Tiny Core Linux

Off-Topic => Off-Topic - Tiny Tux's Corner => Topic started by: bmarkus on November 13, 2009, 12:49:49 PM

Title: Firefox is the most insecure browser?
Post by: bmarkus on November 13, 2009, 12:49:49 PM
Cenzic just released its Web Application Security Trends Report, Q1-Q2, 2009. There are many interesting figures. One of the most surprising:

Quote
Our Q1-Q2, 2009 Trends Report once again points out the continued growth of vulnerabilities and increase in attacks through Web applications. The total number of reported vulnerabilities went up to almost 3100, an increase of over 10 percent, and the percentage of Web vulnerabilities continued to be dominant at around 78 percent.

Of the Web vulnerabilities, 90 percent pertained to code in commercial Web applications, while Web browsers comprised about 8 percent and Web servers about 2 percent. Of the browser vulnerabilities, Firefox had 44 percent of the total, but perhaps the biggest surprise was Safari, which formed 35 percent of the browser vulnerabilities. Internet Explorer was third, with 15 percent, and Opera was at 6 percent.

The whole report is available here: http://www.cenzic.com/downloads/Cenzic_AppSecTrends_Q1-Q2-2009.pdf

OK, the number itself means nothing. Average response time to fix a vulnerability, severity, etc. are also important. However...
Title: Re: Firefox is the most insecure browser?
Post by: trishtren18 on November 13, 2009, 01:24:01 PM
That's a little more than surprising.
Title: Re: Firefox is the most insecure browser?
Post by: tclfan on November 13, 2009, 03:17:19 PM
It seems to me this report is a bit flawed, as browser category 'Other' is missing in the pie chart and the numbers add up still to 100%.
Other would include such as Chrome.
Quote from the report:
"Vulnerabilities in Web browsers were concentrated among four popular technologies - Internet Explorer, Mozilla Firefox, Opera, and Safari."
This could either mean that Chrome was tested and did not expose any vulnerabilities worth including in the report, or it was not tested at all, considering its small market share...
It is expected that Opera has the least vulnerabilities, significantly lower than other browsers. It is unexpected that IE has so few, but the report does not seem to specify which versions were tested either...

Title: Re: Firefox is the most insecure browser?
Post by: lucky13 on November 13, 2009, 06:32:47 PM
Not sure why anyone's surprised by this. I think there's a too-casual assumption made by many people that "open source" is inherently safer or more secure because of all the eyeballs that can look at the code to find potential problems. It's true that more things can be detected when more eyes are looking at it and this no doubt attributes to detectable flaws in one application or another.

The problem with that kind of thinking, though, is that it presumes all the eyes are beneath white hats; for every contributor who fixes a flaw, there are plenty more looking for flaws they either can (ab)use or sell to people with malicious/criminal intentions. Regardless of open or closed source, code is written by humans and increased complexity brings a concomitant (or possibly even exponential) risk of flaws, and the risk:reward for finding them overwhelmingly favors the criminal class. It's a lot easier to find flaws when you have the code right in front of you than when only a few people (and you're not one of them) have access to it. (Edit: So maybe a better benchmark would include the number of zero-day exploits plaguing a particular application; it's hard to blame anyone when the fix is offered pro-actively before it can be exploited in the wild.)

What's more staggering is the "market share" of Firefox (upon which Chrome is based, and Chrome's own share is marginal at best, so its exclusion is hardly noteworthy) and Safari (WebKit-based like other browsers such as Konqueror) accounting for a combined 79% of flaws while making up (estimated) less than a third of all browser use (see link below, which counts Chrome separately).
http://en.wikipedia.org/wiki/Usage_share_of_web_browsers

The moral of the story is to keep your system fully patched no matter what OS or browser or applications you choose to use.
Title: Re: Firefox is the most insecure browser?
Post by: jpeters on November 14, 2009, 03:08:42 AM
Quote from: lucky13
The moral of the story is to keep your system fully patched no matter what OS or browser or applications you choose to use.

A good reason to install FF on HD, vs as an extension....with automatic updates. (although Jason has done a great job staying on top of them)
Title: Re: Firefox is the most insecure browser?
Post by: tclfan on November 16, 2009, 10:56:51 AM
Considering the above, and assuming the data is accurate to some degree:
Chrome appears to have almost 4% of the market, while its vulnerability share is possibly negligible (possibly, since it is not even mentioned in the vulnerability share...).
Would this be a good conclusion that Chrome is the safest at this point, even safer than Opera?
I am not sure if Chrome is available for Linux yet, but if it is by now, any chance for Chrome extension as well as Opera 10.10 extension?
Title: Re: Firefox is the most insecure browser?
Post by: bmarkus on November 16, 2009, 10:59:12 AM

Quote
Google Chrome for Linux is in development* and a team of engineers is working hard to bring it to you as soon as possible.
Title: Re: Firefox is the most insecure browser?
Post by: trishtren18 on November 16, 2009, 11:27:52 AM
Chrome is available, or Chromium if you will.
http://www.ghacks.net/2009/04/19/google-browser-google-chrome-and-chromium-download/
I personally know there is a working copy for Ubuntu that you could look at, though I can't seem to find the link anymore, but I have the package on my external drive.
Title: Re: Firefox is the most insecure browser?
Post by: lucky13 on November 18, 2009, 11:27:05 AM
Quote from: tclfan
Considering the above, and assuming the data is accurate to some degree:
Chrome appears to have almost 4% of the market, while its vulnerability share is possibly negligible (possibly, since it is not even mentioned in the vulnerability share...).

How do you get that? It's based on webkit so it presumably has at least some, if not all, of the same vulns from that. Additionally, it's been found to have vulns from things unique to itself. Then you add to that the vulns from plugins (Flash, etc.).

No browser is going to have "negligible" security issues because you're dealing with complex software coded by human beings and, perhaps most vital of all, used by human beings. The weakest security link is more often than not the user.

Security isn't a function of the number of users:number of advisories unless you're interested in "security through obscurity." But that's not really security, it's just obscurity.

Quote
Would this be a good conclusion that Chrome is the safest at this point, even safer than Opera?
Absolutely not, unless you're paid by Google to make such claims. I don't know of anyone at Google actually saying such things, though.

Product-specific advisories:
http://secunia.com/advisories/product/20760/?task=advisories
http://secunia.com/advisories/product/25469/?task=advisories
http://secunia.com/advisories/product/25720/?task=advisories

Note that there are unpatched vulns listed in the first two advisories (Chrome 1 and 2). What should matter more is how fast things are fixed and whether you keep your own system patched. Otherwise, you're pissing in the wind with any discussion of which is safer without even getting into safe/unsafe browsing habits and third-party plugins.

The real problem isn't one of branding, it's how browsers leverage multiple pieces into one whole. The whole sum is only as strong as each of its component parts, some of which (like Flash) are third-party code which comes with its own vulnerabilities. There's no "safe" or even "safer" browser and users shouldn't beguile themselves into thinking they're safer using one or another if their own habits aren't safe.
Title: Re: Firefox is the most insecure browser?
Post by: tclfan on November 18, 2009, 01:20:53 PM
Thank you Lucky, for such an elaborate assessment in response to my polling opinions on browser security.
Now, even assuming that each browser has vulnerabilities and there are no better or worse browsers out there from this perspective (please correct me if my broad interpretation of the above is not what you meant), the differentiator remains the market share... The smaller the market share, the more secure the browser can be in practice. This is because developers of programs exploiting vulnerabilities of browsers are focusing on those which have the largest market share. At least in logical theory. Therefore Opera is regarded as the most secure browser, not counting Chrome...
My question was, extrapolating our expectation, since Chrome has an even smaller market share than Opera, is it a good expectation that it should in practice be even safer? Are there some lab tests comparing them side by side?
Title: Re: Firefox is the most insecure browser?
Post by: jpeters on November 18, 2009, 03:06:22 PM
Quote from: tclfan
Are there some lab tests comparing them side by side?


Lab tests never make it in the real world....too many unpredictable variables are involved. The safest browser is the one with the least functionality. FF has very active development, and prompt updates. There is a responsibility on the user, like what sites do you go to and what do you download.
Title: Re: Firefox is the most insecure browser?
Post by: bigpcman on November 18, 2009, 04:06:40 PM
Quote from: tclfan
Are there some lab tests comparing them side by side?

Quote from: jpeters
Lab tests never make it in the real world....too many unpredictable variables are involved. The safest browser is the one with the least functionality. FF has very active development, and prompt updates. There is a responsibility on the user, like what sites do you go to and what do you download.

The browser is just a small part of a much bigger security environment picture. The software operating environment as a whole is the best way to evaluate security. Where you go and what you download can cause harm in many different ways depending upon your software environment. Here's one of the best articles (actually an interview) I've read on the subject:

http://www.tomshardware.com/reviews/joanna-rutkowska-rootkit,2356.html

and just in case you missed it here's another good discussion:

http://www.securitytube.net/Attacking-Intel-Trusted-Execution-Technology-%28Wojtczuk-Rukowska%29-video.aspx

Be patient with this video; it starts getting interesting about 6 minutes in when the subject of BIOS protection begins. At 54 minutes in, a discussion about Intel's response to the vulnerabilities in their super dooper new hardware-oriented code protection scheme starts.
Title: Re: Firefox is the most insecure browser?
Post by: lucky13 on November 18, 2009, 08:59:39 PM
@tclfan
Quote
The smaller the market share the more secure the browser can be in practice.

Again, obscurity isn't security. Such statements also ignore the fact that there are myriad shared code/projects between browsers. Read, for example, the "Third Parties" section in the Opera "about" page. Nearly every browser uses either OpenSSL or TLS, zlib, libpng, etc. Depending on operating system, they also may share common graphic toolkits (such as GTK) and other code. Then there are the guts that render web pages, some of which are shared between projects. A vuln in one affects more than one, including some of the more "obscure" browsers. So we're right back where we started with security through obscurity, adding that the more shared code there is between projects the more risks there are no matter how obscure one or another project is in terms of market share. A vuln affecting a piece -- like OpenSSL -- shared by various browsers affects the security of all of them.

And that's only a tipping point. You're no safer with one browser over another if the point of entry to your system is something like Flash or some other unrelated piece of software common on enough systems.

"In practice" is the operative part of all of this. User practices count here. I don't click on every link sent to me. I know people who can't resist clicking on links. Am I more at risk with a more popular (and by your reasoning, riskier) browser with my very careful habits than someone else would be with a more marginally-popular browser and more risky habits? Bad habits get more people into trouble than "bad" browsers. And even good habits aren't without risks from things like cross-site scripting.
http://en.wikipedia.org/wiki/Cross-site_scripting

@jp
Quote
The safest browser is the one with the least functionality.

Correct. The more complex anything is, the more room for error. The safest browser is one lacking Java, JavaScript, plugins like Flash, animated GIF support, compression, etc. How boring.

Perhaps a safer alternative is the paranoid system used by RMS, who says he uses wget to fetch everything he browses.
http://lwn.net/Articles/262570/

Oops: http://secunia.com/advisories/product/3416/?task=statistics
Title: Re: Firefox is the most insecure browser?
Post by: julianb on December 08, 2009, 04:44:52 PM
Quote from: lucky13
The safest browser is one lacking Java, JavaScript, plugins like Flash, animated GIF support, compression, etc. How boring.

I suspect Lynx/Links browsers and their derivatives are very secure when you compare them against mainstream web browsers. ;) ;D
Title: Re: Firefox is the most insecure browser?
Post by: mwhit95 on December 09, 2009, 02:30:56 PM
I personally like Dillo. It is the only browser that I will use to view questionable links. It doesn't run JavaScript and doesn't have Flash. It is a small extension and web pages do look better with pictures.
Title: Re: Firefox is the most insecure browser?
Post by: tclfan on December 11, 2009, 11:26:58 AM
From the perspective of the above browser security topic, I would like to ask for your opinion: Which browser would you recommend for TC, to be used for online banking? I have a feeling banking sites do not require JavaScript, Flash, etc... The objective would be to maximize security of sensitive information.
Title: Re: Firefox is the most insecure browser?
Post by: bmarkus on December 11, 2009, 11:34:36 AM
Quote from: tclfan
From the perspective of the above browser security topic, I would like to ask for your opinion: Which browser would you recommend for TC, to be used for online banking? I have a feeling banking sites do not require JavaScript, Flash, etc... The objective would be to maximize security of sensitive information.

I do not see the browser as a main risk factor, to be honest. Security is a more complex issue and this question does not make much sense, sorry.
Title: Re: Firefox is the most insecure browser?
Post by: jpeters on December 11, 2009, 11:51:55 AM
Quote from: tclfan
From the perspective of the above browser security topic, I would like to ask for your opinion: Which browser would you recommend for TC, to be used for online banking? I have a feeling banking sites do not require JavaScript, Flash, etc... The objective would be to maximize security of sensitive information.

A lot has to do with measures taken by the site itself. For instance, some sites no longer allow entering of passwords via the keyboard.
Title: Re: Firefox is the most insecure browser?
Post by: bmarkus on December 11, 2009, 12:13:37 PM
And the user itself is one of the most risky elements in the system.
Title: Re: Firefox is the most insecure browser?
Post by: tclfan on December 11, 2009, 01:22:18 PM
Quote from: bmarkus
And the user itself is one of the most risky elements in the system.
This is true - in general browsing on the internet and other user habits that compromise security...
However, my question was more focused and browser-specific, to level-set across browsers:
Given the base system of TC, which browser would you consider the most secure for online banking? This is to eliminate the factor of general Internet browsing. User browsing habits are in this measurement taken out of the picture, because in online banking every user needs to act the same, e.g. enter userid and password, pay bills, etc. Taking user habits out of the equation we have a better measurement of browser security, don't we?
To narrow down this question, let us say fresh reboot TC, start browser and start online banking. In such context, is there any added security value of browsers without JavaScript, etc...? As stressed in the thread, these added functions compromise the safety of even the most secure browsers, whether by design or by obscurity...
Title: Re: Firefox is the most insecure browser?
Post by: JoXo009 on December 11, 2009, 01:48:00 PM
Quote from: bmarkus
And the user itself is one of the most risky elements in the system.
Yes and no.

Yes, in terms of 'safer-unsafer' it is the user. A user unaware of the 1,000 different security risks may be 99% unsafe, whereas a skilled user may be 1% unsafe only.

But in terms of 'how to eliminate 99% of these 1,000 different risks altogether' it's not the user, it's always the system. And succeeding in this category would create security for the unskilled user too.


So let's talk about this system security and about the main problem, insecurity coming through the web.

How about putting the web into a sandbox, just by using a virtual machine.

Deleting all network connections of the host machine - browsing etc only from within the virtual machine.

And using two virtual machines - one for crazy browsing, one strictly for banking only.

Quote from: jpeters
For instance, ... entering of passwords via the keyboard.  

I think even a keylogger working in the 'crazy browsing' virtual machine wouldn't be able to log keyboard input into the banking virtual machine.

As long as there is no bug chain (a bug for hijacking the machine and a bug for breaking out of the virtual machine) that seems technically safe.

Or do I overlook anything?


---------- edited
Quote from: tclfan
... let us say fresh reboot TC, start browser and start online banking.

I think you are right. Never mind which browser you use, this seems technically safe too.

And TC is ideal for that purpose.

Either by usb or as a super small system working within a virtual machine.


Title: Re: Firefox is the most insecure browser?
Post by: tclfan on December 11, 2009, 02:26:08 PM
JoXo009:
I think this is an absolutely great idea. I have been using this for years, starting with VMware Player and the VMware-provided original secure browser based on stripped Ubuntu, then creating a virtual machine with Xubuntu, Zenwalk, etc...
Here I do not want to get into discussion which is better - VMware or VirtualBox. I am testing the VB 3.1 and I am not taking any position at this point...
I did not go as far as your idea of disabling internet connection on the host machine, though, but such idea is great if we can get away with it...
TC virtual machine should have additional value that pristine state can be automatically restored on each boot of Virtual Machine, so 'crazy' browsing would be harmful only for the current session...
On keyloggers in a VM, they would most likely not be able to reach the host keyboard or the keyboard in other VMs; just curious if any keylogger on the host is able to read keystrokes in VMs...
Title: Re: Firefox is the most insecure browser?
Post by: jpeters on December 12, 2009, 02:33:06 AM
Example of a fraudulent email, allegedly from the FDIC:

Quote
You have received this message because you are a holder of a FDIC-insured bank account. Recently FDIC has officially named the bank you have opened your account with as a failed bank, thus, taking control of its assets. You need to visit the official FDIC website and perform the following steps to check your Deposit Insurance Coverage:
Visit FDIC website
Download and open your personal FDIC Insurance File to check your Deposit Insurance Coverage

Title: Re: Firefox is the most insecure browser?
Post by: JoXo009 on December 12, 2009, 03:17:17 AM
Quote from: jpeters
Example of a fraudulent email ... Download and open your personal ... File
Just a provocative question: Why not open it?

Naturally I wouldn't open that email - not because I fear a virus, but because I don't like to waste my time on such kind of mail. But that's another aspect.

We are talking about security, and from the security point of view, in my opinion it's absolutely counterproductive to seek security on the level of human behaviour.

What's needed is a technical solution to open even fraudulent email without risking the balance of your bank account.

As explained by tclfan, it's possible with a TC USB install - after unplugging it, everything is gone.

And it's possible with the sandbox environment of a virtual machine - after restoring the last snapshot, everything is gone.

It doesn't matter which browser you use, it doesn't matter if an email is faked, it doesn't matter if an infected web site has become a new drive-by attacker.

With the solutions described above you needn't worry about it, you are just safe for technical reasons.

Or did I overlook something?

Title: Re: Firefox is the most insecure browser?
Post by: jpeters on December 12, 2009, 08:14:16 AM
Quote from: JoXo009
We are talking about security, and from the security point of view, in my opinion it's absolutely counterproductive to seek security on the level of human behaviour.

What's needed is a technical solution to open even fraudulent email without risking the balance of your bank account.

Or did I overlook something?

Yes, phishing.
Title: Re: Firefox is the most insecure browser?
Post by: JoXo009 on December 12, 2009, 10:40:17 AM
Quote from: jpeters
... phishing
How? Could you explain please.

Phishing is the attempt to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication - link (http://en.wikipedia.org/wiki/Phishing).

How could this attempt succeed by technical* means, if a user
1. handles all his sensitive data in a virtual machine, where he never visits other webpages and never opens emails.
2. handles his email in an email-only virtual machine.
3. uses a third virtual machine for web browsing and never enters real data there.
4. restores the setup snapshot if he likes to have a clean start again.

In my opinion, phishing of sensitive data isn't possible in a sandbox without such data.

------------
* Obviously there are other means too. The attacker could ring the doorbell and ask, please give me your credit card credentials. The attacker could try to convince you to break the above rules. But that's something else.

Title: Re: Firefox is the most insecure browser?
Post by: jpeters on December 12, 2009, 05:08:14 PM
Quote from: JoXo009
* Obviously there are other means too. The attacker could ring the doorbell and ask, please give me your credit card credentials. The attacker could try to convince you to break the above rules. But that's something else.

hey...as long as you stay in your sandbox environment, this shouldn't be an issue. :D