One Browser to Rule them All?

Published: 2011-06-09
Last Updated: 2011-06-09 19:24:43 UTC
by Richard Porter (Version: 1)

A reader emailed in to ask, in short, which browser is currently the most secure and how to stay up to date on the different browsers. Since Chrome has an update today, it seems fitting to post the answer as a Diary.

Before the browser war ignites, let me be the first to say that, in my opinion, "It Depends." Chrome [1] is regarded as a very safe and secure browser, but when you get to the number of lines of code in any browser architecture, it is hard to say [3]. There has been some great research on lines of code in different systems [4], and when you get to that level of complexity, errors are bound to occur. There are several different schools of thought and many books on this subject, but what I am getting at here is complexity and trust. At some point you have to trust the development team that wrote the code for the browser, the operating system you are running, and how you have deployed your browser.

Second, the browser, or the technology, is only part of the matter. You still have phishing and the human factor. Even on the most secure platform, the user can be tricked [4].

Another commonly accepted deployment strategy is Firefox with the NoScript and Adblock add-ons. Research into your specific deployment scenario and resources is the key to identifying what works in your environment. InfoWorld had a great article on securing different browser types [5]; it is a little old but still relevant.

The Pwn2Own contests held at some of the CanSec conferences can lead to some good reading on this subject [2].

In the end, a huge browser war will ignite over which is the most secure, but as organic as features and code have become, it is arguable that the best way to secure your environment is layers of defense. Finally, check out the SANS Reading Room for papers on the subject. Specifically, refer to a paper written by one of the SANS GIAC students [6].

And to our Reader who wrote in, stand by for the heavy opinions on the subject. To our readers, please comment on your experiences or how you stay current.


Richard Porter

--- ISC Handler on Duty

Twitter: Packetalien

Email richard at isc dot sans dot edu
