Chrome Browser Sets Security Standard

Status
Not open for further replies.
"All browser makers should take a page from Google's Chrome and isolate untrusted data from the rest of the operating system, a noted security researcher said today."
Link To Article

The browser and a few extensions work well for me. I use it in both Linux and Windows environments. There is a version customized for Mac O/S too.
 
It's like I've said before, anytime you're able to isolate your browser from the rest of your OS, you're safe.

That's why I use Sandboxie--FREE
 
The way Chrome isolates itself from the system, while better than nothing, hardly compares to the way Sandboxie isolates applications. It's like a wood fence compared to a 3 foot thick steel wall!
 
Originally Posted By: Drew99GT
The way Chrome isolates itself from the system, while better than nothing, hardly compares to the way Sandboxie isolates applications. It's like a wood fence compared to a 3 foot thick steel wall!


Agree
 
One of the last people I would believe when it comes to computer security would be ...'a noted security researcher'... These are the people who recommended Firefox over other web browsers in spite of problems with security with Firefox add-ons and in spite of the fact that there is probably no real solid evidence that Firefox is really more secure than any other web browser. I imagine now they will recommend Google Chrome and they will hope that nobody will remember what they had written in their previous books.

And regardless how secure or insecure Google Chrome is, users better not forget the problems that Google has had with privacy and security. If you use GMAIL and there are potential privacy issues there what difference does it make if Google Chrome is secure? When a company develops a history of privacy issues I am not ready to use their products and services.
 
And before someone decides to attack what I am saying I am going to say this: For years various so-called 'security experts' have been giving bad advice to ordinary computer users.

These people recommended that people use Firefox instead of IE because 'Firefox was more secure.' At first Firefox probably was more secure. It had a small user base and few of the evil people targeted it. But clearly today the bad people are targeting not just Firefox but the websites of independent developers who develop add-ons for Firefox. My personal guess is that Firefox and Google Chrome are no more secure than IE8 with InPrivate Browsing turned on. And if you visit the wrong website and get hit with a driveby download NO browser may be able to defend your computer.

Some of these so-called security experts told people to delay updating their software on Microsoft's 'Patch Tuesdays.' Now businesses and governmental agencies can delay patching computers and test patches before they are installed. But ordinary people are better off not delaying. Because 'Patch Tuesday' is followed by 'Hacker Wednesday' when the bad guys try to back engineer the patches.

Other so-called 'security experts' tell people not to use the Norton Antivirus. They say that Norton is bloated software. Norton has not been bloated software for at least the past two years. How long does it take for the 'security experts' to catch up?

For years people have been hearing this stuff: Use Firefox and not IE; delay patching because there may be a bad patch; etc. Nobody ever dares to tell the other side of the story. Firefox is no longer a little used web browser that is not likely to be targeted. And the bad guys look for any weaknesses and perhaps today the weaknesses for Firefox are the websites of the independent add-on developers. And yes there can be a bad patch (McAfee anybody?) but don't tell ordinary people to delay patching.
 
Quote:

And before someone decides to attack what I am saying I am going to say this: For years various so-called 'security experts' have been giving bad advice to ordinary computer users.


Quote:

personal guess is that Firefox and Google Chrome are no more secure than IE8 with InPrivate Browsing turned on.


Personal guess?

Yes, this advice to use Firefox was doled out when IE was @ version 5.5, so "years" of using Firefox was "good advice"; it was issued by both the German and US gov't.
CERT also recommended it.

http://www.theregister.co.uk/2004/06/28/cert_ditch_explorer/

Quote:

statement on the CERT site said: "There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, and ActiveX

Is CERT "so called" security experts?

FF has a much better security track record than IE ever will. Your recent assertions about 2 addons don't invalidate years of proven performance. Why is IE now secure? What took so long?

The best advice, as you have indicated, is to be vigilant to security issues.
 
Sophos is a major antivirus company and they have a white paper that you can download from their website. In the white paper they list Firefox and say that it is one of the myths of internet security that Firefox is more secure than other web browsers. I think Sophos probably knows a little bit about security. And they also discuss actual testing of web browsers at Secunia.

I have a book on Windows 7 that was written by a man who was a Microsoft MVP. It is pretty informative. But the guy who wrote the book seems to have some kind of a hangup about Microsoft, Windows, and Bill Gates (who no longer even runs Microsoft). He has an even greater dislike for Apple. He basically calls Apple software 'junk.' His book does have a lot of good information but he has the usual advice about using Firefox instead of IE, delaying installing software updates and patches until they have been checked out, and using a free antivirus rather than a paid antivirus program ('why pay for security?').

Common sense should be enough when it comes to updates and patches. Businesses and governmental agencies can delay installing updates until they have been checked out but ordinary people obviously should have automatic updating turned on. An ordinary person could forget to install an update if they don't have automatic updating turned on.

Some people here have complained about the security of IE and then you find out they were using IE6. Microsoft has since come out with IE7 and IE8 and will soon release IE9. Time to update! And some people do not even know about features in IE8 such as InPrivate Filtering. It is simply not fair to test the latest version of Firefox against an old version of IE. There is no comparison between IE6 and IE8 when it comes to security. A lot of people could improve their computer security just by going to Microsoft and downloading for free an up to date version of IE. A book on Windows 7 from the local Barnes and Noble book sellers probably also would not hurt.

A free antivirus is obviously better than no antivirus. Heck, some so-called 'experts' have advised ordinary people to not use any antivirus program on a Windows computer! But I think the best antivirus programs offer more than a free antivirus program.

And I have to wonder a little bit about people who are supposed to be writing a book about a Microsoft operating system but they personally have a dislike for Microsoft and Windows. Maybe they should write books about Linux operating systems and Open Source software?
 
And let me correct you on something you say here. Perhaps you need to read again what I wrote. It was not '2 addons' for Firefox that had problems. There were problems with more Firefox add-ons than that. Read again what I wrote or else go to Threatpost and look up what was written there.

And you say that the advice to use Firefox was issued when IE was at version 5.5. There is no comparison between IE5.5 and IE6 to IE8 when it comes to security. IE8 is much more secure and is more 'sandboxed' from the operating system. Trying to compare IE6 with IE8 is like trying to compare Windows 98 with Windows 7.

If you want to compare Firefox, or for that matter Google Chrome, with IE we have to have a level playing field. Compare the latest version of Firefox or Google Chrome with IE8, the latest version of Internet Explorer.
 
Quote:

And you say that the advice to use Firefox was issued when IE was at version 5.5. There is no comparison between IE5.5 and IE6 to IE8 when it comes to security. IE8 is much more secure and is more 'sandboxed' from the operating system. Trying to compare IE6 with IE8 is like trying to compare Windows 98 with Windows 7.


So what browser was recommended BETWEEN IE5.5 and IE8?

MS browser security, it is like they just showed up to the week long block party. lol

We can all agree if IE8 security is better, that is a good thing.
 
When exactly was IE5.5 released? And how old is that advice from CERT to IE5.5 users? The white paper from Sophos that I told you about is NOW! It is not some ancient advice given to computer users who long since have mostly moved to a much more advanced version of IE. Is that ancient advice by CERT given to users of IE5.5 (a web browser used by Microsoft a long time ago) the reason why open source advocates keep telling Windows users to use Firefox? If that is their justification for advocating Firefox they are using out of date information. They need to catch up to the real world. When that advice from CERT came out Firefox probably was more secure. It had a much smaller user base and few malware writers were probably even bothering to target it.

And do you actually read what I write in my posts and replies to posts? There were four or five different Firefox add-ons that were mentioned-not two. And for all we know those may just be the tip of the iceberg. Exactly how safe is it for the average computer user to use ANY Firefox add-ons? There were 2000 downloads of the password stealing add-on. There were 77,000 downloads a week of the add-on that had a critical security flaw.
 
Quote:

And for all we know


4 or 5, instead of 2? Not worried. IE has hundreds of published security issues.

http://mashable.com/2010/01/14/google-china-attack-anatomy/

Quote:

As with most targeted attacks, the intruders gained access to an organization by sending a tailored attack to one or a few targeted individuals. We suspect these individuals were targeted because they likely had access to valuable intellectual property. These attacks will look like they come from a trusted source, leading the target to fall for the trap and clicking a link or file. That’s when the exploitation takes place, using the vulnerability in Microsoft’s Internet Explorer


This year. Not a "hypothetical" based on "for all we know" but a real cyberattack against Google based on IE security deficiencies. Google has chosen to ditch IE because of this.

Quote:

Overall, while Microsoft and IE seem to be partly to blame, the attack was sophisticated and executed on multiple fronts.


Quote:

McAfee begins by stating that it discovered a previously unknown vulnerability in Internet Explorer (Internet Explorer) that was exploited by the malware used in the attack. Microsoft has been informed of the exploit


Can you reference a cyber attack based on FF problems?
 
It is the user's own fault if they download insecure add-ons. ActiveX is probably THE most exploited component of Internet Explorer; and no other browser natively supports it! That was one of the primary reasons "back in the day" for the recommendation of Firefox, Opera... and now Chrome for everyday computer users. It leaves one less thing that is readily exploitable.

There is no "perfect" browser. And there are MANY ways to back-door Windows, through pretty much any browser. Historically, all of them have been "better" than IE in that respect however.

Now, I do not scour the web looking for research to support my professional opinion that Firefox has historically been more secure than IE. Past experience with thousands of computer systems supports that conclusion for me. The systems where the user is running Firefox get less malware, viruses and infestations than their IE-using counterparts. Things have most certainly been better since Microsoft's roll-out of IE8 but to USE the new features like InPrivate browsing and the like requires user education; something that many are simply too lazy to seek out and do themselves. And there is no wizard or familiarization process that opens once the browser is installed to prompt the user to familiarize themselves with these features before they start browsing. So to automatically assume that those who upgrade their browser to IE8 are going to be browsing securely because of the browser's feature set is an exercise in naivety.

And then there is the issue of inherited browser security settings. Does IE8 automatically reset all the zones to the correct "secure" settings when upgrading from a previous version that may have had those settings adjusted via a past malicious exploit? Nope.

Out of the box, on a fresh Windows install, IE8 is a massive improvement over anything that came before it. It is "on-par"; and some, like you Mystic, may argue "better" than many of its counterparts. And I won't disagree with that.

However, most installs of IE8 are NOT done on a fresh copy of Windows. Many copies of IE8 are deployed on copies of Windows where the system has had past exploits, changes made to the security zone settings, potentially malicious ActiveX controls installed and all sorts of fun things.

Comparing THAT to a fresh install of Firefox with no add-ons.... There is no contest. And that is where lab testing and "in the field" testing differs.
 
Originally Posted By: Mystic
Sophos is a major antivirus company and they have a white paper that you can download from their website. In the white paper they list Firefox and say that it is one of the myths of internet security that Firefox is more secure than other web browsers.


So, you ignore some security organizations and take what others say as gospel truth? Sophos, as a "major antivirus company" is in business to sell a product. That doesn't mean they're wrong or lying, but you have to consider the source. It is not in the interest of Sophos or Symantec for everyone to immediately start enforcing secure computing habits outside of running an antivirus or security suite.

There are some very computer literate people who use Windows without antivirus with no problems. They are able to do so because they follow sensible practices. They don't go to weird sites or click on random links or open unexpected email attachments. Some even enforce plain text only email and bounce any HTML mail received.

When I was on Windows, there were a couple reasons I used Netscape/Mozilla instead of IE. One was security. Secondly, I simply didn't like IE.

As for someone who dislikes Microsoft yet writes a book on Windows, isn't it nice to get a more critical view, rather than hear simply the Gospel According to Bill?
 
Well, I don't mind if somebody who is somewhat anti-Microsoft and anti-Windows writes a book on a Windows operating system, such as Windows 7. Because you do get to learn about any negative aspects. And I did buy the book. It is informative and well written and the guy was at least in the past a Microsoft MVP. So he must know something. It did present a kind of different point of view compared to 'Windows 7 Secrets' which was written by two any pro-Microsoft guys. Unlike some Linux and Open Source people who go insane if anybody says anything negative about their favorite operating systems and software, I WANT to know about any negative aspects of Windows.

And I agree with you when you say that it is mainly up to the user to use good computing practices and to get educated about their software. Really, a person needs to buy a good book on any new version of the operating system they will be using. Like I myself said above, some people who use IE8 probably do not even know about InPrivate Filtering. If I go anywhere on the internet where I have not been before I use InPrivate Filtering. When some people here posted about problems they had on the internet and they said that they were using IE6, I felt like saying something. But what is the use? I am not sure if IE8 will work in Windows XP but they at least could have updated to IE7. It is free!

I was glad when Microsoft came out with Microsoft Security Essentials because some people will simply not pay for any security software for their computers. Of course there have been other free antivirus programs as well. There is really no excuse.

A lot of people are totally to blame for their own problems. If a person opens just any email attachment, visits certain kinds of websites, uses peer-to-peer file sharing networks that are not secure, does not use an updated decent antivirus program, and does not update their operating system and the software on their computers-it is only a matter of time before they will be attacked.

Nobody seems to have noticed (how well do they even read my posts?) but I have repeatedly said that regardless what web browser a person uses they can still be attacked successfully by a well designed drive-by download.

Something that I do get tired of is the silly anti-Microsoft, anti-Windows, anti-Bill Gates nonsense. It is really strange to have a hatred for a corporation or an operating system. An operating system can be good or bad technology but it is just technology. And Bill Gates and his wife have donated a lot of money to worthwhile causes throughout the world so I don't know how people like that can be hated.

It kind of makes me think about Google. An internal memo at Google was leaked to the press. Supposedly workers at Google were being told that they had to use either a Linux or a Mac Computer for their own use. They could not use a Windows computer. Well, 95% of the potential customers of Google throughout the world use Windows on their desktop computers. If Google made software only for Linux operating systems and served only people using Linux desktops what percentage of the web browser user base would Google have?

No matter how superior Linux and open source software people may feel that they are to Windows users, they still need to keep certain facts in mind-at least if they are going to do something like develop a web browser to be used by the computer desktop users of the world.
 
Originally Posted By: Mystic
It kind of makes me think about Google. An internal memo at Google was leaked to the press. Supposedly workers at Google were being told that they had to use either a Linux or a Mac Computer for their own use. They could not use a Windows computer. Well, 95% of the potential customers of Google throughout the world use Windows on their desktop computers.


How does the OS (They use their own Ubuntu derivative, called Goobuntu) they use for development relate to the OS their customers use? That makes no sense to equate those two points.

Also, Google *doesn't* make software for Linux, by the way - We Linux users are forced to use their Windows products bundled with Wine on Linux.

And *all* big organizations I know of have some kind of policy that governs what software their employees use in-house.

Originally Posted By: Mystic
If Google made software only for Linux operating systems and served only people using Linux desktops what percentage of the web browser user base would Google have?


About 1% if statistics are to be believed. Is Google planning on developing software only for Linux?
 
Doesn't matter the browser used, period. They can all be hacked, compromised, etc.

If you isolate the browser from the rest of the system, you won't have any issues. But, what do I know, I've run Sandboxie with no antivirus program for years with no malware / virus problems. Both with Firefox and IE.

There are also virtualization programs which are free that protect the entire C drive in case something goes bad, such as a virus, etc., and with a simple reboot, all the bad stuff is gone.

But arguing about browsers which is best IMO is a waste of time as they all can be only as good as the user behind the keyboard.
 
Still waiting for your reference on large web attacks caused by FF insecurity. j/k

One thing I know for sure, we both have strong opinions.
 
I think they have to make sure their software will work on Windows computers. Is not their user base 95% Windows?

Yes, they can force employees to use whatever computers they want the employees to use at work. Of course, if they started to put pressure on employees about what home computers they use.......

If Google wanted to they could fire any employee who used a Windows computer at work. But they can't fire the 95% of world computer desktop users who use Windows. Those people could fire Google!

I have fired Google. I have a choice. I can use Bing and Yahoo and choose not to use Google. I choose not to use Google. I have concerns about GMAIL privacy and if Google has a problem with me because I am a Windows user I have news for them. They don't get my business.
 
Originally Posted By: Mystic
I was glad when Microsoft came out with Microsoft Security Essentials because some people will simply not pay for any security software for their computers. Of course there have been other free antivirus programs as well. There is really no excuse.


The biggest beef is that it should not have been necessary. The OS itself is the problem. Band-Aid solutions aren't really solutions. If the operating system isn't secure in the first place, all that is left is playing catch up with patches. We know how well that works.

Originally Posted By: Mystic
Something that I do get tired of is the silly anti-Microsoft, anti-Windows, anti-Bill Gates nonsense. It is really strange to have a hatred for a corporation or an operating system. An operating system can be good or bad technology but it is just technology. And Bill Gates and his wife have donated a lot of money to worthwhile causes throughout the world so I don't know how people like that can be hated.


Lots of companies and public figures are hated. Microsoft's business practices have made a lot of money, no doubt, but also a lot of enemies. For good or for bad, Bill Gates is the public face to that company, and will remain that way long into his retirement. Donating money to causes is one thing, but it doesn't change the way Microsoft did and does business. Lots of companies are hated. Lots of hated companies donate to charities. There are tax benefits and it can help PR. It's the same as patches, though. You don't solve a bad PR problem by carrying on the same way as usual and throwing money at various charitable causes. You fix the PR problem first.

Originally Posted By: Mystic
It kind of makes me think about Google. An internal memo at Google was leaked to the press. Supposedly workers at Google were being told that they had to use either a Linux or a Mac Computer for their own use. They could not use a Windows computer. Well, 95% of the potential customers of Google throughout the world use Windows on their desktop computers. If Google made software only for Linux operating systems and served only people using Linux desktops what percentage of the web browser user base would Google have?


The point being, however, that Google and most other websites work with any browser or OS. They don't make software or their website only for one browser. Microsoft (and a few select others) do, however, make things only IE compatible. Also, don't forget that part of the beauty of open source code is portability between platforms. Microsoft will gladly sell me any of the software products I wish to buy. If I'm not using Windows, though, I'm simply out of luck.

Originally Posted By: Mystic
No matter how superior Linux and open source software people may feel that they are to Windows users, they still need to keep certain facts in mind-at least if they are going to do something like develop a web browser to be used by the computer desktop users of the world.


Which Firefox does, on just about any platform.
 