Google funded browser study declares Firefox less secure than both IE and Chrome (forbes.com/sites/andygreenberg)
45 points by suprgeek on Dec 10, 2011 | 38 comments


Despite the potential for a conflict of interest, Accuvant is a well-respected firm, and its researchers have performed a thorough and fair study, even making the tools they used to test the browsers publicly available [1]... Nor are Accuvant’s findings entirely positive for Google. It points out that Chrome fails to effectively blacklist malicious URLs, though neither of the other browsers fared better on that front.

...but as a journalist, I can't let that get in the way of my constructed narrative! Mozilla and Google are totally in a fight. Seriously guys, if you could argue a little in the comments section, that would be great for our page views.

[1] http://www.accuvant.com/capability/accuvant-labs/security-re...


more seriously, the chart forbes copied makes the report look seriously amateur hour (forbes's jpg of it doesn't help), but the report is pretty interesting.

long section in the front about why previous browser security studies have been pretty poor, then gets into what seem to be good details on testing JIT hardening on page 28 (34 in the scribd). Haven't read farther yet.

http://www.scribd.com/doc/75194017/AccuvantBrowserSecCompar-...


Google basically made Firefox. And they make money from them as well. I don't think they hate it that much. Maybe they just don't like being held back and want to pursue their stu..eh dart ideas.


Firefox existed before Google funded it through the deal. If anyone, Netscape made Firefox. Heck, they actually made it, with no one's help and they actually created one of the first successful, fully open browsers. They're also the reason you have even Chrome today. Let's not change history too much.

Now that's true Firefox today is sustained by Google's money primarily (but I'm sure it would be fine with Bing's money - it's all about money for corporations, and Firefox still has a large user base).

I also doubt they hate Firefox. But Chrome's advertisement budget alone is 20 times higher than what they pay to Firefox. That's quite a bit.

Certainly there are interests in Firefox's demise for Chrome (and for IE). You'll notice IE's marketing study was _exactly_ the same as Chrome's one.

Put IE on top, Chrome behind (it would make the study look too fake if they're all put too low and Chrome is the cool kid right now), then Firefox last, and no one cares for Opera, Safari, etc.

Why? Because it has nothing to do with technical details. It has everything to do with advertisement (or FUD, like we called it back in the days.)


If anyone, Netscape made Firefox.

This. There's an actual documentary about it: "Code Rush" http://www.youtube.com/watch?v=u404SLJj7ig


For those without Flash, get your HTML5 WebM <video> here:

http://coderush.tv/


YouTube also has an HTML5 version once you enable it. https://www.youtube.com/html5


ugh, I hate this kind of post because it does exactly what I mentioned above: creates more divisions than it actually describes.

I'll just say your mention of FUD is ironic since last I checked, Mozilla's income from the google search referral contract was something like $80 million, which would make 20x that number $1.6 billion. I'd love to see your source on that one.

You also clearly didn't bother to actually read any of the report. There are in fact serious security issues brought up there, have been brought up before [1], and are an active and interesting area of research. Mozilla and the other browser vendors are actively working on the issues brought up there (for instance, [2]), which no one has solved completely.

But yes, please. Let's reduce this to soap opera and sound bites.

[1] http://www.matasano.com/research/jit/

[2] https://hackernews.hn/item?id=3337727


We actually have the code for JIT hardening already for Firefox, but we had some problems with Win32 that need investigation. If you want to follow along https://bugzilla.mozilla.org/show_bug.cgi?id=677272.

BTW much of this is similar to a study, but only about JIT security http://www.matasano.com/research/jit/.


Firefox remains the best choice. It doesn't send data to Google or someone else to monitor what sites you visit and other things which Chrome might be doing.

Firefox also allows you to use AdBlock Plus, NoScript, Ghostery and a few other addons to improve security, lower bandwidth usage and improve performance.

I really hate these studies paid by other companies. Where's the "don't be evil", Google? Are you afraid that Firefox will kill your beloved monitoring tool Chrome?

Why does Chrome have a unique ID? Isn't this meant to identify you in a very precise way by attaching the browser unique ID to the gmail account?


According to this article, the unique ID is removed after the first update http://www.theregister.co.uk/2010/03/16/google_chrome_unique...


It's still there.

I recall looking up a way to remove it and found something for Chrome 8-9. However, that "field" has now been merged into some other field and you can't remove it without losing all the data.


>Firefox remains the best choice. It doesn't send data to Google or someone else to monitor what sites you visit and other things which Chrome might be doing.

Chrome does not do this. Here is a link to the Chrome privacy policy listing all communication with Google and settings to disable such communication: http://www.google.com/chrome/intl/en/privacy.html

>Firefox also allows you to use AdBlock Plus, NoScript, Ghostery and a few other addons to improve security, lower bandwidth usage and improve performance.

I'm glad to hear that you're a happy Firefox user and agree that they support a very diverse extension ecosystem.

>I really hate these studies paid by other companies.

This is one of the perils with commissioning an objective third-party assessment. Simply put, the results might include things you really didn't want to hear. However, all the data, methodology, and tools are publicly available. If you think there's a legitimate issue with the study, then please investigate further.

>Why does Chrome have a unique ID?

Chrome does not. When a version of Chrome is pre-installed as part of a third-party campaign the updater has a unique ID as described http://blog.chromium.org/2010/06/in-open-for-rlz.html


I always had my suspicions about using Chrome, but could never prove it. In Google's business model, the user is the product, so I always question their free software and how my data is being harvested.

Do you happen to have any links about Chrome's unique ID? I would love to read more about it...


Chromium doesn't (necessarily) send data to Google. As far as safety, it should be comparably safe to Chrome, since beyond branding, the differences between the two browsers are slight.


> Why does Chrome have a unique ID?

Last time this came up, I believe the Moz engineers said that it doesn't anymore, as long as you download it directly from Google, but it does if you get Chrome from downloading it with McAfee or whatever (which makes it like three bad things at once).


As long as Firefox is the only browser where complete versions of add-ons such as NoScript, RequestPolicy and many others are offered, it is with no doubt the safest for me.


I would give an arm and a leg for a decent implementation of NoScript for Chrome.


Which parts of noscript do you want? If you want to block javascript fully on certain sites, Chrome can do that without an extension. If you want to block external scripts from certain URLs, that should be possible soon through the webrequest API. I can't see any equivalent of the clickjacking protection, though.


I want whitelisting with a little dropdown that gives me the option to temporarily or permanently whitelist domains as I see fit. I'm not really interested in blacklisting, which is I think what you're describing.


I've been following (and looked back at) NoScript's development and realized that it does much, much more than blocking execution of scripts and clickjacking protection. XSS-protection, their ABE-system and the ability to block all kinds of media content that I want, are among a few. Much of it appears to be hidden "behind the scenes".



But mentioning that wouldn't fit in the marketing speech of Google and Microsoft (which pulled _exactly_ the same stunt a couple of months ago, IE slightly on top of course)

Show how much truth there is in these "studies".


Microsoft has actually released numerous studies through NSS Labs. However, I believe what you are explicitly referring to is the yourbrowsermatters.org campaign. That was not a study, it was a marketing site that mapped the browser's user-agent to a listing based mostly on past NSS Labs studies.

As for the study from Accuvant, I definitely encourage you to dig into it as deeply as you feel appropriate. Unlike the pro-Microsoft reports from NSS Labs, this Accuvant study is completely transparent and verifiable. The methodology is documented and all tools and data sets are provided. If you have a legitimate concern with its merit, then you should have all the information you need to address it.


Nice. No attribution for the "Browser Wars" comic at all. This small link could've helped maybe: http://shoze.deviantart.com/art/browser-wars-215022942

This is the sort of thing you'd expect from a respectable publication.


It is, but where does the idea that Forbes is respectable come from? It's not; maybe it was once, but it hasn't been so for years.


AFAIK there are not many comprehensive studies of this kind done without some sort of corporate/company backing. In the industry it's the reputation of the company doing the study that is at stake, so what most companies do is they fund research but reserve the right to decide in the end if the study will be published or not. If the results end up reflecting a positive view of the company that funded it they publish it, otherwise they use the information collected by such a study to improve the product.


Just wondering: why do browser makers fund studies like this? You always hear MS have funded a study that shows IE is more secure, Google funded a study that shows Chrome is more secure, etc. etc. Doesn't seem to really help anything.


Publicity. Simple as that. It's a newsworthy article (as you can see here) and they gain users or at least a good name from it. Chrome's campaign value is in billions of dollars. Why does it surprise anyone they want to spend some more?


There's very little good information on the relative security afforded by different browsers. In that vacuum we've seen tremendous amounts of misinformation spread (both intentionally and accidentally). So, in order to get a better picture we decided to commission an objective study that would be transparent, repeatable, and verifiable.

A good study requires knowledgeable experts (who typically don't work for free). So, we sought out a respected, independent security company with a team of very well known researchers. They set the terms of the study and put their names and reputations behind the results. All the data and tools are public and open to independent verification. If anything isn't above board you should already have whatever you need to prove it.

So, I think there's an incorrect assumption in your original question. Browser makers don't always put out studies like this. To my knowledge, no browser maker has ever commissioned a study remotely like this in terms of both scope and quality.



When I saw "Google funded browser study..." I already know the answer of browser war on security.


In layman's terms I will definitely not claim that Firefox is less secure. BUT what is up with the damn RAM leaks and crashes?

I love FF but it's a very one-sided relationship from a user perspective that is about to end if FF and MOZ do not fix the mem leaks that have been sucking since 2007!


how about upgrading to the latest version?


I have the latest version, and still have to restart the browser from time to time. Otherwise, it becomes impossible to use. When I check Process Explorer, the browser is using up to 1.6 GB regularly. Doesn't sound right to me at all.


The next time you see that, please open about:memory and paste the contents into a bug. Or you can even email me directly (pcwalton at mozilla dot com) and I will forward it to the relevant people.

We are serious about cutting down Firefox's memory usage.


1) Disable all plugins and add-ons, and re-enable 1-by-1 until you find the one that leaks.

2) about:memory (will likely show not much as it's almost certainly a plugin/add-on that leaks)

3) Make sure that General->Advanced->Submit performance data is enabled, so if it's really a leak in Firefox, it can be tracked down.

If you still see 1.6G memory usage even with all add-ons and plugins disabled, be sure to report a bug. (I'm assuming you don't have hundreds of tabs open or anything which would otherwise explain that)


A common reason for this is extensions which break Firefox's ability to clean up RAM usage. See this bug and its dependencies https://bugzilla.mozilla.org/show_bug.cgi?id=700547 (Firebug, LastPass, and Scriptish/Greasemonkey seem to be commonly at fault.)

If it's not an extension, it could be a "zombie compartment" and any help you can provide tracking that down would be great. https://developer.mozilla.org/en/Zombie_compartments



