A new Google-funded study of browser security by security research firm Accuvant Labs crowned Chrome the champion of security features, and ranked Firefox below Internet Explorer in terms of protection available from web-borne Predictably, Microsoft and Mozilla have different opinions on what makes a browser secure, and why Accuvant's findings are off base. All of this got us thinking about which browser is the most secure, and whether the security features listed in studies like this even matter to the rest of us.
How Was The Study Performed?
Accuvant looked at three browsers for its study: Mozilla Firefox, Google Chrome, and Microsoft Internet Explorer. All three were tested and examined running in 32-bit Windows 7, and the research was wrapped up in July of 2011, so the current release versions of each browser at that time were the ones included in the report. Accuvant says it left out other browsers, like Safari and Opera, to save time, but it does plan to update its findings on the big three as more data becomes available and each development house improves on its respective application.
Accuvant's study of browser security is probably the most comprehensive performed to date, even though other browsers and OSes weren't included. The researchers will be happy to tell you that they look deeper than bug-trackers and vulnerability lists, and try to get a bit more information about what makes a browser secure or vulnerable to threats -- both current and in the future. Part of that effort led the researchers to examine how each browser performed when an intruder already had access to a machine with each browser installed, and how much information they could obtain.
What Did The Study Find?
Accuvant researchers determined that Google Chrome had the most new and effective security features aimed at protecting users from malicious code and scripts embedded in web pages, or code that automatically downloaded and executed from sites users visit. The study examined three major areas:
- Sandboxing, or the method by which a browser limits access to system resources and data beyond the confines of the browser, was one area of significant difference. Researchers found Chrome was the most effective of all three browsers at keeping an intruder away from private data not associated with the browser. Internet Explorer also has sandboxing features, but researchers claimed intruders are given some file-reading abilities even if they are prevented from installing software. Firefox, on the other hand, is simply listed as "unimplemented or ineffective".
- Plug-In Security was another area where Chrome rose above its competition, denying running plug-ins from installing additional software and from running scripts that don't require user interaction while on a web site.
In all three areas, Chrome came out on top. The researchers tied Chrome with Internet Explorer in Sandboxing and JIT Hardening, but point out that Chrome was just a bit better in both areas. In all three areas, Firefox got the lowest marks. In other areas, however, all three browsers tied, and in at least one area, URL Blacklisting, all three browsers got poor marks. The researchers again pointed out that Chrome did better than the other two, but none of them did blacklisting very well.
Ultimately, Accuvant's researchers gave Chrome the top spot, with Internet Explorer right behind it. They pointed to Google's ability to build Chrome from the ground up, from scratch, without having to deal with legacy code or shoehorn in older capabilities the way Microsoft and Mozilla have with Internet Explorer and Firefox. Essentially, according to the research team, Chrome is the most secure because Google was able to write it with a fresh perspective and with security in mind, without baggage to bring along.
What Do Mozilla And Microsoft Say About This?
Mozilla's Director of Firefox Development, Johnathan Nightingale, responded to the study in an article at Forbes, and said "Firefox includes a broad array of technologies to eliminate or reduce security threats, from platform level features like address space randomization to internal systems like our layout frame poisoning system. Sandboxing is a useful addition to that toolbox that we are investigating, but no technology is a silver bullet. We invest in security throughout the development process with internal and external code reviews, constant testing and analysis of running code, and rapid response to security issues when they emerge. We're proud of our reputation on security, and it remains a central priority for Firefox."
Similarly, Microsoft pointed to a study by NSS Labs that showed Internet Explorer dominating all of its rivals -- including Firefox and Chrome -- at protecting user systems from malware. However, just as the Accuvant study was sponsored and commissioned by Google, NSS Labs' studies are often paid for by Microsoft, so there's plenty of scepticism to go around.
How Impartial Is The Study?
Accuvant is a well-respected security and research firm, and has gone to great lengths to make not only the full text of the study available, but also the tools used and the supporting data behind the study in case other researchers want to examine their findings.
Google and Accuvant both explained that even though Google commissioned the study, they knew that if the results favoured Chrome, that fact would cast doubt on the merits of the result. Accuvant explained in an article at Ars Technica that Google gave them more than a wide berth to do the research, and insisted that the study be an impartial look at the state of browser security. Accuvant, for its part, has also put its reputation on the line, stating the study is representative of their company and its quality of work.
Whether Google was so open about the study being independent because they knew the testing methodology and the fact that their codebase put them at an advantage is another story, but as of now, no one's criticising Accuvant's results or methodology. The real question, however, is how much should you or I care?
Does Any of This Matter? What Should I Do?
In the end, the study is important, but the real linchpin of browser security is -- and always has been -- the user behind the keyboard. Chrome may be on top now, but Microsoft and Mozilla will likely make changes as a result of the findings. Accuvant's methodology assumes your system is compromised, and also assumes that you have no other protection besides the browser's own security features to protect you, neither of which is likely true for most users. In the interim, this study will wind up being used as cannon fodder in the browser wars, with one browser's fans firing it at another's without ever bothering to read it.
For the most part, browser security is a matter of user responsibility. Make sure you surf responsibly, and use SSL whenever possible. Don't accept, run, or even download anything if you're not sure what it is or why you were prompted to download a file, and only keep the extensions and add-ons running that you need on a daily basis.
What do you think of the study's findings? More ammunition for the browser wars, or does it actually set Chrome apart or Firefox below? Share your thoughts in the comments below.