
Google-Funded Study Knocks Firefox Security

Soulskill posted more than 2 years ago | from the time-to-argue-again dept.

Google 225

Sparrowvsrevolution writes "Researchers at the security firm Accuvant released a study Friday that gauges the security features of the top three web browsers. Accuvant admits the study was funded by Google, and naturally, Chrome came out on top. More surprising is that Internet Explorer was rated nearly as secure as Chrome, while Firefox is described as lacking many modern security safeguards. Though the study seems to have been performed objectively, it won't help Google's fraying partnership with Mozilla." The full research document is available here (PDF), and it goes into much greater detail than the Forbes article. Accuvant also published the tools and data they used in the study, which should help to evaluate their objectivity.

225 comments

Chrome and IE are the most secure browsers (4, Informative)

InsightIn140Bytes (2522112) | more than 2 years ago | (#38326472)

> More surprising is that Internet Explorer was rated nearly as secure as Chrome, while Firefox is described as lacking many modern security safeguards.

How is this surprising? Apart from some ignorant cases on Slashdot who believe Microsoft is the devil and should die, it's not a new fact that IE has been a really secure browser for a long time. Both IE and Chrome offer sandboxing, JIT hardening and ways to make vulnerable plug-ins less easy to exploit and gain access to the system. Firefox offers none of these.

Currently, it's not even often that you find a vulnerability directly in the browser. Most of the attacks target either plug-ins like Flash or a PDF reader, and if someone does find an exploit in the browser, the extra security layer makes it much harder to exploit. Yes, you can use something like NoScript in Firefox (and other browsers), but the majority of people don't. In fact even I don't because frankly, it's a pain in the ass to use. This is the reason why extra security layers provide so much better overall security.

Anyone who still says that IE is an insecure browser just doesn't know what he is talking about. On top of that, this study doesn't really bring anything new to the table (but it is really well done with comprehensive disassemblies and exploit testing), it just confirms what has been known for a long time now - both Chrome and IE are really secure browsers, followed by Opera. The one that is lagging behind is Firefox. I don't know what happened to them, but they seem to copy the aspects of Chrome that no one actually cares about (UI and version number scheme) while completely forgetting what Chrome and IE do underneath and what actually counts - sandboxing, JIT hardening, auto-updating browser and plug-ins and separating different tabs to different processes.

Re:Chrome and IE are the most secure browsers (3, Informative)

bunratty (545641) | more than 2 years ago | (#38326560)

I think the folks at SecurityFocus disagree. Although IE 9 is more secure than previous releases, IE still has plenty of vulnerabilities [securityfocus.com]

Re:Chrome and IE are the most secure browsers (5, Informative)

InsightIn140Bytes (2522112) | more than 2 years ago | (#38326650)

If you browse the same site for Chrome, you'd notice that the list is about the same length for the latest version. And the total vulnerability count is huge for Firefox compared to Chrome and IE.

Re:Chrome and IE are the most secure browsers (1, Informative)

bunratty (545641) | more than 2 years ago | (#38326758)

Here are the lists for: Chrome [securityfocus.com] which shows zero vulnerabilities, and Firefox [securityfocus.com], which shows two. Ah, good old cognitive dissonance -- making people ignore evidence that doesn't match their conclusions since the dawn of man.

Re:Chrome and IE are the most secure browsers (4, Informative)

InsightIn140Bytes (2522112) | more than 2 years ago | (#38326842)

The links you showed list new vulnerabilities for:

Chrome 15.0.874.121 (really minor version number)
Firefox 8.0 (FF 11.0 is in the works already!)
IE 9.0 (now we suddenly have a major version number)

Both Chrome and Firefox use insane version number schemes which really doesn't make that comparison valid. Because of that you have to compare the vulnerabilities within some time frame, for example one year or two years. But I suspect you knew that.

Re:Chrome and IE are the most secure browsers (-1, Troll)

bunratty (545641) | more than 2 years ago | (#38327210)

Yes, of course, dismiss any and all evidence I could possibly provide, and provide none of your own. And the choir mods you up. It's classic denialism and groupthink.

Re:Chrome and IE are the most secure browsers (-1)

Anonymous Coward | more than 2 years ago | (#38327306)

Way to miss the point, jackass.

You're obviously comparing different things. Rather than discuss that, you get all butthurt and complain about the people with modpoints.

Which may just be indicative of someone who's coming to this party with his/her mind already made up and is personally offended by contrary ideas. You've got some issues, dude(tte).

Re:Chrome and IE are the most secure browsers (0, Offtopic)

iserlohn (49556) | more than 2 years ago | (#38328252)

Way to go, lose an argument and use an alt to reply.

Re:Chrome and IE are the most secure browsers (1)

Anonymous Coward | more than 2 years ago | (#38327726)

I don't think you understand how debate works. You don't have to provide support of your own if your goal isn't to prove a given side. All you have to do is prove that your opponent's support is invalid, as he does. Try making valid, sustainable points, and maybe you'll get some credit.

Re:Chrome and IE are the most secure browsers (1, Troll)

calibre-not-output (1736770) | more than 2 years ago | (#38326562)

> Anyone who still says that IE is an insecure browser just doesn't know what he is talking about.

I beg to differ. IE comes tied-in with Windows and is the most widely used web browser in the world. That also means that it is the most targeted web browser by people bent on exploiting its vulnerabilities in order to gain unlawful access to someone else's computer. Even though it might have less security flaws than Opera or Firefox, you can bet your gonads that the proportion of security flaws that actually get exploited on IE is a lot bigger than in either of these two browsers. It comes with the turf. Of course, this doesn't mean that IE is inherently less secure than Firefox. You're right to say it isn't. Still, if I had to choose between IE and FF based only on security, I'd go for FF simply because it's probably a lot less targeted. I have no data to back up my claim, though, and could be completely wrong. Does anyone have any numbers on this?

Re:Chrome and IE are the most secure browsers (5, Interesting)

InsightIn140Bytes (2522112) | more than 2 years ago | (#38326608)

You would only gain additional security if the exploits actually targeted the browsers. They don't - most of them target plug-ins and work in every browser. Now, both Chrome and IE sandbox them and have extra security layers for plug-ins just so that even if a plug-in is vulnerable, you can't actually gain access to the system. Since Firefox doesn't offer any of these options, you gain access directly after compromising the plug-in.

Re:Chrome and IE are the most secure browsers (1)

calibre-not-output (1736770) | more than 2 years ago | (#38326734)

I see. But doesn't that mean that if I don't use any of these plug-ins, the differences in browser security become irrelevant? I'd lose the ability to view Flash videos or read PDF files in-browser, but YouTube already has an HTML-5 mode anyway, and I usually download my PDFs and read them locally later.

Re:Chrome and IE are the most secure browsers (3, Insightful)

InsightIn140Bytes (2522112) | more than 2 years ago | (#38326784)

Yes. But 99% of people are going to keep their Flash and PDF readers. But if you download PDFs and read them locally later, you can still be exploited if you use a vulnerable reader. All of them have had exploits too, but Adobe's is the most targeted one.

And yes, these exploits work for Linux too, if someone just remakes their payload to target them. In many cases you don't even need root access to most malware, so Linux security doesn't really offer much. However, in that case it actually needs the malware author to create a separate payload for Linux.

Re:Chrome and IE are the most secure browsers (4, Interesting)

Anonymous Coward | more than 2 years ago | (#38327620)

You don't even need to read them, if you happen to ever have had Adobe's reader installed, the shell extension remains lingering around, which means merely hovering over the file icon will open you to exploits.

Re:Chrome and IE are the most secure browsers (1, Informative)

Billly Gates (198444) | more than 2 years ago | (#38327096)

Keeping Flash and Java up to date helps. With Java these days it is best to disable it in your browsers if you have to use it for things like Eclipse on the desktop. That's what I do as Java 7 is a pile of dung even if it is much more secure. I haven't used a Java applet since 2002 seriously. So I can still use Java 6 and not worry about being hacked when I browse.

With Windows Vista and Windows 7 it is very difficult as hell to target a browser with the exception of Firefox because it does not support sandboxing. The reason why is because ASLR is a RAM address randomization technique so if you overflow a buffer you can't say "use server.exe by its RAM address and inject your DLL into it". DEP is something XP only partially supports that Vista and 7 do fully where you can't plant data execution code in regular data like a picture file. In XP with IE 6 you simply render the pic on the page and you have instant data execution as the CPU/Kernel are too dumb to know which is data and which is executable. That is another common browser exploit.

But today these are rare and hard to do so a plugin is a great way to do it. IE 9 even has a special compiler option which the engineers even control exception handling so the program will never go into an area out of bounds.

Flash and Adobe Air are the way to go. Keep them updated or use adblock if you can. The first thing I always do when I get a new computer is uninstall PDF reader and Flash and then go to file hippo and download only the latest.

Re:Chrome and IE are the most secure browsers (0)

Anonymous Coward | more than 2 years ago | (#38327532)

> Flash and Adobe Air are the way to go.

Go mad with rage because Flash is a pile of fucking shit?

Re:Chrome and IE are the most secure browsers (1)

Runaway1956 (1322357) | more than 2 years ago | (#38327694)

Off on a slight tangent here - but if you don't install Adobe flash, you can still watch flash movies in your browser. And, it does happen to be Adobe's version of flash that has grown infamous for vulnerabilities. Likewise, Adobe's PDF reader is the vector for PDF vulnerabilities. So, if I install some other PDF reader, and some other version of flash, I might (probably will) be secure from most vulnerabilities. Right?

Microsoft has lost their standing as the most common attack vector, giving way to Adobe, the last I read.

Re:Chrome and IE are the most secure browsers (1)

Noughmad (1044096) | more than 2 years ago | (#38327824)

> Off on a slight tangent here - but if you don't install Adobe flash, you can still watch flash movies in your browser.

Which do you recommend? I tried both gnash and lightspark, albeit some time ago, and most flash sites wouldn't play, or wouldn't play correctly. Also, neither improved the power consumption, which is my main complaint about flash.

Re:Chrome and IE are the most secure browsers (2)

Runaway1956 (1322357) | more than 2 years ago | (#38327970)

I've had pretty good luck with gnash, myself. To be perfectly honest, though, I most often right click the video, and save it to disk, then view it locally, in VLC.

Lightspark, I just looked at, and never did try it. Maybe I'll test it out soon.

Re:Chrome and IE are the most secure browsers (1)

Vellmont (569020) | more than 2 years ago | (#38327724)


> They don't - most of them target plug-ins and work in every browser. Now, both Chrome and IE sandbox them and have extra security layers for plug-ins just so that even if a plug-in is vulnerable, you can't actually gain access to the system.

I'd be far more interested in actual results, from actual attacks (by white or blackhats) rather than undemonstrated theories on how to protect the plugin from the OS. How many times has one party made a "super great security layer that's unbreakable", only to be thwarted very quickly by something they never thought of?

Re:Chrome and IE are the most secure browsers (2)

LordThyGod (1465887) | more than 2 years ago | (#38328026)

Windows is also Operating System for Dummies, Desktop for Dummies and Internet for Dummies all in one convenient package. Malware authors know they have a much better chance of such people not updating their software and doing other dummy kinds of things. It's a natural fit.

Re:Chrome and IE are the most secure browsers (4, Insightful)

hey! (33014) | more than 2 years ago | (#38326596)

Well, let's wait and see.

Software products are products of corporate cultures. That's not just how people in a corporation tend to think, it's what they tend to value. There is no doubt that Microsoft is capable of producing a secure browser when faced with public criticism and strong competition. The question is whether they will continue to do so if public attention flags or the competition declines, or whether security will be sacrificed to some other business goal.

Of course you can ask that of *any* browser produced by *any* organization, but the point is that it is a bad idea to accord any one browser product a privileged position. Developers should develop to standards then test against multiple products, and users should not be shy about changing browsers. The problem is that IE inherently has a privileged position, and Microsoft has a history of using interlocking, non-proprietary product stacks to drive sales across product categories. That means Microsoft has unusual temptations when it comes to security, because of IE.

Re:Chrome and IE are the most secure browsers (3, Insightful)

hedwards (940851) | more than 2 years ago | (#38326676)

The study itself appears to be bunk. They assume that the browser is going to be exploited which doesn't give any credit to how difficult that might be. It is valid to look at that, but it's incredibly misleading for them to suggest that all browsers are equally likely to be broken. Ultimately, by the time those technologies come into play you're more or less screwed. They can somewhat limit the damage, but if somebody's broken into the browser they probably know where one of the exploits is to get out of the browser.

It also doesn't take into account common security extensions that people are likely to have or the types of people that use the browsers. Ultimately, it doesn't matter how secure your browser is if you just go around clicking random links and downloading questionable software.

Re:Chrome and IE are the most secure browsers (1)

Vellmont (569020) | more than 2 years ago | (#38327910)


> Ultimately, it doesn't matter how secure your browser is if you just go around clicking random links

WTF? This is the entire experience of the World Wide Web! Are you really suggesting that we're all supposed to "just know" which are the "good" links to click on, and which ones are the "bad" ones? Do you really think an attacker isn't clever enough to trick you into clicking on his malicious site? And no, I'm not talking about the "punch the monkey", or "take this IQ test" crap.

Re:Chrome and IE are the most secure browsers (2)

dln385 (1451209) | more than 2 years ago | (#38327068)

> Yes, you can use something like NoScript in Firefox (and other browsers), but the majority of people don't. In fact even I don't because frankly, it's a pain in the ass to use.

Install NoScript and enable scripts globally in its options. I do this and it's like it's not even there, but once in a while when I'm on a shady website, it'll pop up and say that it blocked a suspected malicious script or XSS attack. Better than nothing.

Re:Chrome and IE are the most secure browsers (1, Informative)

Ucklak (755284) | more than 2 years ago | (#38327076)

Don't care how secure IE is now, it renders differently between versions 7, 8, and 9 and is incredibly slow.

Firefox has a fucked up "architecture". (2, Insightful)

Anonymous Coward | more than 2 years ago | (#38327128)

Of all of the major browsers, Firefox has by far the most fucked up architecture. When you examine it, it's no wonder why Firefox suffers from so many performance problems, excessive memory usage, and various other problems.

The core parts of it are written in C++, which isn't a bad idea, by any means. However, they've decided to use a stuck-in-the-1990s variant of C++ that's extremely handicapped and limited. This might make it portable, but it also encourages the creation of obtuse, low-quality C++ code.

It's the crap they've layered on top of this core that really makes any good software developer ask, "What the fuck ?" XPCOM is braindead. It's a pile of crap beyond belief. It makes MS COM a pleasure to work with, if you can even imagine that.

Then they implement the UI in a horrid mix of JavaScript and XML (they call it XUL). If you've done any serious UI development using real toolkits like Motif, MFC, wxWidgets, Swing, SWT, WinForms, and even Gtk+, you'll immediately see how stupid this JavaScript/XUL approach is. It's everything that's bad about JavaScript (and that's just about everything about it), combined with everything that's bad with XML, combined with everything that's bad about HTML and web development.

The use of JavaScript and XUL to build desktop applications is, to me, a sign of ignorance. When all you know is web development, you'll try to use the same techniques for application development, and it'll be a disaster. See Firefox.

It should be clear to any good software developer why Firefox has such poor performance, and why it uses so much memory. Its architecture is complete rubbish. It's as if every bad idea possible was chosen, from the use of a poor subset of C++ to the extensive use of JavaScript and XML where neither is appropriate for use.

It also becomes clear why it was relatively easy for Chrome to crush Firefox so easily. It's apparently developed by proper C++ developers, who are smart enough to know to not use web development techniques for desktop application development.

Re:Firefox has a fucked up "architecture". (1)

iserlohn (49556) | more than 2 years ago | (#38328274)

Firefox is built on JavaScript, just like the rest of the web. That's the standard architecture now, live with it.

Re:Chrome and IE are the most secure browsers (-1)

Anonymous Coward | more than 2 years ago | (#38327508)

> More surprising is that Internet Explorer was rated nearly as secure as Chrome, while Firefox is described as lacking many modern security safeguards.

That's ridiculous. Visit the web with IE (version 6 - 9 don't matter) and your Windows PC will immediately start infecting with all sorts of infectious software. Do the same with Firefox or Chrome, and your PC will stay sober and clean.

Potential shill: First post & instant Score 5? (0, Flamebait)

improfane (855034) | more than 2 years ago | (#38327554)

You may have a valid point but circumstance leads me to presume you are paid for your post. Especially since you are spreading FUD about NoScript.

Please note the first post combined with high ID and instant score 5. Shills do have cooperating accounts. There is a network that infiltrates communities like Slashdot...

Re:Chrome and IE are the most secure browsers (-1, Flamebait)

GameboyRMH (1153867) | more than 2 years ago | (#38327648)

I've suspected this for a while and now I'm calling it: You're a shill for Microsoft.

Re:Chrome and IE are the most secure browsers (0)

Anonymous Coward | more than 2 years ago | (#38327740)

Not this shit again.

Re:Chrome and IE are the most secure browsers (1, Informative)

Zamphatta (1760346) | more than 2 years ago | (#38327650)

But a flaw in IE can root your system, since IE is tied in so deep. So, even if the insecurity is in Java or Flash or some other plugin, it can have much nastier effects than the same problem via Chrome since Chrome isn't tied into the system. (assuming we're talking about Windows comp's and not Chrome OS or Linux/WINE). In this way, IE is still a bigger insecurity than any other Windows browser even when the insecurity isn't specifically an IE flaw, because IE's "tied in" design is flawed.

Re:Chrome and IE are the most secure browsers (3, Interesting)

Vellmont (569020) | more than 2 years ago | (#38327868)


> Anyone who still says that IE is an insecure browser just doesn't know what he is talking about.

Care to point to any actual data on breakins, rather than theoretical security models to demonstrate this point?

You might want to look at the Pwn2Own contest results from this year:
http://en.wikipedia.org/wiki/Pwn2Own [wikipedia.org]

Teaser:
The second and last browser to fall for the day was a 32-bit Internet Explorer 8 installed on 64-bit Windows 7 Service Pack 1. Security researcher Stephen Fewer of Harmony Security was successful in exploiting IE. Just as with Safari, this was demonstrated by running Windows' calculator program and writing a file to the hard disk.

Day 3
No teams showed up for day three. Chrome and Firefox were not hacked.

Only IE8 was in the competition since IE9 wasn't even released until shortly afterward. We'll see how the new batch of browsers does next year.

So I have to ask: Why does "anyone who thinks IE is an insecure browser doesn't know what he is talking about"?

Re:Chrome and IE are the most secure browsers (-1)

Anonymous Coward | more than 2 years ago | (#38327902)

Did Microsoft pay you to say that? Is your Redmond boss looking over your shoulder as you type this, or is it a tamper proof key logger that you have to worry about? Have you been a sock puppet your entire life, or is it a new thing for you? Is it fun to have someone's hand 'in you' like that or does it take getting used to? Do you enjoy it now? Do you have to bend over to allow the hand access? Go ahead, you can tell all, /. readers are curious, inquiring readers.

Re:Chrome and IE are the most secure browsers (1)

metacell (523607) | more than 2 years ago | (#38328276)

I assume the TFS meant it was surprising considering who funded the research...

Here it comes (4, Insightful)

masternerdguy (2468142) | more than 2 years ago | (#38326506)

Nobody is going to RTA. This is going to be a good flamewar though.

Re:Here it comes (1)

Aerorae (1941752) | more than 2 years ago | (#38326552)

The problem is that, though I agree whole-heartedly with the results of the study, it was funded by Google. Even if it wasn't we'd have controversy, but since it does, it's gunna be more than a flamewar!

Re:Here it comes (1)

InsightIn140Bytes (2522112) | more than 2 years ago | (#38326690)

The PDF contains all the things they tested, and goes to very technical details. I also doubt Google would want to make Microsoft look better than Mozilla.

Re:Here it comes (1)

Trepidity (597) | more than 2 years ago | (#38327094)

That's true, and a good instinct to have, but I apply it less in this case than usual, because the study appears to actually include substantial technical detail, and Accuvant is a well-respected security firm. At the very least it looks like a more serious commissioned study than the stuff you get from the usual "independent" shill consultants that write most commissioned tech whitepapers.

Re:Here it comes (0)

Anonymous Coward | more than 2 years ago | (#38326768)

Aye, this study is about exploit mitigation. Basically reducing damages from bugs/exploits that do happen. This is only a subset of security and not a full look at security which includes number of bugs/exploit including ease and severity of them, how often they appear, and patch time. Of course Firefox is last as it focuses on normal more traditional security but does nothing like sand-boxing to reduce exploit damage. Doesn't mean that Firefox is more insecure, but is an aspect that should be taken into consideration.

Basically, if exploit takes away 2 points from security, sandboxing like stuff would reduce it to 1 point (reduces severity). This doesn't mean anything if IE gets 100 exploits and firefox gets only 10 (-50 vs -20). Note: This is just an example to explain my reasoning.

Opera (5, Interesting)

jaak (1826046) | more than 2 years ago | (#38326576)

The researchers did not evaluate Opera in their study. I wonder how that would have compared...

Re:Opera (5, Interesting)

kangsterizer (1698322) | more than 2 years ago | (#38326718)

They don't care about Opera. It's not a technical study. It's a marketing study.
Opera has no market share. Chrome's easiest target is Firefox.
IE's easiest target is Firefox too, and they made a similar advertising study, where IE is on top of security, way ahead of Chrome - but not too much.
Both put Firefox down.

All of them fail to mention other security features of Firefox. All of them fail to mention noscript and the like.
(and before you ask a list, take a look at Firefox's separated memory management per tab, or frame poisoning protection, etc.)
Also, no mention of CVE count of course, aka the actual discovered vulnerabilities.

That's just making a checklist where you put names of technologies that the opponent doesn't have, but don't put names of the ones you do not have.
Then put a mark in front of them to make you appear better.

In the past they've been (as in all corporations) doing that for ages, Microsoft certainly did a lot of it. The difference here is that they now buy out companies to do it for them.

Re:Opera (4, Informative)

InsightIn140Bytes (2522112) | more than 2 years ago | (#38326742)

Opera is the most used browser in many CIS countries, having almost 50% market share in some and beating all IE, Chrome and Firefox. Maybe you wanted to say that Opera has no market share in the US.

Re:Opera (-1, Troll)

Anonymous Coward | more than 2 years ago | (#38327160)

Fine.
Opera has a market share of 30 000 people worldwide.
Safari has a market share of 23 million worldwide
Firefox has a market share of 517 million worldwide
Chrome has a market share of 527 million worldwide
IE has a market share of 600 million worldwide.

Yay, Opera is indeed a browser worth considering!

Re:Opera (0)

allo (1728082) | more than 2 years ago | (#38327436)

> Opera has a market share of 30 000 people worldwide.
troll.
more like 30 million.

Re:Opera (1)

Anonymous Coward | more than 2 years ago | (#38327818)

Globally Opera has around 1.8% market share (http://gs.statcounter.com/ others show similar). There are around 2.1 billion internet users WW (http://www.internetworldstats.com/stats.htm). That would peg Opera at close to 38 million. So you are right. But it is still very small. Even Safari has more than 3x the user base. I've tried Opera several times, but never liked it myself. But it does seem to have a very strong and vocal supporter base for its minuscule size.

Re:Opera (1)

kangsterizer (1698322) | more than 2 years ago | (#38328136)

Funny.
You're using the same tactic I pointed out Google is using.

September 2011, median of all worldwide browser usage statistics:
Opera 2.7% = Yay for CIS 10 users! 2.7% woohoo!

Chrome was at 20%, Firefox 25 and IE 38%. See the difference?

That doesn't mean Opera is a bad browser. In fact, Opera mobile is very, very good. But that doesn't mean one should write FUD now should it?

Re:Opera (0)

Anonymous Coward | more than 2 years ago | (#38327396)

Extensions don't count. They aren't default behavior, nor installed by most of the userbase.

If Mozilla were smart, they would hire the NoScript guy and work to improve it even more, particularly making it easier to filter or unfilter.
Even as a power user, I still find it pretty obtuse sometimes.

Of course, Mozilla aren't smart and they continue to bewilder even their most diehard fans with all of the recent nonsense.
How far they have fallen since the early days of Firefox.
Just like Notch of Mojang, they let the fame get to them too much and thought they could get away with anything, and it backfired. Horribly.

Re:Opera (1)

Noughmad (1044096) | more than 2 years ago | (#38328054)

> Just like Notch of Mojang, they let the fame get to them too much and thought they could get away with anything, and it backfired. Horribly.

How exactly did it backfire for him?

Secretly Funded? (0)

Anonymous Coward | more than 2 years ago | (#38326614)

What if it were secretly funded by Microsoft as well?

Nothing to see here (-1)

Anonymous Coward | more than 2 years ago | (#38326632)

Any browser study that doesn't include Opera might as well be printed on toilet paper, because that's about all it's good for.

What a load of massive donkey shit. The last time I heard this many misstatements, half truths, and BS was at a Herman Cain rally.

Chrome is a great browser, yes, I'll give you that. IE and the ever bloated Firefox, not so much.

But let's see Chrome and Opera head-to-head, mano a mano. Opera wins hands down in terms of performance and security. JIT, yup. Plugin hardening, yes sir. Sandboxing, indeed. Hotboxing, that too. URL filtering, phish detection, of course.

Dear Forbes, please take this "analysis" and shove it where the sun don't shine.

Good day sir.

I said good day.

Good for Firefox (0)

Anonymous Coward | more than 2 years ago | (#38326644)

Firefox needs kicks in the balls like this.

Marketing People have started writing the code at Mozilla.

Marketing People are writing the code for GNOME3 and Unity.

Marketing People are picking and troll- or flamebait-tuning the stories here at Slashdot.

Looks like even people who switched to Linux are still not smart enough to know what they want without the marketing people.

Ah well... escalation comes before restoration...

Who woulda thunk it. (1)

RandomAvatar (2487198) | more than 2 years ago | (#38326678)

Who would have thought that a company that makes a browser, then does a comparison, would end up having their browser come out on top? This is why I never trust studies or comparisons done by a company that has had any funding or is related in any way to the market, company, or product they are doing the study on.

NoScript! (0)

Kaz Kylheku (1484) | more than 2 years ago | (#38326716)

Did they install NoScript? Evaluating Firefox security without this script blocker is like evaluating a compiler without using its optimization options.

Re:NoScript! (4, Insightful)

calibre-not-output (1736770) | more than 2 years ago | (#38326756)

They tested the vanilla browsers, as they should. Most people don't install NoScript, and many who do get annoyed with it and switch it off.

Re:NoScript! (1)

Kaz Kylheku (1484) | more than 2 years ago | (#38326822)

So, since most people won't use Firefox, so we shouldn't test it at all.

Re:NoScript! (4, Insightful)

calibre-not-output (1736770) | more than 2 years ago | (#38327248)

Yes, that's exactly what I didn't mean. The test was a test of Firefox (and IE and Chrome), not a test of "Firefox with some add-ons installed". Chrome has optional third-party security plugins too, and they also weren't enabled for the test. NoScript isn't a part of Firefox, doesn't come bundled with the browser, and isn't developed by Mozilla. Why should it be included in the test?

Re:NoScript! (1, Interesting)

TheGratefulNet (143330) | more than 2 years ago | (#38327302)

NoScript isn't a part of Firefox

every install I build has NS and adblock installed, at the very min.

the value of FF is its plugins. why is that not obvious?

it would be like reviewing an SLR and not using its raw mode. it's a slanted test, it's not fair, really. or a fast car that is not taken out to a racetrack for a proper test run.

FF by itself is not what people MEAN by firefox. not really. its value is its plugins and to test it 'bare' is ignorant and has a bit of market-speak to it that I find distasteful.

Re:NoScript! (1)

Anonymous Coward | more than 2 years ago | (#38327482)

It's not slanted, it's realistic.

Running it with all the best security enabled and all the best practices and extensions, that is taking the fast car to a race track with expensive tires and a professional driver. That analogy fits really well - taking the base model that 90% of users will have and run, adding stuff to make it better that most people won't, and putting it in the hands of someone far more capable than 90% of the users.

I mean, seriously. Look at your post. You're actually arguing that Firefox is better because you can make it do what you want with extensions. Security? We don't need that by default. The user should have to opt in to it. Because.... choice, or something. Freedom to get exploited! Yay!

Re:NoScript! (3, Insightful)

calibre-not-output (1736770) | more than 2 years ago | (#38327498)

it would be like reviewing an SLR and not using its raw mode

No, it'd be like reviewing an SLR without an external flash bulb. Raw mode is built-in to the camera, NoScript is not built-in to Firefox. NoScript, like the external flash bulb, is an optional feature that the browser/camera is made to accept, but also made to work without. Most Firefox users don't use NoScript, even though almost every power user does. Likewise, most people who buy SLRs are overspoiled teens who will never leave the safety of "Auto" mode and probably don't even know that you can swap lenses at all - but every serious photographer has a bag full of peripherals for each specific kind of photo they want to make. I've never read a side-by-side comparison of, say, a Nikon and a Canon camera where the reviewer concludes that despite being all-around worse than model B, you should still buy model A because it fits more different kinds of peripherals. It's the same thing with web browsers.

Re:NoScript! (2)

InsightIn140Bytes (2522112) | more than 2 years ago | (#38327500)

Most people don't use AdBlock or NoScript. That's what matters. You can disable scripting and plug-ins in other browsers too, and get practically the same results. But it's not a real world scenario, not how 99.9% of users use their browsers.

In fact ... (3, Informative)

Kaz Kylheku (1484) | more than 2 years ago | (#38326878)

The PDF paper trashes NoScript. That is to say, it is mentioned in a paragraph that basically states that Firefox has add-ons, and add-ons are a security threat. Nothing is mentioned about the security benefits that add-ons can provide.

Re:In fact ... (2, Insightful)

makomk (752139) | more than 2 years ago | (#38326960)

Chrome of course is "secure" because it protects against malicious extensions by restricting them to the point they can't actually do a lot of things people want them to do. Talk about spin...

missing "bug" from web browsers ! (1)

cosmas_c (1079035) | more than 2 years ago | (#38326754)

Kosmas Karavopoulos: I think all browsers are missing an about:cra(ppy) page :-)
(1st posted, or fluxed, if you like, on Facebook)

Very "common practice" (0)

Anonymous Coward | more than 2 years ago | (#38326760)

I read the article. I do not agree with some elements. For example, the first element, the process model, dictates there's a better process model than another. So by splitting processes and allowing a browser to run multiple independent processes instead of using threads or a flat model, they say it's automatically better. ... which isn't necessarily true. In order to make the multiple processes work, you must have a marshall process, and you can literally spam your computer with multiple processes, rendering it inoperable, instead of working with one single sandbox, where the system knows how to manage the complexity.

I do not say it's right or not, I simply say the research was made with a set of security elements that are more relevant to design consideration than actual security problems.

But it's still a very interesting read nonetheless.

Full story: I never directly participated in any browser coding, I use Mac Safari @ home (with Firefox backup for the odd site that doesn't work with Safari, like my bank's password reset page, oddly!), Firefox @ work (with IEx64 for the odd stupid site that only supports IE, yes they still exist!)

Won't hurt either (3, Interesting)

hal2814 (725639) | more than 2 years ago | (#38326778)

It won't hurt Google's fraying partnership with Mozilla. Their "partnership" is Google writes a check and Mozilla cashes it. I'm pretty sure Google can say or do whatever they want. It's not like Mozilla will stop cashing any checks that Google writes.

Re:Won't hurt either (0)

Anonymous Coward | more than 2 years ago | (#38326924)

I wonder if there's talk in Redmond about picking up Mozilla sponsorship so that the default FF home page is Bing.

That is a big deal. Google's sponsorship was not charity.

Switching to Chrome on Linux? (2)

yuna49 (905461) | more than 2 years ago | (#38326802)

I've read the first few pages of the report and intend to read the details about the three areas where the authors think Firefox is lacking -- sandboxing, plug-in security, and JIT hardening.

However I will point out the comparison applies only to versions of these browsers running on Windows 7. For Linux users, the comparisons might not be so important, though I'd obviously prefer a browser that employs technologies like sandboxing and enforces security on plug-ins.

If I switched to Chrome, how much privacy would I sacrifice to gain these security enhancements? I already use Google dozens of times a day, sometimes with a Google account. I use Ghostery to block most tracking cookies except for Google Analytics. I have some clients' sites subscribed to Analytics so I figure I should support the service myself. Would switching to Chrome provide Google additional information about me that it doesn't get now?

What about the state of plug-ins for Chrome? Along with Ghostery I use AdBlock Plus, ForecastFox and some download helpers. I won't switch browsers if it means abandoning the functionality available in Ghostery and AdBlock.

I could just use Konqueror or rekonq, but I've never preferred either of KDE's browsers to Firefox.

Re:Switching to Chrome on Linux? (2)

FoolishOwl (1698506) | more than 2 years ago | (#38326970)

You could use Chromium instead, as it's the open source basis of Chrome, and pretty much the same in functionality, but without the Google branding, and I don't think it sends usage data to Google by default.

Re:Switching to Chrome on Linux? (1)

calibre-not-output (1736770) | more than 2 years ago | (#38327556)

Even better, use SRWare Iron Browser. Also based on Chromium, but with a bunch of privacy- and security-oriented tweaks. AFAIK, it's nothing you couldn't do yourself while compiling chromium, but it's a lot more convenient like this.

Re:Switching to Chrome on Linux? (1)

Anonymous Coward | more than 2 years ago | (#38327920)

Iron runs an out-of-date build with known vulnerabilities, hasn't posted their source changes in a long time, and is widely accepted to be a scam [hybridsource.org]. By all means make your own decisions on browsers, but I think you're doing more harm than good with Iron. And if all you want is to run Chrome disconnected entirely from Google, the instructions are here [googleusercontent.com].

Re:Switching to Chrome on Linux? (1)

Bacon Bits (926911) | more than 2 years ago | (#38327640)

Ghostery looks to be available on all major browsers [ghostery.com] including Chrome.

There's an extension Adblock [google.com] which is similar to AdBlock Plus. It isn't identical, but other than issues with video-embedded ads (which I remember having with Adblock Plus occasionally) it works just as well as far as I'm concerned.

Other posters have mentioned Chromium. Here [google.com] are the major differences. "User metrics" and "crash reporting" are the only two differences with potential privacy issues, AFAIK.

Re:Switching to Chrome on Linux? (0)

Anonymous Coward | more than 2 years ago | (#38327950)

I prolly watch half of a dozen YouTube videos every day, and I cannot remember ever seeing an ad.

Re:Switching to Chrome on Linux? (0)

Anonymous Coward | more than 2 years ago | (#38328244)

It is a security study, not a privacy study. That study is in the works and is being funded by Facebook.

lemme guess... (0)

Anonymous Coward | more than 2 years ago | (#38326846)

google not only funded this study that says they rock, but they also advertise on/in forbes...

isn't that right out of microsoft's playbook?

chrome installs in insecure place (2)

Billly Gates (198444) | more than 2 years ago | (#38326852)

The folder has default write privileges. This is how a standard user can install it. It also means privilege escalations, DLL injections and other nasties. Worse, on XP the default user is a full admin without ASLR or DEP fully implemented.

Mozilla needs to stop drinking the Chrome-aid. (0, Insightful)

Anonymous Coward | more than 2 years ago | (#38327004)

This is basically the core of Firefox's issues. Up until version 3.6, Firefox was a respectable browser and it was enough for Microsoft to improve from IE6. But ever since version 4.0 and the rapid release "versions" that inflate the number Firefox has been crippled by breaking extensions, disruptive UI changes and over idiocy by the Chrome-aid drinking Firefox developers.

If Firefox is to be a good browser again, it needs to be forked away from Mozilla and taken over by good developers just like Xfree86 had to be forked into X.org.

Firefox still a single-process browser (5, Informative)

Animats (122034) | more than 2 years ago | (#38327090)

Many of the security issues mentioned in the paper for Firefox come from the fact that Firefox is, for historical reasons, a single-process browser. It's the last of the single-process browsers.

This is both a performance problem and a security problem. Even add-ons aren't yet running in separate processes. The Mozilla project to make Firefox multiprocess [mozilla.org] is behind schedule and in trouble.

"Fennec", the Mozilla browser for mobile devices, is already multiprocess. But getting that machinery into the main line of Firefox has run into problems, and, after two years of effort, multiprocess Firefox is now on hold. [lawrencemandel.com] "Converting an established product, like Firefox, from a single- to multi-process architecture requires the involvement and coordination of many teams. ... Electrolysis requires a large investment of resources and time and has a long timeline for completion. How long? At this point we do not have a definitive answer...."

Re:Firefox still a single-process browser (1)

TheLink (130905) | more than 2 years ago | (#38328018)

You can run firefox using different user accounts, and set up the user account privileges accordingly. You can have one for banking, one for slashdot and one for youtube or whatever. That way the main desktop user and its data doesn't easily get pwned just because the browser does. You can't do the same thing easily for Chrome or IE anymore.

Where multiprocess really helps is with memory use. Right now if some page or plugin or add-on leaks, with firefox you have to close the entire browser - all tabs, all pages everything, in order to return the memory to the operating system.

With chrome, you just close the offending tab, or at most the browser window, and the memory is freed. You don't even lose the session info - you can actually reopen the page again without having to re-login.

So even though firefox may actually use less memory and leak less, in practice because of its architecture the leaks cause more problems.

Re:Firefox still a single-process browser (1)

makomk (752139) | more than 2 years ago | (#38328332)

This is both a performance problem and a security problem. Even add-ons aren't yet running in separate processes.

On the other hand, plugins like Flash are run in a separate process and have been for quite a while. It does wonders for browser stability.

Yes.... (0)

Anonymous Coward | more than 2 years ago | (#38327120)

...we all know it's more important to fix things that aren't broken (https://bugzilla.mozilla.org/show_bug.cgi?id=435013) instead of really doing something for bloatfox...

What about Opera! (1)

stanlyb (1839382) | more than 2 years ago | (#38327156)

Is Opera not considered a web browser? What is the point of missing one of the best, and fastest web browsers!

Re:What about Opera! (2)

calibre-not-output (1736770) | more than 2 years ago | (#38327570)

This was a market-oriented study and Opera has a negligible market share when compared to IE, Firefox and Chrome. It's a pity. I really like Opera, but from a market standpoint it's irrelevant.

Re:What about Opera! (1)

Tyrannosaur (2485772) | more than 2 years ago | (#38328056)

I even did a word search through the document- it's not even mentioned :'( Google just doesn't want to deal with a browser better than chrome ;)

Sounds impressive, doesn't look it though (1)

Anonymous Coward | more than 2 years ago | (#38327474)

This study sounds impressive about all these complicated things that are beyond my area of expertise. However, one thing that is not is that they claimed to run this on Windows 7 32-bit; however, the images make it quite clear they are actually running the 64-bit version (most especially the "Program Files (x86)" directory does not exist in the 32 bit version of Windows 7). If they cannot get a simple fact like that right, how can I trust the rest of the analysis?

Firefox is still more secure. (1)

Khyber (864651) | more than 2 years ago | (#38327806)

See, with ABP and NoScript, nothing touches my computer without explicit permission.

It's that simple. These 'vulnerabilities' are mostly due to third-party shit (Adobe, JS)

Re:Firefox is still more secure. (0)

Anonymous Coward | more than 2 years ago | (#38328058)

Unless you are running something like CookieSafe, then tracking cookies are touching your browser. Unless you are running something like BetterPrivacy, then flash cookies are touching your browser.

Competitor-funded "studies" (1)

EmagGeek (574360) | more than 2 years ago | (#38327852)

Competitor-funded "studies" automatically lack credibility. Nobody expects a study by google to come to any other conclusion than "firefox sucks, use Chrome."

No privacy considerations? (0)

Anonymous Coward | more than 2 years ago | (#38327878)

Interesting that the full-text of the study does not mention "privacy."

The focus on malware is well and good as far as it goes. But privacy seems not to be a concern of these researchers. Such as, oh for example, Chrome's integration of URL bar with search bar... meaning every URL you enter gets sent to Google just-in-case it's a search term.

Yeah? And? (0)

Anonymous Coward | more than 2 years ago | (#38328318)

Still waiting on a working noscript for chrome...

don't be evil, but massive conflict of interest (1)

decora (1710862) | more than 2 years ago | (#38328392)

is a-OK! because, after all, we are the 'don't be evil people'. therefore, conflict-of-interest doesn't apply to us

Welcome To Software Politics (0)

Anonymous Coward | more than 2 years ago | (#38328412)

If we can destroy everything else, nothing will be left but the app stores.
