Chrome Most Secure? Depends on Your Frame of Reference

Wednesday, December 21, 2011

Ed Moyle

Fe3139b2aae983885565da7757da08a8

In interesting research news, there's a paper out from Accuvant that attempts to compare the relative security merits of the "big three" browsers: Chrome, FireFox and Internet (Exploder) Explorer.

It's an interesting read, so I suggest checking it out.

Now, I admit that I was skeptical when I first started reading it.  Not only can the "which product is more secure" evaluations be a little spurious, but this particular report is also actually sponsored by Google, so... well... you can see how one might wonder about that...  At least without a deeper dive.

image

However, after reading it in more depth, I think they've done a reasonable job in impartially analyzing the question in their scope.  

In other words in analyzing the "software security" side of the argument - put another way, the resistance of the product to attack via coding or software architecture vulnerability.

Note that's not the same as security features -- or security of the product overall.  Security features are another matter entirely.

But I think it's useful to bring it up because the industry press coverage doesn't really seem to be discriminating between the two.  And they really are different questions.

As an example of what I mean by this, consider the SSL/TLS implementation of the various browsers.  This isn't in the scope of the Accuvant analysis (since it doesn't directly relate to attack resilience)... but it would be relevant, I'd think, to the broader "which is more secure" question.  

Like, I've griped in the past about the fact that until recently Chrome supported SSL 2.0 by default (seems like a major no-no in my humble opinion) and the fact that FireFox is the only one of the big three to have OCSP checking enabled by default (again, haven't looked at these settings in a while so maybe this is a moving target in light of the certifipocolypse a while back).  

These aspects of "browsing security" (note how that's  different from "browser security" - at least as evaluated through resistance to software-directed attack) would have been a "score one" for FireFox in my estimation.

But again... not in the scope of their analysis.

So the point is: I'm impressed with the fact that they've tried to come up with an actual methodology to evaluate the security of the underlying codebase.  And I'm also interested in their conclusion.  

Although I'd recommend sticking close to their actual research vs. how the industry press seems to be spinning it.

Image source: itsalltech.com

Cross-posted from: Security Curve Weblog 

Possibly Related Articles:
15102
Firefox SSL Browser Security internet report Internet Explorer Chrome Analysis
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.