Browser Wars – Everyone Else Does It

Browser Wars – Security Style

Browser wars are monthly blogs (typically following the latest release of a browser) that basically pit the latest versions of today's browsers against each other. It's kinda lame and I feel like a tool for doing it but I'm also really bored and I think browsers in the context of security are awesome.

So, let’s start.

What Makes A Program Secure?
In an ideal world we humans would be perfect and our code would be perfect and vulnerabilities wouldn’t exist. This is not an ideal world and we are not perfect nor is our code. Vulnerabilities do exist and for the foreseeable future this will not change. So what do we do to secure programs if they’ll always be full of holes? We accept that those holes are there and we make it as hard for hackers to make use of them as we can. There are various ways to accomplish this.

So What About Browsers?
Browsers aren’t typical programs. They’re fast paced, constantly changing, plugin-filled conduits to the wide open internet. By design they take in untrusted code. They’re just dangerous and that’s why they’re so great to look at for security.

Internet Explorer 9
Internet Explorer has laughable security, right? I mean, hey, IE6 on XP was terrible and nothing’s changed. Not exactly. Microsoft has learned from their (massive, gaping) mistakes and then some. IE9 is no IE6 by any stretch of the imagination. It’s got a multiprocess architecture that allows for tabs to be separated into low-rights processes, which means that an exploit in a tab is confined to that low-rights process.
On top of that IE9 has a new version of SmartScreen, a URL and file blacklist based on "file reputation" and heuristics. The only formal study on this that I know of is the one by NSS Labs, which gave IE9 a remarkable 96+% block rate for socially engineered malware (compared to trivial scores hovering around 13% for the other browsers).
As I recall Adobe Flash also runs at low integrity when used with IE9.
The low-rights sandbox and SmartScreen make IE9 a very secure browser.
IE is Windows only and closed source.

Mozilla Firefox 4.0+
The Firefox browser, which is developed by Mozilla, is a free and open source browser that’s been very successful. In terms of customizing UI and features Firefox is top notch and it blows Chrome and IE9 out of the water in that respect. In terms of security it is… lacking.
Firefox does implement modern techniques like ASLR, DEP, and SEHOP and it even forces ASLR on toolbar binaries.
It also makes use of the Safe Browsing API 1.0, which (last I checked) blocks something like 15-20% of malware downloads.
Firefox does not implement any “extraordinary” security measures. There is no sandbox, there is no special file reputation whatever or special memory hardening technique. There’s just nothing that really stands out about Firefox.
Firefox users are able to make use of the NoScript extension, which is potentially a really great tool, but it’s not exactly accessible for the average user and I’m partial to security features that don’t bug me.
Linux users can make use of a "whole-browser" sandbox via AppArmor/LSM. A profile is provided by default on Ubuntu, but it may take some tweaking. I highly recommend you look into AppArmor for your browser – see my guide here.

All in all, I want to love Firefox, but I can’t really give it a ton of credit here.

Google Chrome X.XXX.XX.XXXX+ (or whatever)
Google Chrome is the (relatively) new player in the browser market. At only 3 and change years old it’s had a pretty impressive start, now holding market share close to Firefox. Chrome is based on Chromium, which is an entirely open source project – the difference being that Chrome packages Flash, a PDF viewer, and an update manager (on Linux it also packages support for closed codecs.)
It uses the Safe Browsing API 2.0, which includes a file reputation module. I think NSS Labs puts it up around a 40% block rate. Again, there hasn't been what I would consider a formal study on this.
Chrome's main feature is a sophisticated sandbox based on Windows integrity access control and job tokens. It is similar in architecture to IE9's sandbox but the restrictions are much tighter, with the renderer having no file access and most of the browser running at the absolute lowest rights possible on Windows.
Chrome also sandboxes the GPU process and all extensions. Each has its own separate process.
Chrome sandboxes the Flash plugin (responsible for a large number of infections) and will soon include a much more powerful sandbox for Flash via the PPAPI interface, which is in the Chrome 20 beta.
On Linux Chrome makes use of a namespace and chroot sandbox as well as seccomp mode 2 filters, which together make for a very tight sandbox. AppArmor profiles exist for it and are useful because they also restrict the zygote process. The weakness is that the zygote process must be setuid, which is why an AppArmor profile is suggested.
Chrome also limits inter-process communication between itself and the Java plugin, which can potentially prevent Java exploitation, though it's uncommon.

Opera 11.x
Opera is the lonely browser. On a good day it gets 4% of the market. It’s got something of a cult following and boasts pretty nice performance and a ton of features built in. As with Firefox it’s pretty lacking when it comes to security.
Opera is closed source and there isn’t a ton of documentation for security. There does not seem to be anything special about it.
No sandbox (there might be one on Linux actually, but I'm not sure), and not too great at filtering malware (I think NSS Labs had it at 0-5%; again, there need to be more formal studies here.)
Closed source doesn’t inspire confidence either frankly.

I can’t really suggest Opera if you’re looking for security.

Conclusion:
I guess I should order them or rank them or something – answer that “Which browser is most secure?” question. I won’t try to apply anything numeric to this, that would be dumb, the system is basically an amalgamation of the above and my own personal beliefs on security.

Greatest to least: Chrome, IE9, Firefox, Opera.

I think it's pretty close between Chrome and IE9. Firefox with NoScript and AppArmor is a pretty secure browser but for a defense in depth approach I've got to go with Chrome. It's dependent on what you're trying to secure against – when it comes to system compromise you'll want Chrome but if it's about preventing XSS/Clickjacking Firefox with NoScript is the way to go.

There you have it. My opinion.

I left a lot out. JIT hardening isn't something worth measuring, as the JavaScript VMs all work pretty differently and the comparisons just don't apply. I didn't bother going into ASLR or other mitigation techniques; all of the browsers have these by default at this point and the differences are subtle and in the implementation. I didn't go into privacy, incognito/private browsing modes, not much into extensions (this could be its own post), and some other stuff too. So consider this a very simple rundown on security. Even if I were to include everything the results would be the same, you'd just be better informed.

I’m also not going into IE10, which will include some fairly significant security improvements.

Choose the browser that is right for you. Maybe that’s the one that you think is most secure, maybe it’s the one with the UI you like best, or really any other reason. It’s your choice and it’s entirely up to you.
Sources:
http://www.accuvant.com/blog/2011/12/05/which-web-browser-is-most-secured
https://www.nsslabs.com/assets/noreg-reports/2011/nss%20labs_q3_2011_browsersem%20GLOBAL-FINAL.pdf [PDF]
http://windows.microsoft.com/en-US/windows-vista/What-does-Internet-Explorer-protected-mode-do

9 thoughts on "Browser Wars – Everyone Else Does It"

  1. Nice post, in spite of the lameness and tackiness 😉 Actually I found the part about IE9 interesting. I keep meaning to get to know IE better, but I haven’t found the time.

  2. The Opera bit isn't correct. While Opera may not have much in the terms of *sandboxing* and *permissions* and what-not, well, it also has the best patch times of any browser according to Symantec - http://translate.google.co.uk/translate?hl=en&sl=no&u=http://www.digi.no/840574/ingen-slaar-opera-i-sikkerhetsfiksing&prev=/search%3Fq%3Dslaar%2Bopera%2Bsite:www.digi.no%26hl%3Den%26biw%3D1920%26bih%3D973%26prmd%3Dimvns&sa=X&ei=7lwEUOLsFoia0QWJy5GlBw&ved=0CE0Q7gEwAA and keep in mind Opera has great content control over JS, plugins, cookies, etc. and doesn't require third-party extensions to do things like connect to a simple proxy or encrypt your passwords.

    • Patch time comparisons between closed and open source browsers mean almost nothing, especially when there's such a variance in market usage, i.e. "eyes on bugs."

      I probably mentioned that in this post but if not I’ve mentioned it in others.

      When you’re looking at Opera all of their patches can happen internally – they’re closed source. They could have a known bug for a year and then only patch it the day after someone mentions it. There’s no proper disclosure.

      Opera also has significantly fewer bugs to deal with as it has a significantly smaller database. Same goes for reported vulnerabilities.

      Opera also doesn’t have a bounty project. So Chrome and Firefox may have 1,000 vulnerabilities reportedly shown and Opera may have 5 but that just means no one’s looking.

      Basically, looking at vulnerabilities isn't a great way to measure security. Security is about principles. This has always been the case historically. It's the same reason why solving VirtualAllocEx()'s rand problem is far more important than fixing a hundred buffer overflows. It's the same reason why I'd rather have a strong AppArmor profile than the latest patched version of a program.

      Not to say that patching isn’t important. It is. It’s just not a way to measure.

      I agree that Opera doesn’t need an extension for a proxy but neither does Chrome, at least not on Windows. It uses IE settings. As for passwords, they’re encrypted locally with your passphrase with Chrome. It’s not as robust as LastPass but Opera’s password encryption is the worst of the three and I’ve probably posted about that too but if not I soon will.

      • Your first point is interesting, but the question really is, how often has Opera actually been broken? When you say that Opera vulnerabilities could have existed for a long time before being fixed… It's a bit contradictory. I mean, of course the Opera developers have missed out stuff in their browser and there are vulnerabilities, but then, the Linux kernel 1 could have had loads and loads of vulnerabilities- but actual exploits? The reference is talking about patches after exploits. Sure, vulnerabilities exist within the code- but that's with every piece of code. The question is, how fast does the vendor fix them once real life exploits get on the web?

        Chrome does need an extension. First of all, a browser that can use the proxy settings of another browser is the exact same thing as a browser that requires an extension- the point is, the default install without anything else can’t do it. It’s still using a third party application, be it an extension or IE. And why are we talking about Windows anyway? Linux is obviously a better choice for the security minded.

        What’s wrong with Opera’s encryption? At least it has one (no, passwords decrypted by OS on login whose masters are stored in plaintext does not count).

        • I can write a program right now with a buffer overflow and it will never be exploited. Does that mean it’s safe?

          My point about disclosure is not that the vulnerabilities exist, it's that they're known to exist. Time to patch is broken because they could have had knowledge of the vulnerability for ages before someone outside pointed it out.

          All software of reasonable complexity that undergoes change has vulnerabilities. That's really just beside the point here.

          Keep in mind that Chrome's never been exploited in the wild so there's no way to compare the two. I doubt Opera has either. What it's comparing is disclosure times to time to patch – disclosure times for closed source are completely unknown, not for open source. Chrome also has way more on its plate, same goes for Firefox, as they have bounty programs. Even CVSS is usually biased, it's built for discretion to be used.

          Chrome does need an extension. First of all, a browser that can use the proxy settings of another browser is the exact same thing as a browser that requires an extension- the point is, the default install without anything else can’t do it. It’s still using a third party application, be it an extension or IE. And why are we talking about Windows anyway? Linux is obviously a better choice for the security minded.

          I can’t speak for Linux Chrome as I’m on ChromeOS but I can configure a proxy with no issue on here without IE.

          Here’s information on the browser encryption.
          http://gregoryszorc.com/blog/2012/04/08/comparing-the-security-and-privacy-of-browser-syncing/
          Basically there's not nearly enough documentation on the sync for me to feel secure using it. Kerckhoffs's principle doesn't go far enough, I always assume the attacker doesn't just know the system but that they know the system much better than me. The only thing I can do is try to know the system as best as possible.

          Again, a principle.

          Opera also doesn’t provide an option where they don’t know how to decrypt your data. Chrome does.

          ces. Opera sends the password to Opera when logging in to your Opera Account. Google allows you to change the entropy source to a custom passphrase so Google doesn’t receive the entropy source. Opera does not.

          Sending the entropy source to the server is an important security consideration because it means you are giving the key to your data to someone else. Even if your data is encrypted locally, someone with the key can decrypt it.

          Happy to continue discussing.

  3. Why would Opera leave known vulnerabilities unfixed? Isn’t that just a bit paranoid? What could Opera possibly have to gain from leaving vulnerabilities unpatched? Are they going to start making deals with AV vendors and selling their vulnerabilities to hackers? LOL.

    Ah, but I can’t configure a proxy for Chrome/Chromium on Ubuntu without an extension. The browser has no proxy connectivity whatsoever on this distro, it uses environment/system proxy, so you basically have to make every connection on your computer to use the proxy, and you can’t turn it on and off at will, or for specific sites only. Opera can connect to http, https, ftp and of course, SOCKS, proxy servers natively (i.e not through GNOME) and allows you to make per-site control by right clicking- edit site preferences, Networking tab- use proxy.

    You're talking about Opera Link, I'm talking about locally stored passwords using the password manager. I don't use OL, because I just want my passwords synced and LastPass is cross-browser.

    • Damnit, I wrote a response and then accidentally deleted it lol

      Why would Opera leave known vulnerabilities unfixed? Isn’t that just a bit paranoid? What could Opera possibly have to gain from leaving vulnerabilities unpatched? Are they going to start making deals with AV vendors and selling their vulnerabilities to hackers? LOL.

      Nothing quite as mischievous. With open source you know to the second when the vulnerability was reported. With closed source you don’t.

      Day 1: Opera dev finds vuln
      Day 2: Opera dev works on patch
      Day 3: Opera dev pushes patch, Opera claims it was found on day 2.

      See? There’s simply no way to know when internal bugs were disclosed. You can only know if someone publicly states it. The only publicly stated vuln I can think of for Opera was exploitable for a year by the way.

      Ah, but I can’t configure a proxy for Chrome/Chromium on Ubuntu without an extension. The browser has no proxy connectivity whatsoever on this distro, it uses environment/system proxy, so you basically have to make every connection on your computer to use the proxy, and you can’t turn it on and off at will, or for specific sites only. Opera can connect to http, https, ftp and of course, SOCKS, proxy servers natively (i.e not through GNOME) and allows you to make per-site control by right clicking- edit site preferences, Networking tab- use proxy.

      Which is a real shame. I don’t think that a proxy is critical to security/ outweighs the benefits of least privilege. If you disagree there’s likely a discussion to be had there.

      You're talking about Opera Link, I'm talking about locally stored passwords using the password manager. I don't use OL, because I just want my passwords synced and LastPass is cross-browser.

      If you don’t want your passwords synced what’s the issue?

      I think what you’re trying to say is you don’t want them synced and you’re not syncing them and the issue is that your locally stored passwords aren’t encrypted. I don’t know the details on Linux – I assume it uses /etc/passwd or some such thing.

      I don’t think Chrome security is perfect. I just think it’s better. There may be shortcomings in terms of password management, sure. But you’d have to compromise the system to access that or compromise an extension that has access to passwords.

      Chrome’s Javascript V8 (the area most likely to be exploited) is run in a sandbox that does not have file system access – an exploit in it won’t lead to password leaking. Chrome’s extensions don’t typically have access either unless they request it and exploiting Chrome extensions is about to get very very difficult when the new CSP comes out.

      • The slight problem here is terminology. Whether Opera decides to say how long it took them to fix a vulnerability is up to them, I don’t care. But when Opera fixes an EXPLOIT that went wild on the Internet, that’s a different thing. There you CAN say Opera fixed it the next day- because on 22nd July, site http://www.evil.com hosted x exploit that injected x malicious code into Opera, and update manager opened up the next day, downloaded & installed the “Other Updates” section, and hey presto, the exploit on evil.com no longer works! In other words, it’s not the vulnerabilities themselves that matter, but what the hackers (which sometimes include me- I have gained admin privileges on some forum sites…) do with it. Who cares that z vulnerability wasn’t fixed by Opera in y days when w exploit was fixed the next day and thus means I didn’t get affected?

        If I don’t want MI6 or the FBI or whomever I accessed x site on y day, or that I secretly DDoSed some annoying site of the ‘net, then proxies are actually quite useful. Of course, that’s PRIVACY and has nothing to do with security 🙂

        Yes, that’s the exact issue. I think Chrome makes use of KWallet in KDE and has started to use the Gnome version, which despite being annoying, will prevent a compromised application from going through your passwords as they’re stored in some root-owned folder with no rw access. Of course, encryption is still better, because that actually prevents thieves (or law-enforcement agencies…) from seeing your passwords (assuming the password is strong of course). Still, FF, Opera, Konqueror and others have this function built-in, so the fact Chrome uses another program to do it instead of doing it itself still seems a bit silly.

        Anyway, my point was that Opera is still a secure browser and the bashing was unnecessary.

        • It deleted my post *twice* now while editing. I hate wordpress right now. I'm going to just write a shorter one since I'm kinda annoyed at the world about this lol

          A single vulnerability may be patched more quickly by Opera. Let’s just assume that this is the case.*

          What do vulnerabilities do? They get exploited.

          An exploited Javascript renderer on Opera leads to system compromise.
          An exploited Javascript renderer on Chrome leads to compromise of a Chroot’d namespace PID sandbox’d process that has limited syscall access.

          pwn2own shows us that breaking out of even the Windows sandbox** takes multiple exploits. The cost of system compromise increases drastically with each new exploit needed.

          If the cost of exploit is 1 dollar for both browsers for all vulnerabilities then for Opera the cost is 1 dollar and for Chrome it's at least 2, more likely 6 or even 12 (based on pwn2own.)

          Realistically we aren’t talking about a linear progression but the point is clear.

          Anyway, my point was that Opera is still a secure browser and the bashing was unnecessary.

          Basically, Chrome has an insane sandbox, Firefox has NoScript and it’s open source, IE has a decent sandbox, Opera has what? They all patch – Chrome’s actually got a great patch time record for high and critical vulnerabilities*. So what does Opera do that makes it worthwhile? I just don’t see it as being secure. Even without discussion of plugins, which easily puts Chrome ahead with its PPAPI Flash player.

          If I don’t want MI6 or the FBI or whomever I accessed x site on y day, or that I secretly DDoSed some annoying site of the ‘net, then proxies are actually quite useful. Of course, that’s PRIVACY and has nothing to do with security

          Definitely – it would be great if they added it.

          Yes, that’s the exact issue. I think Chrome makes use of KWallet in KDE and has started to use the Gnome version, which despite being annoying, will prevent a compromised application from going through your passwords as they’re stored in some root-owned folder with no rw access. Of course, encryption is still better, because that actually prevents thieves (or law-enforcement agencies…) from seeing your passwords (assuming the password is strong of course). Still, FF, Opera, Konqueror and others have this function built-in, so the fact Chrome uses another program to do it instead of doing it itself still seems a bit silly.

          I really don't know about this password stuff on Linux. If Chrome isn't encrypting locally that's a shame.

          Like I said in the last post Chrome isn’t perfect. But purely in terms of preventing system compromise there’s no comparison with Opera even if we do consider patch times an important measurement of security forgetting CVSS and forgetting that users are rarely up to date. I just can’t see it.

          *Because of CVSS and release cycles Chrome releases low vulnerabilities only through release cycles. Firefox does this too. Windows as well. Because of Opera's release cycles it likely releases vulnerabilities as soon as the patch is ready – inconsequential as Low/Medium vulnerabilities mean nothing on Chrome unless you can chain them together.

          **The Windows sandbox in pwn2own actually isn’t as strong as the current Windows sandbox.
