Versions
I didn't spot any mention of browser versions in the article and I don't want to read 20Mb of data. Can anyone more motivated help out?
Google Chrome offers more protection against online attacks than any other mainstream browser, according to an evaluation that compares exploit mitigations, malicious link detection, and other safety features offered in Chrome, Internet Explorer, and Firefox. The 102-page report, prepared by researchers from security firm …
Chrome 12 (12.0.724.122)
Chrome 13 (13.0.782.218)
Internet Explorer 9 (9.0.8112.16421).
Firefox 5 (5.0.1)
Also interesting to note:
"As of July, 2011 a combination of Google Chrome, Microsoft Internet Explorer and Mozilla Firefox represent 93.4% of all users accessing the Internet [W3_Schools_Market_Penetration]. While other browsers would have been interesting to compare, in the interest of time they were excluded from this study."
So, test two versions of Chrome, but skip Safari and Opera, because they would take too long.
Opera may only have a tiny sliver of users, but leaving it out proves to me that this study wasn't really meant to test which browser is more secure, just which browsers make Chrome look better. Only mentioning FF and IE, and leaving out Safari and Opera, is just not a good study for "best". Even if those browsers didn't do as well, I'd still like to see the results...
Then again, in my recent study involving myself, my son, and two college guys, I've determined I'm the oldest man in the world!
If I was a security researcher I'd be very happy getting to 93.4% coverage.
Any rational study has to do cost benefit analysis. Two versions of chrome may seem excessive, but they seem to be taking the perfectly rational approach of getting the largest shares in first. This produces the most cost effective measurement of the market.
Why bother with around 1% of the UK market (go see Opera's market share) when there's nothing wrong with the rest? From a business perspective it's simply not worth it.
Hummmm..... comparing mainstream browsers with more secure browsers might mean people use more secure browsers, which in turn would mean the more secure browsers become mainstream because they are more secure.
Simply comparing a top 3 popular browsers doesn't really do much for benchmarking in a report comparing security of browsers. It would be a sensible include browsers with claimed security credentials along with the usual top browsers to give balance of what is possible.
They left out Opera, which has historically had the best security track record of them all... Seems like an intentionally knobbled set of results.
How can they claim that when Google sponsored it, and they excluded a browser that sits of the tree for security, that it's impartial. Here are some results based on the real world...
Google Chrome 159 - http://secunia.com/factsheets/Chrome-2011Q2.pdf
FireFox 72 - http://secunia.com/factsheets/Firefox-2011Q3.pdf
Internet Explorer 25 - http://secunia.com/factsheets/IE-2011Q3.pdf
Opera 36 - http://secunia.com/factsheets/Opera-2011Q3.pdf
I hope they've managed to program the sandbox to a higher quality than the browser itself which has over twice as many known security holes as Firefox, six times as many as IE, and four times as many as Opera.
Maybe Safari's not there in this sponsored test because if the other mainstream WebKit-based browser has fewer holes then questions start to be asked.
If a sandbox for Firebox or Opera is that important, it can be run with user privileges instead of admin privileges (which is what I do incidentally).
Can we avoid the inevitable "You didn't mention Opera!" "Only losers use Opera" flame war and stick to actually figuring out if there's any merit to this study? I mean they didn't test the browsers' Linux versions either (believe it or not there are people who actually run IE on Wine. No, I can't figure it out either unless you're a developer and then a VM would probably be easier) but hey, let's deal with what we have, OK?
The one disappointment for me was that Safari was not on the list. I believe the point was to show the most commonly used browsers. Safari IS on that list. I agree that if the point of the study was to showcase security then it would not of hurt the researchers if they added Opera. There are some pretty rabid Opera fans out there who insist that it is the most secure. Which is fine and great but it is one of those things where if no one tests it how can it be proven. To bad Opera didn't join in the party and have their browser tested.
Round 2...Fight?
My opinion of Chrome would have increased if MS had sponsored this survey and Chrome was shown to be clearly superior to IE and Firefox.
As Google sponsored the survey and the survey showed Google's Chrome was the best, I'll stick to treating this as there might possibly be security issues with other browsers but I will wait for an independent source to verify them before changing to Chrome.
I read that process creation was allowed by IE and Firefox. So, why don't we see loads of DOS attacks based on maliciously launching a command prompt with FORMAT C:?
There is presumably more to that comparison table than meets the eye, so presumably Chrome's long list of green ticks isn't quite as impressive as it looks.
So you invest the 10 minutes or so it takes to figure out how to script it, and then send it to all your friends running XP. XP still has an appreciable fraction of the market, so it would still work.
Moreover, if *today's* browsers are still open to this attack, presumably in the years before Win7 turned up, you could have used the same attack on just about all Windows users. (Vista's market share has always been insignificant.)
History suggests that this didn't happen, so presumably Firefox and IE aren't as open to attack as this report suggests.
I use Chromium for my grad school email since the university has been assimilated by Google anyway-- and it's nice and fast though I dislike the UI-- but until I have NoScript/AdBlock/BetterPrivacy/RequestPolicy on Chromium... they can have my Firefox when they pry my cold, dead, fingers away from it.
Tried out chrome when FF was having some issues with sites, ended up removing and reinstalling. What I liked about FF was when I quit the program it did not stay in memory just in case I wanted to use it.
Chrome's adblock and other mods are all seperate processes that are memory resident
No surprise that google won a google sponsored comparison that missed out opera and safari
Why is that relevant? I'll bet a lot less than 10% of FF users have that setup. Most browser users have the default install and only geeky little nerds have anything else.
But the point is that this is a test on the default install. You can make any browser more secure without installing externsions or plugins, just by changing your settings.
...plus Sandboxie. Then you'd be getting somewhere. Remember that one of your trusted sites can become compromised, and there goes your NoScript protection. Statistically, more than half the malicious websites out there are legit sites that got compromised.
FireFox's lack of sandboxing or Low-integrity operation is hard to excuse.
Just because it's a browser, doesn't mean you need the exact same plugin to get the exact same functionality?
Chrome, like any webkit browser, comes with dev tools: hit ctrl-shift-I and there it is, doing everything for you in Chrome that dragonfly does in Opera, and firebug does in Firefox. Except you don't have to install it yourself, it doesn't slow down the browser (the current complaint by people working on firefox on the mozilla side), and doesn't require you to constantly phone home to your browser's maker (like dragonfly, which sends the page data to opera.com for analysis, unless you install it locally, at which point it becomes really slow).
"secured" (and really should read "sandboxed")
That says it all. There was no attempt made to assess the security/vulnerability of the browsers. Just "how strictly is the stuff sandboxed". It's nice to know, but shouldn't be mistook for actual security.
Cars with more airbags are not less likely to have accidents; a reliable braking system, good road holding, etc are more important (the consequences, however might or might not be mitigated).
The interesting thing here is that FF is still largely funded by Google. As such if Google were showing any bias you'd expect FF to come second. The fact that it didn't might point to there being no bias, or more likely there was no way the authors could fudge the report in such a way that would put Chrome first and FF second.
The only time I ever picked up a drive by download that actually infected my system with some potent malware was when I was using Chrome.
Admittedly it was over a year ago and before Chrome went mainstream, but it reminded me never to trust the security claims of any software. I foolishly believed the claims made for Chrome's sandbox and promptly got bitten. It was around that time that I found NoScript and to this day I'd take FF+NS over anything else.
That would be taking prejudice to the other extreme. It's not about who funds it, it's about whether the report stands up to scrutiny. Someone paid to have the research done. Can you refute the claims derived from the data gathered? Good. Tried, but can't? Also good. Not bothered to? A failing party are you. It's easy to wave away research because a party that may benefit from the result, should it turn out in their favour, shoved some money at some people to do the research for them, but that's also demonstrating exceptionally poor critical thinking skills.
You dont need to be able to refute the claims. Chrome may well be the most secure according to their criteria, but they may have looked at the browsers using many different criteria and chose the ones that gave the results they wanted. What they say may have some merit, firefox ought to ad sandboxing, but this doesnt mean ff users should switch to chrome.
I agree that a standard profile should be part of a Linux distro. On the other hand, different enterprises might have different ideas about how to lock down their firefoxes (and other programs such as OpenOffice or g++). That's why it might be best left to system administrators of an organization to define the AppArmor profile for their user base.
World's 3 most popular? Taking into consideration WinXP's still high market share numbers their choice to use IE9 in the testing indicates they were using some other performance metric than 'popularity'.
...and I agree with the numerous posts that Opera should have been included. This study lost some relevance to me as Opera has more than earned its status as a modern, viable web browser.
Im not sure wether google have done it deliberately, but Chrome is not a comfortable user experience for me despite being fast and accurate.
I use my book marks to go to the same sites and forums every day, in FF and Opera the bookmarks are always on the left of the screen, along with the close buttons.
In Chrome, the "other bookmarks" are over on the extreme right, with the close button or arrow on the left. It makes it hard work going back and forth , wereas in FF and opera its much more intuitive so quicker to browse.
Opera 3 was superb in its day, along with Netscape 3 , just as fast as the modern equivalent.
Interested in other users opinions.
.
If you visit sites a lot then "pin" them from the tab bar context menu. The tab will move to the left hand side and only the icon will show. Pinned tabs open automatically when you open Chrome.
Here are some keyboard shortcuts:
Bookmarks: f6, then type a few letters of the site name
Close tab: ctrl+w
Close Chrome: ctrl+shift+w
Back: backspace or alt+<left arrow>
Search: ctrl+e then type
New tab: ctrl+t
New window: ctrl+n
Downloads: ctrl+j
New bookmark: ctrl+d
...and many more
That irritated me too, so I looked at the code. Curiously, although the user can move other bits of the UI, the "other bookmarks" button is treated as an exception and fixed in place.
In addition, this makes the bookmarks heirarchy always cascade to the left, which seems unnatural to me. Maybe I should learn Arabic.
A conspiracy theory explanation is that, for Google, bookmarks are BAD, because you can get to a site without using Google Search to find it.
Just look at the source for yourself. Full of char* and other plain pointers (as opposed to much more safe smart pointers).
Then using "modern" STL containers such as vector, which feature unchecked index operators and unchecked iterators. libpoppler (the major open source PDF renderer ) even sports void* containers. You can store everything in these containers, clever ain't it ?
All that to make these programs 10% faster than using smart pointers and range checked containers/arrays/strings.
I've been using Chrome for years and have found it to be an excellent browser. I migrated from Firefox, as the update procedure - both for the browser and extensions - was hugely inconvenient and interfered with my browsing. Chrome has a better interface, better security, better standards support and, most importantly, better performance. Firefox used to be my go to browser but it just didn't keep up with the competition and inherited many of the problems that people criticised about Internet Explorer (problems with performance, standards support, security, etc).
Don't get me wrong, if Chrome starts to fall behind the competition then I will switch just as quickly. Afterall, it's only a web browser.
.. and if they have, it's only because their geek mates say its infested with ad ware.. (they are still hanging on to the decade old news, when ads were used to sponsor development..)
go on, go to a student union near you and say "what do you think when I say 'opera' , and 'firefox' ?"
NO! YOU try.. :P
Hey, you do know that only the top 10% of people know THIS place *exists* , never mind them being able to find it???
now if Opera was not that shy to advertise aggressively, like Mozilla back then, they might now even be as 'recognizable' as FF...
I will raise you 270,000,000 .... and that was 2 years ago!!
http://downloadsquad.switched.com/2009/05/05/how-many-firefox-users-are-there-mozilla-estimates-270-million/
If the current Internet population is about 1.5 billion and Firefox has 22.8% browser share, that works out to roughly 342 million users. Either way, impressive numbers for the open source browser.
hey I'm hopeless at math, but it looks like opera (by YOUR figures!) has less than 7% ??
I you read that opera link, you will know desktop opera only has 50 million, so much less...
you work it out... :)
You do make a good point about WinXP... maybe I should have said "3 most popular _current_ browsers".
I definitely would like to see the study extended to Mac/Linux versions of Chrome/FF, and Safari on Win/Mac... but I still think Google are fine not to pay for testing every combination, since they let us do this.
Surely it makes better sense for browsers to focus on being good browsers and for separate security suites to focus on security. OK that's not a license for browsers to be full of holes but as a consumer I'm not happy to if my annual "Norton tax" still leaves me vulnerable to attack.
I would be quite happy to take the results of this 'independent' study at face value except for the fact that all of the tests seems to have been chosen to favour Chrome.
For a start they tested two versions of Chrome and yet excuse not testing some other contenders due to limitations on resources - a clear bias right out of the gate.
Then, over all of the individual tests (highlighted in the article) Chrome gets a tick for every single one - scoring a golden 100%. In not a single aspect was IE or Firefox better than Chrome? I find that very hard to swallow. Usually competing products have different pros and cons!