' sites subscribed to Analytics so I figure I should support the service myself. Would switching to Chrome provide Google additional information about me that it doesn't get now?
What about the state of plug-ins for Chrome? Along with Ghostery I use AdBlock Plus, ForecastFox and some download helpers. I won't switch browsers if it means abandoning the functionality available in Ghostery and AdBlock.
I could just use Konqueror or rekonq, but I've never preferred either of KDE's browsers to Firefox.
So, since most people won't use Firefox, we shouldn't test it at all.
The folder has default write privileges. This is how a standard user can install it. It also means privilege escalations, DLL injections and other nasties. Worse, on XP the default user is a full admin without ASLR or DEP fully implemented.
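The exposure this comment points at, a program folder the running user can write to, can be checked directly. The following is an added example, not code from the Accuvant study or from any browser vendor; it reads POSIX permission bits on two constructed sample install layouts (on Windows the equivalent check reads the folder's ACL), and reports whether the binary, its folder, or a library beside it could be modified by the unprivileged account that runs the program.

```python
"""Check whether a program's install location is writable by an unprivileged
user. If the account that runs the browser can modify the binary or the folder
holding it, any code running as that account can replace the program or plant
a library beside it. Added example; POSIX permission bits only."""
import os
import stat
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List, Optional

LIB_SUFFIXES = (".so", ".dll", ".dylib")


@dataclass
class InstallCheck:
    binary: str
    binary_writable: bool
    dir_writable: bool
    plantable_libs: List[str] = field(default_factory=list)

    @property
    def exposed(self) -> bool:
        # A writable folder is enough on its own: the binary can be renamed
        # and replaced even when the binary itself is read-only.
        return self.binary_writable or self.dir_writable


def writable_by_user(st: os.stat_result, uid: int, groups: List[int]) -> bool:
    """Decide writability from mode bits for a non-admin account, so the
    result does not depend on whether this process happens to be root."""
    mode = st.st_mode
    if st.st_uid == uid and mode & stat.S_IWUSR:
        return True
    if st.st_gid in groups and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def check_install_location(binary: str, uid: Optional[int] = None,
                           groups: Optional[List[int]] = None) -> InstallCheck:
    uid = os.getuid() if uid is None else uid
    groups = os.getgroups() if groups is None else groups
    directory = os.path.dirname(os.path.abspath(binary))
    result = InstallCheck(
        binary=binary,
        binary_writable=writable_by_user(os.stat(binary), uid, groups),
        dir_writable=writable_by_user(os.stat(directory), uid, groups),
    )
    # Libraries the program loads from its own folder are a second target:
    # overwriting one gets code into the process without touching the binary.
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if name.endswith(LIB_SUFFIXES) and os.path.isfile(path) \
                and writable_by_user(os.stat(path), uid, groups):
            result.plantable_libs.append(name)
    return result


def demo() -> Dict[str, InstallCheck]:
    """Build two constructed install layouts in a temp directory and check
    both: a per-user install (owner-writable) and an admin-only install."""
    with tempfile.TemporaryDirectory() as root:
        user_dir = os.path.join(root, "per_user_browser")
        sys_dir = os.path.join(root, "system_browser")
        for d in (user_dir, sys_dir):
            os.mkdir(d)
            for name in ("browser", "helper.so"):
                with open(os.path.join(d, name), "w") as f:
                    f.write("constructed placeholder, not a real program\n")
        # Admin-only install: nothing in it is writable by the running user.
        for name in os.listdir(sys_dir):
            os.chmod(os.path.join(sys_dir, name), 0o555)
        os.chmod(sys_dir, 0o555)
        results = {
            "user_install": check_install_location(os.path.join(user_dir, "browser")),
            "system_install": check_install_location(os.path.join(sys_dir, "browser")),
        }
        os.chmod(sys_dir, 0o755)  # let TemporaryDirectory clean up
        return results
```

Calling `demo()` flags the per-user layout as exposed with `helper.so` plantable, and the admin-only layout as clean.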
http://saveie6.com/
The PDF paper trashes NoScript. That is to say, it is mentioned in a paragraph that basically states that Firefox has add-ons, and add-ons are a security threat. Nothing is mentioned about the security benefits that add-ons can provide.
After all they will all be 'queueing up' to vent their spleen won't they?
I'd rather be riding my '63 Triumph T120.
Many of the security issues mentioned in the paper for Firefox come from the fact that Firefox is, for historical reasons, a single-process browser. It's the last of the single-process browsers.
This is both a performance problem and a security problem. Even add-ons aren't yet running in separate processes. The Mozilla project to make Firefox multiprocess is behind schedule and in trouble.
"Fennec", the Mozilla browser for mobile devices, is already multiprocess. But getting that machinery into the main line of Firefox has run into problems, and, after two years of effort, multiprocess Firefox is now on hold. "Converting an established product, like Firefox, from a single- to multi-process architecture requires the involvement and coordination of many teams. ... Electrolysis requires a large investment of resources and time and has a long timeline for completion. How long? At this point we do not have a definitive answer...."
Of all of the major browsers, Firefox has by far the most fucked up architecture. When you examine it, it's no wonder why Firefox suffers from so many performance problems, excessive memory usage, and various other problems.
The core parts of it are written in C++, which isn't a bad idea, by any means. However, they've decided to use a stuck-in-the-1990s variant of C++ that's extremely handicapped and limited. This might make it portable, but it also encourages the creation of obtuse, low-quality C++ code.
It's the crap they've layered on top of this core that really makes any good software developer ask, "What the fuck?" XPCOM is braindead. It's a pile of crap beyond belief. It makes MS COM a pleasure to work with, if you can even imagine that.
Then they implement the UI in a horrid mix of JavaScript and XML (they call it XUL). If you've done any serious UI development using real toolkits like Motif, MFC, wxWidgets, Swing, SWT, WinForms, and even Gtk+, you'll immediately see how stupid this JavaScript/XUL approach is. It's everything that's bad about JavaScript (and that's just about everything about it), combined with everything that's bad with XML, combined with everything that's bad about HTML and web development.
The use of JavaScript and XUL to build desktop applications is, to me, a sign of ignorance. When all you know is web development, you'll try to use the same techniques for application development, and it'll be a disaster. See Firefox.
It should be clear to any good software developer why Firefox has such poor performance, and why it uses so much memory. Its architecture is complete rubbish. It's as if every bad idea possible was chosen, from the use of a poor subset of C++ to the extensive use of JavaScript and XML where neither is appropriate for use.
It also becomes clear why it was relatively easy for Chrome to crush Firefox so easily. It's apparently developed by proper C++ developers, who are smart enough to know to not use web development techniques for desktop application development.
Is Opera not considered a web browser? What is the point of missing one of the best and fastest web browsers!
Yes, that's exactly what I didn't mean. The test was a test of Firefox (and IE and Chrome), not a test of "Firefox with some add-ons installed". Chrome has optional third-party security plugins too, and they also weren't enabled for the test. NoScript isn't a part of Firefox, doesn't come bundled with the browser, and isn't developed by Mozilla. Why should it be included in the test?
NoScript isn't a part of Firefox
every install I build has NS and adblock installed, at the very min.
the value of FF is its plugins. why is that not obvious?
it would be like reviewing an SLR and not using its raw mode. it's a slanted test, it's not fair, really. or a fast car that is not taken out to a racetrack for a proper test run.
FF by itself is not what people MEAN by firefox. not really. its value is its plugins and to test it 'bare' is ignorant and has a bit of market-speak to it that I find distasteful.
--
"It is now safe to switch off your computer."
This study sounds impressive about all these complicated things that are beyond my area of expertise. However, one thing that is not is that they claimed to run this on Windows 7 32-bit; however, the images make it quite clear they are actually running the 64-bit version (most especially the "Program Files (x86)" directory does not exist in the 32-bit version of Windows 7). If they cannot get a simple fact like that right, how can I trust the rest of the analysis?
It's not slanted, it's realistic.
Running it with all the best security enabled and all the best practices and extensions, that is taking the fast car to a race track with expensive tires and a professional driver. That analogy fits really well - taking the base model that 90% of users will have and run, adding stuff to make it better that most people won't, and putting it in the hands of someone far more capable than 90% of the users.
I mean, seriously. Look at your post. You're actually arguing that Firefox is better because you can make it do what you want with extensions. Security? We don't need that by default. The user should have to opt in to it. Because.... choice, or something. Freedom to get exploited! Yay!
it would be like reviewing an SLR and not using its raw mode
No, it'd be like reviewing an SLR without an external flash bulb. Raw mode is built-in to the camera, NoScript is not built-in to Firefox. NoScript, like the external flash bulb, is an optional feature that the browser/camera is made to accept, but also made to work without. Most Firefox users don't use NoScript, even though almost every power user does. Likewise, most people who buy SLRs are overspoiled teens who will never leave the safety of "Auto" mode and probably don't even know that you can swap lenses at all - but every serious photographer has a bag full of peripherals for each specific kind of photo they want to make. I've never read a side-by-side comparison of, say, a Nikon and a Canon camera where the reviewer concludes that despite being all-around worse than model B, you should still buy model A because it fits more different kinds of peripherals. It's the same thing with web browsers.
Most people don't use AdBlock or NoScript. That's what matters. You can disable scripting and plug-ins in other browsers too, and get practically the same results. But it's not a real world scenario, not how 99.9% of users use their browsers.
See, with ABP and NoScript, nothing touches my computer without explicit permission.
It's that simple. These 'vulnerabilities' are mostly due to third-party shit (Adobe, JS)
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Competitor-funded "studies" automatically lack credibility. Nobody expects a study by google to come to any other conclusion than "firefox sucks, use Chrome."
is a-OK! because, after all, we are the 'don't be evil' people. therefore, conflict-of-interest doesn't apply to us
Converting an established product, like Firefox, from a single- to multi-process architecture requires the involvement and coordination of many teams...
As I recall, with Mozilla 5.0, they scrapped a large part of the classic Netscape code base because it had become too unwieldy to maintain. Any significant change impacted many teams and subsystems. In technical terms, the code suffered from "low cohesion and high coupling". It sounds like we're there again.
(This happens to a lot of software projects, and has since the start. The field of software development is interesting in its frequent inability to learn from history.)
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
It also ignores the security implications of the closed-source nature of Google Chrome. It is completely insecure from the end user's point of view (and so are IE and Opera), but Google, of course, funded the evaluation of the vendor's security, of which the user's security is just a small part.
Doesn't this "omg he must be a paid shill!" stuff ever get old on Slashdot? It's even more telling that you get modded up for that instead of coming up with any arguments about the actual topic.
Youtube already has an HTML-5 mode anyway
Are videos with ads available in YouTube's HTML5 mode yet? And there are still a lot of animators on Newgrounds who have stated that they don't want their animations copied onto YouTube. And even if so, why bloat a vector animated SWF by a factor of ten and risk hitting viewers' monthly caps by converting it to MP4 or WebM?
You can disable scripting and plug-ins in other browsers too
With the sort of whitelisting that NoScript allows, or does the user have to manually turn on scripting when using a script-heavy web application and then remember to turn it back off, again manually, before visiting document-style web sites?
At least that one's actually technical, instead of the idiot move to remove the protocol substring from the address bar.
If you take away noscript and adblock, there is no point in using FF. I think it's safe to assume that at least a significant portion of the FF user-base have these installed.
Rather than rely on a biased study by Google that damns its competitors, look at what Secunia -- an independent source -- says.
At http://secunia.com/advisories/product/38734/?task=statistics_2011, we see that Firefox 8 has 1 minor vulnerability (unpatched).
At http://secunia.com/advisories/product/38537/?task=statistics_2011, we see that Chrome 15 has 3 vulnerabilities, with 2 considered "highly critical". Those two have patches; the minor vulnerability is not yet patched.
It seems that security for Chrome and Firefox is currently equal but not perfect.
Could we link better?
"Chrome came out on top" is the link to a blog article? What about
The text of the link indicates the thing being linked to.
And, Soulskill:
Not so bad. Could be a wee better, but I won't harp on the matter.
Anyway, less deciphering of what links mean lets us have a more enjoyable news reading experience.
What does google have to gain? Unless chrome is spying on you and they're reselling that data... Seems like a giant waste of effort and money.
Non impediti ratione cogitationus.
Okay, I have noted those things. Now can you explain to me why I should care?
The vast majority of his post was statements of fact that can be proven true or false. If you have something to say about the information he provides, by all means, enlighten us.
If your complaint is that he might be paid to post it, I honestly can not be bothered to give a shit. This is not a review site where he is posting fake opinions to make a product seem better or more well-liked than it is. His motives mean nothing; whether or not the information he gives is accurate does, and that is independent of whether or not he is a shill. (Getting facts out about a product is also called "marketing," if one is not instantly out to make it be a nasty thing.)
http://browserfame.com/38/firefox-addon-usage-stats
85% Firefox users have at least one add-on installed
http://blog.chromium.org/2010/12/year-of-extensions.html
one-third Chrome users use extensions
I can't find any data about IE "add-on/extension" usage nor could I locate a place on their site to look for plugins, and as I do not run Windows nor IE I do not know if it is in some menu somewhere, though I can get to Chrome's and Firefox's add-ons from any browser. I know some exist and I have found a few sites with lists of them, but due to the lack of ease finding them I figure most users wouldn't use them. (not that my guesses are worth much)
It would more accurately represent the browsers if Firefox and Chrome were tested with popular extensions installed, as they could cause more security threats or, in the case of NoScript or AdBlock Plus, lessen them. (though NoScript only has around a million users and AdBlock Plus only eleven million.)
Yes if it was a test between the vanilla browsers to see those differences then add ons and extension should of course not be included, but as it was a test of security their data is possibly skewed in favor of firefox and/or chrome/chromium/iron.
First of all, subscribers get early access to stories. Second of all, it isn't the high ID or the +5 score that makes you want to believe it's a paid account. It's the fact that it praises a Microsoft product. You even acknowledge that he has a valid point, but apparently, the sight of Microsoft praise is so shocking and unbelievable to you that you immediately accuse anyone posting it of being a paid shill. You come off like a stereotypical Slashdot poster, the kind that other tech communities are referring to when they tell a biased poster to "go back to Slashdot."
Are you dense? The study is comparing vanilla browsers in the default configuration that the majority of users will be running. It doesn't matter if every installation you use has NoScript and AdBlock installed. It's your personal opinion that Firefox by itself is not what people mean by Firefox. If you have to install plug-ins to secure your browser, that's a mark against your browser.
Claiming that comparing Firefox without plug-ins is a "slanted study" is like claiming Windows XP was never insecure because you could always install antivirus and antispyware software. Firefox should be secure by default.
raw PROCESSING is often overlooked and only 'out of cam jpegs' are used to compare cams. and it's just as dumb as comparing a browser whose main bene is that it has a rich plugin arch.
the OOC jpgs on this thing sucks. yeah, well, you buying a $1k cam for jpg use? really?
you 'buy' ff because it supports plugins. shipped or not with them is not at all the issue and you know it.
agreed. those are the 2 killer apps for safe browsing.
to talk about safe browsing and then ignore the rich plugins that are, for all practical purposes, very standard - is just intellectually dishonest.
I don't trust google and so I refuse to consider chrome. their goals are not consistent with my goals (google vs me) and I'll never trust things they push. if they are for it, I'm usually against it. so chrome is, by definition, NOT a safe and secure browser for me.
FF is slow and bloated but I've not lost any work in the last 5 years or so; about as long as it's been since they added journaling so that your data is checkpointed and you can resume after a possible crash (for me it's usually running out of swap). I might get a FF crash a few times a year. it's not that bad and again, it does not ever lose state or data.
finally, no corporation is behind mozilla. that reassures me. google is just too close to some things and I refuse to trust them any farther than I can throw them.
Shipped or not with them is exactly the issue. It'd be a murky point if NoScript were developed by Mozilla, but not even that - if you want to keep your Raw Processing analogy, you'd have to assume that Raw Processing is only available if you root your camera and install a third-party firmware.
What good is a browser safety test that assumes every user is both very knowledgeable about Internet security and very diligent in protecting his/her own data, when in truth the average user is completely clueless and doesn't even care that much? Yet that's a built-in assumption in a test that pretends that an optional third-party security plugin used by a minority of the overall users of that particular browser is in fact part of the browser itself. Besides, if you want to add NoScript to Firefox when testing, it's only consistent that you also add every other extension that's at least as popular as NoScript, right? But why should you stop at that particular level of popularity? Why not install every single extension you can get your hands on? It'd be a miracle if you could get the browser to launch, and even then it wouldn't beat IE 4 on a security test with all those added vulnerabilities.
I really can't grasp the scope of such "marketing studies". Who are they and what is their supposed customer base and usage scenario? Are they comparing browsers with no plugins in the same way OS wars love to compare the "native security" of operating systems with no antivirus/firewall installed, because this is what the "average Joe" will do?
Or are they the kind of reductionist scientists that kill plants in order to study their roots? Finally, are they the kind of purist "security experts" who, when (and if) Microsoft releases its next OS with Microsoft Security Essentials preinstalled they'll remove it, in order to assess the security of the plain vanilla OS?
As for myself, in 2011 I cannot conceive setting up a computer for a friend or client without having him BUY my preferred non-free internet security suite and insisting on using Firefox with full plugin defensive and privacy armor. Initially they may protest at the extra clicks required to burn in the safety engines, but eventually they will be convinced that the Internet is a Dangerous Place and they need as hell be fully protected. By the way, I install Firefox Portable, so he can duplicate the full setup in his other boxes without fuss.
My ethics golden rule is what I configure for my friends and clients is what I consider optimal for myself, irrespectively of what their experience level, because "he who knows has the obligation to teach". Would the Accuvant gurus kindly please come forward and tell us what is the browser they use at work and at home and whether they use plugins or not?
In the last paragraph I meant to say "irrespectively of what their experience level is"
I love Slashdot, always have. But as a community, we seriously need to stop applying the term "study" to every observation, or web page with pretty charts on it. This last thing wasn't a study. Not in the formal sense. It was a feature comparison. Biased, maybe. But who cares? It's not a study. And it's not the first time this has happened here.
This signature has Super Cow Powers
"You must be new here".
c++;
Sadly true, however that's the configuration I would care to see evaluated as well.
If there is a more secure browser configuration than this...while still remaining reasonably usable...I'd like to hear it. (I have played with various Chrome, IE, and Opera versions and configs over time, this one remains my preference to date.)
--- Mercutio was right.
Perhaps a significant portion of the FF user-base that browses slashdot does.
After you remove that 0.1% of the Firefox userbase, I imagine the percentage that runs noscript is pretty low. I imagine that the adblock userbase is larger, since it has an effect noticeable to the average user.
Firefox has something like a third of the browser market. If most of those users were running noscript web authors would be doing things a LOT differently.
I am still waiting for Google to add an option that allows me to have the History and other data delete on exit. The option to delete data on exit, excludes the history file. I think they use it to track users and market.
This does not sound very secure to me. How about you?
I am a big Google fan and love Android, but when I realised the limited functionality when it comes to the privacy settings in the browser, I went back to Firefox.
I run Linux so I.E. is not an option, but I would try it if they would open it up.
The purpose of all arguments, is to change reality.
From a technical standpoint, the ideal solution would be to include both plain Firefox and Firefox with the most popular security extensions, like NoScript and AdBlock(Plus). But this was a marketing study, so I think they were justified in their approach.
IE's extension site is http://www.ieaddons.com/en/
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
I use Microsoft products on a day to day basis. There is something fishy going on at Slashdot, see my journal.
Slashdot needs Geekcode | Can anyone recommend any good SCIFI? My tastes: Foundation, Startide Rising, CITY, Ringworld,
This seems about consistent with everything I've heard. Chrome and IE9 are at the top for security, FF lags and Safari isn't even playing. The question is why moderators allowed a flamebait headline. The fact that Google sponsored it is not the news.
I do security
"There is a network that infiltrates communities like Slashdot..."
Well that's pretty cool, seeing as the content of his posts is infinitely more useful and intelligent than the usual fanboy tosh that gets posted here nowadays.
If Slashdot is being infiltrated by a network of people who actually know what the fuck they're on about then that's pretty awesome.