The State of Browser Security: 2011

First, there are three security issues related to browsers to keep in mind.

  • Intrinsic security. How well can a browser deal with malicious payloads coming back through port 80 that can either harm a system or install software that takes control? Such payloads bypass a firewall because it’s a valid return of an outgoing request from your browser.
  • Browser exploitation. Can a malicious website, with embedded code in the return stream trigger the extraction and retrieval of browsing history or other personal data in autocomplete preferences or elsewhere? This affects your privacy.
  • Social engineering. How well does the browser, in concert with an alert user, detect that a link is trying to dupe the user into visiting a malicious website or is redirecting the user to a malicious site that mimics a legitimate website? These malicous sies can steal your identity and/or money.

Selecting a Browser Based on Security

The problem modern browser users face is that there are few if any tools that allow them to evaluate the product. There are websites that can evaluate standards compliance, for example, the Acid3 test or the HTML5 test. But there is no widely accepted, independently developed, trusted website that I know of that will give your browser a comprehensive security score.

There’s a reason for that. Browser security is a very complicated affair. For example, it has several distinct elements that I listed above, and even when exploits are discovered, it’s often difficult to weaponize them into usable form. Moreover, browser security is a political hot potato. The Big Three browser vendors, Apple, Google and Microsoft are from multi-billion dollar organizations that have a lot at stake. (I’m dividing here based on commercial size vs. smaller independents, not market share.) Rating one browser as quantitatively superior over another has been almost impossible because of differences in design, the complexity of security issues, and the desire by those developers to patch the problems and retain confidence in their product. They all slowly converge on equality.

While the very size of Apple, Google and Microsoft means that they have the means and motive to deliver the best browser security, those large companies also have agendas that can interfere in a subtle way with the customer’s best interests. For example, Apple wants the user to be happy and comfortable with its products. So while Apple will talk about how secure Safari is, it won’t go into excessive detail about security that might have the effect of alarming the customer. That, in turn, affects the design of Safari. (The situation is different for iPhone where security is paramount.) Google wants to protect your security, but the company only built Chrome for one reason — to better capture and understand your search habits. That’s something you may not like.

Because these companies have so much at stake, the science of discovering browser security holes has become somewhat of business in itself. Some people are trained to find exploits and will sell this information to the Big Three so the company can avoid public embarrassment. Why build websites that give away this information to consumers when you can sell it to the developer for serious money?

As a result, smaller, independent groups seeking larger market share have no choice but to put the customer first by taking a more public stance on privacy. For example, Camino, Firefox and Opera. The browsers from these developers are just as secure as the Big Three, in general, but they’ll likely place more visible emphasis on protecting your privacy.

This brings up an important distinction. One shouldn’t confuse intrinsic browser security (described above) with features and functions that help the user preserve his/her personal data, searches and browsing history. They are two different things. On top of that, many users don’t want to be bothered playing nursemaid to their browser and expect the developer to just take care of their privacy. Other users are more paranoid and want to take a more active role in controlling the operation of the browser. This naturally affects how people select their browser.

But what about research? Can we look for specifics there?

Browser Research

Because browser security is so complex, few website columnists are technically prepared to go into deep detail about browser security. On the other hand, there are researchers who do it for a living. It was researchers at the University of California Berkeley who first discovered and reported on the potential abuse of (Adobe) Flash Cookies. To get a feel for the kinds of research going on, you can take a gander at what Stanford has been doing. Unfortunately, it’s often hard for customers to translate research like that into practical benefits.  Developers must do it in their own way and own time.

Along those lines, however, one has to be careful. Occasionally you’ll find what seems like an independent lab research report on browser security, but one has to follow the money. For example, a frequent search result will bring up the NSS Labs reports on browser security, but those test were funded by Microsoft. Despite pleadings of scientific independence by the lab, guess which browser trounces the others in their findings? Internet Explorer.

So what’s the real problem if we can’t depend on research findings?

Market Forces

There are several effects that conspire against the consumer. The complexity of browser security, the financial rewards for keeping exploits a secret, funded reports by a semi-hidden benefactor, developer agenda and the political sensitivity of exploits all conspire to leave the user to select a browser based on other criteria. The selection ends up being a beauty contest. Even counting “Common Vulnerabilities and Exposures” (CVE) listings at secunia.com isn’t a rigorous approach because every browser uses vastly different code built with different compilers. The only issue is how serious discovered exploits are and how fast the developer patches them.

Contrast this to buying a car. Many customers are well aware of tools at his or her disposal to make a choice. Reviews at Edmunds and Consumer Reports can be consulted. Is the candidate on the Car & Driver Top Ten list? What does the government say about gas mileage and crash tests? One can take a test drive and evaluate maneuverability and braking. In contrast, if the car buying community were in the same boat as browser customers, the choice on buying a car would boil down to something like: “Oh, cool. I love the red leather and tail fins. I’ll buy THAT one!”

Okay, if we can’t depend on research, websites that measure browser security and tech columnists, then what?

What the Experts Say

One way to navigate out of the mess is to listen to people who hack into browsers for a living. Charlie Miller is one of those who frequents the CanSecWest events and has earned a reputation for finding vulnerabilities in browsers. While Mr. Miller is no big fan of Apple, likely because of the way they’ve reacted to his interaction with the company, reading between the lines of his experience is useful information. TUAW quoted him as saying, when asked about the relative security of modern browsers: “there probably isn’t enough difference between the browsers to get worked up about.” TUAW’s T.J. Luoma went on to say that the highlight for him was the next quote by Miller: “The main thing is not to install Flash!

Another security technique that is now being used is called sandboxing. You can read the technical details at the Chrome blog. Sandboxing isolates malware so that it has a hard time accessing files and/or damaging the host machine.

Currently, Chrome is the only browser that uses this technique*, and it’s only available on Windows. It’s a very CPU-intensive task, and can run well only on the latest and fastest computers. In principle, any user would admit that giving up a little speed for better security is a good thing, but, in practice, when delays reach a certain threshold, a user will flee to a browser that feels snappier, and so other developers are sensitive to that. Eventually, however, sandboxing should work its way into all the browsers on all OSes.

The Envelope, Please…

After all is said and done, in 2011, it’s virtually impossible for an average consumer to make a browser selection based on intrinsic security. The reality is that definitive answers just aren’t easy to come by no matter what your favorite OS platform is. As a result, users will likely depend on the reputation of the developer, the emotional reaction to the browser design and features, personal history of security snafus (if any) and compatibility with certain support software and financial websites — plus special plug-ins and affordances that suit them. That goes a long way towards explaining the inertia of browser market share and is why it’s so hard for the secondary players to make significant market share gains.

Meanwhile, there will always be a percentage of browser users who want to believe that they can cut themselves a break by taking specific actions. They revel in the public stance of the smaller developer and the developer’s explicit support for privacy control. They may value browser security over a minor loss of privacy and opt for a browser like Chrome with sandboxing. They’ll delete Adobe Flash or, at the minimum, install Click-to-Flash and Little Snitch. They may be a follower of Opera or Firefox (even Safari) thanks to their familiarity with certain special plug-ins than enhance security or privacy — or their preference for the way cookies are managed.

So there is hope. If you want to delve into the many features afforded by certain browsers, you can do so. In the end, browser security boils down to how steadfast you are in guarding your habits and interests, how much time you want to spend tinkering and tuning to give yourself every possible edge and how suspicious you are of the sites you tend to visit.

_______

* Apple says its extensions are “sandboxed.”

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.