March 20th, 2009

The browser battle: Where does security fit in the evaluation process?

Posted by Larry Dignan @ 4:53 am

Categories: Apple, General, Google, Microsoft, Security, Web Technology

Tags: Mozilla Firefox, Apple Safari, Microsoft Internet Explorer, Web Browser, Google Chrome, Charlie Miller, Chris Duckett, Web Browsers, Security, Internet

With the launch of Internet Explorer 8 as the latest volley in the browser wars—IE vs. Firefox vs. Google Chrome vs. Apple’s Safari—there’s a lot of talk about speed, browsing improvements and rendering engines. Where does security fit into the equation?

Frankly, when I’m evaluating browsers—I use IE, Firefox and Chrome daily—security rarely enters the picture. Apple’s Safari is the odd browser out for no reason in particular, but as hacker Charlie Miller notes, Safari is the easiest to pop.

As you ponder the browsing security topic you must peruse Ryan Naraine’s interview with security researcher Miller. He’s the one who broke into a fully patched MacBook via a Safari vulnerability. Safari, Firefox and IE were all exploited this week in the Pwn2Own contest.

When it comes to browsers everyone has an opinion, but security rarely is a part of the conversation. Ed Bott talks usability for IE 8. Chris Duckett wants Canvas support for the latest IE. Others are Firefox loyalists. A growing percentage uses Chrome and naturally the Mac crowd has its Safari. Where does security fit into the equation? Will there be a day when consumers put browsing security front and center?

The lessons learned from Miller:

Safari on the Mac is an easy mark. Miller tells Naraine:

Safari on the Mac is easier to exploit.  The things that Windows do to make it harder (for an exploit to work), Macs don’t do.  Hacking into Macs is so much easier. You don’t have to jump through hoops and deal with all the anti-exploit mitigations you’d find in Windows.

Vulnerabilities have a market value. That means you need to ponder what browser bug could deliver the biggest bang for a malicious hacker. Miller notes that an IE bug is worth more than a Safari one. 

Firefox on Windows is hard to exploit as is IE 8, according to Miller. 

Google Chrome is tough to exploit because it takes a sandbox model—that’s how Chrome can keep running even though a site crashes. In other words, a site crash means Chrome just loses a tab, not the whole browser. However, Miller notes that if there’s enough money on the table Chrome could be exploited.

Will these security factors matter more than add-on support, neat usability features and raw speed? Not just yet, but ultimately security will matter more—at least to the enterprise. In the not-too-distant future the Web browser will increasingly be running applications. That’s what Google’s Chrome launch was all about: The search giant wanted a stable platform for its Web apps.

And if you’re going to be running applications and sharing important data via a browser, security is going to matter—a lot.

Larry Dignan is Editor in Chief of ZDNet and Editorial Director of ZDNet sister site TechRepublic.

Most Recent of 15 Talkback(s)
Really?
Miller exploited the Mac using a URL and had the machine completely under his control in 10 seconds.

Furthermore, the mac was hacked on Day 1 twice with 2 different exploits - both hackers said it was easy. That's not encouraging stuff, my friend. ...
Posted by: eMJayy Posted on: 03/25/09