Security and prejudice in the Browser Wars
Consultants and statisticians have a similar function: to confirm the preferences and prejudices of the client.
On December 9, Accuvant LABS produced a security analysis of the different browsers – and demonstrated that Chrome is the most secure. Well what do you expect? It was commissioned by Google. Now this is not to suggest for one moment that there is anything misleading in Accuvant’s report, nor that Google is attempting anything underhand: merely that prejudice will out.
But some have certainly cried ‘bias!’. One has been NSS Labs. “If you choose to read the Google/Accuvant report, do so with the understanding that the methodology appears to be skewed in Google’s favor, and does not reflect real world attack scenarios.” It is, of course, purely coincidental that NSS’ own browser test comes to a completely different conclusion – that IE9 is considerably, nay, very, very considerably, superior security-wise to Chrome. While NSS claims that Google is undermining Firefox in favour of Chrome, one could also suggest that NSS is undermining the Accuvant report in favour of its own.
Prejudice will always out.
Having said that, NSS certainly has a point. Firefox, once a close friend of Google, is now a pain. I tried Chrome for a few weeks because, as a user, I love its built-in searching capabilities. But I soon got fed up with the adverts Google was spraying all over the place – adverts that Firefox or its add-ons were seamlessly hiding from me; and I went back to Firefox. This hits Google below the financial belt – no adverts equals less revenue.
So what is the answer? How can we navigate our way through this minefield of well-funded unprovable prejudice? “Who has the manliest browser?” asks Rob Rachwald, Director of Security Strategy at Imperva.
Browsers are very much like cars, only in an earlier stage of their life cycle. In the beginning, the competition was on who has the best basic features (e.g., driving from point A to point B or showing web content). After the basic functionality was achieved, Maslow’s law of hierarchical needs sets in. Namely, users’ focus moves to functionality and efficiency (e.g., fuel consumption or speed of rendering).
However, when comparing security features, some of the logical conundrums that plague cars similarly plague browsers:
- If one car has an ABS system and the other one has air bags – who is safer?
- If one browser runs Flash in a sandbox and the other has an anti-XSS filter – who is the safer?
Rachwald points to some basic differences in the way the two tests were conducted: “The NSS study focused solely on malware blocking… The Accuvant study, by contrast, added and focused on other criteria. URL reputation and application reputation are barely considered. In fact, the category “URL Blacklisting” is – oddly – virtually ignored…”
But, he concludes:
If you’re a geek, go for security through obscurity: The best way to minimize accidents’ consequences is to avoid them altogether. The way to avoid a cyber accident is by using a platform which is less targeted by hackers due to its small market share. Such an example would have been Firefox with Linux when Windows and IE dominated the web. At the time, Firefox wasn’t less vulnerable than IE but it was less exploited due to its marginal market share. This method is of course limited to tech geeks willing to invest in installing, learning and dealing with exotic platforms in a rapid manner. But this won’t work for the masses who may not have the time nor expertise to learn a new browser.
For consumers, use newer browsers…
But I don’t know. Nothing I read changes my own prejudices. I want to believe in Firefox. I love its open source philosophy. I feel safe with its own and added security add-ons (especially NoScript!). And I couldn’t live without Scrapbook. Therefore, relying on the final arbiter, my own prejudice, I do believe in Firefox.
Who Makes the Manliest Browser? Imperva