A reader emailed in with a question: in short, which browser is currently the most secure, and how do you stay up to date on the different browsers? Since Chrome has an update today, it seems fitting to post the answer as a Diary.

Richard Porter --- ISC Handler on Duty
Twitter: Packetalien
Email richard at isc dot sans dot edu
Richard 173 Posts ISC Handler Jun 9th 2011
Thread locked
Jun 9th 2011
All browsers carry a risk. I do agree Chrome seems to have a good standing on security; however, it's more than the browser, it is the Java, Flash and all the other pretty add-ons. Personally I run my browser in Sandboxie, with office applications, PDF reader and IM in others which are deleted when the application closes (so I have to manually save anything out of the sandbox). Basically anything that is an I/O with the internet I don't trust.
W60 14 Posts
Jun 9th 2011
I agree with Matt in that they all carry a risk. I have personally chosen Firefox with NoScript. This particular add-on has been mentioned in quite a few ISC diary entries over the years. As Matt mentioned, it is the add-ons like Java, Flash & JavaScript, as well as clickjacking, that present the most risks, not the browser itself. Firefox itself does not protect against these things, but Firefox with NoScript does.
W60 7 Posts
Jun 9th 2011
I use Firefox with a mix of extensions and profile separation. I documented a specific Facebook-focused instance over at http://www.starmind.org/2011/05/31/firefox-and-facebook/, but I have other profiles set up for other activities.
Josh 4 Posts
Jun 9th 2011
I usually use Firefox under Linux, unless there is a specific need to use another browser, such as IE8 under XP. Whenever I think there is a need to be extra careful, I clone a VM and work inside that, then throw it away when I am done.
Moriah 133 Posts
Jun 10th 2011
Thanks for posting yet another great question for discussion.
Unfortunately, I don't have any great answers, but I would like to throw a couple more questions into the mix.
1. Which browser offers the best balance of functionality, manageability and security for an enterprise environment?
2. How much of a difference is there between the desktop/laptop version and the smartphone version of the same browser, both in design and usage?
We turn off some browser functions, such as JavaScript, on our corporate smartphones, which are enabled in the browsers on our PC clients. Of course we are hearing more and more user complaints about this, and are currently reviewing our configuration policy. Some of our stakeholders are pushing for equivalent configurations in mobile and desktop browsers, while others see a higher risk profile and lower business need on the smartphones, and therefore are advocating keeping JavaScript and some other functionality turned off. Any thoughts on these questions from the ISC community?
John 13 Posts
Jun 10th 2011
Google Chrome - the only browser with key logging and data exfiltration built in.
Run on the Chrome OS for maximum self pwnage. It's like, all clouds and rainbows man, my data's in the sky with diamonds. How much do you trust Google? They'd sell their own mother's geolocation to a hitman for the right price.
John 22 Posts
Jun 10th 2011
Does anyone know anything about this browser? http: // www. srware. net/en/software_srware_iron_download.php Sounds good, but not exactly a known quantity either. Based on the description, I think it would be worthwhile for some of you true infosec experts to take a look at it. I'm just a security-aware IT guy, not an expert, by a long shot.
John 2 Posts
Jun 10th 2011
I've taken a fairly involved and paranoid approach to this, but after the initial setup time it's not that bad (although it's a horrible waste of resources).
Note this is a home setup, and probably wouldn't scale well in a business environment without a lot of modification. I run a Win7 x64 VM in non-persistent mode. Inside this VM I typically run Firefox with NoScript, and if I install Java I disable the plugin. I also run MS Security Essentials in there, but overall I try to keep things light. When I have to update anything, I turn off persistence, update, then turn it back on. Yes, it's a bit of work, but I use the same basic setup for my lab environments anyway, so it doesn't seem like much of a hassle anymore. There are a couple of problems:
1. Setup time: it takes a bit to install the OS and get all the programs I want on there. Updating as well.
2. Non-persistent mode is actually deprecated. It still works with the latest VMware Player if you modify the file manually, but at some point it will stop working. Snapshots would work just as well. Snapshots would be a better idea, but VMware Player doesn't have that feature.
3. It requires another OS license purchase (legally).
It works for me! Also, on the general browser note, IMHO Chrome is the "most" secure, as we have seen so far from the Pwn2Own contests. However, I find Firefox with NoScript to be my preferred setup (I'm going to enjoy using my browser).
John 2 Posts
Jun 10th 2011
That was a very fair answer, but the problem with Chrome is its script blocking. They are never going to patch the two bugs that are needed to port a "noscript" plugin, which is why the browser is useless to me. It's also way too much Google for my comfort, and it lags with ABP installed. FF6 Aurora with IE 9 for some pages is a great combo.
Note: The Chrome plugin "notscript" is garbage and has not been updated since 2010. I would not use it.
John 1 Posts
Jun 12th 2011