Which browser is safest? The browser wars are back and this time you win

Filed Under: Adobe Flash, Featured, Firefox, Google Chrome, Internet Explorer, Privacy, Vulnerability

Browser logosSeveral media organizations have recently reported that Chrome has bypassed Internet Explorer in worldwide browser market share.

Here at Sophos, we don't keep track of that sort of thing, but we have seen a major change in browser marketing over the last 24 months. The browser makers are selling security.

Microsoft has been promoting Internet Explorer 10's security chops, which will ship later this year with Windows 8 and will reportedly be made available to Windows 7 users as well.

The new version of IE will be a full 64 bit application on 64 bit Windows, increasing the difficulty of bypassing exploit mitigation techniques like ASLR. IE 10 also introduces a new setting called Enhanced Protected Mode (EPM). EPM adds several new sandbox-like technologies and introduces the concept of plug-in-free browsing.

Firefox logoMozilla is preparing to launch Firefox 14 any day now with its own set of security-enhancing features. Firefox will now default to using HTTPS for search queries submitted to Google. This is a great improvement for privacy and it appears that the Firefox developers are exploring similar features for other search engines.

My favorite new Firefox feature is the "Click to Play" plugin preference. If you enable this feature (plugins.click_to_play under about:config), websites containing content such as Flash or Quicktime will be blocked by default, to prevent drive-by exploitation. If you wish to see the video, you simply click on the box to enable the plugin.

Chrome 20 was released last month, and attempts to get a grip on malicious extensions being distributed on Facebook and other sites. The latest version of Chrome will no longer allow extensions to be loaded from any web page other than the Chrome Web Store.

Chrome logoAdditionally, Google has begun screening applications submitted to the official Web Store. It is a bit shocking that Google wasn't doing any screening before - but better late than never.

The Google Chrome team are now bragging about Chrome 21 including a fully-sandboxed version of Adobe Flash for all versions of Windows.

(Adobe released a sandboxed version of Flash for Firefox in June. The differences between the Firefox and Chrome sandboxes is unclear.)

With the browser developers trying to gain market share and using security as a competitive advantage, we all win.

Security doesn't need to be annoying or difficult and when implemented elegantly is an advantage. Hopefully the developers of Java are listening and will try to catch up with Adobe, Microsoft, Mozilla and Google.

, , , , , , ,

You might like

58 Responses to Which browser is safest? The browser wars are back and this time you win

  1. Duncan · 836 days ago

    I was toying with upgrading to win 8 until I heard a number of unfavourable reports from friends, and nothing positive from anyone. Still persevering with Vista, which falls over if I try and install IE 9. Chrome seems about the fastest, user friendly browser available for non 'geek chic' users like me. With AVG free and Spybot S&D in tandem, seems pretty much attack proof.

    Incidentally, whilst Microsoft's spell check is going bananas, 'unfavourable' is spelt with a 'u' in England (where the language was born) - geddit y'all?

    • Chester Wisniewski · 836 days ago

      I think if you choose English (UK) in your language preferences it is smart enough to figure that out. I have mine set to English (Canada) and it knows the strange mix of British and American English we use here.

    • Paul Ducklin · 836 days ago

      Technically, you could probably say that English was born across the Channel, somewhere on the North Sea coast, in roughly the region where the Dutch/German border is today.

      IIRC, the "u" in "favourable" is a comparatively recent insertion, and wouldn't have been there during the language's nascent period.

      To the best of my knowledge, the Americans took "favor" with them on the Mayflower, and never got around to Frenchifying the spelling later, as they were busy with other tricky linguistic stuff, such as working out what to call maize.

      (They settled on the word "corn", which wasn't inaccurate but _was_ undeniably confusing :-)

      Oh...on a related security matter....darn! Can't think of one.

      • Guest · 836 days ago

        Are you saying that "favour" is an exception? From what I read in the Wikipedia, the -our endings came into the English language with the Norman conquest of England, which they date at 1066. Before that it was either -ur or -or. It says the Webster's 1828 dictionary is given much of the credit for the -or endings in the USA.

    • Mr Oh · 835 days ago

      Haha. You call moving from Vista to Win 8 an upgrade?

      • Rifleman · 809 days ago

        I know nothing about Win8, except I got real sick of MS coming out with a whole new OS in progress every few years. About the time they get most of the bugs worked out, they release a new half-baked OS. Anyway, to me, anything is an upgrade from Vista, even XP.

    • Lee · 834 days ago

      Upgrade to Windows 7 from Vista and looking better than 8 at the moment. Far better!!!

    • bob3160 · 821 days ago

      Nothing wrong with Windows 8. You've just been listening to the wrong friends.
      It's faster, lighter and more secure. It certainly put Vista to shame.
      I've even been able to run some of the old 16 bit games which I had to shelve after installing Windows 7.
      If you hurry, you can even insure getting Windows 8 for less than $40.00.

      • Rifleman · 809 days ago

        Win7 was noticably lighter and fast installing, but won't run a lot of my older software. I would think with the RAM, processing power, and OS capabilities available these days, they'd be able to create a backwards compatible environment for even the old DOS sims.

    • Rifleman · 809 days ago

      I hated vista enough, myself, to go back to XP64, but recently had to upgrade to 7 to use the hardware features on my Mar2012 LGA2011 build. I usually wait until at least one service pack is out. I must say, Win7 is stable, had every driver I needed, and is easy to install and set up on a hot build (I do a lot of CAD/CAM, I don't know how it performs on a modest build). Most of my problems with it so far, are more along the lines of interface annoyances. They're coming out with 8 pretty fast though, so I have to wonder if there's a serious flaw somewhere in 7.

      Back to the subject at hand, I used to associate mozilla software with spyware, so I shy from them. I'm coming to associate google with spyware, so i shy from them. I'm using IE9, and I dislike it enough that I'm looking for something else.

      I don't know much about AVG, but the S&D folks have saved me enough time and trouble to send them money every so often.

  2. Frank · 836 days ago

    Safari isn't even worthy of a mention! haha

    • Chester Wisniewski · 836 days ago

      Not true. Safari and Opera are worthy, but I can't cover every single browser and still have time for lunch :) Safari and Opera have been making lots of improvements as well.

      • frank · 836 days ago

        Are you going to update it or leave it as is?

      • I thought Safari was a major security breach when installed on Windows?

        • ddddddd · 835 days ago

          Indeed, it also causes massive performance problems and thrashing of my hard drive, just uninstalled it immediately.

          Same thing BTW for iTunes, it had a major security problem left unfixed for years. It was used in Syria to spy on people.

      • Erinn · 835 days ago

        You titled the article which Browser is safest, yet to fail mention Opera. Maybe it should be re titled Which Browser is most popular. Hopefully lunch will over soon.

      • Rifleman · 809 days ago

        Thanks, keep us up to date. I'm looking for a new browser, and though the ones featured are currently at the bottom of my list, the info on what is happening with them is still very useful. And thanks for using a comment moderation sytem I'm registered with, it's easier to keep track of a few usernames and PWs than a lot.

  3. Karan · 836 days ago

    I'm using google chrome an can not get into one of my favorite games in facebook. i have contacted zgyna days ago with no response. IE is even worst for the loading problems i'm having. my flash player is up to date an history has been cleared. i'm at a loss i have asked many people about how to fix this to no avail. thank you for your time an site

  4. Espen · 836 days ago

    Opera.....?

    • Chester Wisniewski · 836 days ago

      Opera's security is actually quite great. Sandboxing, "click to play" like plugin loading, etc. Opera Mini is more concerning as it surfs through Opera's proxy servers, but that doesn't mean they are spying on you.

    • Isar · 836 days ago

      I switched to Opera, and am loving it. And Espen is right: why isn't it mentioned here? The reason I switched was that I read if you turn on Opera's Turbo feature, it adds a level of security, and makes it harder to be tracked. What I've ended up with is a much faster surfing experience. The speed change was quite dramatic. Mind you I was using the latest version of IE for Windows XP (premium), which is quite old. IE was constantly crashing, freezing, and self-closing. All that has changed. Wish I'd known about Opera a long time ago; would have had a lot more hair :-)

  5. Mauricio · 836 days ago

    My favorite is IE9, I'd use it full time if it had an HTTPS Everywhere option/plugin. Chrome and Firefox (I'm currently using Waterfox, a x64 Firefox variant) crash a lot and use up to much RAM.

    • fffffffffffffff · 835 days ago

      Try Firefox Aurora, it uses less RAM than any other alternatives, and is Faaaaaaast!

      And BTW, IE9 using little RAM is only an illusion, it uses a lot more than it seems to because a lot of it is loaded 24/7 in the OS already.

  6. Andrew · 836 days ago

    Since IE became embedded in the operating system, it has been the least secure browser for 2 reasons.
    With ActiveX it has a larger attack surface (adding plugins to any browser increases their attack surface also).
    A compromise of the browser is a potential compromise of the operating system as well.

    • Chester Wisniewski · 836 days ago

      ActiveX is disabled by default in IE 10 for internet tabs. I won't defend Microsoft's other choices, but the ActiveX threat is largely mitigated.

  7. Ted · 836 days ago

    Let's hope we can get David Rice at Apple to keep plugging away at the Apple hierarchy to make a super safe browser out of Safari.

  8. opti · 836 days ago

    i use opera.
    everything feels stupid
    still chome for banking and checking bills; but only because so many 'secure' sites refuse to acknowledge opera as a contender

  9. Sponebob · 836 days ago

    i WANT to go to Chrome because I am a huge Google fan but there are two reasons I cannot.

    1) There is no drop-down rss feed reader for chrome. In firefox, I simple att a new rss feed in the toolbar and ,wa-lah, drop down rss feed with auto update.

    2) There is no "gmail manager" add on.

    • cs2012 · 835 days ago

      Being a fan of a company? Srsly? I thought fanboyism was already dead and superseded by common sense

    • viverra · 834 days ago

      There are several good gmail add-ons with varying degrees of management capabilities. I'm currently using "simple mail checker for gmail", because it has excellent notification options for multiple accounts.
      I don't use them, but I believe there are several rss feed add-ons as well.

  10. matt · 836 days ago

    I usually avoid the OS/DE (operating system/desktop environment) browsers as a means of compartmentalizing.

    I don't use Konqueror in KDE.

    I don't use Internet Explorer with Windows.

    And I wouldn't use Chrome with Chrome OS.

  11. Mario · 836 days ago

    I use Firefox and it's my favorite browser. I switched to it from Internet Explorer last year, and I'd never go back. Safari is ok, but I think it's just too basic and un-customizable.

  12. The Green Wizard · 836 days ago

    I use Opera since 1998, and I had only once troubles with banks, I send them a very unpleasing email and eventually they changed their way of selling IE. I use for security reason Comodo Dragon, it's based on chrome with more security....that's what I was told.

  13. Mark · 836 days ago

    I use FF because of NoScript. Chrome sorta has one but I find it harder to use. IE doesn't have one at all, I don't see how anyone could surf without it.

  14. wolsonjr · 836 days ago

    Opera since about 3.0.
    Have others on hand and use them occasionally, but Opera is my 90% on several Linux and several windows

  15. Opera, at home. It's quite amazing and had tons of features long time before Chrome and Firefox. It's the best out there.

  16. guest · 836 days ago

    what about TOR browser(s)???...

  17. Cameron · 835 days ago

    Use Tors! Problem solved.!

  18. mrssmith · 835 days ago

    I use Comodo Dragon too for the reason given above

    I keep trying Opera but probably don't spend enough time with it

    I use IE for sites [to do with work] that won't function with Dragon

  19. Sushi Dude · 835 days ago

    In response to the last sentence... what does Java need catch up on?
    Most attacks that involve Java do not actually exploit a vulnerability in the latest version Java as they are Trojans. They ask the user for permission to run on the system.

  20. Grant · 835 days ago

    I don't know which browser is safest. I use Firefox most of the time. Every browser has flaws & in the 16 years I've been using the Internet, the one thing I've learned, is there is no such thing as a safe browser. One reason being, the browser is man made, (how many man made products are free of flaws) the other is the one "extension" of the browsers that doesn't get enough attention, the user at the keyboard.

    I haven't used Chrome for the simple personal reason, that I do not want to give Google any more power than they already have. I do not like the way the Internet has turned into a place where corporations (Google, Facebook, Microsoft, Adobe, Sun etc,) control so much of the way our computers interact from the keyboard commands to the webpages.

  21. giselle · 835 days ago

    If they can just get Chrome to stop crashing all the time...

  22. roy jones jr · 835 days ago

    I use 3 browers at work. 3!!!! Why? because all of them do have their own issues. Speed is a non-issue. I can go to one site on Internet Explorer with no problems and Opera could not load it without several refreshes. Or I would use firefox for one page but then it would freeze on another.

    Sometimes its the server running the site thats the problem, not your browser. there is no safest browser.

  23. mittfh · 834 days ago

    At work I tend to use all three browsers installed:
    * Internet Explorer for the information management system we use - even the latest release is still optimised for IE 7 (although IE 8 and 9 are supported in Compatability Mode)
    * Firefox for most 'net surfing
    * Chrome for Webex webinars by the supplier of our IMS - they refuse to run in IE.

    At home, a mixture of FF and Chrome (although since I've acquired a Raspberry Pi, I'll probably start using Midori as well!) - FF for almost everything (at least in part due to the huge number of extensions and tab grouping), with Chrome for if something starts misbehaving in FF (and for Google+ since, unsurprisingly, there are more extensions relating to that social network for that browser than FF).

  24. Oxfordshire Bob · 834 days ago

    Well, according to an article I read on Security Focus at the start of this year, Google has more security flaws in their TWO main products, than the whole of Oracle and then all of Microsoft's products combined. I used Chrome ONCE - and never will again.

    I use IE9, FF, and Opera. Most of the time Opera. I am a Techy Geek with a strong security background. Most of the time the problems are not the browser, but the organic interface, and then all the additional plug-ins said organic interfaces install, and their bad habits.

    At the end of the day, the only SECURE system is one in 100 cubic meters of concrete at the bottom of the ocean with no cables attached. After that, we have to educate USERS who still think computers are only for geeks....

  25. Mason Graham · 834 days ago

    I have the latest version of Chrome 20 and have yet to have an issue with loading an extension from a non-Chrome Web Store location. e.g. userscripts.org.

    I understand downloader beware, however I have posted personal scripts that only assist myself and others with an online game we play. One beauty of Chrome was not having to have GreaseMonkey to load the script(s).

    To date no issues.

  26. Internaut · 833 days ago

    I can't believe that there are people who are willing to fork out a couple of hundred dollars for yet another Windoze O/S. Remember DOS? MS never got that right, and had buggy insecure Windows 3.1, Win95, 98, 2000 Millennium, XP, Vista, Windows 7 and now MS is convincing the gullible to hand off another $300.00 a pop for another kick at the can?

    Of course, to get it, one will need to upgrade RAM, their CPU, and new Office, new browser, new security, and slumber along nervously waiting for the first Service Packs, security patches, bug fixes, updates and upgrades.

    I can appreciate a choice of browsers, but it's more about keeping up with the Gates's than providing a secure Internet experience. Browsers are built and upgraded to work with the latest Windows O/S's, sharing each others bells and whistles.

    What I'm seeing in the browser war is each are implementing the most popular public built apps in to their browsers and changing the version numbers - much like MS does with Office - change the icons, buttons locations, mess around the visuals and re-sell it as something new and great and, very necessary if you want to keep up with the Gateses.

    New browser? When ever any new software is released, it goes through a secondary beta test - every 'upgrade' to a new version, is a end-user beta test. Then there are the numerous security patches, bug fixes, updates, and need to upgrade to a new anti-everything software, learn a new email program, and lest we forget the upgrade to another insecure, buggy, expensive Windows O/S.

    I'll wait until the public is done beta testing Windows 8 and the browsers have settled back down before I throw money away just to brag I have the latest statusware.

    The sky is not falling! Lean on the "Upgrade Later" key.

  27. roz · 833 days ago

    You mentioned the Firefox feature "about:config plugins.click_to_play" How do I install it? Have looked under tools and add on manager and have yet to find a way to access it. I use a mac for work and home but am not a professional computer expert and would appreciate your help. Thank you.

    • Mario · 826 days ago

      Type about:config in the address bar, go, and click past the warning screen. Then, search for plugins.click_to_play, and change it's value to "true" by double-clicking it.

  28. for gods sake when will flash go away? I cant even use Firefox to watch videos any more. Please make it go away!

  29. omgitshim · 821 days ago

    Palemoon............A 64 bit souped up firefox...Can't beat it

  30. demonchild · 821 days ago

    And where is Safari in all this mix??? Not all of us are window zombies, and still use older Power Mac's and Laptops.

  31. peter · 715 days ago

    I got Comodo dragon browser safest best browser ever so many security features o a chrome base browser, also use there antivirus can now get 30 day trail and their pc cleaner had no problems u b mad not to try it i been using it for months now very fast and safe excellent parent control

  32. Marcia Jones · 613 days ago

    Thank you, Chester for this site. I learned a lot by reading all the comments and the answers to the comments.

    .

  33. DarkHorse73 · 266 days ago

    Why does no one ever include additional programs in these comparisons, like Comodo's browsers, Dragon (based on Google Chrome) or IceDragon (based on Mozilla's Firefox), or their Internet Security program? They have a ton of other security related programs on their website. Many of them for free, too. (comodo.com).

    • You can't cover every possible browser, so more often than not we have to choose the top 5 most popular. People interested in browsers with less marketshare often have the skills to look a little deeper for information. Sorry, but there is only so much time in a day.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.