9 Oct, 2016 No Comments Bobby Software Security

It’s been almost three years since my last comparison of browser security. There have been some considerable changes since then, so let’s take another look.

Why this doesn’t matter as much as you may think

Would you park your Maserati in a bad part of town and say, “It’s okay. The doors are locked!” No. Because door locks and alarm systems don’t matter if you do dumb things with your car.

The same can be said of surfing the web. Visit enough shady sites or click the wrong links and it won’t matter how secure your browser is or what antivirus you use. You will regret it eventually.

So take what you learn here with a few grains of salt. We security nerds like to make a big deal about everything. Is it important which browser we use? Sure, but with a caveat. Our behavior is far more important than nitpicking security features and vulnerabilities.

I make this point simply to illustrate that, in the end, the majority of the responsibility is yours. There’s only so much a browser can do to protect you. I can safely say that all of these browsers are acceptable to a point. They all make a good effort to keep you safe. With that said, there are definitely some that I would recommend above others.

The Real Browser Security Test

Time is the only real test of how secure a browser is. We simply can’t know how secure they are until hackers have poked at them with their Cheetos-stained fingers for a while. The thing is, vulnerabilities will always exist no matter how talented the programming team is. Just ask Google, Microsoft, Apple, or Mozilla. Decades after their software is released, we’re still finding problems with them.

All software has something go wrong eventually. The question is not whether vulnerabilities will be discovered, but what will be done about them. How does a company respond when an exploit in their browser is discovered and how quickly do they get a patch out?

Thankfully, all the browsers I list here (except one) have been around for a long time. And all of them get security patches and updates in a relatively timely fashion, so we won’t cover that aspect in much detail.

Just be careful if you decide to use a more obscure browser that’s not listed here. Smaller development teams typically mean slower response times to security issues.

Comparison Chart

Browser Version Security Privacy *Browserscope
Chrome 53 The Best The Worst 16/17
Firefox 49 Okay The Best 15/17
Opera 40 Very Good Good 16/17
Edge 38 Good (Tentative) Okay N/A
Safari 10 Good Okay 15/17
IE 11 The Worst Okay 14/17

*About the Browserscope score

This score tests only certain elements of overall safety and should not be relied upon exclusively. The Browserscope project is an open source project and lately development has been spotty and may not reflect the most up-to-date features. Besides, no browser here scores below 14/17 anyway, so there isn’t much variation. For more details on what features are included in the test, check out the website.

Conclusion

Keep scrolling if you want to know more about each individual browser and why I scored them this way. Otherwise, here are my recommendations.

Google Chrome seems to be the best choice for security these days. It’s based on a very good engine and has a history of getting new security patches applied the most quickly.

Firefox, I’m sad to report, is no longer a contender for best security. But If privacy is more of a concern for you, then Firefox is the one I recommend the most.

You can’t go wrong with Opera. If you want one browser that does both security and privacy very well, then it would be your best choice. Opera is based on the same engine as Chrome and has similar privacy polices to Firefox. I put Opera in “second place” only by the thinnest of margins in both these areas.

Safari, as always, is perfectly fine. There are no major issues with its WebKit engine and Apple has a history of taking security very seriously.

Microsoft Edge is also shaping up to be a good contender. But it only came out recently so it’s a little too soon to know for sure.

Just stay away from Internet Explorer. For the love of everything holy.

Browser Security Reviews

Google Chrome

Chrome Logo

Google has long had a solid reputation for security. It seems that reputation is only getting stronger.

In the most recent Pwn2Own hacking competition, Chrome came out ahead of every other browser with only one exploit being successfully executed.

It also sports the most powerful sandbox of any browser. A sandbox is an isolated environment which attempts to keep the internet contained and away from your system. Even though it has been shown to be vulnerable before, it’s still a necessary feature for the modern internet.

It’s also worth mentioning that historically, Google has had the fastest response time to security vulnerabilities. The difference is slim, but still worth mentioning.

For all this security, there are always bound to be some weak spots. Not to be overlooked, the use of Chrome apps may be one of those weaknesses. But since this isn’t a review of third party applications, I won’t include them in the final verdict. Just be aware that if you use downloaded Chrome apps from the Chrome Web Store, you’re opening new attack vectors in your browser.

Chrome is now a mature browser. It’s been around for a decade and has proven to be a solid workhorse. Google’s business is the internet, so it only seems natural for them to have such a handle on it. If all you’re looking for is a secure browser, Chrome would be the one to have.

But security is only half the story. Chrome loses some sparkle when you throw privacy concerns into the mix. Google makes its billions by knowing things about you. They collect and store everything. And what’s the best way to collect that information? With a browser.

Google makes money by using targeted advertising on you. That means that your browsing history, location, purchases, music preferences, subscriptions, on and on, are kept and analyzed extensively. They’ve even gone as far as removing ad-block software from the Google Play store so that you can’t use it to block their advertising.

You may not care. There’s so much tracking done on the internet these days that it probably won’t matter if you use Chrome or not. I mean, you already use the Google search engine, right? Not to mention Gmail, Google Drive, YouTube, et al. Those are all Google services as well. But installing their software on your computer takes the privacy concern up a notch that some people won’t like.

Of course, I don’t believe Google is going to misuse anything. It’s just good to keep this in mind if you use their products.

Mozilla Firefox

Firefox Logo

This saddens my heart something fierce, but Firefox has lost its edge. It’s just become too long in the tooth. The underlying architecture of Firefox was designed for a 2004 internet and it just can’t keep up these days.

In fact, at the Pwn2Own competition previously mentioned, no one even tried hacking Firefox. I guess it just isn’t a serious contender anymore. Basically, Mozilla hasn’t made enough recent security improvements for it to be taken seriously.

One of Firefox’s biggest shortcomings is that it does not use a sandbox to keep the internet separated from your system. These days I consider a sandbox essential for most users. Every other browser I cover here uses a sandbox of some kind.

We’re also discovering some major problems with Firefox’s architecture. For instance, one of the worst is that JavaScript plugins in Firefox share the same namespace. This exposes all your other plugins to possible attack by a malicious plugin you may have unknowingly installed. It’s really not a good thing if your password storage plugin is exposed like that, for instance. The worst part is that this is built into the basic architecture so can’t be fixed.

Basically, it’s time for Mozilla to scrap Firefox and rebuild it from the ground up, much like what Microsoft did with Edge and what Opera did three years ago (see below).

That doesn’t necessarily mean you shouldn’t use Firefox anymore. It’s not going to matter much as long as your browsing habits are safe and you’re not installing evil plugins. And it’s still getting timely security updates for the things that they can fix.

As always, Firefox’s strongest point is its privacy. In fact, it’s their mission. Mozilla collects very little data and does not trade information on its users. Not to mention that Firefox is completely open source, which none of the other browsers here can claim. That means anyone can open up the source code and make sure there’s nothing shady inside.

Opera

Opera Logo

Opera is the oldest browser in this comparison, a few months older than Internet Explorer in fact. And like Firefox, Opera was really beginning to show its age. That is, until in 2013 when it went through a major overhaul.

Just shortly after writing my last browser comparison, the Opera developers ditched its proprietary engine in favor of Chromium – the same engine used by Chrome and many other obscure browsers. Because of this, Opera has made a giant leap forward in security. It now uses sandboxes for browsing and has all the other inherent security features made available in Chromium.

Unlike Chrome, however, Opera lacks support for Chrome Apps. That may be an inconvenience for some, but where security is concerned, the fewer attack vectors the better.

Also, having a very small market share (about 1-2%) makes it a less juicy target for hackers. This is called security through obscurity, which doesn’t actually increase its security, but it also doesn’t hurt.

Opera also has a very conservative data collection policy, similar to Mozilla, even if they’re not making as big of a deal about it. That said, they’re still not fully open source, so it ultimately comes down to trust.

Opera has really matured as a browser in the last few years and I don’t hesitate to recommend it anymore.

Microsoft Edge

IE Logo

We have a new entry in the lineup: Microsoft’s Edge browser. It’s only available on Windows 10 where it has replaced Internet Explorer as the default browser.

Edge doesn’t seem to be a completely new browser. It’s most likely a stripped down version of IE. But this can only be an improvement. It no longer supports ActiveX or Browser Helper Objects which also kills support for toolbars. These features were common attack vectors in IE and will not be missed. The result is a much more lightweight, faster, and undoubtedly more secure browser.

Here’s a list of features no longer supported by Edge

In addition, Edge uses a sandbox to help isolate the internet from the operating system. This makes it harder to gain access to your system through the browser. IE has had a sandbox in some form ever since version 9, but with questionable effectiveness. This seems not to be an issue in Edge. At least not yet.

One promising sign is that Edge passed its first real trial by fire with aplomb, at the 2016 Pwn2Own hacking contest. It fared better than every browser except Chrome. So far so good.

It’s possible that, being based on IE, some of the same vulnerabilities will have transferred to Edge. And Edge is still young, the first public version having been released only one year ago as of this writing. So we can’t get ahead of ourselves and make any assumptions at this point. But it looks promising.

As for privacy, the same issue still exists as with Internet Explorer. Edge is completely closed source and built by Microsoft. For those with serious privacy concerns it’s something to keep in mind.

Apple Safari

Safari Logo

This review is only for Safari on Mac. Safari on Windows was abandoned a long time ago and should never be used.

Apple Safari continues to be a good contender, despite having 3 out of 3 hacks against it successful in the previously mentioned Pwn2Own contest. Apple has typically been very good about releasing patches in a timely fashion.

Safari is the last major browser to be using the WebKit engine since Chrome abandoned it in favor of Chromium (which is just a fork of WebKit). That’s not a bad thing as WebKit is a proven engine and does not have any known major issues.

If security is your concern, Safari is a good choice. But as usual, it’s not open source and is provided by a major tech company that is ultimately in it for the profit. That puts it in essentially the same boat as Microsoft Edge and Chrome. I don’t think Apple would use their collected data for anything dubious, but it’s just good to keep in mind.

Microsoft Internet Explorer

IE Logo

Don’t even bother with IE anymore unless it’s absolutely necessary. Only the latest version (11) is still being updated, but who knows for how long. All versions 10 and below are no longer receiving security updates as of the beginning of 2016. IE is sure to be abandoned entirely someday soon and its retirement can’t come early enough.

Unfortunately there are some internet applications that still require legacy extensions like ActiveX which is why it hasn’t completely disappeared. That’s why IE11 is still included in Windows 10 as a backup to Edge. It’s buried somewhere in the menus if you can find it. But I say leave it buried.

Related Articles