NSS Labs regularly compares and contrasts the security capabilities of the major browsers. Since the web is the source of most information security incidents and the browser is the user's interface with the web, it is felt that the browser should also provide a first line of defense against security threats.
But the NSS tests show that no one browser is better than others in all areas. For example, the phishing test report (not yet on site) notes, "The average phishing URL catch rate for browsers over the entire 12-day test period ranged from 96 percent for Firefox (version 19) to 83 percent for Internet Explorer (IE) (version 10)." Second was Safari on 95% and third was Chrome on 92%. These three browsers all use Google's Safe Browsing API. Internet Explorer, a significant 13 points behind the leader, uses Microsoft's SmartScreen technology.
However, the report also points to an earlier study by NSS that showed Internet Explorer outperforming its rivals in protecting the user from socially engineered malware. In this it was rivaled only by Chrome. "Chrome’s superior protection against socially engineered malware makes a strong case for Chrome over Firefox and Safari." However, it adds, "The superior performance of Internet Explorer over Chrome in socially engineered malware protection compensates for the lower than expected phishing protection observed in this test."
A second new report looked at the browsers and user privacy. Here, Internet Explorer is a clear winner (Chrome, Firefox, IE and Safari were the tested products). All four products warn the user if the website seeks to access geo-location data, but only Internet Explorer has a tracking protection list (TPL) as a built-in option. TPLs are lists of sites that will not be allowed to read tracking cookies.
The IE option allows users to build their own TPL or use one provided by third-party privacy companies such as Abine. "Of note," says the report, "IE is the only leading browser with a TPL that is specifically designed to block Google from circumventing privacy protections." However, NSS is not convinced that IE's own solution is the best. "While the intent of the TPLs in IE is admirable, the current implementation makes certain add-ons, such as those provided by Abine and Disconnect, a superior choice for privacy."
Since those same and similar add-ons are available for other browsers, this would seem to be a victory of intent rather than effect for Internet Explorer. A similar argument could be applied to IE's inclusion of Do Not Track as default on. All of the browsers provide a Do Not Track setting, but only Internet Explorer has it pre-set. The problem with Do Not Track is that it is currently optional; and the reality is that websites can and do simply ignore it.
"The technology today," notes NSS, "actually does nothing to protect privacy; however, if proposed legislation prevails and requires honest compliance with the Do Not Track header, IE 10 users will be far better protected by default than will the users of any other current browser."
Internet Explorer may not provide much actual additional privacy, but it has a clear statement to its users that it is concerned for their privacy. However, if users are looking for a single browser that stands out as the most secure, they won't find it in these new reports.
04 October 2013
The major browsers' original design center wasn’t built for protecting against malware or phishing attacks. Retrofitting stops the bleeding and provides a level of protection and healing, but allowing attacks through 17% to 5% of the time is a huge problem that needs a new solution. We are a long way away from 5 – 9’s reliability! And the attacks are increasing and becoming more sophisticated, as evidenced by the advent of watering hole attacks, so the major browsers will always fall behind and need to catch up, as the NSS Labs testing showed. It would be nice to see a review of some of the young companies that have created browsing technology to exist in an environment expecting increasing and novel phishing and malware attacks. For example, Spikes (www.spikes.com) challenged the attendees at Black Hat 2013 to beat their browser technology and no one claimed the $10,000 reward.