Ummm, no! Not even close! Got links? I do. Big ones.
Chrome is legitimately the fastest and most secure, but Firefox easily wins on the quantity and versatility of its addons. IE9 has made great strides, but it still lags behind both of its competitors in speed/security.
This is fact, not opinion.
Same time last year, NSS Labs Q3 2010
It became obvious from this worldwide test and our recent European and Asia-Pacific tests, in comparison to our earlier global tests, that Microsoft continues to improve their IE malware protection in Internet Explorer 9 through its SmartScreen® Filter technology and with the addition of SmartScreen Application Reputation technology. With SmartScreen enabled and Application Reputation disabled, IE9 achieved a unique URL blocking score of 89.5% and over-time protection rating of 96%.
With a protection rating of 13.2%, Chrome 12 offered inferior protection to IE9, yet superior protection to Opera, Safari and Firefox.
NSS Labs Q1 2009
Windows Internet Explorer 9 (beta) caught an exceptional 99% of the live threats, leading the non-IE pack by 80%. IE9's protection includes SmartScreen URL filtering, which is included in IE8 as well as SmartScreen application reputation, which is new to IE9.
Windows Internet Explorer 8 caught 90% of the live threats, an exceptional score which was a 5% improvement from the Q1 2010 test and built upon prior improvements from the Q3 2009 and Q1 2009 tests. IE8 showed a 71% lead over the next best browser.
Mozilla Firefox 3.6 caught 19% of the live threats, far fewer than Internet Explorer 8 or Internet Explorer 9. This is a 10% decrease in protection from the Q1 2010 test.
Apple Safari 5 caught 11% of the live threats. Overall protection declined 18% from Q1 2010.
Google Chrome 6 caught 3% of the live threats, down 14% from the Q1 2010 test.
Opera 10 caught 0% of the live threats, providing virtually no protection against socially-engineered malware.
Note this April 2011 Ed Bott Report. He provides an excellent explanation of social engineering. Note these excerpts:
Microsoft Internet Explorer 8 (RC1) was the standout in our tests, achieving a best-in-class 69% catch rate against Malware. It is clear that Microsoft is making an effort to provide security to their customers with IE8.
With a catch rate of 30%, Mozilla Firefox was a distant second to IE8, but commendable nevertheless.
Apple Safari achieved a respectable 24% catch rate. However, test results indicate operational delays in distributing protection filters, leaving Safari users unprotected for long periods of time.
Google Chrome’s protection was notably inconsistent. Initial protection was commendable, however as the test progressed, Chrome’s protection faded dramatically – bringing down the average catch rate to 16%. We were concerned that this was somehow an artifact of our test harness and spent extensive time manually verifying results. Our findings were that Chrome’s protection did indeed drop off significantly.
With a catch rate of 5%, Opera provided virtually no protection against Malware.
With a 4% catch rate, Microsoft Internet Explorer 7 provided practically no protection against malware.
Of special interest to me was his closing comment about the commitment Microsoft has made (in terms of money and people resources),
Summary: Social engineering has become the dominant method of distribution for fake antivirus software these days. Google Chrome puts you at risk: in my testing, malware broke through Chrome’s defenses in four clicks. Internet Explorer 9 flags the exact same sites and files as suspicious.
I recommend anyone interested in security to sign up for the US Government's CERTS Vulnerability Bulletins. I note in this Aug 1, 2011, US-CERTS Report Chrome had 14 High (the highest rating) vulnerabilities reported that one week! If you go back through the archive, you will see Firefox leads (in a bad way), by far. Chrome is much better than FF, but IE 8 and 9 have had much fewer than Chrome.
Ed Bott said:
This kind of improvement isn’t just a matter of clever code. It takes a tremendous investment in back-end services and a huge commitment of resources—people and money—to do the necessary analysis. This is one feature that other browser makers—especially Google—desperately need to copy.
I'll tell you why all your links are invalid: NSS labs tested IE9 against Chrome 6 in some of its reports. Chrome 6 is so unbelievably old that it boggles the mind. Even in its most recent reports, the tested version was behind what any user can download (currently v14), which certainly makes me question the validity of any data that I'm reading.
Ummm, no! Not even close! Got links? I do. Big ones.
OMG! Did you research this? I did! Pwn2own is a contest! A game! An exhibition! A prepared competition using one specially prepared exploit in a controlled environment! A game to test hacker skills. It is NOT, in ANY way, designed to test and evaluate browser security.
Thrax said:
When it comes to actual exploits that can get me even when I'm cautious, I will always take the pwn2own contest as a bellwether.
Ed Bott has a long established career of unbiased reporting, and the US Government does not take advertisement, promotion, or hush (I hope!) money from the vendors. These actions are to avoid even the "appearance" of impropriety. The promoters of pwn2own, TippingPoint DVLabs, on the other hand, may have good intentions, but by their own admission, have "partnered with Google"! And that, "certainly makes me question the validity of any data" out of that contest.
4.4 ABOUT THIS TEST
This report was produced as part of NSS Labs’ independent testing information services. Leading vendors were invited to participate fully at no cost, and NSS Labs received no vendor funding to produce this report.
Michal Zalewski said:
..."The formula of the contest boils down to this: once a year, a single, secretly developed exploit is exchanged for a substantial amount of money."...
..."It takes days or weeks to find and exploit a vulnerability, and Pwn2own is no exception: the actual exploits are prepared months or weeks in advance,"...
dragosr - contest organizer said:
You can use the results of the sometimes chance related availability of exploits for a target platform a somewhat litmus test of overall security, but it's very hard to draw definitive conclusions.
I find it scary ignoring not 1, but 3 reliable, independent sources, including genuine testing labs and a government agency assigned to keep the public informed of cyberthreats, and instead, using the results of a contrived, narrowly focused game as a "bellwether" for security? That's certainly your choice, but I would ask you reconsider your position in lieu of what I have presented here. And please don't announce and advise others, "This is fact, not opinion." Because it's not fact - it is opinion.
Aaron Portnoy - contest organizer said:
The purpose of Pwn2Own is not about which browser is more secure than its peers. The point of Pwn2Own has always been to entice those who are able to actually exploit these vulnerabilities to come to Vancouver to show off their techniques.
...this doesn't actually help draw any high-level conclusions about browser security...
Please, Thrax, that's very misleading! I don't trust ME, why should I trust you? I am researching and validating as I type. I suggest you do the same. Your link references the Q3 2010 report and with a quick look here you can see that V6 was the current version at that time! My first link was to their Q3 2011 report and they tested with Chrome 12, the current version at the time of testing. 13 just came out this month! 14 is still in beta! They do 4 reports a year to keep up with version changes - not an easy thing to do with Chrome having 7 in one year!
Thrax said:
I'll tell you why all your links are invalid: NSS labs tested IE9 against Chrome 6 in some of its reports.
which certainly makes me question the validity of any data that I'm reading.
I NEVER said it did. I noted, as Ed Bott noted, and as NSS Labs noted, it is a "distribution method" for malware, and a very popular one, growing in popularity.
Social engineering does not account for real security flaws
Also invalid. The vast majority of all malware relies on human failings. AS NOTED BEFORE - if the user practices safe computing, then it does not matter the browser of choice! It is the exposed vulnerabilities that get exploited. How are they exposed? By not updating Windows. By not using a firewall. By not using a good anti-malware solution. By participating in illegal on-line activities. By opening the door and letting the badguys in. Not by your browser of choice.
it relies on the user doing something ignorant or stupid to activate it. A real security flaw requires no user intervention at all.
There are organizations that do that. One is US-CERT, the ignored source that ranks those that are more serious.
I hope we can agree on which flaws are more serious
Since the requirement to practice safe computing to keep your computer safe and secure is the same, regardless the browser of choice, your choice of browsers is just that, your choice. Pick the most current version of the one that has the "look and feel" you prefer. I prefer IE9.
There's no need to dump them. None of the major browsers, on a properly secured computer, are "unsafe". While I prefer IE9, and it is the default on all my systems, I have Chrome installed on this machine and FF on my other main machine to use as an "alternative browser". If I have trouble connecting to a site, or a site does not render right in IE9, I will call up my alternative browser to see if it is IE9 or the site.
mr.magoo said:
I just dumped Mozilla and Chrome.