Firefox is the most insecure browser?
jpeters:
--- Quote from: tclfan on November 18, 2009, 01:20:53 PM ---Are there some lab tests comparing them side by side?
--- End quote ---
Lab tests never make it in the real world....too many unpredictable variables are involved. The safest browser is the one with the least functionality. FF has very active development, and prompt updates. There is a responsibility on the user, like what sites do you go to and what do you download.
bigpcman:
--- Quote from: jpeters on November 18, 2009, 03:06:22 PM ---
--- Quote from: tclfan on November 18, 2009, 01:20:53 PM ---Are there some lab tests comparing them side by side?
--- End quote ---
Lab tests never make it in the real world....too many unpredictable variables are involved. The safest browser is the one with the least functionality. FF has very active development, and prompt updates. There is a responsibility on the user, like what sites do you go to and what do you download.
--- End quote ---
The browser is just a small part of a much bigger security environment picture. The software operating environment as a whole is the best way to evaluate security. Where you go and what you download can cause harm in many different ways depending upon your software environment. Here's one of the best articles (actually an interview) I've read on the subject:
http://www.tomshardware.com/reviews/joanna-rutkowska-rootkit,2356.html
and just in case you missed it here's another good discussion:
http://www.securitytube.net/Attacking-Intel-Trusted-Execution-Technology-%28Wojtczuk-Rukowska%29-video.aspx
Be patient on this video; it starts getting interesting about 6 minutes in, when the subject of BIOS protection begins. At 54 minutes in, a discussion about Intel's response to their super-duper new hardware-oriented code protection scheme vulnerabilities starts.
lucky13:
@tclfan
--- Quote ---The smaller the market share the more secure the browser can be in practice.
--- End quote ---
Again, obscurity isn't security. Such statements also ignore the fact that there are myriad shared code/projects between browsers. Read, for example, the "Third Parties" section in the Opera "about" page. Nearly every browser uses either OpenSSL or TLS, zlib, libpng, etc. Depending on operating system, they also may share common graphic toolkits (such as GTK) and other code. Then there are the guts that render web pages, some of which are shared between projects. A vuln in one affects more than one, including some of the more "obscure" browsers. So we're right back where we started with security through obscurity, adding that the more shared code there is between projects the more risks there are no matter how obscure one or another project is in terms of market share. A vuln affecting a piece -- like OpenSSL -- shared by various browsers affects the security of all of them.
And that's only a tipping point. You're no safer with one browser over another if the point of entry to your system is something like Flash or some other unrelated piece of software common on enough systems.
"In practice" is the operative part of all of this. User practices count here. I don't click on every link sent to me. I know people who can't resist clicking on links. Am I more at risk with a more popular (and by your reasoning, riskier) browser with my very careful habits than someone else would be with a more marginally-popular browser and more risky habits? Bad habits get more people into trouble than "bad" browsers. And even good habits aren't without risks from things like cross-site scripting.
http://en.wikipedia.org/wiki/Cross-site_scripting
@jp
--- Quote ---The safest browser is the one with the least functionality.
--- End quote ---
Correct. The more complex anything is, the more room for error. The safest browser is one lacking java, javascript, plugins like Flash, animated gif support, compression, etc. How boring.
Perhaps a safer alternative is the paranoid system used by RMS, who says he uses wget to fetch everything he browses.
http://lwn.net/Articles/262570/
Oops: http://secunia.com/advisories/product/3416/?task=statistics
julianb:
--- Quote ---The safest browser is one lacking java, javascript, plugins like Flash, animated gif support, compression, etc. How boring.
--- End quote ---
I suspect Lynx/Links browsers and their derivatives are very secure when you compare them against mainstream web browsers. ;) ;D
mwhit95:
I personally like Dillo. It is the only browser that I will use to view questionable links. It doesn't run JavaScript and doesn't have Flash. It is a small extension and web pages do look better with pictures.