One Browser to Rule them All? - SANS Internet Storm Center

One Browser to Rule them All?
A reader emailed in with the question, in short, which is currently the most secure browser and how to stay up to date on the different browsers. In the interest of Chrome having an update today it seems fitting to post the answer as a Diary. Before the browser war ignites, let me be the first to say in my opinion "It Depends." Chrome [1] is regarded as a very safe and secure browser but when you get to the number of lines of code in any browser architecture it is hard to say [3]. There has been some great research on lines of code in different systems [4] and when you get to that level of complexity errors are bound to occur. There are several different thoughts and many books on this subject but what I am getting at here is complexity and trust. At some point you have to trust the development team that wrote the code for the browser, what operating system you are running and how you have deployed your browser. Second, the browser, or the technology is only part of the matter. You still have Phishing and the human factor. Even on the most secure platform the user can be tricked. [4] Another commonly accepted deployment strategy is Firefox with add on components of No-Script and Adblock. Research into your specific deployment scenario and resources is the key to identifying what works in your environment. Infoworld had a great article on securing different browser types [5], it is a little old but still relevant. The pwn2Own contests held at some of the CanSec conferences can lead to some good reading on this subject. [2] In the end, a huge browser war will ignite over which is the most secure but as organic as feature and code has become it is arguable that the best way to secure your environment is layers of defense but finally check out the SANS reading room for papers on the subject. Specifically refer to a paper written by one of SANS GIAC Students [6]. And to our Reader who wrote in, stand by for the heavy opinions on the subject. To our readers, please comment on your experiences or how you stay current. [1] http://www.google.com/chrome/ [2] http://en.wikipedia.org/wiki/Pwn2Own [3] http://www.ohloh.net/p/chrome/analyses/latest [4] http://www.securingthehuman.org/ [5] http://www.infoworld.com/d/security-central/test-center-how-secure-firefox-282 [6] http://www.sans.org/reading_room/whitepapers/bestprac/preventing-incidents-hardened-web-browser_33244 Richard Porter --- ISC Handler on Duty Twitter: Packetalien Email richard at isc dot sans dot edu	Richard 173 Posts ISC Handler Jun 9th 2011
Thread locked Subscribe	Jun 9th 2011 1 decade ago
All browsers carry a risk - I do agree Chrome seems to have a good standing on security, however its more than the browser it is the java, flash and all the other pretty add ons. Personally I run my browser in sandboxie, with office applications, pdf reader and IM in others which are deleted when the application closes (so I have to manually save anything out of the sandbox. Basically anything that is an I/O with the internet I don't trust.	W60 14 Posts
Quote	Jun 9th 2011 1 decade ago
I agree with Matt in that they all carry a risk. I have personally chosen Firefox with NoScript. This particular add-on has been mentioned in quite a few ISC diary entries over the years. As Matt mentioned, it is the add-ons like java, flash & javascript as well as click jacking that present the most risks, not the browser itself. Firefox itself does not protect against these things, but Firefox with NoScript does.	W60 7 Posts
Quote	Jun 9th 2011 1 decade ago
I use Firefox with a mix of extensions and profile separation. I documented a specific Facebook-focused instance over at http://www.starmind.org/2011/05/31/firefox-and-facebook/ , but I have other profiles set up for other activities.	Josh 4 Posts
Quote	Jun 9th 2011 1 decade ago
I usually use firefox under linux, unless there is a specific need to use another browser, such as IE8 under xp. Whenever I think there is a need to be extra careful, I clone a vm and work inside that, then trow it away when I am done.	Moriah 133 Posts
Quote	Jun 10th 2011 1 decade ago
Thanks for posting yet another great question for discussion. Unfortunately, I don't have any great answers, but I would like to throw a couple more questions into the mix. 1. Which browswer offers the best balance of functionality, manageability and security for an enterprise environment? 2. How much of a difference is there between the desktop/laptop version and the smartphone version of the same browser, both in design and usage? We turn off some browswer functions, such as java script, on our corporate smart phones, which are enabled in the browsers on our PC clients. Of course we are hearing more and more user complaints about this, and are currently reviewing our configuration policy. Some of our stakeholders are pushing for equivalent configurations in mobile and desktop browsers, while others see a higher risk profile and lower business need on the smartphones, and therefore are advocating keeping java script and some other functionality turned off. Any thoughts on these questions from the ISC community?	John 13 Posts
Quote	Jun 10th 2011 1 decade ago
Google Chrome - the only browser with key logging and data exfiltration built in. Run on the Chrome O/S for maximum self pwnage. It's like, all clouds and rainbows man, my data's in the sky with diamonds. How much do you trust Google? They'd sell their own mother's geolocation to a hitman for the right price.	John 22 Posts
Quote	Jun 10th 2011 1 decade ago
Does anyone know anything about this browser? http: // www. srware. net/en/software_srware_iron_download.php Sounds good, but not exactly a known quantity either. Based on the description, I think it would be worthwhile for some of you true infosec experts to take a look at it. I'm just a security-aware IT guy, not an expert, by a long shot.	John 2 Posts
Quote	Jun 10th 2011 1 decade ago
I've taken a fairly involved and paranoid approach to this, but after the initial setup time it's not that bad (although its a horrible waste of resources). Note this is a home setup, and probably wouldn't scale well in a business environment, without a lot of modification. I run a Win7 x64 VM in non-persistent mode. Inside this VM I typically run Firefox with NoScript, and if I install Java I disable the plugin. I also run MS Security Essentials in there, but overall I try to keep things light. When I have to update anything, I turn off persistence, update, then turn it back on. Yes, it's a bit of work, but I use the same basic setup for my lab environments anyway, so it doesn't seem like much of a hassle anymore. There are a couple problems: 1. Setup time: it takes a bit to install the OS and get all my programs that I want on there. Updating as well. 2. Non-persistent mode is actually depreciated. It still works with the latest VMWare Player if you modify the file manually, but at some point it will stop working. Snapshots would work just as well. Snapshots would be a better idea, but VMWare Player doesn't have that feature. 3. It requires another OS liscence puchase (legally). It works for me! Also, on the general browser note, IHMO Chrome is the "most" secure, as we have seen so far from the pwn2Own contests. However, I find Firefox with NoScript to be my preferred setup (I'm going to enjoy using my browser).	John 2 Posts
Quote	Jun 10th 2011 1 decade ago
That was a very fair answer but the problem with Chrome is its script blocking. They are never going to patch the two bugs that are needed to port a "noscript" plugin which is why the browser is useless to me.. Its also way to much Google for my comfort and lags with ABP installed. FF6 Aurora with IE 9 for some pages is a great combo. Note: The Chrome plugin "notscript" is garbage and has not been updated since 2010.. I would not use it..	John 1 Posts
Quote	Jun 12th 2011 1 decade ago

A reader emailed in with the question, in short, which is currently the most secure browser and how to stay up to date on the different browsers. In the interest of Chrome having an update today it seems fitting to post the answer as a Diary.

Before the browser war ignites, let me be the first to say in my opinion "It Depends." Chrome [1] is regarded as a very safe and secure browser but when you get to the number of lines of code in any browser architecture it is hard to say [3]. There has been some great research on lines of code in different systems [4] and when you get to that level of complexity errors are bound to occur. There are several different thoughts and many books on this subject but what I am getting at here is complexity and trust. At some point you have to trust the development team that wrote the code for the browser, what operating system you are running and how you have deployed your browser.

Second, the browser, or the technology is only part of the matter. You still have Phishing and the human factor. Even on the most secure platform the user can be tricked. [4]

Another commonly accepted deployment strategy is Firefox with add on components of No-Script and Adblock. Research into your specific deployment scenario and resources is the key to identifying what works in your environment. Infoworld had a great article on securing different browser types [5], it is a little old but still relevant.

The pwn2Own contests held at some of the CanSec conferences can lead to some good reading on this subject. [2]

In the end, a huge browser war will ignite over which is the most secure but as organic as feature and code has become it is arguable that the best way to secure your environment is layers of defense but finally check out the SANS reading room for papers on the subject. Specifically refer to a paper written by one of SANS GIAC Students [6].

And to our Reader who wrote in, stand by for the heavy opinions on the subject. To our readers, please comment on your experiences or how you stay current.

[1] http://www.google.com/chrome/
[2] http://en.wikipedia.org/wiki/Pwn2Own
[3] http://www.ohloh.net/p/chrome/analyses/latest
[4] http://www.securingthehuman.org/
[5] http://www.infoworld.com/d/security-central/test-center-how-secure-firefox-282
[6] http://www.sans.org/reading_room/whitepapers/bestprac/preventing-incidents-hardened-web-browser_33244

Richard Porter

--- ISC Handler on Duty

Twitter: Packetalien

Email richard at isc dot sans dot edu

Richard

173 Posts
ISC Handler

Jun 9th 2011

All browsers carry a risk - I do agree Chrome seems to have a good standing on security, however its more than the browser it is the java, flash and all the other pretty add ons. Personally I run my browser in sandboxie, with office applications, pdf reader and IM in others which are deleted when the application closes (so I have to manually save anything out of the sandbox. Basically anything that is an I/O with the internet I don't trust.

W60

14 Posts

I agree with Matt in that they all carry a risk. I have personally chosen Firefox with NoScript. This particular add-on has been mentioned in quite a few ISC diary entries over the years. As Matt mentioned, it is the add-ons like java, flash & javascript as well as click jacking that present the most risks, not the browser itself. Firefox itself does not protect against these things, but Firefox with NoScript does.

W60
7 Posts

I use Firefox with a mix of extensions and profile separation. I documented a specific Facebook-focused instance over at http://www.starmind.org/2011/05/31/firefox-and-facebook/ , but I have other profiles set up for other activities.

Josh

4 Posts

I usually use firefox under linux, unless there is a specific need to use another browser, such as IE8 under xp. Whenever I think there is a need to be extra careful, I clone a vm and work inside that, then trow it away when I am done.

Moriah

133 Posts

Thanks for posting yet another great question for discussion.

Unfortunately, I don't have any great answers, but I would like to throw a couple more questions into the mix.

1. Which browswer offers the best balance of functionality, manageability and security for an enterprise environment?

2. How much of a difference is there between the desktop/laptop version and the smartphone version of the same browser, both in design and usage?

We turn off some browswer functions, such as java script, on our corporate smart phones, which are enabled in the browsers on our PC clients. Of course we are hearing more and more user complaints about this, and are currently reviewing our configuration policy. Some of our stakeholders are pushing for equivalent configurations in mobile and desktop browsers, while others see a higher risk profile and lower business need on the smartphones, and therefore are advocating keeping java script and some other functionality turned off.

Any thoughts on these questions from the ISC community?

John

13 Posts

Google Chrome - the only browser with key logging and data exfiltration built in.

Run on the Chrome O/S for maximum self pwnage. It's like, all clouds and rainbows man, my data's in the sky with diamonds.

How much do you trust Google? They'd sell their own mother's geolocation to a hitman for the right price.

John
22 Posts

Does anyone know anything about this browser? http: // www. srware. net/en/software_srware_iron_download.php Sounds good, but not exactly a known quantity either. Based on the description, I think it would be worthwhile for some of you true infosec experts to take a look at it. I'm just a security-aware IT guy, not an expert, by a long shot.

John
2 Posts

I've taken a fairly involved and paranoid approach to this, but after the initial setup time it's not that bad (although its a horrible waste of resources).
Note this is a home setup, and probably wouldn't scale well in a business environment, without a lot of modification.

I run a Win7 x64 VM in non-persistent mode. Inside this VM I typically run Firefox with NoScript, and if I install Java I disable the plugin. I also run MS Security Essentials in there, but overall I try to keep things light.
When I have to update anything, I turn off persistence, update, then turn it back on. Yes, it's a bit of work, but I use the same basic setup for my lab environments anyway, so it doesn't seem like much of a hassle anymore.

There are a couple problems:
1. Setup time: it takes a bit to install the OS and get all my programs that I want on there. Updating as well.
2. Non-persistent mode is actually depreciated. It still works with the latest VMWare Player if you modify the file manually, but at some point it will stop working.
Snapshots would work just as well. Snapshots would be a better idea, but VMWare Player doesn't have that feature.
3. It requires another OS liscence puchase (legally).

It works for me!

Also, on the general browser note, IHMO Chrome is the "most" secure, as we have seen so far from the pwn2Own contests. However, I find Firefox with NoScript to be my preferred setup (I'm going to enjoy using my browser).

John
2 Posts

That was a very fair answer but the problem with Chrome is its script blocking. They are never going to patch the two bugs that are needed to port a "noscript" plugin which is why the browser is useless to me.. Its also way to much Google for my comfort and lags with ABP installed. FF6 Aurora with IE 9 for some pages is a great combo.
Note: The Chrome plugin "notscript" is garbage and has not been updated since 2010.. I would not use it..

John
1 Posts