All of the most popular browsers, such as Chrome, Firefox and Internet Explorer, have different security advantages and shortcomings. We've put them through rigorous tests to find out which is best for you.
Making a secure browser
If you're looking for the perfectly secure browser, stop looking. Each new browser entry typically promises a more secure browsing experience, only to prove that making a truly secure web browser is difficult. Each of the most popular browsers has dozens of patched vulnerabilities.
Even the newest, Google's Chrome, released in beta form in September 2008, has nearly a dozen exploits already. Perhaps the strongest testament to how hard it is to make a secure internet browser is the fact that even the text-only Lynx browser, which is as simple as a browser can be (it can't even display pictures or video without external programs), has had five vulnerabilities. If attackers can cause buffer overflows in a text-based browser, any browser more complex will have its issues.
In general, administrators must consider every internet-connected web browser as high risk. In very high-security environments, web browsers aren't allowed to run or aren't allowed to render content from the internet. But assuming your enterprise needs to browse the internet and seeks a browser with an acceptable level of security, keep reading. A secure browser must include the following traits as a minimum:
- It was coded using Security Development Lifecycle (SDL) techniques.
- It has undergone code review and fuzzing.
- It logically separates network and local security domains.
- It prevents easy malicious remote control.
- It prevents malicious redirection.
- It has secure defaults.
- It allows the user to confirm any file download or execution.
- It prevents URL obscurity.
- It contains anti-buffer overflow features.
- It supports common secure protocols (SSL, TLS, etc.) and ciphers (3DES, AES, RSA, etc.).
- It patches and updates itself automatically (with the user's consent).
- It has a pop-up blocker.
- It utilises an anti-phishing filter.
- It prevents website cookie misuse.
- It prevents easy URL spoofing.
- It provides security zones/domains to segregate trust and functionality.
- It protects the user's website logon credentials during storage and use.
- It allows browser add-ons to be easily enabled and disabled.
- It prevents mischievous window use.
- It provides privacy controls.
- It has been battle tested by hackers over a sufficient period of time.
Another good place to start learning the detailed basics of web browser security is Part 2 of the Browser Security Handbook maintained by Michal Zalewski. The Browser Security Handbook gives a great introduction to many of the behind-the-scenes security policies that underlie most of today's browsers and indicates which features are supported in various browsers.
Comments
montse said: Succinct and to the point
RSebire said: All sites have vulnerabilities unless stated formally but the FBI therefore how can a browser be secure Java based code library and Python as such current form Net 1-Net2 and yes Net3 compatible allow all user to deengineer the HTML DHTML etc of the website even before the browsers is directed to it by DYns. The only safe way of browsing the web is to use tried and tested applications such as MSIE and Firefox remember Netscape. The newer generation promise a lot but have no credentials to support their claims. I prefer Firefox 3 with no script adblock and grease monkey as it allows me to use a firewall open NAT Port as software and internet based virus scanner a Peer guardian and an anonymiser simultaneously - Thus 100 java executable code without malformations exploits. Plus I can choose how and what is displayed to me, plus I know this might sound unpopular I do effectively disconnect around 50 countries from my internet and any of their products. Simple really.
Ron said: Ha! The most common complaint I see on my blog is - to put it politely - "Chrome is an abomination". I do prefer it with the profanity, though. Having tried this barely-formed foetus of a browser, I have to agree.
Si said: Surprise, surprise that the author has nothing bad to say about IE8 despite it being in beta stage but can critique the other browsers. But what do you expect when he works for Microsoft? PCA, are you seriously telling me that you couldn't find an impartial reviewer, or do Microsoft sponsor you to put these up?